[Long Story Long (for Gen Xers) or T.M.I. (for Millennials)]
I am a computer tech by trade but I rarely have to deal with Malicious Content Extraction on Windows OS's, depending on where I work. Internally we will have very secure Network Security Appliances and such. And more times than not I will be working for an organization that is several domains deep from the outside-facing IPv4 addresses, with a security expert taking care of ACLs, Group Policies, PIX boxes, Network Appliances or whatever Cisco calls them now. Since we always have roaming profiles with H:\ Home Drives we just wipe the infected system clean with some type of DoD wipe and use an image server to apply a fresh install that is sysprep(ed). Thus I rarely ever need to dig deep within the command line investigating with commands like NET, NETSH, WMIC etc.! So lots of that is new to me. Further, since I'm generally the guy responding to trouble tickets I never touch Group Policy Servers, Permissions\Privileges\ACLs and such; it just wasn't my job, and furthermore people don't want to show the 'underlings' how to run the servers, in an avoidance step to be the only person at the organization to understand and operate what is going on in the Servers and Domain Forest so no one else can displace them from their job!
About six weeks back we bought an HP laptop from Costco with 10 Home on it. It wasn't till then that I noticed funny activity on the Win10 box and the old Vista Home Premium systems. The laptop came with a full year of McAfee and five extra licenses to use amongst other hardware including smart phones and tablets et al. Normally I have used AVG Free on systems that I had helped friends come back from malicious attacks. I would also use CCleaner and\or Search Bot, Malwarebytes, HijackThis and whatever else would be the flavor of the month. Used ZoneAlarm for a long time on my AMD Athlon x2500 XP systems and was more than satisfied with it.
Over the past month I have recovered the Vista box a total of FOUR times due to viruses (pain in the buttocks; you know when they have arrived because it is more than obvious) and spyware, which didn't invade too much. Each time an attack would happen I would be magically placed into the 'Users' group as well as remaining in the Administrators group.
After performing a fresh recovery I would always unplug the computer from the ISP's combo box since we have cable and landline phone coming through it. No, we do not have an old RJ11 phone line hooked into the computer.
I want to severely hurt someone who thought it was a good idea to add hidden installs and login APIs and remote registry edits from Microsoft. It wasn't until just a few days ago, when I saw in the Sys Share logs that the system was sharing both C:\$ and some IPv4\$ shares, that I knew I was compromised AGAIN - crap!!! I had turned off all sharing and services manually. Have UAC on of course, but none of that mattered.
From then on I noticed I didn't have permissions to navigate to explicit paths, but I could still use CD in the command line and use Explorer to navigate to the same places.
Further, it was then that I noticed there were a bunch more drivers loaded on my nVidia Ethernet hardware driver, like tunneling protocols and IPv6, which I have not installed or been using - and I have been getting along just fine without them - they were just new vectors for malicious attack. So I deleted them, or at least the ones that did not have the remove button greyed out.
Before going out on the Internet this last time after my last system recovery I tried locking down Windows Vista pretty hard via Internet Security Advanced Options and whatever else one can think of. Only problem was I couldn't download anything from Microsoft's website using IE and these settings, like SP1 or any of the SysInternals tools; but even before I got infected IE would say the file I would try D\L'ing from M$, SP1 for instance, would not get downloaded from the official M$ website; it would say something along the lines of "Could not download content, Download Aborted". Remember this was after administrator logged into the command line to reset EVERYTHING from all security and IE, the TCP/IP stack - so on and so forth. So I downloaded Firefox and it worked just fine. Only problem is, Service Pack 1 finished installing with errors from the logs I checked.
Still at this time I was not getting the slow CPU speeds due to svchost.exe -k netsvcs (or however that local group is named) being a big pig with sys resources and memory allocation.
Thus the first download I got was AVG Free - which included a free 30-day trial. But, alas, it came with its own firewall and turned off Windows Security Firewall and Defender after it installed.
...Let me back up a few steps first! When I downloaded AVG I had set the AVG Firewall to NAZI (ask me for permission on every inbound and outbound connection). Task Scheduler popped its EXE head up asking for an outbound connection. I stopped and picked up my smarty phone and searched the internet and came to the conclusion that it was OK. I could look back in the task log and see the Scheduler talking to Redmond. I looked up the IP addresses and did a whois and it showed M$ and a physical Richmond location. So against better judgement I allowed it.
It wasn't till about then that I saw Security Audits go through the roof, with the Security and Application default logs showing Errors and Warnings. Then the nightmare started over again. %SystemRoot%\system32\Drivers did not exist when browsing, and when typing it out the OS did not recognize it. Many paths as such appeared. And an AVG scan could not open about 165 path names including the avg, AV, and wbem file folders.
I sneaked through the registry and spent an hour farting around in HKLM and HKLU. Found many entries that were contrary to how I had configured the system. Even found two different proxy server IP addresses.
Logged into Safe Mode with Networking and was unable to open a website in Firefox, though I didn't try pinging IPs 22.214.171.124 & 126.96.36.199. Also found registry keys in CurrentControlSet for c:\documents and settings\ and one for MBAM!
KNOCK KNOCK KNOCK HELLO, I'm running Vista and never downloaded Malwarebytes with this recovery.
This is where I threw up, not vomited, my hands and gave up yesterday with a migraine building for the past 5 hours.
I'm so sick of this. I read somewhere online that it takes about 5 minutes for a new unpatched, no-service-pack Windows machine before some sort of something very bad finds its way onto the computer. Mind, everybody, I activated both the Administrator account and User account, added 25-character passwords to them, and disabled them both.
What do I do from here? I'm also concerned that my recovery D:\ partition might have been played around with since one of the AVG notifications said it could not open it. Further, I cannot Explore to the D:\ drive but can use the command line.
What is my next step?
Now I'm just waiting for further guidance before moving forward. I need to gain adequate access to the internet first before I can D\L the tools necessary to proceed; thus if anyone can help me with that bit it would be appreciated.
Salt & Pepper
Edited by Queen-Evie, 09 August 2016 - 02:16 PM.
merged duplicate post into first post in topic