Firstly I am using Windows 7 x64 SP1.
I noticed some problems with my PC a few weeks ago and I have tried to solve them without success. I am reluctant to make any online purchases such as replacement PC parts (see later) or anything else while malware could be present. I do have several images of the current Windows partition which I could restore, but until I know how this malware has spread from one PC to the other I do not want to waste time doing that, because the chances are the restored Windows could become infected. My idea is that it could be due to flash drives, as that was the only connection between the PCs.
I have 2 PCs and I am now having to use my older PC because the other's hard drive died. I lost 2 HDDs in one day! The one was down to an error I made, but the other seemed to work fine until the day the other hard drive died; it then developed serious read errors when any checks were attempted. The SMART details for that drive show no problems and there are no unusual noises from the drive such as head knocking etc. This drive contained all my software, drivers and Windows updates. Please note that I did not install anything from this drive to the older PC because it could not access the drive. The older PC software was getting quite old so I did have to update it. This was mainly browsers and email clients plus a few other things. These were all downloaded from the internet, and the browsers such as Firefox, Waterfox and Thunderbird are pretty much 100% guaranteed malware free from their respective sites. Besides, the problems I am getting now are almost identical to what I was experiencing on my newer PC, so I would say that the malware is identical, which does not seem likely if it was something that I downloaded.
The failed drive is an internal 3.5" SATA drive housed in a Startech USB3.0 dual bay hard drive docking station SDOCK2U33HFW.
I have contacted Startech asking them whether it was possible for the firmware of this docking station to be compromised and they told me that the firmware is not updatable at home. I did read about USB flash drives where the firmware could be compromised by malware; it seems a long shot but might explain both the compromise by the flash drives and the problems with the drive in the docking station if malware saw the drive as some large USB flash drive. Flashing firmware is probably manufacturer specific, so that might not be possible.
I was having problems on my newer PC with networking to my router, which stopped internet access. This also affected my VOIP telephone, which is only plugged into my router and not my PCs. I first noticed a problem when my router disconnected from the internet while I was trying to use VOIP. I did install some VPN software, TrustVPN and a newer OpenVPN, around the time these problems started, but it could be totally unrelated. The router password was also changed and the logins were coming from my PC local network, i.e. just the Ethernet between my PC and router. I did change the 2 admin usernames (previously Administrator) to ones which are not so easy to guess, which did seem to stop it. After I did that the problems with my router stopped, but then other things started happening. Then I started losing internet access, where the Network and Sharing page shows a Public Network under Network rather than Home Network. When this happens I lose internet access. This has happened on a number of occasions on both PCs.
I have done scans on this older PC with Malwarebytes AntiMalware 3 trial; I do not rate this product highly. I have also scanned with Microsoft Security Essentials and 360Total Security Essentials with Avira and Bitdefender engines and nothing was found. I have now uninstalled 360Total Security in case it is contributing to some of the problems. I just tried installing the MS Windows Malicious Software Removal Tool and it failed to install from Windows Update with an unknown error. My PC seems to connect to some unusual IP addresses and URLs. I include a list of them below:
These are all found by Outpost Firewall Pro, which I run in rules mode, which prompts for every new application wanting internet access so I can see what is being connected to. It shows a popup asking for net access with port, direction, TCP, UDP, IP and/or URL. The problems still exist if Outpost Firewall is disabled.
1/ Waterfox browser listening on port 55522 before the browser even starts; I use the profile selection and this port is listened on at the profile screen.
2/ Waterfox localhost loopback port 54190
3/ Port 54940, but I did not note the application
4/ Port 55453
5/ Listening on port 55456 by localhost
6/ a95-101-128-232.deploy.akamaitechnologies.com (220.127.116.11). This came up when starting Waterfox, but on the profile selection screen.
7/ a95-101-128-227.deploy.akamaitechnologies.com (18.104.22.168). Another which came up while on the profile screen of Waterfox.
8/ 22.214.171.124 (HTTP), again while on the Waterfox profile select dialogue. An IP lookup says this is Akamai Technologies.
9/ 27-109-105-109.akamai-cluster-tug.nordu.net (HTTP)
There are many more connected to Akamai.
10/ Port 54940 localhost loopback
11/ Some from China and Korea, which is why I did uninstall 360Total to see if that stopped these accesses. ATM I cannot find the IP addresses that I noted down.
I did use sfc, which found some problem files which it could not restore. I know that shellstyle and related was one, because I altered this file to allow window colours to be altered, because I dislike looking at white screens, so I use more eye-friendly colours, including browser extensions to force dark colours on some websites such as Google etc. This has made things worse in terms of Windows use, with many things not working correctly. MSE will no longer download updates and they have to be received from Windows Update. BTW Windows Update no longer works and the Microsoft Windows Update fixing tool makes no difference.
What I would like is to know what this malware is and how to stop it reinfecting my PCs. The newer PC will require a new Windows install after I have a new hard drive. The older PC can be restored from the backup, but before I do that I want to make sure that the malware does not get back onto it, i.e. how it is spreading. The USB flash drives seem the obvious route to me. One is a 128GB USB 3.0 flash drive and I do not want to dispose of it, as they are not inexpensive.
BTW no one else has personal access to my PCs, so I know with 100% certainty that no one has altered anything.
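The port list above records several sockets whose owning application was not noted (for example port 54940). As an added example that is not part of the original post, the following PowerShell script attributes every TCP/UDP endpoint on a Windows 7 machine to the process that owns it, checks the Authenticode signature of that process's image, and groups the established remote peers per process with a reverse-DNS name, so that entries such as the Akamai hosts can be tied to a specific program. It uses only tools shipped with Windows 7 (netstat, Get-Process, Get-AuthenticodeSignature) and assumes the English-locale netstat output format and PowerShell 2.0; the function names Get-EndpointOwner and Get-RemotePeerSummary are my own.

```powershell
# Added example, not from the original post. Uses only tools present on Windows 7 / PowerShell 2.0:
# netstat -ano (socket -> PID) and Get-Process / Get-AuthenticodeSignature (PID -> image, signer).
# Run from an elevated PowerShell prompt so that image paths of other users' processes resolve.
# Assumes English netstat column layout; only TCP/UDP rows are parsed.

function Get-EndpointOwner {
    param([switch]$ListeningOnly)   # keep only LISTENING TCP sockets, e.g. the port-55522 case

    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # TCP rows: proto local remote STATE pid; UDP rows have no state column
        if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = [int]$f[4] }
        else                 { $state = '';    $owner = [int]$f[3] }
        if ($ListeningOnly -and $state -ne 'LISTENING') { return }   # 'return' skips this pipeline item

        $proc = $byPid[$owner]
        $name = '<exited or system>'; $path = $null; $sig = 'n/a'
        if ($proc) {
            $name = $proc.ProcessName
            try { $path = $proc.Path } catch { }                     # access denied for some system processes
            if ($path) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
        }
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state
            PID = $owner; Process = $name; Path = $path; Signature = $sig
        }
    } | Select-Object Proto, Local, Remote, State, PID, Process, Signature, Path
}

# Group established remote peers per process and add a reverse-DNS name
# (needs network access; lookup failures are tolerated and leave Host empty).
function Get-RemotePeerSummary {
    Get-EndpointOwner | Where-Object { $_.Proto -eq 'TCP' -and $_.State -eq 'ESTABLISHED' } |
      ForEach-Object {
        $ip = $_.Remote -replace ':\d+$', ''           # strip the port (IPv4 form from netstat -n)
        if ($ip -match '^(127\.|\[::1\])') { return }  # skip loopback peers
        $rdns = ''
        try { $rdns = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }
        New-Object PSObject -Property @{ Process = $_.Process; PID = $_.PID; RemoteIP = $ip; Host = $rdns }
      } | Group-Object Process, RemoteIP | ForEach-Object {
        $first = $_.Group[0]
        New-Object PSObject -Property @{
            Process = $first.Process; RemoteIP = $first.RemoteIP; Host = $first.Host; Count = $_.Count
        }
      } | Select-Object Process, RemoteIP, Host, Count
}

# Usage: listening sockets with owning image and signature status, then remote peers per process.
Get-EndpointOwner -ListeningOnly | Sort-Object Local | Format-Table -AutoSize
Get-RemotePeerSummary | Sort-Object Process | Format-Table -AutoSize
```

Read the output with two questions in mind: does each listening port belong to a process whose image is signed and located where you expect it, and do the remote peers of a given process make sense for that program (a browser talking to a CDN on port 80/443 is ordinary; an unsigned image under a user-writable directory holding a listener is worth a closer look). A Waterfox loopback listener at the profile screen will show up here with its PID and image path, which is the fact needed to separate normal browser behaviour from something foreign.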