I am living in the 7th ring of hell right now so please bear with me as I have limited resources.
A vicious rootkit has taken over all my computers, operating as a C&C panel. It's taken over 2 weeks before I could connect to this site.
I had to buy a new computer and log on here from a safe place.
I am running a variety of unconnected network computers with different operating systems. I first noticed something strange occurring a month ago on my main computer running Windows 7 32bit Ultimate 4TB when the Google Chrome folder was spawning a host of .js files. I had just updated Google from govt.redirector.com. I noticed that the update version looked like Chrome but it was a reconfigured, butchered Chromecast program with malicious extensions. It loaded bits of .js code. I uploaded the files to reverse.it, I believe - that detected it as malicious, 10 out of 10 for dangerous.
I have Malwarebytes Anti-Malware, Anti-Ransomware and Anti-Exploit, Emsisoft, EMET 5.5, Windows Defender.
I took 3-4 minutes to search other programs for Java, .js scripts, and installers. It searched Android auto sync folders, and a navigation installer folder that had an executive privilege installer. It downloaded a bunch of Windows cab files, installers, win.iso image, Java development kit by setting up and mounting an image file of my hard drive using Macrium Reflect backup. It was acting as a hidden server domain controller to my computer. It produces an unknown account in svchost processes, audio, explorer etc. SID of S-1-5-5-0.xxx on all my files, taking over control of TrustedInstaller, Task Scheduler, audio, media, ctfmon drivers. It set up a hidden proxy server and used Internet Explorer even though I turned off Internet Explorer in Control Panel and was running Firefox with HTTPS Everywhere, uBlock, NoScript etc. It exfiltrated my entire computer system files, I believe to a third party data broker. I always run Wireshark connected to my internet activities.
I ran every scan possible but they all came up empty since it is scanning either an image file or my disk, since it is mirroring my activities, or it controls the antimalware and antivirus scanners. It hooked and took control of EMET 5.5 by presenting it with its own certificates and hooked into the kernel in 7 places with an unknown image file at ring 3 or 0. It likes .png files as I found a 109.png file in the Google folder. It has rooted all my Android phones!
It takes control over even unconnected devices, using PulseAudio at high frequency sending out bits of code. It has created a file or program called policy convertor.
Here is the strange part. I have several unconnected laptops with different operating systems. It migrated to them. I even formatted these laptops and commenced a recovery from their recovery partition; the laptops were still infected. So it operates at a level below the security scanners. I thought it may be in the boot sector. But I can take the hard drive out and battery out of the laptop and it will boot up in X: drive showing a 196G Windows drive! It will not allow me to download, install, or run any internet scans.
I thought it may be installed in the system BIOS, but a 196G drive? It loads up EMS, which I believe you can use to install Windows on a laptop that has no internet connection.
There is a Windows exploit that bypasses PowerShell and ADS and installs below the security scanner level so that you never know it's there. One IT person said it could be Meltdown? It spawns other aliases. I found files traced to Trojan Powershell/Lonit.PA, WannaMin, Peasccto.A, w32/popureb.E, NircmdB.exe file, Virut etc., so more than one malware. I have part of their code, bootup log files etc. They also take control of gpedit.msc.
I don't know if it is possible to regain control of any of my computers. I don't know how these laptops can reboot into the Windows recovery console with no hard drive or battery connected and still load a compromised Windows from a remote location? I found a newly found Android data dump with a correct Mtg file on an Ubuntu HD sitting on my shelf for 2 yrs!
I cannot produce any scans as I don't want to activate these drives, but the scans from FRT, Rogue, GMER, Kaspersky, ESET, Emsisoft, Malwarebytes, AdwCleaner, JRT etc. all are clean except for one program that disables script files and looks for worms, but it quickly got disabled. I cannot run diskpart as they disabled the A key or locked me out altogether, even though I am disconnected from the internet. I believe they are using terminal mode from a mounted SCSI device.
I just need to find out why, on one clean laptop with only basic Windows Home Premium, the recovery partition has malware, and why with the hard disk removed it can still load up a malware recovery partition from an X: drive, a 169G drive, unconnected from the internet? It may be they were using my smartphone, I don't know.
I hope you can help me on this :-)
Edited by Melanie1, 23 February 2018 - 09:06 PM.