Good afternoon, folks.
I believe that my machines are infected with one or more persistent strains of malware. I am requesting assistance for my primary machine, but posting from the secondary.
SIGNS OF INFECTION / PAYLOAD DELIVERY & PERSISTENCE:
The first sign that the latent (or new) payload had executed was an unscheduled Windows update which the system attempted but failed to apply, and then rolled back.
After the 'update', the Windows event log indicated that hundreds of URLs not signed or recognized by Microsoft had been added to the list of places from which updates were sourced. So, it seems that Windows Update is one element of payload delivery / persistence.
Further investigation indicated that WUSA.EXE had extracted one or more cab files, prompting the unauthorized updates.
Event logs indicate that DLL injection is being used to override UAC controls, as evidenced by a hook whenever MCX2PROV.EXE is called.
Finally, unexplained URL redirects / abnormalities when using the internet. For example, Google's Mail login URL on a clean system:
Google's Mail login URL on the infected system:
Issues first appeared on my secondary system around December. Chinese characters began mysteriously appearing in various event logs and registry keys, which I initially dismissed as file corruption, until I chanced upon the machine making mouse movements and running console commands on its own.
I rolled back my primary system using System Restore out of an abundance of caution, and scrubbed the secondary system of the registry entries, DLL hooks, pipes, SIDs, scheduled tasks, etc. that it needed to persist; or so I thought.
The infection(s) are back on both systems, but they have less of a hold on this system, hence posting from here.
Edited by hamluis, 21 March 2018 - 02:46 PM.
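The post above describes symptoms (unexpected update sources, cab extraction by WUSA.EXE, DLL hooks, scheduled tasks) without showing how they were observed. The following read-only triage script is an added example, not code from the original poster or from any tool mentioned in the thread. It assumes it is run from an elevated PowerShell prompt on the affected machine, and it only lists the artefacts for review; it changes nothing. Event IDs 19 and 20 are the Windows Update client's install-succeeded and install-failed events in the System log; the AppInit_DLLs and Image File Execution Options keys are two well-known places where a system-wide DLL load or process hijack can be registered.

```powershell
# Added triage example (not from the original post). Read-only.
# Assumption: run from an elevated PowerShell prompt on the affected machine.

# 1. Registered Windows Update services. A clean consumer machine normally shows
#    only Microsoft services (Windows Update, Microsoft Update, Microsoft Store).
#    Unexpected names or ServiceUrl values are what the post's "hundreds of URLs"
#    symptom would show up as.
$wuManager = New-Object -ComObject Microsoft.Update.ServiceManager
$wuManager.Services |
    Select-Object Name, ServiceID, IsDefaultAUService, IsManaged, ServiceUrl |
    Format-Table -AutoSize

# 2. Policy-based update source (WSUS). On a home machine this key is usually absent;
#    if it exists and points somewhere you did not configure, note it.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wuPolicy) {
    Get-ItemProperty $wuPolicy |
        Select-Object WUServer, WUStatusServer, UpdateServiceUrlAlternate
}

# 3. Recent Windows Update client results (19 = install succeeded, 20 = install failed).
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        Id           = 19, 20
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 4. System-wide DLL injection via AppInit_DLLs (legitimate mechanism, often abused).
#    Expect AppInit_DLLs to be empty and LoadAppInit_DLLs to be 0 on a clean system.
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
Get-ItemProperty $winKey | Select-Object AppInit_DLLs, LoadAppInit_DLLs

# 5. Image File Execution Options "Debugger" values: any image listed here runs the
#    named debugger instead of itself whenever it is launched. This is the place to
#    look for a hook tied to a specific executable name.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo | ForEach-Object {
    $debugger = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        [pscustomobject]@{ Image = $_.PSChildName; Debugger = $debugger }
    }
} | Format-Table -AutoSize

# 6. Scheduled tasks whose action runs something outside the Windows directory.
#    Built-in tasks overwhelmingly point at %SystemRoot%; anything else deserves a look.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and $action.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)') {
            [pscustomobject]@{
                Task    = $task.TaskName
                Path    = $task.TaskPath
                State   = $task.State
                Execute = $action.Execute
                Args    = $action.Arguments
            }
        }
    }
} | Format-Table -AutoSize
```

Run each section and paste the output into the thread rather than acting on it; the goal at this stage is to capture the update-source list, any injection registrations and the non-Windows scheduled tasks before further cleanup changes them. Redirect the whole script to a file (`.\triage.ps1 | Out-File triage.txt`) if the output is long.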