Post Malware

26 Jun 2011
#1
Hi all!
I have just spent more than a month trying to clean my PC of a "remote" exploit. I realize now that it was on my system for more than 7-9 months. It affected two desktops and three laptops (apparently due to a weak password).
The reason I am here posting is that most or all scanner engines I was referred to didn't find anything.
I finally think that it is resolved, as I am not seeing the activity on the network or hard drive. What really surprised me was that it repeatedly returned on a system that was a new install.
I bought a new hard drive, flashed the BIOS (new memory stick, program downloaded from the library), took out the wireless card, isolated it from the internet, formatted the drive using the install disk, installed the OS and then the antivirus (Avast free), and then connected to the internet.
I believe that there are many people that have or still have the same malware that I had. I have posted many times as "violated" and "violated 5/2011" at Microsoft's answers.microsoft.com and was given several helpful suggestions, none curing the issue.
I watched in real time the changes that occurred to my system (printer driver missing or corrupt, USB hub disabled while in use, monitor going blank, several user accounts being made with special privileges (viewed using Event Viewer and Resource Monitor)) and had my password changed while I was using antimalware software to try to find or remove it. I was never able to identify the source of the malware, only hopefully remove it.
I am now wondering if there is a way to verify that my system is clean. Is a program like "OTL" OK to look for suspect items on a 64-bit OS, or can someone list what they would do at this point in time?
Thank you for your time.
PS I have taken pictures of some of the items I identified, but me being only a novice (not knowing what to look for), some are more than likely normal processes. I know some are not!
My System Specs: System Manufacturer/Model Number: self build; OS: Win 7 Ult. x64; CPU: i5; Motherboard: MSI P55-GD65; Memory: 4GB DDR3; Graphics Card: ATI Radeon 5750; Sound Card: on board; Monitor(s)/Displays: Dell UltraSharp 2410; Screen Resolution: 1920 x 1200; Keyboard: USB; Mouse: USB; PSU: Intek 650W; Case: Thermaltake Xaser 6; Hard Drives: Seagate 1TB; Internet Speed: broadband
28 Jun 2011
#2 | Windows 7 Ultimate SP1 (x64) | South Australia
Hi,
Can you give more details about the malware you are referring to? What software did you use to try and clean your system?
Regards,
Golden
My System Specs: Computer type: PC/Desktop; System Manufacturer/Model Number: Golden Mk. I.3; OS: Windows 7 Ultimate SP1 (x64); CPU: Intel i7 860 @ 2.80 GHz; Motherboard: Gigabyte P55A-UD3R Rev.1, Award BIOS F13; Memory: 16GB Corsair Vengeance DDR3 @ 661 MHz Dual Channel (9-9-9-24); Graphics Card: EVGA NVidia GTX 560 1024MB; Sound Card: Realtek Integrated; Monitor(s)/Displays: Dual Samsung SyncMaster 2494HS; Screen Resolution: 1920*1080 and 1920*1080; Keyboard: Logitech G110; Mouse: Logitech MX518; PSU: Thermaltake ToughPower QFan 750W; Case: Thermaltake Element S VK60001W2Z; Cooling: Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans; Hard Drives: 1*OCZ Vertex 2 60GB SSD, 2*Samsung F3 SpinPoint 1TB in RAID0, 3*Samsung F1 SpinPoint 1TB in RAID5, 1*Western Digital 500GB External USB 3.0, 1*Seagate 500GB External USB 2.0; Internet Speed: Not fast enough!!!; Antivirus: MSE and Malwarebytes Pro; Browser: Chrome Version 25; Other Info: Laptop: ASUS X54C, Intel Core i3-2330M @ 2.0GHz, 4GB RAM, Intel HD on-board graphics, Windows 7 Professional SP1 (x64), LinuxMint 14 (x64), PepperMint 3 (x86)
28 Jun 2011
#3 | Windows 7 Pro-x64 | South Texas
Definitely sounds like remote access malware. Probably why it didn't show up with scanners. The service for it might be named as a Windows service. One thing you might make sure is disabled is Remote Desktop. Also make sure Windows Firewall is turned on.
My System Specs: Computer type: PC/Desktop; System Manufacturer/Model Number: Built 2/11/2011; OS: Windows 7 Pro-x64; CPU: i7-2600 3.4GHz - 3.8GHz Turbo; Motherboard: Intel DH67BL-B3; Memory: 8GB - 2x4GB, Mushkin 991770 PC3-1333; Graphics Card: Integrated Intel HD 2000; Sound Card: Integrated Intel 10.1 HD, RealTek ALC892; Monitor(s)/Displays: Asus LCD VH222H, Haier HL24XSL2a; Screen Resolution: 1920x1080, 1920x1080; Keyboard: Logitech EX100 Wireless; Mouse: Logitech EX100 Wireless; PSU: Seasonic 650W 80+ Gold Modular; Case: Rosewill Defender; Cooling: Stock CPU, four 120mm case fans, PCH fan added; Hard Drives: Crucial C300-128GB, Western Digital WD5002AALX - 500GB, Western Digital WD7501AALS - 750GB; Internet Speed: 2.5/1.5 Mbs; Antivirus: Microsoft Security Essentials; Browser: Microsoft Internet Explorer 10; Other Info: Antec Veris Premier-Multimedia IR Station, Cyber Acoustics 3602 Speakers, AFT XM-5U Card Reader, Hauppauge TV-HVR-2250, Sony LX300 USB Turntable
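The two settings named in #3 (Remote Desktop off, Windows Firewall on) and the symptoms the original poster describes in #1 (new accounts with special privileges, a changed password) can all be checked from one read-only PowerShell script. The script below is an added example written for this thread, not code posted by anyone in it; it assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt (the Security log is not readable otherwise), and uses only the registry key, netsh command, ADSI provider and Security event IDs that exist on that platform. It changes nothing, it only reports.

```powershell
# Added example: read-only post-reinstall checklist for Windows 7.
# Assumes an elevated PowerShell 2.0+ prompt. Nothing here modifies the system.

function Get-RemoteDesktopState {
    # fDenyTSConnections = 1 means Remote Desktop is disabled, which is the
    # setting #3 recommends; 0 means inbound RDP is allowed.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $value = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    if ($value -eq 1) { 'Remote Desktop: disabled' } else { 'Remote Desktop: ENABLED - review' }
}

function Get-FirewallState {
    # Windows 7 has no Get-NetFirewallProfile cmdlet, so ask netsh and keep
    # only the profile headings and their State lines (expect "ON" for each).
    netsh advfirewall show allprofiles | Select-String -Pattern 'Profile Settings|^State'
}

function Get-LocalAdministrators {
    # Enumerate members of the local Administrators group through the ADSI
    # WinNT provider (Get-LocalGroupMember does not exist on Windows 7).
    # Any account you did not create yourself is worth investigating.
    $group = [ADSI]'WinNT://./Administrators,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-AccountChangeEvents {
    param([int]$Days = 30)
    # Security log event IDs: 4720 user account created, 4724 password reset
    # by another account, 4732 member added to a local security group
    # (e.g. Administrators), 4738 user account changed. These only appear
    # if Account Management auditing is enabled.
    $filter = @{
        LogName   = 'Security'
        Id        = 4720, 4724, 4732, 4738
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent raises an error, not an empty result,
    # when no events match the filter.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r`n")[0] } }
}

Get-RemoteDesktopState
Get-FirewallState
'Local Administrators members:'
Get-LocalAdministrators
'Account and group changes in the last 30 days:'
Get-AccountChangeEvents | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. First, a clean install has a known baseline: Administrators should contain only the built-in Administrator (disabled by default on Windows 7) and the account created at setup, and the Security log should show no 4720/4732 events you did not cause yourself; anything beyond that is the place to start looking. Second, these checks run inside the operating system being questioned, so a kernel-level rootkit could in principle hide from them; they are a quick sanity check after a rebuild, not proof of a clean machine, which is the same point #8 makes about there being no be-all-end-all verification program.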
29 Jun 2011
#4
Re-install #30! It is amazing the effort spent trying to get a clean system.
Is it possible that someone can help me verify that the install I now have is not exploited in some way, as I am almost to the point of trying a Mac or giving up.
In this day and age, is the reason that the system is always compromised due to having to connect to the internet and update? Is it then that the malware comes back knowing the MAC address of all of my hardware?
Please respond with any steps that could help to make sure that I am using a system that is not now compromised.
Thanks in advance
System: MSI main board P55-GD65 with an Intel i5 processor, 2 - 2 gig DDR3 RAM, Win 7 Ult x64, all updates (trying Ult. instead of Pro x64), Seagate st310000528as (firmware cc46), ATI Radeon 5750 (1meg DDR3), Kaspersky 2011 antivirus retail edition installed; scanned system, including all vulnerability and browser config issues, and corrected prior to install of OS and updates.
To answer your question, I have used SuperAntiMalware, Malwarebytes, Microsoft Safety Scanner and Microsoft Security Essentials, direct scans from Norton, AVG, Dell, Kaspersky, and one website suggested a program called "Emsisoft Anti-Malware" which I used in my last install (Win 7 Pro x64). Using a CD to copy some scanners, that program found an issue that said a program was a "hidden install", just from putting the CD in, prior to selecting any programs from the disk. I did quarantine it and send it to that particular company for analysis. Here is a copy of the screen shot... see attached! Also note that it is in the process of changing!!!
I notice that any time I put a CD or DVD into the drive, it always lists an item to be written to disk, "desktop.ini", and I can delete it, but if I try to drag it to my desktop it disappears. Is this normal? I don't know why this file always tries to go to the CD or DVD. Is it possible that it also "silently" is writing to flash drives' "HPA" areas, as I have purchased two new ones and am now wondering if they are compromised as well. I have read that some of the malware can write itself to that particular area and then transfer itself to other machines......
+++ Kaspersky just notified that it quarantined a "high" unknown threat and now I cannot send it to them as I don't have an email program associated to perform the requested send action +++
Help with this also please?
Any more questions or any suggestions would be greatly appreciated!
29 Jun 2011
#5 | Win 7 Pro 64-bit | South Central Texas
There was an earlier thread on a new rootkit infection that hoses the master boot record. Microsoft suggests fixing the MBR and then restoring the machine to a pre-infected state. Don't know if this is what you're experiencing, but maybe the MBR needs to be repaired. Rootkit Infection Requires Windows Reinstall, Says Microsoft
My System Specs: Computer type: Laptop; System Manufacturer/Model Number: Sony Vaio VPCEB47GM Laptop; OS: Win 7 Pro 64-bit; CPU: Intel i5 2.4 GHz; Memory: 8GB DDR3; Graphics Card: Intel HD 3000; Sound Card: IDT High Definition; Monitor(s)/Displays: 15.6 WGXA Anti-Glare LED; Screen Resolution: 1280x800; Hard Drives: 640GB 7200rpm; Antivirus: MSE; Browser: Opera (primary) with IE9 backup
29 Jun 2011
#6 | Windows 7 Professional x64
Also, did you scan in safe mode? Try Malwarebytes + MSE in conjunction with safe mode; it boots Windows with as few services as possible running, so you can generally get the little blighters that hide well!
Cheers,
Tom
My System Specs: System Manufacturer/Model Number: Me; OS: Windows 7 Professional x64; CPU: Core i5-2500K; Motherboard: PH67A-UD3-B3; Memory: Patriot 8GB DDR3; Graphics Card: Powercolor HD 5750 1GB; Sound Card: Integrated; Monitor(s)/Displays: 24"; Screen Resolution: 1650 x 1050; Keyboard: Microsoft Wireless Desktop 3000; Mouse: Microsoft Wireless Laser Mouse 5000; PSU: 650W; Case: Coolermaster Elite 330; Cooling: x5 Fans!; Hard Drives: 60GB OCZ Vertex 2, 250GB Caviar (Spare/Backup Drive), 4TB in my WHS :); Internet Speed: Crap!
29 Jun 2011
#7
Little "bleep bleeps". I have tried all avenues that have been sent my way from 6+ sites.
I have asked the manufacturer of the hard drives if they are aware of the ability of malware infecting the HPA area of hard drives, as nobody has given an answer other than some websites saying it is a real possibility.
Did anyone look at the screen shot that I uploaded? Is it normal to locate a file that is in the process of changing? (Look at the highlighted line.)
I would like someone to suggest a program for use, and possibly someone in the know to look at it and tell me what your opinion is of that file's report. I understand that most programs dealing with this are for a 32-bit OS, but apparently some experts are able to digest the logs or files on a 64-bit system.
Is this a possibility on this site?
Thanks for the replies!!!
29 Jun 2011
#8
I don't think this user has something in their MBR, as they have purchased a new hard drive and reinstalled the operating system on the box.
With regards to the repeated return on a new install, it makes me think a couple of things:
#1). Are you using a legit copy of the OS itself? I've seen crap like this on hacked/preactivated copies of the OS. I simply cannot trust a leak or a cracked version, as I don't know what might have been mangled along the way.
#2). You have a software package downloaded that you are eventually installing which has been compromised and is introducing the problem to your machine.
#3). You have a machine on your local network that is causing damage to a newly installed machine by connecting to it via the network and injecting bad stuff. I'd keep the new install in a different workgroup and with different passwords than any other machine on your network.
With respect to a be-all-end-all program that could verify you were 100% safe... there isn't one that I know of. If there was, it's what we all would be using.
My System Specs: System Manufacturer/Model Number: Self-Built in July 2009; OS: Windows 7 Ultimate x64; CPU: Intel Q9550 2.83GHz OC'd to 3.40GHz; Motherboard: Gigabyte GA-EP45-UD3R rev. 1.1, F12 BIOS; Memory: 8GB G.Skill PI DDR2-800, 4-4-4-12 timings; Graphics Card: EVGA 1280MB Nvidia GeForce GTX570; Sound Card: Realtek ALC899A 8 channel onboard audio; Monitor(s)/Displays: 23" Acer X233H; Screen Resolution: 1920x1080; Keyboard: ABS M1 Mechanical; Mouse: Logitech G9 Laser Mouse; PSU: Corsair 620HX modular; Case: Antec P182; Cooling: stock; Hard Drives: Intel X25-M 80GB Gen 2 SSD, Western Digital 1TB Caviar Black, 32MB cache, WD1001FALS; Internet Speed: 15/2 cable modem; Other Info: Windows and Linux enthusiast. Logitech G35 Headset.
29 Jun 2011
#9
Any comment on the screen shot posted?
I agree with your posting trailer. I have used PC computers since the Apple II-e days! I am not a programmer or a tech or geek! I am an end user and am at a loss as to how now to proceed.
With this last install, should I now do a scan and post the log?
I have used Ubuntu from CD to access the internet for the latest drivers, but think even this is not safe or trustworthy on my network, i.e. going to other locations with new hardware and getting the drivers and programs to check or install on my re-install.
As far as the copy of Win 7, I had purchased the Windows 7 Pro edition from Fry's with hardware for a new build. The Win 7 Ult. I had purchased with a laptop that is not running (due to malware changing my passwords and corrupting my system, not allowing a restore or image to work). Both are legit copies of Windows 7 with valid product keys. They have both been registered and confirmed with MS (i.e. genuine certificate on the System page in Windows). As far as other machines, I have all other machines disconnected or batteries pulled, and now am connecting directly to the modem via Cat5e cable, disconnecting when I am not using the network to access the internet!
Still no response to the screen shot, or help with a program to check my current install?
Last edited by ScreamingEagle; 29 Jun 2011 at 10:26 AM. Reason: updated info
29 Jun 2011
#10 | Windows 7 Ultimate 32bit SP1
Looks like malware to me... have you reset your router and password?
My System Specs: System Manufacturer/Model Number: Bruce... somewhere in his 40's; OS: Windows 7 Ultimate 32bit SP1; CPU: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz; Motherboard: INTEL/D975XBX2; Memory: 4 GB; Graphics Card: ATI Radeon HD 2600 Pro; Monitor(s)/Displays: Samsung SyncMaster 914v; Screen Resolution: 1280 x 1024; Keyboard: Standard PS/2 Keyboard; Mouse: Microsoft PS/2 Mouse; PSU: Rocketfish 700 W; Case: G.Skill Gigabyte Chassis; Hard Drives: 2/500GB each... ST3500630AS ATA Device, one is not connected; Internet Speed: DSL; Antivirus: Avira Internet Security; Browser: IE 9; Other Info: ATI HDMI Audio