Fresh reinstall, unknown users added w/ NT Authority


  1. Posts : 5
    Windows 7 64b home
       #1

    Fresh reinstall, unknown users added w/ NT Authority


    I am completely at my wits' end. I have been battling some hellish malware for months now. I have done just about everything I can think of, from using crazy passwords, changing the obvious settings prone to weakness, unchecking Remote access, disabling the built-in admin, disabling shares, strict firewall settings, different firewalls, different AV software, anti-spyware, just about everything really. I have used about every advanced malware discovery tool out there to no avail, from tdsskiller, combofix, Reanimator, aswMBR, etc. All come up blank.

    The obvious normal signs of something being infected are there. Sudden dropping of firewall, suddenly being denied access to areas, finding services running that should be disabled, noting my av software isn't working properly. Lots of instances of svchost running, far more than reasonable, with the wrong PID, access level. Auditing in cmd environment and seeing unknown open ports, foreign addresses, not accountable to any legitimate service, etc.

    To make matters worse, when I actively try to make changes preventing access, I find my own account changed, anything from my search function disabled to all admin tools (mmc) locked out. Piling on, this infection is not only nasty, it's aggressive, it won't hesitate to actually remove my account from all groups, basically locking me out of my own computer. Add to this a particular intelligence, and it's any computer user's worst nightmare.

    When I tried to limit services, the next time I would log on, the service would be active again, yet I now had no permission level to make any changes. Same thing with the registry, I tried to lock down branches, and it has taken ownership and denied me all access. It goes on like that for about everything I do. Reset folder permissions with icacls, now I get access denied if I try to use it.

    The cherry on top was when I found, after disabling my wireless adapters, a newly fashioned 'wireless shell' was added into the very BIOS. Talk about feeling invaded.

    The sad thing is, I can't produce a report showing any one infection of any kind, so even through exhaustive research with a tech at Bleeping Computer, he just thinks I'm a nut, and seeing things. I have pulled my event logs, but I think I've entered a technical area beyond his skill level.

    Here is the very latest. I have reformatted and reinstalled at least 5 times in the last week alone, from 3 different Windows 7 CDs: the factory one that came with the laptop, and OEM full installs of Win7 Home Pro with and without SP1. Each time yields the same results, registry keys/branches locked to me, services also locked to me. Unable to control firewall, edit tasks, etc. While trying to defend against/prevent/recover from any of these, I have had my account disabled, booted from the OS, an orphan user with no rights.

    To me, the most significant thing is during install, about 75% through, I see a message that System is Updating Registry, and when I am finally able to log in, there are already 100-200 security events, and I believe they are the root cause, so to speak.

    What takes place is a smash-through of users/groups. Special logons are created with SeImpersonate, SeTakeOwnership, etc. What happens is, even before I assign a user name, my newly assigned SID is used as basically a template. They impersonate my account, assign privileges to a new Special Logon, assign this new user to all groups, from Admin and Guest to Event Log Readers, IIS_IUSRS, etc., basically every group in the system. They first allow the Special Logons by granting NULL SID full privileges, then use this as an open door to bring in more users. Once this is done, they lower the in-house group privileges which I can access, so I never have equal or more authority. If I 'cross some line', like trying to take ownership away, boom, I am gone, account disabled.

    Special Audit policies are put in place to monitor Logon/off, access to anything remotely core to system, and the final master stroke, auditing system time, which would signify possible reinstall, and I'm sure measures are taken. In fact, this virus or whatever, gonna name it Evil in 1's&0's.

    It has also managed to maintain presence on system through HDD replacement, system board replacement, factory reinstall of software during ASUS RMA, and as I have noted above, more reinstalls in the past few months than I had done in my life previously. It has also successfully masked itself through some of the most extensive anti-malware projects. I know I've dinged it from time to time, as I sometimes get back some access, but it is always short lived, and there's always a price to pay, usually in making the system useless.

    I know it uses key loggers, recorders, it has PnP driver redundancies galore, and won't hesitate to activate components on its own, silently of course. I think it's one of the more unique things about this bug, it doesn't mind if it puts me, the real owner, in a position where all I can do is reinstall, maybe it likes a tidy house, and knows I will be reopening the doors at some point. At the same time, it's never truly destructive, it could easily frag my components, heck, it could easily burn out the CPU if it wanted to, as I have seen it throttle up the CPU and it has sensor control... But it doesn't do any of this.

    This thing almost feels personal, but I haven't made an enemy of any sort in years and years, and I am not even close to any kind of financial target, trust me... There have been seemingly interactive battles as well. I have been left reg keys on my desktop with messages like, 'do you like my style', but I don't know if that is just coded in advance.

    It also opens my ports to the world, I can't close them, and even though I have physically removed my wireless card and left Ethernet out, it has somehow managed to internally MacGyver something out of (guessing here) onboard wifi or Bluetooth, not a clue myself, but when I can ping yahoo with no connection I'm familiar with, you can't argue with that.

    So, I guess what I come down to is this, there is an obvious vulnerability with group membership, as well as the install process itself, as it's making entries while the install is still taking place. Unfortunately, I don't know anything about these, had never even seen SeLoadDriverPrivilege, and did not know the highest level of authority, root, was accessible to anything non-system.

    One thing to note, I'm no slouch with IT, MCP, A+, C+, but have been out of the field for 8 years or so, a lifetime in IT. Still, having had a crash course in the past few months, I've made myself a lot more aware again, so here is what I 'think' I need, and that is at least equal footing with this monster.

    If it can grant itself root/kernel authority, then I certainly should be able to as well. If it can pre-load items during a fresh install, then I should be able to as well. Unfortunately, I don't know how, so I hope some of you kind folk can assist someone in desperate straits.

    If you have any ideas at all, if maybe these behaviors fit a certain malware pattern, or you can help me mitigate or counter these user/group events, well, at this point it's all I want for X-mas to defeat this thing and clean my machine once and for all.

    Thanks for taking the time, and though I'm on iPhone atm, not liking plugging in my Ethernet cable and welcoming all the black hats in the front door, I'll try to attach the initial event log so you can see exactly what's happening.

    Thanks again, Dave.
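The post above describes Special Logon entries, accounts being created and added to groups, and accounts being disabled, all of which leave standard entries in the Windows Security log. The script below is an added example, not code from this thread or from any of the posters. It summarises those entries (event IDs 4672, 4720, 4732 and 4725, which are the standard Windows IDs for those actions) into one row per event with the subject account, the target account and the time, and it lists current local group membership through ADSI so the two can be compared. The sample events embedded at the bottom are constructed, not taken from the poster's log; the account and computer names in them are placeholders.

```powershell
# Added example (not from the thread). Summarises the Security-log events behind
# the behaviour described in the post so each entry can be tied to a subject
# account, a target account and a time. Standard Windows Security event IDs:
#   4672  Special privileges assigned to new logon
#   4720  A user account was created
#   4732  A member was added to a security-enabled local group
#   4725  A user account was disabled
# Property indexes follow each event's EventData template (Properties[n].Value).

function Get-SecurityEventSummary {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $p = $Record.Properties
        $row = switch ($Record.Id) {
            4672 { @{ Subject = $p[1].Value; Target = '-'
                      Detail  = 'special privileges: ' + ($p[4].Value -replace '\s+', ' ') } }
            4720 { @{ Subject = $p[4].Value; Target = $p[0].Value; Detail = 'account created' } }
            # 4732 usually carries '-' as MemberName and the real identity in MemberSid.
            4732 { @{ Subject = $p[6].Value; Target = $p[1].Value
                      Detail  = 'added to local group ' + $p[2].Value } }
            4725 { @{ Subject = $p[4].Value; Target = $p[0].Value; Detail = 'account disabled' } }
            default { $null }
        }
        if ($row) {
            $row.Time = $Record.TimeCreated
            $row.Id   = $Record.Id
            New-Object PSObject -Property $row | Select-Object Time, Id, Subject, Target, Detail
        }
    }
}

function Get-LiveSecurityEventSummary {
    # Reads the real Security log; needs an elevated prompt. Get-WinEvent exists on Windows 7.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672, 4720, 4732, 4725 } -ErrorAction Stop |
        Get-SecurityEventSummary
}

function Get-LocalGroupMembership {
    # Enumerates every local group and its members through ADSI, which works on
    # Windows 7 (Get-LocalGroupMember only exists on newer Windows versions).
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($group in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'group' })) {
        foreach ($member in $group.psbase.Invoke('Members')) {
            New-Object PSObject -Property @{
                Group  = [string]$group.Name
                Member = $member.GetType().InvokeMember('Name', 'GetProperty', $null, $member, $null)
            } | Select-Object Group, Member
        }
    }
}

# Constructed sample events (placeholders, not the poster's log). Their shape
# matches what Get-WinEvent returns: .Id, .TimeCreated and .Properties[n].Value.
function New-SampleEvent([int]$Id, [string]$Time, [string[]]$Values) {
    New-Object PSObject -Property @{
        Id = $Id; TimeCreated = [datetime]$Time
        Properties = @($Values | ForEach-Object { @{ Value = $_ } })
    }
}
$sampleEvents = @(
    (New-SampleEvent 4672 '2012-12-20 10:01:00' @('S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7',
        "SeAssignPrimaryTokenPrivilege`n`t`t`tSeTcbPrivilege`n`t`t`tSeImpersonatePrivilege")),
    (New-SampleEvent 4720 '2012-12-20 10:05:00' @('newuser', 'WIN7-PC', 'S-1-5-21-1-2-3-1001',
        'S-1-5-21-1-2-3-1000', 'owner', 'WIN7-PC', '0x1a2b3', '-')),
    (New-SampleEvent 4732 '2012-12-20 10:05:01' @('-', 'S-1-5-21-1-2-3-1001', 'Administrators', 'Builtin',
        'S-1-5-32-544', 'S-1-5-21-1-2-3-1000', 'owner', 'WIN7-PC', '0x1a2b3', '-')),
    (New-SampleEvent 4725 '2012-12-20 11:30:00' @('owner', 'WIN7-PC', 'S-1-5-21-1-2-3-1000',
        'S-1-5-21-1-2-3-1001', 'newuser', 'WIN7-PC', '0x2c4d5'))
)

$sampleEvents | Get-SecurityEventSummary | Sort-Object Time | Format-Table -AutoSize
# On the affected machine, replace the last line with:
#   Get-LiveSecurityEventSummary | Sort-Object Time | Format-Table -AutoSize
#   Get-LocalGroupMembership | Sort-Object Group | Format-Table -AutoSize
```

The summary is more useful than scrolling the raw log because each row names who performed the change (Subject) and on whom (Target): a 4720 followed a second later by a 4732 from the same subject shows an account being created and placed into a group in one step, and the subject of a 4725 shows which account disabled another. Comparing the 4732 rows against the current group listing shows whether the memberships recorded in the log are still in place.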


  2. Posts : 5
    Windows 7 64b home
    Thread Starter
       #2

    Here is a text copy of the event log.


  3. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #3

    The sad thing is, I can't produce a report showing any 1 infection of any kind, so even through exhaustive research with tech at Bleeping Computer, he just thinks I'm a nut, and seeing things. I have pulled my event logs, but I think I've entered a technical area beyond his skill level.
    It may help if you would provide a link to your topic at Bleeping Computer. You don't appear to be registered there under the same nickname.


  4. Posts : 5
    Windows 7 64b home
    Thread Starter
       #4

    Hi Corrine. Here is the thread. I am ZDave there, and M0le is the tech who was helping, sort of, until his last post a short while ago. Full details are laid out.

    Seriously Infested Computer - Very Cautious

    The latest is I purchased the Kaspersky PURE Internet suite at a brick and mortar store today so I had security on board. The same things I mentioned above happened again, and while KASP was completing install, it was shut down, and when I went to log back on, all passwords for my accounts were suddenly disabled.

    The final thought from my helper is, it's all in my head, and I'm barking up the wrong tree. Since aswMBR did not flag malware, he deems me all clean. He actually states that, 'but otherwise, your machine is running well, right?'

    OMG, I feel like I entered the Twilight Zone. Here is the full rundown of the latest install episode. Let me know if you think my computer is 'running well otherwise':

    ------------------------------------

    Diskpart Clear All
    (0'd out entire drive)
    Install from Factory Disk
    Disabled all remote services, services, progs through firewall, etc.
    Installed a few necessary drivers with windows firewall set to Block All, both in and out
    After 1st driver restart, more services blocked.
    (same issues at start up, accounts being added, rule reg keys denied)
    No need to wait...
    I purchased hard copy of Kaspersky Pure Total Security 2012, one of highest rated suites available.
    Threw in install disk, plugged in Ethernet, the program was up and running in about 3-4 minutes.

    Immediately, all the stinking Windows services are added with full trust for KASP, I saw right away, manually placed them all into untrusted high threat, there were so many accessing the Internet it was nuts, at least 20 at once...

    Once I adjusted trust level, stopped traffic for most part, though I could see IE itself spoofed a few times, nothing I could do about it. As soon as database was updated and prog authenticated, pulled the plug on ether.

    KASP updated itself, ran initial scan, found nothing. Of course, how could it when all file attributes are completely rewritten to the same date, etc., perfectly mimicking normal Windows files.

    KASP was either ready to restart on its own, or was sent a shut-down command from the system, it has done this with Trend Micro in the past.

    Restart, but it stalled, (as usual), could not get to logon screen.

    Restart, get to logon, my passwords are all incorrect, can't log on with any of my accounts.

    Booted to safe mode, my User logon was still password denied, but I was able to get in with first account, admin level.

    Tried to run KASP again, but it won't run in safe mode.

    Just for increased chance of getting in, added a new account, admin level.

    Rebooted to normal startup, all three accounts now password disabled.

    Booted into safe mode, same thing, total lockout.

    Tried to repair/restore, both failed. The only thing I seemingly have left to do is reformat, reinstall.

    Total bust.

    Anytime a threat to whatever this is is detected, it's either neutralized or if it can't be, the system just boots all accounts, game over.


    M0le, how can you fight something that inserts before any logical point, replaces all attributes exactly as they were from the original install, and uses mimic accounts of actual accounts, mine, to make changes?

    KASP didn't seem to stand a chance. Maybe it was close to detecting something, likely given the system response, and is killed on the spot.

    This bug has kernel authority, it can over-ride basically anything it wants, if not immediately, then shortly after or at next restart.

    Since I zeroed out all sectors of the drive (unless even that function is not to be trusted...), I am left with 2 possibilities in my mind.

    1. It's residing in the BIOS. I wrote a while back that I found a wireless adapter shell added to the boot sequence, which leaves little doubt in my mind, as I certainly didn't do it, and it's totally nonstandard for Award BIOS. It had to be dropped in by malware. This means it's in the system before the kernel even initializes, and again can do whatever it pleases.

    2. Far scarier, though much less likely, it's embedded itself into the firmware of one of my components, and I don't even want to think about that.

    I'm out of ideas...

    ------------------------------------

    So having my accounts disabled, services and reg keys locked, etc., etc. is any kind of normal behavior? I'm done with him, if it's not smacking him across the head and yelling its name, it can't exist. I had this computer working without issue for 8 months, then this all starts happening, I must be imagining things...

    Half the fun of setting up a fresh install is customizing and ensuring a good security plan is in place. I can't even access the Favorites key in explorer to limit the clutter, no permission to make changes, absolutely ridiculous.

    If you have any ideas, I'm all ears. Thanks, hope you have a great night.

    Dave


  5. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #5

    Hi, Dave.

    First, m0le is a respected member of the security community and an Instructor at the Bleeping Computer "Study Hall", providing malware removal training. I am not going to attempt to duplicate his help, which would further complicate things (see "Third" below).

    Second, what happened to the requested logs? They are not posted as requested in the instructions.

    Third, even though m0le specifically instructed, "Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible." you repeatedly ignored those instructions.
    The program that seems to really be able to identify and see through this mess is Reanimator, illustrating how thoroughly I've been infected. KBDUS.dll is a major one, ...
    Sorry, I would trust m0le 100% over a remote analysis from RegRun Reanimator.

    KBDUS.dll was a major infection determined by Reanimator? Do you know what KBDUS.dll is? From ProcessLibrary:

    kbdus.dll library file contains functions for the US keyboard layout. kbdus.dll is a system process that is needed for your Windows system to work properly. It should not be removed.

    This process is considered safe. It is unlikely to pose any harm to your system.

    Since kbdus.dll is a system process it should not be stopped. The process is required for Windows to work properly.
    If you allowed changes to your system suggested by Reanimator, it is no wonder you are having problems.

    You also said, "I noticed I copied in a system image restore" which would account for ComboFix going nuts, as you reported, and as m0le replied:
    Okay, these are my thoughts.

    I have seen nothing in any of the logs that tell me there is anything untoward.

    You are comparing an old FAT-partition install to your current NTFS install, which would remove quite a lot of access that you previously had which may explain some of the odd permission issues you are experiencing.
    Finally, my advice is to follow the instructions provided by m0le in post #38. If you are still not happy, your other option is to take the computer to a tech shop and let them do a complete format/reinstall.
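Two of the points in the reply above can be checked locally rather than argued about: whether kbdus.dll on the machine is the protected Windows copy, and which NTFS permission entries on a folder actually apply to the account that is logged on (the difference between a FAT install, which has no per-file permissions at all, and an NTFS one). The script below is an added example, not code from this thread or from the posters. It uses sfc's per-file verification, because on Windows 7 system DLLs are catalog-signed and Get-AuthenticodeSignature alone reports them as NotSigned, and it matches each access-control entry on a folder against the current user's own SID and group SIDs. The Favorites folder path is an assumed example taken from the earlier post; sfc needs an elevated prompt.

```powershell
# Added example (not from the thread). Two local checks for Windows 7:
#  1. Test-ProtectedFile: is a system DLL still the Windows-protected copy?
#     Uses "sfc /verifyfile", which compares against the component store and
#     does not replace anything. Windows 7 system files are catalog-signed, so
#     Get-AuthenticodeSignature would report them as NotSigned even when fine.
#  2. Get-EffectiveAces: which ACEs on a folder apply to the current account,
#     by matching each ACE's SID against the user's own SID and group SIDs.

function Test-ProtectedFile {
    param([string]$Path = "$env:SystemRoot\System32\kbdus.dll")
    if (-not (Test-Path $Path)) { return "missing: $Path" }
    # sfc writes UTF-16 output; when captured by PowerShell it arrives with NUL
    # bytes between characters, so strip them before matching the text.
    $text = ((& "$env:SystemRoot\System32\sfc.exe" /verifyfile=$Path 2>&1) | Out-String) -replace "`0", ''
    if ($text -match 'did not find any integrity violations') {
        return "ok: $Path matches the protected copy"
    }
    if ($text -match 'could not perform the requested operation') {
        return "sfc could not run; start PowerShell as administrator and retry"
    }
    return "check: sfc reported - " + $text.Trim()
}

function Get-EffectiveAces {
    param([string]$Path = "$env:USERPROFILE\Favorites")   # assumed example folder
    $me   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $null
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { }   # unresolvable (orphaned) SIDs stay $null and never match
        New-Object PSObject -Property @{
            Identity    = [string]$ace.IdentityReference
            Type        = [string]$ace.AccessControlType    # Allow or Deny
            Rights      = [string]$ace.FileSystemRights
            Inherited   = $ace.IsInherited
            AppliesToMe = ($mine -contains $sid)
        } | Select-Object Identity, Type, Rights, Inherited, AppliesToMe
    }
}

Test-ProtectedFile
Get-EffectiveAces | Format-Table -AutoSize
```

Reading the ACE table: a Deny entry with AppliesToMe set explains an "access denied" on its own, and an Allow entry that applies only through a group the current token does not carry explains why the same folder opens for one account and not another. Entries whose Identity shows as a raw S-1-5-21... SID with no name are the orphaned SIDs a system image restored from another install leaves behind, which is the situation the reply above describes.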


  6. Posts : 5
    Windows 7 64b home
    Thread Starter
       #6

    Hi Corrine.

    Thank you a bunch for your insight. It helps to get a different perspective. It feels as if I've fallen down a rabbit hole, so to speak. Btw, the logs were deleted due to a global upload limit at the site.

    Having been the 'professional' in the past, it's very frustrating not to be able to resolve this myself. It certainly made me uncharacteristically defensive and apparently a royal pain to work with.

    I guess I need to walk away from this thing for a while, it's not doing any good to keep growing more frustrated.

    Again, thank you for looking at this and at least letting me know M0le is a person who can be trusted. There is definitely an unfortunate level of paranoia that accompanies it, and if not malware, I'm at a loss. I think that's what's really bugging me. If not malware, then what else might it be?

    Hope you have a great night.

    Regards,

    Dave


  7. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #7

    You're welcome, Dave.

