Trojan+ preinstalled in NEW device; can't kill; HD replaced no help

Researchers, I've read in the past week, are just now figuring out what many people have gone crazy over for several years now: an automated Trojan, monitored by realtime evil geniuses viewing my desktop, which Trojan hijacks the entire system and registry at the root, sets the computer up as a stack server to multicast the worst kind of "spam" - trojans, trojan downloaders, keyloggers, spyware, software that copies and replaces entire operating systems, screen readers, fake desktop images, fake system file images, fake file directories, fake registries (to let the real owner think all's well as this automated but monitored malware changes everything and takes ownership of their computer and burn out the processors once they start broadcasting through the networks they set up.

Last week I was able to get a "ThreatList" out of the powershell by a pure stroke of luck showing the names of the hundreds if not thousands of malware files they're mass-multicasting through my laptop -- scary stuff. I've also made screenshots of a lot of things that are "not normal", from the Event Logs to the Control Panel to file directories and forged Cert's of Authenticity - real evidence I've been trying to show someone who knows what it means, its significant, but I can't get anyone to listen to me, much less BELIEVE me. My son even thinks I'm losing it.

I found an old thread from one "Dave" written almost 4 years ago today, in 2011, and nobody believed him either; his story is just like mine, so rather than rewrite it, I copied Dave's post below. My current situation is virtually identical. This is an old problem that is just beginning to become acknowledged as a reality. I've found a few very recent articles that discuss this pre-installed trojan-like malware that is activated when buyers of devices turn them on and register them. In my case, it survived the factory replacing the physical Hard Drive and the Motherboard!! This thing gives new meaning to the word Persistent; it's been around no less than 4 years and nobody believed it was possible. Now people are finally acknowledging it, but my question is, HAS ANYBODY FIGURED OUT HOW TO TAKE BACK OWNERSHIP OF A PC BY ITS REAL OWNER AND KILL THIS MUTANT MALWARE THAT IS PREINSTALLED IN NEW DEVICES?...Or is this a horrifically frightening unveiling of a new One World Government (already in place covertly) and its policies? Here is Dave's letter; everything he wrote has been happening to me, and I am now about where he was when this thread left off -- barely holding the pirates at bay, but every time I make a defensive move, they ramp up their efforts and make it worse. Please, read on, and bear in mind that it's recently been discovered that this sh*t is being found preinstalled on the new devices from multiple manufacturers, so we must wonder, who is really behind this, and what is their agenda?


Fresh reinstall, unknown users added w/ NT Authority

I am completely at my wits end. I have been battling some hellish malware for months now. I have done just about everything I can think of, from using crazy passwords, changing the obvious settings prone to weakness, uncheck Remote access, disable built in admin, disabling shares, strict firewall settings, different firewalls, different AV software, just about everything really, anti-spyware. I have used about every advanced malware discovery out there to no avail, from tdsskiller, combofix, Reanimator, ansMBR, etc.. All come up blank.

The obvious normal signs of something being infected are there. Sudden dropping of firewall, suddenly being denied access to areas, finding services running that should be disabled, noting my av software isn't working properly. Lots of instances of svchost running, far more than reasonable, with the wrong PID, access level. Auditing in cmd environment and seeing unknown open ports, foreign addresses, not accountable to any legitimate service, etc.

To make matters worse, when I actively try to make changes preventing access, I find my own account changed, anything from my search function disabled to all admin tool (mmc) locked out. Piling on, this infection is not only nasty, it's aggressive, it won't hesitate to actually remove my account from all groups, basically locking me out of my own computer. Add to this a particular intelligence, and it's any computer users worst nightmare.

When I tried to limit services, the next time I would Logon, the service would be active again, yet I now had no permission level to make any changes. Same thing with the registry, I tried to lock down branches, and it has taken ownership and denied me all access. It goes on like that for about everything I do. Reset folder permissions with icacls, now I get access denied if I try to use it.

The cherry on top was when I found, after disabling my wireless adapters, a newly fashioned 'wireless shell' was added into the very BIOS. Talk about feeling invaded.

The sad thing is, I can't produce a report showing any 1 infection of any kind, so even through exhaustive research with tech at Bleeping Computer, he just thinks I'm a nut, and seeing things. I have pulled my event logs, but I think I've entered a technical area beyond his skill level.

Here is the very latest. I have reformatted and reinstalled at least 5 times in the last week alone, from 3 different windows 7 CDs. Factory that came with laptop, oem full install win7 home pro with and without SPK1. Each time yields the same results, registry keys/branches locked to me, services also locked to me. Unable to control firewall, edit tasks, etc. while trying to defend against/prevent/recover any of these, I have had my account disabled, booted from the OS, an orphan user with no rights.

To me, the most significant thing is during install, about 75% through, I see a message that System is Updating Registry, and when I am finally able to log in, there are already 100-200 security events, and I believe they are the root cause, so to speak.

What takes place is a smash through of users/groups. Special logins are created with SeImpersonate, SeTakeOwnership, etc. what happens, even before I assign a user name, my newly assigned SID is used as basically a template. They impersonate my account, assign priveledges to new Special Logon, assign this new user to all groups, from admin and guest, to EventLogReaders, IIS_IUSRS, etc. basically every group in the system. They first allow the Special Logons by granting NULL SID full privileges, then use this as an open door to bring in more users. Once this is done, they lower the in house group privileges which I can access, so I never have equal or more authority. If I 'cross some line', like trying to take ownership away, boom, I am gone, account disabled.

Special Audit policies are put in place to monitor Logon/off, access to anything remotely core to system, and the final master stroke, auditing system time, which would signify possible reinstall, and I'm sure measures are taken. In fact, this virus or whatever, gonna name it Evil in 1's&0's.

It has also managed to maintain presence on system through HDD replacement, system board replacement, factory reinstall of software during ASUS RMA, and as I have noted above, more reinstalls in the past few months than I had done in my life previously. It has also successfully masked itself through some of the most extensive anti-malware projects. I know I've dinged it from time to time, as I sometimes get back some access, but it is always short lived, and there's always a price to pay, usually in making the system useless.

I know it uses key loggers, recorders, it has PnP driver redundancies galore, and won't hesitate to activate components on its own, silently of course. I think it's one I'd the more unique things about this bug, it doesn't mind if it puts me, the real owner, in a position where all I can do is reinstall, maybe it likes a tidy house, and knows I will be reopen king the doors at some point. At the same time, it's never truly destructive, it could easily frag my components, heck, it could easily burn out the CPU if it wanted to, as u have seen it throttle up the CPU and it has sensor control... But it doesn't do any of this.

This thing almost feels personal, but I haven't made an enemy of any sort in years and years, and I am not even close to any kind if financial target, trust me... There have been seemingly interactive battles as well. I have been left reg keys on my desktop with messages like, 'do you like my style', but I don't know if ghat is just coded in advance.

It also opens my ports to the world, can't close them, and even though I have physically removed my wireless card, left Ethernet out, it has somehow managed to internally McGyver something out of (guessing here) onboard wifi or Bluetooth, not a clue myself, but when I can ping yahoo with no connection I'm familiar with, you can't argue with that.

So, I guess what I come down to is this, there is an obvious vulnerability with group membership, as well as the install process itself, as it's making entries while the install is still taking place. Unfortunately, I dong know anything about these, had never even seen SeLoadDriverPrivilege, and did not know the highest level of authority, root, was accessible to anything non-system.

One thing to note, I'm no slouch with IT, MCP, A+, C+, but have been out of the field for 8 years or so, a lifetime in IT. Still, having had a crash course in the past few months, I've made myself a lot more aware again, do here is what I 'think' I need, and that is at least equal footing with this monster.

If it can great itself root/kernel authority, then I certainly should be able to as well. If it can pre-load items during fresh install, then I should be able to as well. Unfortunately, I don't know how, so hope some of you kind folk can assist someone in desperate straights.

If you have any ideas at all, if maybe these behaviors fit a certain malware pattern, or you can help me mitigate or counter these user/group events, well, at this point it's all I want for X-mas to defeat this thing and clean my machine once and for all.

Thanks for taking the time, and though I'm in iPhone atm, not liking plugging in my Ethernet cable and welcoming all the black hats in the front door, I'll try to attach the initial event log so you can see exactly what's happening v

Thanks again, Dave.