Solved Malware installed a hidden virtual HD/OS on C: partition

[UberGoober]

I know this because I did a D-Ban wipe that left about 12 GB of the HDD unaccounted for. I forget which utility allowed me to see X: with a 12 GB VM ...I have never installed a VM or used the feature to mount a DVD, etc. My local tech said he got it off, but it was still there when I booted up with no internet cable.

-I was able to view all the folders in the bad OS, but not to open them all. Those that did open had numerous Powershell scripts, and some folder names appeared to be programs for redirection, rewriting BIOS, copying any CD/DVD you insert, taking over control of all USB functions, changing SATA HDDs to SCSI, keeping an extensive Roaming profile even though I disabled sync years ago, and tons more I can't remember.

-Although the malware shows me screens that look like I am changing settings, they revert immediately upon closing the dialogue box.

-There can be hundreds of users connected to dialup (even though I removed my phone modem card and uninstalled its drivers). Can't remember all the steps through Hades it took to get my broadband set up. I had to enter my TWC master e-mail account password, but the baddies already had it anyway.

-Regardless of the device with which, or location from which, I log onto TWC webmail, it immediately becomes infected. I bought a new laptop, and it got infected the second TWC activated my cable modem; the Remote System has rewritten its firmware. Of course, TWC no-customer-service can't help; it's not their fault for allowing a backdoor into their redirect to start with, right?

Is there any way to clean up this PC, guys?

 

[Laith]

Your best bet is to contact your ISP and let your modem firmware be re-installed.

 

[UberGoober]

Thanks, Laith.

I did call them, but it's my modem, not TWC's, and they can't (or won't) attempt a firmware fix. The password has been changed by the malware, and several attempts at factory reset have cleared nothing. I downloaded a firmware update on a clean PC, but the malware simply substitutes a Power Shell / XML copy of what it had installed before.

I realize there may be no way to fix this besides adding the expense of monthly modem rent to my bill and buying ANOTHER new PC, but it has been very educational to attempt repairs, and it might help others to continue trying.

Thanks again, Laith.

I'm open to any other suggestions!

 

[Laith]

That malware seems very scary, i would just recommend buying a new router if your ISP can't or doesn't want to fix your firmware.

 

[UberGoober]

I have to admire these accursed guys for their skill, but I hate their offal!!

A new cable modem would solve one problem, for sure, but I think the hidden XP VM on partition C: would simply reinstall everything and my $ would go down the rat hole.

Any ideas for cleaning off the VM that is "SYSTEM" for the PC? Any way to take control of it?

I've tried Darik's Boot & Nuke; Partition Wizard and PartedMagic, Paragon Adaptive Restore, Macrium Reflect free, AVG Rescue Disk (blocked from running), tried to install Ubuntu (blocked), and the recovery environment on OEM Windows 7 disk (options needed not shown or greyed-out).

By the way, this bad boy included the Help corruption mentioned here - it was done from the VM's remote server.

 

[Laith]

I'm afraid you might have to buy a new disk, if it doesn't work then the motherboard is next.

Have you tried Kaspersky Rescue disk?

 

[UberGoober]

Yep, sounds like a money hole, huh? Just a few pieces of info in case someone else might recognize a symptom and immediately stop doing anything important on his machine...

I did use Kaspersky rescue on the brand new laptop when it got infected. K Internet Security came with the bundle. I tried to install it before hooking to the cable modem, but it refused because it wanted to look up the registration I filled out at the store first. Therefore, it got installed the way the malware wanted it - no real operation, just substitute screens to make me think there was (except the scans are way too short to be real).

The Rescue disk was recognized, a copy made, new instructions written into the copy, and a hidden shortcut to the bogus copy added. Then an error box came up and I was forced to reboot, which made only the bogus copy accessible.

Through the printer service, the MW copies and sends "home" every document, e-mail, spreadsheet, etc. on all drives. That includes flash drives, optical drives, USB backup drives, and multiple hard drives and every web page you visit.

I was running a hardened Windows 7, but this MW broke my long, complicated passwords once a backdoor at TWC was exploited.

Here's an example of a bogus program, just for the curious:


Thanks so very much for your time and advice, Laith.

 

[RolandJS]

...and restoring a OS-partition full-image onto present OS-partition did not help?

 

[UsernameIssues]

There is nothing abnormal about these folders:

 

[UberGoober]

...and restoring a OS-partition full-image onto present OS-partition did not help?

Thanks for your response, Roland. Great idea! I'll see what happens and let you know.

 

[UberGoober]

There is nothing abnormal about these folders

Thanks, UI - that's good to know. Let me start another thread since this one is marked "solved".