Fresh reinstall, unknown users added w/ NT Authority
I am completely at my wits' end. I have been battling some hellish malware for months now. I have done just about everything I can think of, from using crazy passwords, changing the obvious settings prone to weakness, unchecking Remote access, disabling the built-in admin, disabling shares, strict firewall settings, different firewalls, different AV software, anti-spyware, just about everything really. I have used about every advanced malware discovery tool out there to no avail: TDSSKiller, ComboFix, Reanimator, aswMBR, etc. All come up blank.
The obvious normal signs of something being infected are there: sudden dropping of the firewall, suddenly being denied access to areas, finding services running that should be disabled, noting my AV software isn't working properly. Lots of instances of svchost running, far more than reasonable, with the wrong PID and access level. Auditing in the cmd environment and seeing unknown open ports and foreign addresses not accountable to any legitimate service, etc.
To make matters worse, when I actively try to make changes preventing access, I find my own account changed, anything from my search function disabled to all admin tools (mmc) locked out. Piling on, this infection is not only nasty, it's aggressive; it won't hesitate to actually remove my account from all groups, basically locking me out of my own computer. Add to this a particular intelligence, and it's any computer user's worst nightmare.
When I tried to limit services, the next time I would log on the service would be active again, yet I now had no permission level to make any changes. Same thing with the registry: I tried to lock down branches, and it has taken ownership and denied me all access. It goes on like that for about everything I do. Reset folder permissions with icacls, and now I get access denied if I try to use it.
The cherry on top was when I found, after disabling my wireless adapters, that a newly fashioned 'wireless shell' had been added into the very BIOS. Talk about feeling invaded.
The sad thing is, I can't produce a report showing any one infection of any kind, so even after exhaustive research with a tech at Bleeping Computer, he just thinks I'm a nut and seeing things. I have pulled my event logs, but I think I've entered a technical area beyond his skill level.
Here is the very latest. I have reformatted and reinstalled at least 5 times in the last week alone, from 3 different Windows 7 CDs: the factory one that came with the laptop, and an OEM full install of Win7 Home Pro with and without SP1. Each time yields the same results: registry keys/branches locked to me, services also locked to me, unable to control the firewall, edit tasks, etc. While trying to defend against/prevent/recover from any of these, I have had my account disabled and been booted from the OS, an orphan user with no rights.
To me, the most significant thing is that during install, about 75% through, I see a message that System is Updating Registry, and when I am finally able to log in there are already 100-200 security events, and I believe they are the root cause, so to speak.
What takes place is a smash-through of users/groups. Special logons are created with SeImpersonate, SeTakeOwnership, etc. What happens is that, even before I assign a user name, my newly assigned SID is used as basically a template. They impersonate my account, assign privileges to a new Special Logon, and assign this new user to all groups, from Administrators and Guests to Event Log Readers, IIS_IUSRS, etc., basically every group in the system. They first allow the Special Logons by granting the NULL SID full privileges, then use this as an open door to bring in more users. Once this is done, they lower the in-house group privileges which I can access, so I never have equal or more authority. If I 'cross some line', like trying to take ownership away, boom, I am gone, account disabled.
Special audit policies are put in place to monitor logon/logoff, access to anything remotely core to the system, and the final master stroke, auditing system time, which would signify a possible reinstall, and I'm sure measures are taken. In fact, this virus or whatever, I'm gonna name it Evil in 1's&0's.
It has also managed to maintain presence on the system through HDD replacement, system board replacement, factory reinstall of software during an ASUS RMA, and, as I have noted above, more reinstalls in the past few months than I had done in my life previously. It has also successfully masked itself from some of the most extensive anti-malware projects. I know I've dinged it from time to time, as I sometimes get back some access, but it is always short-lived, and there's always a price to pay, usually in making the system useless.
I know it uses keyloggers and recorders, it has PnP driver redundancies galore, and it won't hesitate to activate components on its own, silently of course. I think it's one of the more unique things about this bug: it doesn't mind if it puts me, the real owner, in a position where all I can do is reinstall. Maybe it likes a tidy house, and knows I will be reopening the doors at some point. At the same time, it's never truly destructive. It could easily frag my components, heck, it could easily burn out the CPU if it wanted to, as I have seen it throttle up the CPU and it has sensor control... But it doesn't do any of this.
This thing almost feels personal, but I haven't made an enemy of any sort in years and years, and I am not even close to any kind of financial target, trust me... There have been seemingly interactive battles as well. I have been left reg keys on my desktop with messages like 'do you like my style', but I don't know if that is just coded in advance.
It also opens my ports to the world, and I can't close them, and even though I have physically removed my wireless card and left the Ethernet out, it has somehow managed to internally MacGyver something out of (guessing here) onboard wifi or Bluetooth, not a clue myself, but when I can ping yahoo with no connection I'm familiar with, you can't argue with that.
So, I guess what it comes down to is this: there is an obvious vulnerability with group membership, as well as with the install process itself, as it's making entries while the install is still taking place. Unfortunately, I don't know anything about these, had never even seen SeLoadDriverPrivilege, and did not know the highest level of authority, root, was accessible to anything non-system.
One thing to note: I'm no slouch with IT (MCP, A+, C+), but I have been out of the field for 8 years or so, a lifetime in IT. Still, having had a crash course in the past few months, I've made myself a lot more aware again, so here is what I 'think' I need, and that is at least equal footing with this monster.
If it can grant itself root/kernel authority, then I certainly should be able to as well. If it can pre-load items during a fresh install, then I should be able to as well. Unfortunately, I don't know how, so I hope some of you kind folk can assist someone in desperate straits.
If you have any ideas at all, if maybe these behaviors fit a certain malware pattern, or you can help me mitigate or counter these user/group events, well, at this point all I want for X-mas is to defeat this thing and clean my machine once and for all.
Thanks for taking the time, and though I'm on my iPhone atm, not liking plugging in my Ethernet cable and welcoming all the black hats in the front door, I'll try to attach the initial event log so you can see exactly what's happening.
Thanks again, Dave.
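An added example, not part of Dave's post: a PowerShell script that pulls the Security-log events the post describes (4672 special privileges assigned to a new logon, 4720/4725 account created/disabled, 4728/4732/4756 member added to a group, 4616 system time changed) and lists them by actor SID and logon ID, so the "who did what to whom" can be read off rather than eyeballed in Event Viewer. Event IDs and EventData field names are the standard Windows ones; the $Hours and $SavedLog parameters and the Get-EventData helper are this script's own. It assumes an elevated PowerShell prompt (reading the Security log requires administrator rights) and PowerShell 2.0 or later, as shipped with Windows 7.

```powershell
# Added example, not from the original post. Summarise the Security-log events
# discussed above, keyed by the account that performed them.
# Usage (elevated prompt):  .\Audit-UserGroupEvents.ps1 -Hours 48
#                           .\Audit-UserGroupEvents.ps1 -SavedLog C:\logs\Security.evtx
param(
    [int]$Hours = 24,          # how far back to look (assumed parameter)
    [string]$SavedLog = $null  # optional exported .evtx instead of the live log
)

# 4616 system time changed   4672 special privileges assigned to new logon
# 4720 account created       4725 account disabled
# 4728/4732/4756 member added to global / local / universal group
$ids   = 4616, 4672, 4720, 4725, 4728, 4732, 4756
$since = (Get-Date).AddHours(-$Hours)

$filter = @{ Id = $ids; StartTime = $since }
if ($SavedLog) { $filter['Path'] = $SavedLog } else { $filter['LogName'] = 'Security' }

# Get-WinEvent throws when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { "No matching events since $since"; return }

# Read the named <Data Name="..."> fields from the event XML. Positional
# Properties[] indexes differ per event ID, so names are safer.
function Get-EventData($evt) {
    $x = [xml]$evt.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$rows = foreach ($e in $events) {
    $d = Get-EventData $e
    switch ($e.Id) {
        4672 { $what = 'special privileges granted'
               $target = ($d['PrivilegeList'] -replace '\s+', ' ') }
        4720 { $what = 'account created'
               $target = "$($d['TargetDomainName'])\$($d['TargetUserName']) ($($d['TargetSid']))" }
        4725 { $what = 'account disabled'
               $target = "$($d['TargetDomainName'])\$($d['TargetUserName']) ($($d['TargetSid']))" }
        4616 { $what = 'system time changed'
               $target = "$($d['PreviousTime']) -> $($d['NewTime']) by $($d['ProcessName'])" }
        default { $what = 'member added to group'
               $target = "$($d['MemberName']) -> $($d['TargetDomainName'])\$($d['TargetUserName'])" }
    }
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        Id       = $e.Id
        What     = $what
        Actor    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ActorSid = $d['SubjectUserSid']
        LogonId  = $d['SubjectLogonId']
        Target   = $target
    }
}

$rows | Sort-Object Time |
    Select-Object Time, Id, What, Actor, ActorSid, LogonId, Target |
    Format-Table -AutoSize -Wrap

# Which SIDs received sensitive privileges, and how often. S-1-5-18 (SYSTEM),
# S-1-5-19 (LOCAL SERVICE), S-1-5-20 (NETWORK SERVICE) and your own elevated
# logon are expected; any other SID is the one to follow up on.
"`nSpecial-privilege logons (4672) by actor SID:"
$rows | Where-Object { $_.Id -eq 4672 } | Group-Object ActorSid |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

Two things worth knowing when reading the output. Event 4672 is written for every logon that holds any sensitive privilege, which includes SYSTEM at boot and every member of Administrators at sign-in, so SeImpersonatePrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege appearing in the PrivilegeList of a 4672 is the normal shape of an administrator logon; the question the table answers is whether the actor SID is one you recognise. And the LogonId column ties each group or account change back to the 4672 of the session that made it, which is the link you need to show a third party that a change was made by something other than your own session.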