PCWorld Forums: Remote Access Services - PCWorld Forums

Remote Access Services re-infected again and again and again

#1 canuhelpme, posted 16 June 2011 - 09:17 AM

I need advice. What do I do, and/or how does a malware problem I have had for months keep returning? I noticed it 3 weeks ago and after trying to remove it, the malware changed all my passwords (two desktops, 4 laptops), all my e-mail accounts, to include accounts I created trying to get help with answers.microsoft.com asking for help with malware removal.

The malware has caused me to lose everything on all systems listed above and recovery of the data is not the issue. I have reformatted and re-installed the OS on the systems and it returns. I went to the point of "scrubbing" the drive with killdisk and it returned (even after isolation - remove wireless card, not connect cat5 cable to router). The last attempt I bought a new hard drive and installed Win 7, making partitions, formatting, deleting, several times prior to installing. The malware is evident as soon as I sign in after the basic installation. The copy of Win 7 was purchased from Fry's Electronics store at the same time I purchased a 1 TB hard drive (original) and other components for a new "build". Every computer on my network is compromised and fails to be clean even after using killdisk and turning off my router. I tried to go to a remote location and install the OS so as to not allow the malware a chance to "hack" into a local wireless signal. All attempts fail to give me a clean system. All systems have different and their own software that I tried to install. After three weeks +, 13 hrs phone support with MS, several hours at home going to forums, I am no better off. As long as I am connected to the internet, the remote access issue allows code to control my system, and after making screenshots and putting them on the desktop to print my computer has 1) locked up, 2) restored to an earlier date while I was logged on as a user without admin. priv., 3) trying to print, and I can't due to it changing the driver or ...., 4) I replaced my router with a new Netgear WNDR4000 and thought I locked it down to only allow outbound traffic initiation (apparently being infected it is he that is requesting connection to a remote host from code on my computer). Trying to alter or remove it causes my system to crash.

In safe mode on Win 7 with the new hard drive I notice a screen in the lower right corner. When I place the mouse over it and right click I get a dialog box listing two items, the bottom choice being checked and grayed out. I have digitally taken pics of some of the effects and I am now taking the system to a local college's forensic instructor, as he is very interested.

This last hard drive was installed with no other storage media in the system other than the dvd/cd drive to install OS. No flash drives, memsticks, etc were introduced to the system after install and still it is compromised.


My question now that you understand the history....

Other than the BIOS, infected install disk (doubt it, due to the same on all computers with different software), where could this malware locate itself? The next thing to replace is the mainboard.

I need some answers as to what I should do next as not one person responds with the answer and I have been violated with this re-infection over and over.

I thought that maybe someone could help with suggestions / questions as I do have a few screenshots I put on a flash drive and also numerous pics taken of the screen with my digital camera (Nikon D700 FX) (raw format) and am willing to send card, hard drive, mainboard, etc, to allow someone to figure out or isolate this as I feel it is not the typical virus/worm/trojan/.....

Any help would be appreciated and please understand that if I don't make it back here, it is due to the computer's ability to control my network connection, or I am in the process of trying another install or different hardware. Is it possible that it could store itself on the RAM of my video card or onboard audio.....

Thanks (I am currently using Firefox and was given a copy of Ubuntu 10. to use to get online. I was running it from CD (not installed) and had to finally install due to the system crashing due to malware). If I don't return that means that I either had my password hacked to my accounts again or am down with the college instructor / police....:mad: :mad: :mad:

#2 LiveBrianD, posted 16 June 2011 - 09:46 AM

So you don't have the original hard drive in the system? Wow... and it's still there?

What happens with Darik's Boot & Nuke? http://www.dban.org/
That's similar to killdisk, but recommended more it seems.

I think it's EXTREMELY unlikely that your bios would be infected. However, if you can download a copy of the bios that you apply from a bootable CD and burn it to the cd from a friend's computer that's not infected, do so. Then use that to flash the bios. You reinstalled Windows without the network connection right? And you still had malware? On second thoughts, there may be something lurking in the bios. So try reflashing it.


What does your desktop look like in safe mode? Here's what I get:
Attached Image: Windows 7 Home Premium-2011-06-16-10-39-08.png


Do you have a regular retail or OEM copy of Windows that was sealed when you bought it? Remember, pirated software can contain malware. I'm just putting that out there, not saying it's necessarily the case. You used different install discs on different computers, right?

Could you upload those pictures that you took? Note: with the full post editor, you can upload files, but only up to 750KB of them, so you'd have to resize them. A better option might be to use photobucket and post a link to the images here.


One more thing - are you using the same username and password on all computers? Make them different. By default, Windows 7 requires a username and password from the computer you want to connect to in order to transfer files. I wonder if malware might be doing that. When you try to connect to a networked computer, Windows will try to use the login credentials of the computer you're on, and if that fails, it'll prompt for them.

#3 crazy4laptops, posted 16 June 2011 - 12:26 PM

Umm, let's start with: what remote access tool, in what version of Windows?

Logmein, Teamviewer, VNC, MS Remote Desktop are the primary remote connectivity tools. Microsoft remote desktop is disabled by default in all versions of Windows....
What tool are you using to verify this mystery token?

Have you thought about getting a Mac? ;)

Please send pictures in your reply!!

#4 LincolnSpector, posted 17 June 2011 - 08:09 AM

Hi, canuhelpme, and welcome to the forums.

I agree. This doesn't sound like your typical piece of malware. A few questions:
  • What security programs were you running before the problem started?
  • What additional malware scanners have you run since then, and what did they find?
  • Who else has physical access to the computer and the network? This is so persistent that I'm wondering if it's a local job.

One suggestion: Try some on-demand malware scanners that don't require Windows installation, or better yet, don't require Windows. I recommend:
  • SUPERAntiSpyware Portable Scanner: Download it from a safe computer onto a flash drive. Boot your PC into Windows' Safe Mode, and run it from there.
  • AVG Rescue CD: This is a live Linux distro (like the one you've been using) built especially for antivirus work. You can download separate versions to burn to CD or to put on a flash drive. Either one is bootable.

Lincoln


#5 canuhelpme, posted 17 June 2011 - 09:59 PM

Hi again

I have tried at the command prompt to identify IP addresses and I was able to capture one. I changed directory to "admin" and got access denied; I tried "default user" and it changed to the directory, but running this command, netstat >stats.txt, returned access denied.

I have tried Malwarebytes in standard mode, safe mode, Microsoft's Security Essentials, Microsoft's emergency support tool (scanner).

I made a boot disk ( flash drive ) and it gave the same error as the tracking of the network. ( pic 1 )
The thing changes my system time, caused my system to roll back to an earlier date while documenting by screenshots and placing them in Paint to my desktop. I had approx 20 images and my system started to crash and when I restarted it the roll back lost the evidence.
I have configured Windows firewall to log all events (success and failure); my event log for security was deleted (pic 2).

I guess they are too big
one got there

I have tried to re-install several times (isolated from internet) with different OS disks (ruling out malware on a retail disk) with Win 7 Prof, Win 7 Ult., XP 2005 MCE, and Win 98. All end up with the malware. The disks on the laptops have an "HPA" with the restore / utilities area that is almost impossible to get rid of.

I have looked at the install file and apparently the log states many references to amd64 ( I have intel i5 ) Could it be that somehow my bios was flashed with an amd and now there is exploits involved with this. It doesn't make sense that a new hard drive and isolated from the world ( internet ) allow it to return unless it is on the main board somewhere.

Let me send this and I will write some more of the stuff I documented.
Before my system crashes (it is able to send code apparently via "null / default" permissions to gain remote user ability to my system). I have witnessed several items in Resource Monitor that indicate dllhost.exe and its ability to do things.

#6 canuhelpme, posted 17 June 2011 - 10:22 PM

Apparently the screenshots can't be uploaded. I am not a geek, just a moderately experienced user at putting systems together. What DOS commands I know I have learned over the years on my own.

Is there a way to force net monitoring when it will not let me (access denied)? Apparently the remote host can elevate his code above the admin account privileges I have on my system. Once I had 71 internet connections listed when I suspended Kaspersky antivirus to scan with another antivirus program in real time. (71) I have had 2 desktops compromised and 3 laptops (loss of ability to get past the login screen), same password on all and apparently easily cracked. All were on the same wireless network and it has been doing this for a while. Comcast doesn't care. I had all my email accounts blocked / compromised. I finally got them back so I still have the mail in them, although I don't know if the perp was able to or did violate that info.
I am at a loss on how to proceed, as I would like someone to figure this out so everyone out there won't have this issue ( prevented ) from this!!!

Attached thumbnail(s)

  • Attached Image: 5.png


#7 canuhelpme, posted 17 June 2011 - 10:25 PM

If interested you can read my postings on pchelp forums dot com (screamingeagle), answers.microsoft dot com (violated and violated again), as telling the same story every place I ask for help is getting old.....

#8 canuhelpme, posted 17 June 2011 - 10:34 PM

I don't know anything about photobucket
Please help so I can post them for all
Is it possible to force netstat on "access denied"

the software was a retail version bought from fry's when I did the build ( mem, chip, mb, case, etc. )
Of note, I looked at the install log and it referenced AMD. I have an Intel i5; should it not reference Intel when it installs, or is this common? I have not flashed the BIOS as it will not let me use a boot media.


#9 SpiritWind, posted 17 June 2011 - 10:43 PM

Hi:

I would not bother trying to get "help" from a "microsoft" related site. There are highly trained and experienced, certified, volunteer "Malware Removal Specialists" available on many advanced malware removal forums and I recommend you see IF one or more MAY possibly help you!? The forum I usually recommend is at http://www.geekstogo.com/forum . I have referred several from these PCWorld forums that have been greatly helped at Geekstogo, but their problem(s) were not as bad as yours.

#10 canuhelpme, posted 17 June 2011 - 11:07 PM

http://s1236.photobu...eamingeagle911/

I guess I have to learn on the fly

I have more on my digital camera of the many different tries and documented items. Some might be of interest, some might be nothing at all. I need to locate my CF flash reader and see if it works. I have had problems staying online as this remote user is able to manipulate my machine.
Let me know if anyone wants to see them as it might be a day before I can upload them (they are raw images) and I don't know if Photobucket will accept them. I got an error code uploading the .png files but they are viewable using a computer.
I am almost out of posting ability here

#11 crazy4laptops, posted 18 June 2011 - 09:07 AM

Now that I see some of the stuff that's going on, for starters, calm down! What you see is normal operation of Windows 7... W7 uses a unique security model, if you are logged in as an admin, it can do those type of filesystem operations without need for authorization... what you have posted are not hacks/attacks/or remote logon events.

Notice how on your screenshots on the Task Category it says Filesystem, Windows is changing something in the filesystem... possibly updating the MFT or Read Attributes on some system files on the screenshot I saw...
In my Security log there are 30,390 Audit Success entries in my security log, 12-27-10 thru 6-18-11. So I really wouldn't be too worried about it.

Please see my screenshots for a reference...

Also, download wireshark- http://www.wireshark.org/
Wireshark will let you see all internet/network activity on your computer in real-time... If you don't know how to read wireshark data, just save the pcap file, then zip the file, and attach it here.

If you take a look at mine (attached) I ran wireshark, then googled for the wireshark link (that is what all that green HTTP traffic is) and then my Apple iPhone is querying the network for an IP update... that is the nutshell overview.

I hope this helps!
-C

Attached thumbnail(s)

  • Attached Image: Logon.png
  • Attached Image: Special Logon.png

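An added example, not code from crazy4laptops or anyone else in this thread: a PowerShell script that pulls from the Security log only the events that actually record a remote logon, as opposed to the routine Filesystem audit-success entries explained above. Event ID 4624 with logon type 3 (network, e.g. file sharing) or 10 (RemoteInteractive, i.e. Remote Desktop) is Microsoft's documented encoding for those logons, and event ID 1102 records the Security log being cleared, which matters because the poster reported the log being deleted. The `$Days` window and the loopback-address filter are my choices; run it from an elevated prompt, since reading the Security log requires administrator rights.

```powershell
# Added example (not from the thread). Requires an elevated PowerShell prompt.
# Lists remote logons (4624, LogonType 3 or 10) and log-clearing events (1102)
# from the Security log over the last $Days days.
param(
    [int]$Days = 7   # assumption: one week is a reasonable review window
)

$since = (Get-Date).AddDays(-$Days)

# Successful logons, with the named EventData fields extracted from the XML
# (field names are stable; positional Properties indexes are not).
$remoteLogons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        LogonType   = [int]$data['LogonType']
        User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
} | Where-Object {
    # Keep only network / Remote Desktop logons that did not originate locally.
    ($_.LogonType -in (3, 10)) -and ($_.SourceIP -notin ('-', '127.0.0.1', '::1'))
}

# One row per (user, source address, logon kind): how often, and when last seen.
$remoteLogons |
    Group-Object User, SourceIP, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';      e = { $_.Group[0].User } },
        @{ n = 'SourceIP';  e = { $_.Group[0].SourceIP } },
        @{ n = 'Kind';      e = { if ($_.Group[0].LogonType -eq 10) { 'RDP' } else { 'Network' } } },
        @{ n = 'LastSeen';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# Event 1102 ("The audit log was cleared") is logged in the Security log itself
# when someone clears it, with the account that did so in the message.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

An empty first table means no logon from another host was recorded in the window; thousands of Filesystem entries next to an empty table is the normal picture crazy4laptops describes. A 1102 entry, on the other hand, is worth following up, because Windows does not clear the Security log on its own.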

#12 canuhelpme, posted 26 June 2011 - 07:10 PM

I am thankful for your response as I don't know what to look for as far as malware activity. I do want to make sure that my system is clean prior to doing my business on the internet again.

Please tell me what you "experts" would do at this point to verify that the computer is clean, and what software is recommended to hopefully avoid another exploit by "remote access".

#13 crazy4laptops, posted 27 June 2011 - 11:59 AM

Use 1password to secure business data- http://agilebits.com...ducts/1Password
If you installed windows from scratch (erased hard drive first) your system is clean

For home use, Microsoft Security Essentials is pretty good provided you couple safe browsing habits with WOT on Firefox or Chrome- http://www.mywot.com/
For securing your system to a higher degree- http://personalfirewall.comodo.com/

To avoid remote-access exploits-
1. Make sure your computer is plugged into the wifi router (plugged directly into a cable modem is not a good idea)
2. Know safe browsing habits and always remember that the "YOUR COMPUTER IS INFECTED" website is fake and is meant to scare the living daylights out of you.
3. Keep Malwarebytes up-to-date (scan weekly)
4. Unplug your computer from the internet if you don't feel safe...
5. Be sure to keep your wifi secured with a strong password and WPA2 encryption
6. Remote Access is very hard if you've disabled the Administrator account and set your account password to something strong and secure
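As an added example that is not part of crazy4laptops' post, the following PowerShell script checks a machine against the points in the list above that can be verified in software (Remote Desktop and Remote Assistance disabled, the built-in Administrator account disabled, the firewall on for every profile, no enabled local account without a password) and then lists which processes are listening for inbound TCP connections, which is the netstat view the poster asked about earlier. The registry values and WMI class are the standard Windows ones; the firewall check assumes English-language netsh output, and the script must run from an elevated prompt (right-click PowerShell, "Run as administrator"). Writing any redirected output into your own profile, e.g. `$env:USERPROFILE\Desktop`, avoids the "access denied" that comes from writing into another user's folder.

```powershell
# Added example (not from the thread). Requires an elevated PowerShell prompt.
# Reports remote-access hardening state, then the listening TCP ports with owners.

$report = [ordered]@{}

# 1. Remote Desktop: fDenyTSConnections = 1 means inbound RDP is refused (the Windows default).
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$report['RemoteDesktopDisabled'] = ($ts.fDenyTSConnections -eq 1)

# 2. Remote Assistance: fAllowToGetHelp = 0 means nobody can be invited to control the PC.
$ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
$report['RemoteAssistanceDisabled'] = ($ra.fAllowToGetHelp -eq 0)

# 3. Built-in Administrator account (always RID 500, whatever it was renamed to).
$admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-500'"
$report['BuiltinAdminDisabled'] = [bool]$admin.Disabled

# 4. Windows Firewall on for Domain, Private and Public profiles.
#    Assumption: English netsh output ("State  ON" / "State  OFF").
$fw = netsh advfirewall show allprofiles state
$report['FirewallOnAllProfiles'] = -not ($fw -match 'State\s+OFF')

# 5. Enabled local accounts that do not require a password at all.
$noPassword = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False" |
    Where-Object { -not $_.PasswordRequired } |
    Select-Object -ExpandProperty Name
$report['EnabledAccountsWithoutPassword'] = if ($noPassword) { $noPassword -join ', ' } else { '(none)' }

[pscustomobject]$report | Format-List

# 6. What is listening for inbound TCP connections, and which process owns each socket.
#    Same data as 'netstat -ano', joined to process names so it is readable.
$listeners = netstat -ano -p tcp | Select-String 'LISTENING' | ForEach-Object {
    # Columns: Proto  Local Address  Foreign Address  State  PID
    $f = ($_.Line.Trim()) -split '\s+'
    $procId = [int]$f[-1]
    [pscustomobject]@{
        LocalAddress = $f[1]
        PID          = $procId
        Process      = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
    }
}
$listeners | Sort-Object PID | Format-Table -AutoSize
```

Read the first block as a checklist: every value should be True and the password line should be "(none)". In the listener table, ports bound to 0.0.0.0 or :: are reachable from the network, so each one should map to a process you can account for; anything bound only to 127.0.0.1 is reachable from the machine itself. Comparing that table against the same command run on a freshly installed system is the simplest way to tell a normal Windows listener from something you did not install.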

#14 LiveBrianD, posted 27 June 2011 - 07:56 PM

Oh, and watch out for scam email. My dad got an email from "at&t" that claimed he owed $212. Odd - he'd just paid the bill a few days ago, and it was $60. It looked quite realistic. Guess what? All the links went to some site he'd never heard of. Who knows what would've been there.

As for wifi, use a random password. Although 28CNhvjFih6xF@ is hard to remember, it takes exponentially longer to hack than 'fido'.
