obscure rootkit(?) offer from infected user, kernel detective (long post)
quirkly
April 3rd, 2009, 14:22
Hello,
I apologize if I have posted to the wrong area. I understand the FAQ in terms of my responsibility to help myself. I found this forum in my attempts to help myself, despite my incredible lack of necessary knowledge. From your tools library, I was astonished to discover that someone actually realized that the tools needed to be protected/hidden from the malware. I am hopeful to know that at least some seem to realize that a computer may be infected even if HJT, MBAM and gmer do not find “it”.
In the event the remainder of my post is inappropriate or without interest, could someone please direct me to some information on using the tools to hide other tools. Perhaps use is obvious but my malware has a runonce aspect, so I have learned to be more careful. A long description of the saga and malware follows below. I am observant but lack basic knowledge. My learning is slower than I need or want.
My computers are infected with some sort of currently undetectable malware in combination with other more known items. The reality of malware detection is interesting, except for the fact that “it” has nearly bankrupted me by destroying the capability to run the apps I needed for my work (ArcView). Also interesting is the social portion, whereby many biggie AV companies and Dell cannot find the malware and subsequently conclude that my machines are clean, or have a communicable hardware problem. Sophos has now cancelled support (I am a “special case”) and demanded I work only with their reseller whose unsuccessful attempts to clean my three laptops cost over $1K. The reseller fails to respond to my emails, since I did not find their last joke particularly humorous. I asked for help dealing with the locked registry keys for the antirootkit legacy drivers which prevent the tools from working and the tech sent an email with an X-Files, “I want to believe” gif attached as the tool I needed. I wrote the jerk’s boss and was assured of their competency and responded with the fact that he needed to install a VM, infect the VM with “it” and see what I really had instead of telling me that all I had to do was run MBAM. If I were rich, I would sue Sophos for breach of contract/false advertising re: their lack of support, especially since the one tech that actually listened to my descriptions was not allowed to follow through on his plan to image my HD.
I believe I first got this over a year ago, maybe from a server of a company I was consulting for when I attempted to run ArcView on their license remotely. One employee is Mongolian and videocams with his buds in Mongolia and his computer was used to upload data from the field. Media player volume control disappeared and in August I could not add files to the Media player. Immediately after, a dialog box appeared asking to network MP with the text “sergzy PC” on it. I did not click on that but searched sergzyPC which was reported on Prex only as being from the vlob Trojan. NOD32 did not find it, likely it stopped working by then. Popups are limited to windows notifications that are fake. When I attempted to go after "it" the infection became more apparent. It seems to have improved over time, more resistant and more subtle. Various AV products would find minor infections but the CPU still spiked so I knew the real infection persisted. I could not get the correct drivers to stay installed, settings changed and files kept moving around.
I have many old XP infected computers so if someone wants a cumbersome sample of the malware, I could ship you the HD. I do not seem to be able to get to "it" since I think it may hide behind a partition(s) on my HD. The pieces that I see are not able to be uploaded for analysis. Other files are invisible in explorer (but can be seen for a while in other file managers) or in use or are said not to be present for upload. Even if I see them, I cannot get to them, regardless of the unlocker tools I tried.
I discovered dependency walker, so I ran many apps in that and can see lots of effects. Entry points are not bound for some items, dlls are delayed or not found. Best of all, the mouse driver is used to disable the AV and tools. I can see DW citing the AV when I move the mouse, but I cannot get the AV companies to appreciate that. I have many records of many apps but I am at a loss on what to do with the info.
Kernel detective runs on the Vista box (but not on XP- missing driver) and reports lots of info but I am too naïve to know what to do with that great info. Thanks to GamingMaster, (who suggested it just when the thread on sysinternals was closed) and anyone else here who wrote this great tool. KD has appeared to operate beyond the runonce of most tools and is apparently not deluded, or obscured. "It" has now started to include an "empty" folder in the KD folder so I changed the KD exe name and moved all files to a less apparent folder. Maybe silly to try to hide in that way, since I downloaded KD but here are some of the data.
Too brief synopsis:
Processes 46 – 0 Hidden (47 when online)
Threads 5 (I wonder about 5 threads only)
DLL 75 (80 online)
Handles 419 ( 439 online)
Kernel Mode Drivers 147 – Hidden 0 (same online)
Total Services 391 Modified 0 Extra 0 (same online)
System Service Desc Table Shadow 772 Detoured 0 Extra 0 (same online)
Interrupt/Trap/Task 256 Modified 24 Processors 1 (same online)
I do not seem to be able to copy this window but the modifications are 16bit tasks and 32 bit interrupts from ring 0 with no module listed or the ntkrnlpa.exe[.text]
One 16bit trap ring3
Several 32bit int, ring0, hal.dll[PAGELK]
There are several with current and real IRS= 0x0000000 and no other data.
Kernel Hooks 4 (same online)
0x8245BFF8 ntkrnlpa.exe [.text]::RtlPrefetchMemoryNonTemporal Len=1 State=CodeMod CV=90 OV=C3 DM= -
0x8245FB59 ntkrnlpa.exe [.text] Len=1 CodeMod CV=06 OV=05 DM=-
0x824BCDEA ntkrnlpa.exe [.text] Len=18 Code Mod CV=E0 25 7F FF FF FF 0F 22 E0 0D 80 00 00 00 0F 22 E0 C3 OV=D8 0F 22 D8 C3 0F 20 E0 25 7F FF FF FF 0F 22 E0 0D 80 DM=-
0x824BCE02 ntkrnlpa.exe [.text] Len=1 Code Mod CV=00 OV=C3 DM=-
Apologies for any frustration due to lack of complete data. I noticed that the malicious code execution protection cited 32bit applications, so I wondered if that meant that the 16bit code was not blocked. I think a rootkit is indicated. I realize that the real important data underlies each of these items but I don’t know what to do with that. I could not read Arabic so I don’t know if there are further instructions on the site. Unlikely since there is a reasonable assumption of competency on the part of the user. I would be happy to learn more but likely not fast enough. A basic ref would be appreciated, though.
-All the drivers are installed remotely by the malware and appear to be valid to most tools.
-Monitor and screen resolution is degraded to match malware images
-downloaded images conceal info according to the whim of the malware.
-C++ redistributable was installed in some machines,
-permissions are changed in favor of the remote owner.
-elements: random character file naming in temp, registry, admin, user, sys32, and other seldom used folders. .ini, .sys, .log, .bat, .lnk, icons are bad. Perf and pagefiles are bad. I cannot get any of those to upload for submission. The graphic resolution is different so I can tell what icon is compromised.
-there are multiple infections: vlob, virtumonde/vundo, adobe reader are implied from symptoms reported by MS database.
-registry keys locked or restored
-unable to disable system restore in either vista or xp
-unable to update, although updates are said to be installed in one window, yet not really in the other window.
-safe mode is not really safe mode, simply a screen resolution change
I am sure I neglected to mention many other items.
-“It” either writes to commercial software CDs for external wireless antennas or to wireless modems, since I infected an old laptop immediately on install of a wireless ext antenna, using a CD that had been used on infected machines. I also infected my kid’s new laptop when I put a CD-R, finalized, back in to check AV files at the demands of a Sophos tech who said there was no way that the finalized CD-R could infect her laptop. Wrong. The files were fine, the infected machine would not read the CD and the formerly clean computer is infected.
-“Clean installs”, including what was said to be a low-level format, were unsuccessful. I am uncertain what was done to the boot portion of the HD. The lack of knowledge, mythology surrounding the HD/bootsector/master boot record is astonishing. I have been told nearly everything from “nothing can survive an OS clean install with reformat” to “there is no way to remove a bootsector infection, buy a new HD”. Dell replaced the HD and motherboard twice on one laptop, but I think I managed to subsequently infect that machine since I think I have infected the network at the community college. (The community college was unconcerned by my confession.)
-“It” is some sort of remote bot/root/bootkit and the BIOS may be controlled in some way:
The CD/DVD drive is intermittently disabled when I attempt to boot from a clean ISO (I hope that is the correct verbiage)-got a clean image from the reimage.com service in an attempt to reinstall the OS but the computer only seems to use the CD OS source and when I try to use a clean CD for an AV scan, the CD cannot be read. “It” is a bit stupid since it also will not let me read my archive financial info CDs, other content is acceptable. When accessed remotely by a tech, the CD contents are visible. Conversely, “it” is simply obscuring the window with a fake window, so perhaps the BIOS surmise is incorrect. The CD drive is controlled, since the disk stops spinning.
If anything is of interest, I am happy to respond in any way I can. If someone wants a HD I am happy to fully infect it with the newly updated versions of “it” (and whatever else is here) and ship it. I am short of funds so it would be easier to send it to a US address, to someone who might know how to get the data off. I gave up on saving my data months ago, so there is little on these drives. I have lots of infected data on ext drives and CDs that I read on one box as necessary. Maybe in five or six years, there will be a way to clean some of it.
I think there must be more than garden variety known malware that I am too dumb to get off since AV tools are not effective. Many AV cannot find it, although I have not retried all the ones again recently, but there has been some progress in the last year, since boot sector infections are no longer denied. Some tools may have been more effective if I had the option to get them from a clean computer, but I likely have not done that, since I now think the college computers are infected. I can find someone to download them for me on a clean computer, but it is likely the drive will not read the CD anyhow.
Thank you for reading the long post
Quirkly
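As an added example (my code, not Kernel Detective's and not from the poster): a small Python parser for the Kernel Hooks lines quoted above, which splits each entry into address, module, section, symbol and current/original bytes, checks that both byte counts agree with Len, lists the offsets that differ, and flags an entry whose first current byte is a control-transfer opcode (the pattern of an inline detour). It assumes CV and OV mean current and original value; the sample lines are re-typed from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the four "Kernel Hooks" lines quoted in the post,
# re-typed here so the parser can be run offline.
SAMPLE_REPORT = """\
0x8245BFF8 ntkrnlpa.exe [.text]::RtlPrefetchMemoryNonTemporal Len=1 State=CodeMod CV=90 OV=C3 DM= -
0x8245FB59 ntkrnlpa.exe [.text] Len=1 CodeMod CV=06 OV=05 DM=-
0x824BCDEA ntkrnlpa.exe [.text] Len=18 Code Mod CV=E0 25 7F FF FF FF 0F 22 E0 0D 80 00 00 00 0F 22 E0 C3 OV=D8 0F 22 D8 C3 0F 20 E0 25 7F FF FF FF 0F 22 E0 0D 80 DM=-
0x824BCE02 ntkrnlpa.exe [.text] Len=1 Code Mod CV=00 OV=C3 DM=-
"""

# Line layout as it appears in the post. CV/OV are assumed to mean
# "current value" / "original value" (assumption from the column names).
HOOK_RE = re.compile(
    r"^(?P<addr>0x[0-9A-Fa-f]+)\s+"
    r"(?P<module>\S+)\s+\[(?P<section>[^\]]+)\]"
    r"(?:::(?P<symbol>\S+))?\s+"
    r"Len=(?P<len>\d+)\s+"
    r"(?:State=)?Code\s?Mod\s+"
    r"CV=(?P<cv>(?:[0-9A-Fa-f]{2}\s+)+)"
    r"OV=(?P<ov>(?:[0-9A-Fa-f]{2}\s+)+)"
    r"DM=\s*\S*\s*$"
)

# First-byte opcodes worth naming in a one-line summary. A control-transfer
# opcode written over the start of a function is the classic inline detour.
OPCODE_NAME = {
    0x90: "nop",
    0xC3: "ret",
    0xCC: "int3",
    0xE8: "call rel32",
    0xE9: "jmp rel32",
    0xEB: "jmp rel8",
}
DETOUR_OPCODES = {0xE8, 0xE9, 0xEB, 0xCC}


def _hexbytes(field: str) -> List[int]:
    """Turn 'E0 25 7F' into [0xE0, 0x25, 0x7F]."""
    return [int(tok, 16) for tok in field.split()]


@dataclass
class KernelHook:
    address: int
    module: str
    section: str
    symbol: Optional[str]
    length: int
    current: List[int]
    original: List[int]

    def is_consistent(self) -> bool:
        """Len must agree with the number of bytes in both CV and OV."""
        return len(self.current) == self.length == len(self.original)

    def changed_offsets(self) -> List[int]:
        """Offsets (from the hook address) where current != original."""
        return [i for i, (c, o) in enumerate(zip(self.current, self.original)) if c != o]

    def looks_like_detour(self) -> bool:
        """True if the patched first byte is a control-transfer opcode."""
        return bool(self.current) and self.current[0] in DETOUR_OPCODES

    def describe(self) -> str:
        where = f"{self.module}!{self.symbol}" if self.symbol else f"{self.module}+{self.section}"
        old = OPCODE_NAME.get(self.original[0], f"{self.original[0]:02X}")
        new = OPCODE_NAME.get(self.current[0], f"{self.current[0]:02X}")
        tag = " DETOUR?" if self.looks_like_detour() else ""
        return (f"{self.address:#010x} {where}: {len(self.changed_offsets())}/{self.length} "
                f"bytes differ, first byte {old} -> {new}{tag}")


def parse_report(text: str) -> List[KernelHook]:
    """Parse every Kernel Hooks line in text; lines that do not match are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(KernelHook(
            address=int(m["addr"], 16),
            module=m["module"],
            section=m["section"],
            symbol=m["symbol"],
            length=int(m["len"]),
            current=_hexbytes(m["cv"]),
            original=_hexbytes(m["ov"]),
        ))
    return hooks


def summarize(text: str) -> List[str]:
    """One triage line per hook, with a warning when Len and byte counts disagree."""
    out = []
    for h in parse_report(text):
        line = h.describe()
        if not h.is_consistent():
            line += " (WARNING: Len does not match byte count)"
        out.append(line)
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_REPORT):
        print(line)
```

Entries where only a byte or two changed and no control transfer was written are best compared against a known-good copy of the same kernel build before being treated as hostile.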
Sab
April 3rd, 2009, 15:17
thought this post was fake, it was so long. Thought it might be this: http://www.woodmann.com/forum/showthread.php?t=12561&highlight=bios but I doubt something used the idea that long ago. Anyways you should post on malware forums, but here goes: get a live boot cd using sysinternals administration pack. You can find it on torrent sites. Before you make the repair/boot cd (you could also use bartpe maybe) load malware-bytes.org and update it on there. Load Spybot Search & Destroy and update it. Load two av's maybe nod32 & another good one (not norton shit, something lightweight and good). Boot off the live cd. You may have to move the hdd to another computer to do this, or it should work right off your current computer. If it's a laptop hdd, use an external usb enclosure; they sell them for $15 online or in stores. Now scan that drive as a secondary drive using all of those tools. The boot cd will ensure the virus will not spread any further. See if it detects it.
quirkly
April 3rd, 2009, 20:15
Sab,
Thank you for your reply, sorry for the length of that post and this one, too. Re: the BIOS attack, I wrote to Alfredo, who replied with advice but neither of us has the other's language adequately. He thought my problem was lack of Windows updates but I am unable to do Windows updates, regardless.
I have posted to several forums, but the malware forum personnel do not do more than HiJackThis, gmer, etc. so I am always considered to have a clean computer. The malware forum people disregard the dependency walker info.
I am aware of the live boot cd (bart PE) and also there is a Sophos Linux repair CD. I tried a CD with a bootable ISO. If the CD is the _only_ boot option (in the BIOS), the computer fails to boot. But if the HDD is included as an option (in the BIOS) then the computer boots. Is it necessary to include the HDD as a boot option for the machine to run? I have no way to check on an uninfected machine. Sorry if that is a stupid question but I have searched and cannot find an answer. In my case, I think the boot was faked off the CD but really the OS was loaded from the HDD. Based on your statement about containing the infection using the boot from CD, the HDD should not be necessary.
I have removed the HD from an old laptop to use as an external drive so I can do that. Maybe the AV databases are better than they were last September, but I paid a tech to do clean installs on two laptops' HDDs (externally attached) and to scan three external HDDs that I used to store data. All remained infected, so whatever it is was not in the databases. That whole process was repeated again 7 more times with three different computer “pros” (in two states). No malware was found by one tech (2X, October, using spybot and some AV); Oct, found minor malware (2x with spybot, adaware and TrendMicro w/ 1 clean install); Oct, Nov, Dec - Sophos reseller: 1. scanned w/ Sophos, found more serious infections, said he did clean install/reformat, found numerous partitions on HD (but my files were present, so he could not have reformatted), computers booted up by themselves during shipment back, then AV scan hung/no windows update. 2. clean install, low level format, CMOS reset/BIOS flashed, said to be clean but Sophos would not run by the next day. 3. clean install/low level format, kept them for a month since Vista would not boot if the Sophos client firewall was installed (previously worked) but Sophos support & the tech ignored that and said the computers were clean. Again, no windows update and Sophos identified itself as malware and stopped running.
All the above was done with the HDD as an external to the other computer. Malware is found by scanning the drives, but then "it" survives subsequent clean installs. Maybe all the “pros” computers were infected since none booted their computers off a CD? Or with all the reformats, could this be boot sector/MBR or elsewhere resident? AV scans do not remove boot sector/MBR or elsewhere resident malware, do they?
I really appreciate your input. Thank you
Quirkly
Woodmann
April 3rd, 2009, 21:23
Howdy,
I am currently battling a similar problem with some company boxes.
I now carry a disc and a USB drive with some tools to help me.
So far they seem to be working but I have one that is still acting funny.
Anything on any of your comps is junk. Nothing currently installed will work.
It may not be in the MBR or BIOS. It may just be morphing itself with a new name each time you try to kill it.
Here are the tools to try. You will need all of them.
Avira
Avast
Malwarebytes
Combofix
Spyware doctor
Registry cleaner
Via either USB drive or CD, you need to have each one on separate media.
Start with Avast. If you can get it installed, don't run it. Find the option for scan on boot. Hard kill the box, i.e. pull the plug, then restart it.
If you can't get it installed, try each utility until you get one installed, except the reg cleaner.
If you can't get any of those installed report back.
If you do manage to get something installed and running, do not reboot if asked. Install another utility and run it.
Continue on in that manner.
When you install Avira, don't run it. Find the option for root kit scan and run that first.
If by any chance you can get them working and can delete some of the infection, start dumping the old compromised AV's and spyware tools.
Run the registry cleaner after that.
When you think you have enough removed, reboot.
Now start running Avast. Give it a minute or two and start Avira.
If your box has any balls, start either Combofix or Malwarebytes. Ignore the popups to shut off your running AV's and run them.
Don't bother with the updates with any of them when you get them running. You can do that when you get control of the system.
Actually, disable the network connections/wireless connections.
If you manage to get some stability back, download the tools again from a clean net connection, not a previously infected box. Burn them the same way as before. Delete all the old utilities and reinstall them all over again.
If you use a USB drive be extremely careful. They can be easily infected.
Never use CD or DVD RW media. Use all disks once and discard.
Report back.
Woodmann
quirkly
April 4th, 2009, 11:10
Thank you thank you thank you
Yeah, different protocol, makes sense.
Exactly what is considered wrong
Great ideas
I will let you know
Quirk
esther
April 5th, 2009, 02:54
PCTools is another tool; you should try it out.
quirkly
April 5th, 2009, 05:52
esther,
Thank you. I agree. I figured I would try it also. Yeah, they were the first AV I purchased when I tried to get rid of the infection on my own. I got the whole package, including spyware dr. Installing it on my infected machine was not effective. I think it lasted a couple of hours until it started causing problems. Seems like they have been working on some more problematic malware lately and I don't seem to have any registry entries left over from them.
I also purchased their Registry Mechanic. RM was robust enough that I could install and uninstall it so that it was effective for a few months. I tried to use the results of 500+ instances of registry changes as indicative of the fact that I had an infected computer, even if HJT indicated nothing, in their view. The response, without exception, from AV support and malware forums was that I should not use registry cleaners, since they tend to cause problems. Without RM, I would not have been able to finish my contracts and get paid.
I will get to use a clean (I hope) box on Monday to get all the tools and start in on my least infected boxes.
Thank you for reading and replying, I appreciate your help.
Quirks
Darren
April 5th, 2009, 14:37
Hi,
I'll just throw in a couple of suggestions if you're still struggling and can get your pc to boot from CD
http://www.givemesolution.org/my-software-collection/36-my-software-collection/48-hirens-boot-cd.html
Great cd with a hell of a lot of tools, it has an xp lite boot option on it also, allowing you to get into your windows from the cd and run tools from the cd, various malware/adware removers on it, I've saved many a pc with it
http://dl1.pro.antivir.de/package/rescue_system/common/en/rescue_system-common-en.iso
a bootable cd from avira, always up to date
and like woodmann said above malwarebytes (www.malwarebytes.org) is a very good tool if you can get into your windows
Good luck
Darren
quirkly
April 5th, 2009, 15:37
Darren,
Thank you for suggestions. Sometimes the CD drive works but I do not think I have ever really gotten it to boot off a CD, just the illusion.
I have used MBAM many many times, but it always comes up clean. Also an illusion. There are MBAM "legacy" registry keys and drivers that are placed by the malware. Also for many other AV apps/tools also. Plus a runonce setting which seems to be linked to the creation of the legacy keys and drivers.
Woodmann's suggestions differ from everything I have ever tried in the aspect of simultaneous AV tools. That is more likely to work than anything since it is so contrary suggested practice and this thing is set to take down all the conventional approaches.
I plan to go after it with all I can get to load at first and then go back and do the "right" way with several different boot-from-cd tools. Thanks for your suggestion of the 48-hirens cd. I have not used that one, so maybe I can get that one to boot. On one computer, it took out the CD driver completely and I cannot get it to load a replacement or update driver. Maybe, the windows images are overlaid such that I cannot see where to hit the button properly. The necessary choices are often greyed out on the images I get. I have used showin to know there are windows below, I just cannot get to them.
I will let you all know what happens next. Thank you so much. Your help, and that of the others here, is so meaningful. I know at least a dozen others with the same thing. We all keep getting dumped from boards since we are considered paranoids, etc. but in comparing notes, the symptomology is the same. I am seeing an increasing frequency of new posts to the malware boards describing the same things this year, so it is spreading now.
Quirks
Woodmann
April 5th, 2009, 19:38
Spreading is an understatement.
These new rebuilds of old virii and malware will define the next generation of tools to remove them. I foresee new cutting edge tools coming from unknown companies that are willing to look beyond standard virus database technology.
As for registry cleaners, I guess there's nothing better than leaving infected keys behind, right?

Woodmann
quirkly
May 5th, 2009, 17:13
Sorry about the quotes; I am having a hard time posting so I tried to email Woodmann, no luck there either. Here is the latest story.
Things are getting worse with my malware, but the good news is that I have found it. I tried the avast, installed, and really killed the box. Now it will not boot at all-only to blue screen no matter what. But that makes sense in terms of the reality of the thing-- So on another computer. That vista laptop was getting stranger so I tried to boot in safe mode off the vista disk. I ended up in a continuous reboot but finally got to the place where: if you see your operating system -choose that or -hit the button to load drivers. I was tired of loading the same not working drivers, so I hit the button (totally contrary to std practice, but so is this malware)
I get a screen to choose the set up and discover that I now have two hard drives! One is the Local Drive C: and then there is Boot, and also the vista disk in the CD. The Boot X: partition contains all my malware-- all the drivers, essence of the malware.
Boot X:
folders and subfolders listed below
Program Files
Common Files
microsoft shared
ado
de-DE
es-ES
en-US
ja-JP
fr-FR
Oledb
msadc
system
ink
lots of language files here
triedit
language files as under ado
Internet Explorer
could not see anything
Users
Public
Documents
Music
Videos
Downloads
Pictures
Sources
6.0.6000.16386_x86
de-de
en-us
fr-fr
ja-jp
recovery
servicingstackmisc
adprep
dlmanifests
es-es
inf
license
servicing
spinstall
and drivers:
sfpat2k
sfpatxp
sfpat
sfpatlh
upgcompat
Windows
boot
debug
en-US
fonts
globalization
inf
L2schemas
Logs
panther
resources
service profiles
system 32
tracing
branding
de-DE
es-ES
fr-FR
Help
ja-JP
LiveKernelReports
Microsoft.NET
Policy Definitions
Security
Servicing
Temp
Winsxs
Maybe someone has seen this before? There are many more files within several of the above folders such as sys32 and dlmanifests, etc. but I am worried that I might not be able to send this email since the typing is getting weird.
I have been talking to Microsoft about this-interesting response this time. I have gotten escalated 3 times or so. After the beginning statement where "malware cannot make partitions" he then actually listened, and he wants all the data I have, etc. He plans to see what can be done, talk to his colleagues, and figure out what to do--although he was bright enough to say he could not do anything over the phone, a good first step, I think.
Mixed blessing, this info. At least I saw what I thought was there but at a loss on what to do. I cannot repair the drive. It just gets around anything. I cannot boot up to another OS on disk. So I have to find a "pro" who will believe me. No luck in the past.
I am having a very hard time reading email but I wanted to say thanks for the ideas and to let you know what a weird thing this is. But it makes complete sense in terms of what I have seen, both in behaviour and in the affected files.
The future of malware seems to be here. The dates are May, 08 which also fits, but may be bogus too.
Does anyone know what this is?
Quirkly
[EDIT JMI] quirkly: I have attempted to fix your formating issues with the Post. If I broke any of the sentences in the wrong place, you should be able to fix them now.
Woodmann
May 5th, 2009, 17:58
Howdy,
No one knows what it is. If they say they do they are full of shit.
I have had malwares stop and freeze a box mid AV scan and then refuse to run without a great deal of effort.
The base of the problem is the infection is self replicating and it morphs.
The second it senses there is an AV running it copies itself multiple times with different names and file extensions.
If you really want to continue trying to save this drive you will need to remove the drive, hook it into another machine, set it as slave and have an AV ready to scan on boot.
And then PRAY like hell you don't huff the other box.
ORRRRRRR, throw away that infected drive and buy a new one.
Flash the BIOS and don't insert any home burned media.
Report back, Woodmann
evaluator
May 7th, 2009, 14:52
QUIRKLY, you have written kilobytes of poetry..
instead, why do you not upload samples from your PC!?
quirkly
May 8th, 2009, 10:04
-evaluator
what would you like? I cannot upload the malware proper. It gets out of zip files, or moves out of the way.
I have dependency walker files or screen shots of kernel detective indicating that the kernel code has been rewritten. If you want a HDD I can mail you one if you are in the states.
thanks
Quirkly
quirkly
May 8th, 2009, 10:12
Woodmann,
Thanks. I get the impression you are struggling with this thing. Yeah, AV freezes in midscan.
No, people refuse to admit this thing exists. Sophos has now denied me customer service. Certainly they will not discover the reality with that approach.
When did you become aware of this thing? Other people seem to date theirs back to 05, but mine showed up in mid 08.
Scans by others on a slaved drive still do not find it. I probably have infected lots of others. I got one new drive/motherboard from Dell, proceeded to reinfect that one from the local community college which I have infected also.
(they did not care) Will talk to Dell about getting new insides for the other boxes still under warranty.
Let me know if you come up with anything,
Thanks
Quirkly
evaluator
May 8th, 2009, 16:18
that all is like magic..
for example, get a list of the directory SYSTEM32\DRIVERS\
Woodmann
May 8th, 2009, 19:36
Howdy,
I have seen payload files dating back to 08.
It quietly went about its business for 3-4 months before anyone noticed.
On my boxes, I noticed odd behavior like screen blinks and a deleted icon came back. When the icon came back I knew something was fucked up.
When I ask others with dirty boxes about why they think there is a problem they say the same types of things or the box is so slow it wont run.
After I cleaned mine, I saved my data, scanned the saved data DVD's and cleaned them again.
I deleted all my partitions then formatted. MBR enema to make sure that was clean. One box had one sector of the MBR on the hard drive physically damaged. I re-installed but windows doesn't like to be forced to read on un-allotted MBR space so that drive hit the trash.
This box I am using now got re-infected three more times. I believe from my own burned discs so they all got tossed in the dumpster.
A thumb drive that was infected and physically damaged said goodbye.
My rootkit toolkit disc was DOA after about 6 uses.
There were many other things that happened just on my 3 boxes. Nevermind work boxes and friends.
You wanna know the good part? I dont have one sample of this thing saved.
I became so irritated I threw out at least 3 dozen burned disks, a hard drive and a thumb drive.
If it happens again I will just buy a new rig each time one of these becomes dirty.
I do not think there is any way to recover a box to 100% health after this shit has infected it. You just manage it to keep it somewhat controlled.
One last thing for anyone who might be wondering. When it starts to morph it writes its spawn as just about any file extension.
The only thing that seemed somewhat typical was that most of the files had non-sense names like hjusckleustwm.dll or 90452917263.tmp.
They were all hidden and only a boot scan would stop them.
It's the hidden master file that I could never really find. Everything would work good for a week or so and then the shit came right back again.
Woodmann
quirkly
May 8th, 2009, 20:24
Quote:
[Originally Posted by evaluator;80507] that all is like magic..
for example, get list of directory SYSTEM32\DRIVERS\
quick reply as i keep getting kicked out
Device Name Device ID
XAudio ROOT\LEGACY_XAUDIO\0000
Kernel Mode Driver Frameworks service ROOT\LEGACY_WDF01000\0000
Remote Access IPv6 ARP Driver ROOT\LEGACY_WANARPV6\0000
Storage volumes ROOT\LEGACY_VOLSNAP\0000
Dynamic Volume Manager ROOT\LEGACY_VOLMGRX\0000
VgaSave ROOT\LEGACY_VGASAVE\0000
NetIO Legacy TDI Support Driver ROOT\LEGACY_TDX\0000
TCP/IP Registry Compatibility ROOT\LEGACY_TCPIPREG\0000
TCP/IP Protocol Driver ROOT\LEGACY_TCPIP\0000
Security Processor Loader Driver ROOT\LEGACY_SPLDR\0000
Message-oriented TCP/IP and TCP/IPv6 Protocol (SMB session) ROOT\LEGACY_SMB\0000
Security Driver ROOT\LEGACY_SECDRV\0000
Link-Layer Topology Discovery Responder ROOT\LEGACY_RSPNDR\0000
RDP Encoder Mirror Driver ROOT\LEGACY_RDPENCDD\0000
RDPCDD ROOT\LEGACY_RDPCDD\0000
Remote Access Auto Connection Driver ROOT\LEGACY_RASACD\0000
QoS Packet Scheduler ROOT\LEGACY_PSCHED\0000
PEAUTH ROOT\LEGACY_PEAUTH\0000
Null ROOT\LEGACY_NULL\0000
NSI proxy service ROOT\LEGACY_NSIPROXY\0000
NETBT ROOT\LEGACY_NETBT\0000
NDProxy ROOT\LEGACY_NDPROXY\0000
NDIS Usermode I/O Protocol ROOT\LEGACY_NDISUIO\0000
NDIS System Driver ROOT\LEGACY_NDIS\0000
NativeWiFi Filter ROOT\LEGACY_NATIVEWIFIP\0000
ISA/EISA Class Driver ROOT\LEGACY_MSISADRV\0000
msahci ROOT\LEGACY_MSAHCI\0000
Windows Firewall Authorization Driver ROOT\LEGACY_MPSDRV\0000
Mount Point Manager ROOT\LEGACY_MOUNTMGR\0000
Link-Layer Topology Discovery Mapper I/O Driver ROOT\LEGACY_LLTDIO\0000
KSecDD ROOT\LEGACY_KSECDD\0000
HTTP ROOT\LEGACY_HTTP\0000
LDDM Graphics Subsystem ROOT\LEGACY_DXGKRNL\0000
Crcdisk Filter Driver ROOT\LEGACY_CRCDISK\0000
Common Log (CLFS) ROOT\LEGACY_CLFS\0000
Beep ROOT\LEGACY_BEEP\0000
Ancilliary Function Driver for Winsock ROOT\LEGACY_AFD\0000
Not Available HTREE\ROOT\0
quirkly
May 8th, 2009, 20:26
for evaluator
I keep getting logged out of the forum (not really, just malware)
On the above drivers, signing is "not available", as are also driver version, driver date, manufacturer, INF name and driver name.
I have more that are relevant
will post as I can.
thanks for your interest
Q
Vistaphobic
July 19th, 2009, 13:49
I don't mean to hijack another member's thread, but when I read the opening post, my heart pretty much jumped out of my chest. I have the exact same issue described in the OP. It is the most frustrating ordeal I've ever encountered in 15 years of PC ownership. And the worst part is that none of the so-called experts I've called for help (at Microsoft, Dell, Kaspersky and Trend Micro) would even acknowledge that the phenomena I described were even possible. Only one person, a very conscientious tech support rep at Dell, had the patience to let me prove to him that my computer has serious issues. Still, he insisted that I perform another factory image reinstall and then use my computer for a few days before trying anything else. That was yesterday. Today I am writing this post from my cell phone, because my computer is already unusable.
I would like very much to describe some additional things I've observed with this incredible malware, and a few theories I've developed, but I will stop here and wait for someone to reply in the affirmative before I continue. I don't want to waste anyone's time if you've already solved the problem or don't have time to read another epic post on this subject. Thank you in advance to anyone who will listen.
quirkly
July 19th, 2009, 15:05
Hi,
Yeah, I am down to the last working computer now, so I cannot afford to try new (unsuccessful) approaches on this one.
I have had some success with Dell also but not enough to get rid of this thing.
Microsoft tech support officially gave up as no phone support helps.
I read one technet post where a guy had to reinstall some firmware, but on a server, so I cannot translate that to my computers. XP and vista.
What are your experiences and ideas?
Thanks for writing
Quirkly
Vistaphobic
July 20th, 2009, 00:26
Hi Quirkly - I'm glad you're still here, but sorry you still have the virus problem. I'm not sure my observations will be useful, but we might be able to identify some common elements to help each other get a more complete picture of this thing.
I am pretty sure my system was infected with a more typical virus before I got what I have been calling the boot driver rootkit. I first thought I was dealing with a hardware compatibility problem, and I decided to update some drivers including the BIOS driver. Big mistake. From then on I was dealing with something far worse. At the time I was running XP SP2 on a P4 3.0GHz desktop from Gateway. I tried everything including boot disk utilities, diagnostic scans and lots of command line programs in Windows PE. But nothing helped. I did a full factory image restore, but I could tell the virus was already awake and running while the restore disk was booting up. The virus would roar to life as soon as I pressed the power button.
Vistaphobic
July 20th, 2009, 00:53
I apologize for the multiple short posts, but I am still posting from a cell phone, and it keeps erasing the text before I can post. (Yes, I seem to have acquired some sort of cell phone malware, possibly by following a bogus link promising virus solutions or discussion. Everything slows way down now when I type, which did not happen before. Also, I cannot type a search into Google. My phone freezes up after I type a single letter or numeral.)
Up next: I will continue explaining what happened while running infected XP desktop.
Vistaphobic
July 20th, 2009, 01:09
Again, sorry for spam-like posts, but I cannot even edit my posts to add more while using cell phone. It was a long journey of trial and error to discover the few weaknesses of this virus. It is extremely clever - the programmers anticipated how an infected user might respond, and they figured out ways to use that expected behavior to their advantage. I have run four reputable anti-virus programs since contracting the virus, and in each case the same result appears to have occurred: The virus clones the primary anti-virus engine, preferably the 32-bit command-line version if one is available, and it uses that to undo any of the user's efforts to use the AV software against it. Primarily this occurs by creating exceptions that the AV scan ignores, by adjusting the environment variables to set certain parts of the hard disk off limits to the AV software, and thirdly by hiding other malicious programs in the Program Files folder or subfolders of the anti-virus software. It appears that some AV software - Kaspersky Internet Security 2009 comes to mind - does not bother to check its own folders for malware.
Up next: More counterintuitive lessons I learned.
Vistaphobic
July 20th, 2009, 01:40
One point of clarification regarding my previous post: The virus can only subvert AV software when a reboot is required to install it. Therefore, some online scans and simpler tools that do not require a reboot are more effective at detecting it. In XP I was able to see a malware program using both Rootkit Revealer and GMER. In both cases I had to disable the main antivirus software for this to work. The results were disturbing: the rootkit (sometimes two of them) had the names of legitimate Microsoft system or third-party device drivers. False positives, perhaps? In retrospect I don't think so. Those drivers had never shown up in rootkit scans before, and on a few occasions I was able to force update the drivers to legitimate ones, which did not show up in rootkit scans. In most cases, they returned to corrupted form within one or two reboots.
The virus seems to choose either a graphics card driver, network card or hard disk driver as its launcher of choice, but it also can use an audio driver if need be. These are ideal vehicles because they typically launch before Windows startup even in an uninfected system, and so their presence is less likely to raise any red flags while giving the virus ample time to undo or change config or registry settings, run password-crack attempts and set comspec to hide or fool the user about what's really going on. It's like a shell game in which the con artist gets to begin shuffling the shells before you even walk up to the table.
Up next: From Swiss cheese to sponge - The virus "jumps" to new PC running Vista.
Vistaphobic
July 20th, 2009, 02:15
One last word on XP before moving on to Vista: I was making some progress toward identifying malware by running cross scans, as I believe Woodmann already mentioned as a possible solution. By running scans simultaneously and repeatedly with Kaspersky, PCTools Anti-Spyware, Spybot S&D and Trend-Micro Internet Security, I got a few scattered hits. Unfortunately, it was apparent that the anti-virus programs did not know exactly what they were seeing - only that it appeared to be malicious. In one scan-bomb attempt Kaspersky detected "heur.invader," which is a generic reference to an unknown malware identified by heuristic scan. I should add that in most cases the AV software reported successful cleaning/deletion of file, but the virus always came back. I believe the driver rootkit keeps a copy of itself archived in a safe location, maybe even encrypted, in the boot sector or firmware such as motherboard or graphics card RAM/ROM. Perhaps even DVD-R drive RAM/ROM. It seems to be memory-resident and can survive a "reboot," which is often just an entering into sleep and then wake state with the virus displaying the proper screen caps to give the appearance of a reboot. Still, how can anyone explain the virus transferring from one computer to another via the transplanting of a GeForce graphics card and nothing else? I don't know enough about firmware BIOS to know if such a thing is physically possible. It appears to have happened to me, but there's another possible explanation: IP/MAC address reinfection targeting.
Up next: How Vista's advanced security features transformed a monumental challenge into an impossible one.
Vistaphobic
July 20th, 2009, 03:07
It is my sincere belief that one day, far in the future, the phrase "Windows Vista" will become a household euphemism for man's great and tragic hubris. For it is no less than the Edsel of the electronic age, the Spruce Goose of our millennium. All a hacker has to do is crack the driver-signature security system, and suddenly she has at her disposal a cornucopia of clever Microsoft-authored tools so brilliantly adept at their presumably unintended uses of misdirection and subterfuge that one is nearly awestruck by their mediocrity with regard to the actual uses for which they were designed. Top it off with a learning curve that makes Linux OS look like a Speak 'n' Spell, and you have the ultimate Cybercriminal's Buffet. Exhibit A:
Sally: "Look at the cool clippy thing. I can copy the Microsoft(c) Windows(c) Vista(c) logo over here and paste it over there. Neato."
Sally's virus: "Look at the cool clippy thing. I can use it to make thousands of small, precise changes to Sally's desktop's appearance to hide critical system warnings, conceal running programs, fake a shutdown or startup, or generate fake UAC prompts that will help me swipe Sally's credit card numbers while enslaving her Hello Kitty special-edition Vaio for use in my botnet armada
Vistaphobic
July 20th, 2009, 03:14
(Phone virus kicked me off before Sally's virus could utter its punchline: "Neato.")
I apologize for the pointless rant. It's been a long day. If anyone is even reading after all that, let me know and I will get back to the point.
evaluator
July 20th, 2009, 04:01
Is it possible to RESET the BIOS to factory default? Remove the timer battery & any other.
Vistaphobic
July 20th, 2009, 08:48
Hi evaluator - What you suggest is a good idea, and it does reset the CMOS to default. On the two XP boxes I've had and now the Vista box, the virus will never allow Windows to boot up from a just-reset CMOS. It will invariably provide some excuse such as "CMOS battery low, press F1 to continue, F2 to change settings, or F5 to run diagnostic scan." F1 does nothing - you can bang on it all day long and not a thing happens. It wants you to hit F2 so it can reinfect the BIOS, which is actually good news in a way. It means the motherboard is not permanently infected, such as via a bad EEPROM, which means this thing is still software and not some miracle firmware hack. I read recently about a computer security conference in which two software engineers demonstrated how a tiny archived file in the MBR could be unpacked and launched during bootup, and any changes it needed to make would be loaded into memory - not a single file on the hard drive was ever infected and yet the virus has total control. Infected memory-resident processes are automatically cleaned by the virus before shutdown. Aside from that single, 8Kb archive in the MBR, there is no trace of a virus on the inactive hard drive. It simply is not there. I think we are approaching the age of the two-desktop workstation, where only one desktop will be networked, and it will be infected with viruses. The best any IT department will be able to do is keep it in a usable state. The other desktop, the clean one, will never be allowed to connect to the network. No flash media or burned media will be allowed to touch it, unless it has only touched other non-networked computers.
Vistaphobic
July 20th, 2009, 11:12
Just a quick question and then I will stop multi-posting. Does anyone know what this virus actually does? Like what its purpose is? I was over at my buddy's house this weekend and realized that he also has it. But his computer is behaving quite normally. Since he hasn't disturbed the virus it hasn't disturbed him. I told him not to use his credit card information online, but short of that I don't really know what the danger is. Maybe I am just worn out from fighting with it, but I'm starting to wonder what's the harm in just leaving it alone. This PC is for personal use - the one I use for work is clean. I never commingle hardware or software and they are never connected. Is that an irresponsible attitude? I sort of envy my blissfully ignorant friend, who doesn't seem to care that his PC is infected.
evaluator
July 20th, 2009, 14:21
Traffic from the infected PC needs to be filtered, so the owner will see whether any wrong connections happen or not.
Woodmann
July 20th, 2009, 19:34
It depends on when he got it and how long it quietly runs before it decides to wreak havoc on his system. And it will sooner or later.
The purpose can only be known by you since these are some freaky morphing mals/virs and no two people experience the same thing.
All I can tell you is to try some of the better malware/virus removal tools and see if you can kill it. You probably can't but it will buy you some time so you can decide what you want to do.
Woodmann
Vistaphobic
July 21st, 2009, 06:02
Getting very difficult to post here now because of my cell phone infection. If I hit the "CLR" key it deletes entire message. Unrecoverable. Anyway I have big news but now I'm on my fourth attempt at posting and I need to get to sleep. Will try again tomorrow
Vistaphobic
July 21st, 2009, 12:49
I'll be brief because my phone keeps disconnecting from the Web. Last night I was finally able to get around the malware's curtain of environment variables. I started Windows Media Center and began playing a DVD movie. It eats up a lot of RAM. Then launched Windows Mail from quick launch key on Microsoft wireless USB keyboard. Clicked on compose new e-mail then on add an attachment. From there I was able to browse my complete C drive. I found a bunch of folders and files that had been hidden even with show hidden files turned on. From Windows Mail I was able to launch a scan bomb (see previous posts in this thread) and I also began deleting everything on C drive. Did full disk cleanup, turned off recycle bin, shadow volumes and system restore. Used Mail browser to search with wildcard *.* and deleted everything. Pulled plug on computer, disconnected hard drive and cd drive. Turned on computer and reset cmos settings. Now reconnecting drives and about to do full reinstall from windows dvd. Will let you know what happens.
sfeet
July 21st, 2009, 16:23
Could you just install a floppy drive to your machine? Create a DOS based boot floppy that could read the BIOS and compare it with a real one? Create it with somebody else's computer, just to be on the safe side.
So first find out what BIOS your computer uses (Award, AMI etc.), find the necessary tools that can save your BIOS to a floppy, find out what version of the BIOS your computer has and compare it with the same version downloaded from your manufacturer's website.
Also if booting from a floppy is possible then it might be possible to boot a Linux live CD with SBM (http://paulski.com/zpages.php?id=1612) and clone your HDD if anyone else is interested in investigating it. Also, if booting from CD works then you could run an anti-virus check from the live CD.
Very interesting topic even if it looks to me like faulty hardware acting out.
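The comparison sfeet describes (dump the BIOS, fetch the same version from the vendor, compare) as an added example; this is not code from the thread or from any of the posters. The two images are constructed stand-ins, and the script assumes the dump was taken from a clean boot medium or an external programmer, since an OS that is itself compromised can misreport what is in the flash chip.

```python
"""
Compare a firmware dump against a known-good reference image of the same
version: hash both, report a size mismatch, and list the byte ranges that
differ so the reviewer can look at exactly what was patched.
"""
import hashlib
from typing import Any, Dict, List, Tuple

Region = Tuple[int, int]  # half-open byte range [start, end)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image; the quick equality test before any diffing."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, dumped: bytes, merge_gap: int = 16) -> List[Region]:
    """List the byte ranges in which the two images differ.

    Only the common length is compared (a length mismatch is reported by
    compare_images). Differing runs separated by fewer than merge_gap equal
    bytes are merged, so a patched routine shows up as one region rather
    than a scatter of single-byte hits.
    """
    n = min(len(reference), len(dumped))
    raw: List[Region] = []
    start = None
    for i in range(n):
        if reference[i] != dumped[i]:
            if start is None:
                start = i
        elif start is not None:
            raw.append((start, i))
            start = None
    if start is not None:
        raw.append((start, n))

    merged: List[Region] = []
    for s, e in raw:
        if merged and s - merged[-1][1] < merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def compare_images(reference: bytes, dumped: bytes) -> Dict[str, Any]:
    """Verdict plus the evidence behind it."""
    ref_hash, dump_hash = sha256_hex(reference), sha256_hex(dumped)
    return {
        "reference_sha256": ref_hash,
        "dumped_sha256": dump_hash,
        "size_match": len(reference) == len(dumped),
        "regions": diff_regions(reference, dumped),
        # Equal hashes mean an identical image; anything else is a finding,
        # including a truncated dump whose common bytes all match.
        "match": ref_hash == dump_hash,
    }


def hexdump_region(reference: bytes, dumped: bytes, region: Region, width: int = 16) -> List[str]:
    """Side-by-side hex of one differing region, for the report."""
    lines = []
    for off in range(region[0], region[1], width):
        end = min(off + width, region[1])
        ref_hex = " ".join(f"{b:02x}" for b in reference[off:end])
        dmp_hex = " ".join(f"{b:02x}" for b in dumped[off:end])
        lines.append(f"{off:08x}  ref: {ref_hex}")
        lines.append(f"{'':8}  dmp: {dmp_hex}")
    return lines


# Constructed stand-ins: a 1 KiB "vendor image" and a copy with two patches.
REFERENCE_IMAGE = bytes(range(256)) * 4
_patched = bytearray(REFERENCE_IMAGE)
_patched[100:104] = b"\x00\x00\x00\x00"  # four-byte overwrite
_patched[110] ^= 0xFF                    # six bytes later: merged into the same region
_patched[600] ^= 0x01                    # isolated single-byte change: its own region
DUMPED_IMAGE = bytes(_patched)

if __name__ == "__main__":
    result = compare_images(REFERENCE_IMAGE, DUMPED_IMAGE)
    print("match:", result["match"], "size_match:", result["size_match"])
    for region in result["regions"]:
        print(f"differs at [{region[0]:#x}, {region[1]:#x})")
        for line in hexdump_region(REFERENCE_IMAGE, DUMPED_IMAGE, region):
            print("   ", line)
```

A dump that differs only in a vendor data area (e.g. a serial number or DMI block) is still worth explaining region by region rather than dismissed, since the point of the check is to account for every byte that is not the vendor's.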
Vistaphobic
July 22nd, 2009, 01:07
Thanks for the suggestion, sfeet. I will try to do what you recommended. I don't actually have a floppy drive, but I am going to buy some cheap thumb drives to load AV scan programs and anything else that might help. At the moment I am going through all the windows setup files in the boot drive to get a better understanding of what the problem is. It's slow going because I have never done this before and need to check frequently against the normal setup files. I can finally do this now because the virus is momentarily silenced and I can browse the Windows installation DVD with no interference. I also picked up a copy of the Windows Vista Resource Kit DVD, which contains some very useful templates of typical setup files. Will update after I have something conclusive to report.
evaluator
July 22nd, 2009, 04:17
"tragic" final!?
You deleted all the "mysterious" malware, instead of saving it for us?
I'm crying..
BTW, Don Wooma, already two people have claimed their phones were infected while trying to get help from our forum.. 8~D
sfeet
July 22nd, 2009, 15:15
Quote (originally posted by Vistaphobic):
Thanks for the suggestion, sfeet. I will try to do what you recommended. I don't actually have a floppy drive, but I am going to buy some cheap thumb drives to load AV scan programs and anything else that might help. At the moment I am going through all the windows setup files in the boot drive to get a better understanding of what the problem is. It's slow going because I have never done this before and need to check frequently against the normal setup files. I can finally do this now because the virus is momentarily silenced and I can browse the Windows installation DVD with no interference. I also picked up a copy of the Windows Vista Resource Kit DVD, which contains some very useful templates of typical setup files. Will update after I have something conclusive to report.
Well, I bet there are loads of people who would love to get their hands on a real virus that resides in BIOS, so that's why you need tools that have nothing to do with Windows: Linux, BSD, DOS, you name it.
Do you have any actual desktop PCs, and if you do please let me know all the details (motherboard brand/model) so I can assist in finding any tools you might need.
Vistaphobic
July 22nd, 2009, 17:45
Well, I finally beat it. Beat them, I should say. Four viruses detected and deleted, and my system now appears to be at peace. However, there are a couple of archived files that are proving to be stubborn when I try to delete them. I want to make sure they are gone before I do what I hope will be the final system restore in a while.
I understand the skepticism from other people on this and other forums -- especially when we seem to be making impossible claims about the behavior of these virus programs. I still can't explain the behavior, but I can at least tell you what was doing it.
After I reconnected and reinstalled, I immediately started installing as many AV programs as I could find, including some of the tools from this forum. I installed my retail copies of Kaspersky Internet Security 2009 and Trend Micro Internet Security 2008 one after the other. I had gotten an idea from something Woodmann had said earlier about viruses resisting removal attempts because the user is behaving in a predictable manner. I decided to do something unpredictable. I set up an ambush.
I had noticed the last time I was able to get a true picture of my system that three unfamiliar executable files were located in the Kaspersky folder in Program Files, and I had suspected that the virus was hiding in the Kaspersky folder because it was safer right under the program's nose. Maybe Kaspersky IS doesn't scan its own folder or something. I installed Kaspersky and rebooted.
After reboot I started installing and running scans with every AV scan I had downloaded, plus Windows Defender and Trend Micro, but not Kaspersky. Then as those multiple scans were churning away, I UNINSTALLED Kaspersky. I think I almost could hear the virus say, "Oh, s**t."
Trend Micro immediately detected and deleted the following (TM's names):
TROJ_SWIZZOR.URW
TROJ_VUNDO.LMP
TROJ_SWIZZOR.UTS
and about 30 seconds later, the ringleader:
Cryp_Xed-10
Quirkly, I highly recommend you give this a try. I don't think it has to be Kaspersky. I think these viruses are programmed to hide among the files of your installed AV software no matter which brand it is. Start with a clean system restore, then install your "decoy" AV program, reboot, and then start loading and running the other AV programs as fast as you can. Run each one as soon as it's enabled. The virus will quickly react and try to disable some of them. That's when you spring your trap by uninstalling the first AV program.
I also figured out a way to delay the viruses' recovery from a reboot. Every time you have to power down, swap the SATA ports leading to your hard drive and CD-ROM. It takes the virus a few seconds to adjust, which means it can't do as much damage before you're able to log in. It's not something you'll ever hear Microsoft Tech Support tell you to do, but it helps.
In the end, it took a combination of manipulating both hardware and software to root out these baddies and give 'em the stomp. I can't imagine Dell or Microsoft ever talking anyone through a fix like that. I think we're all going to have to develop and share our own creative fixes to these new malware programs as they continue to evolve.
And, yes, my cell phone (LG Navigator) does have a simple virus now which partially disables the Web browser. Is it really that hard to believe?
Woodmann
July 22nd, 2009, 19:31
I have infected my ipod and my phone.
No surprise there. If you connect it to an infected box it will most likely become infected.
All you mal experts need to step up and do a better job of helping lamers like me who are addicted to bad places.
Vistaphobic
July 22nd, 2009, 21:14
A couple of footnotes on my ordeal, should anyone happen upon this thread who's going through what I did. It's extremely important to pull the plug on your computer, remove the CMOS battery for a few minutes and/or reset via the jumpers when it appears that the virus has the upper hand. Conversely, it's important NOT to do those things when you need to shut down and YOU appear to have the upper hand. For instance, repairing the registry is pointless if you do not then pull the plug immediately. But you need to boot right back in before those changes are removed from memory. You can disable the virus momentarily at restart by swapping the SATA connections for hard disk and dvd-rom before you turn the power back on. Also, when the virus has disabled so many programs that you are just sitting there while it is buzzing along, shut down and do a full reinstall with Windows CD. The most effective approach is to plan what you're going to do in advance, like running multiple virus scans, then power on and do it quickly. Then pull the power plug as soon as the scans are done, especially if your AV finds and deletes a virus. Also, early on you should try your best to completely disable Task Scheduler, Shadow Volumes, System Restore and Event Monitor. It's easier said than done, and you should check really quickly each time you log on and re-disable if you have to. These valuable Windows "services" will undo everything you have been working at. I also used some command line utilities that really helped, but I'll list them in my next post.
Vistaphobic
July 22nd, 2009, 21:45
I forgot to comment on Woodmann's post about BIOS viruses. Now that I know how these particular viruses I had get the job done, I realize it has nothing to do with infecting any firmware. They really don't need to. They can survive reinstalls and disk wipes simply by using encryption and by altering the application environment. They are also extremely resourceful at using tools already present via Windows or other applications. For instance, at one point I needed to extract a RAR file, so I downloaded UnZipThemAll. Within minutes, the damn virus was using it, too! It generally launches its own copy of whatever program the user launches, and it checks for a COM version first because it doesn't have to bother with VBS scripting, which slows it down. Another thing I forgot to mention is the way it uses BITS and the VGASave program to hide its activity and deceive the user. Try to disable those, and also set your windows appearance settings to high performance, to remove all the bells and whistles which only make things easier for the virus. Finally, I completely forgot to say how important it is to always choose "show hidden" everything. I deleted scheduled tasks for a few days with no effect before I realized there are also hidden tasks, and you must choose to have them show up. Those are the sorts of things I desperately needed to know when I started having this issue but had to figure out through miserable trial and error. Anyway thanks to Woodmann, Quirkly and everyone else who contributed advice. No way I would have deleted those viruses if I had not stumbled upon Quirkly's thread.
JMI
July 22nd, 2009, 22:30
I am SHOCKED, SHOCKED I tell you, to learn that our Woody is "addicted" to "bad places". I am reasonably sure his mother warned him about doing that!
Hum. Better be more careful about where I go with the new iPhone. Still learning how to use it.
Now back to the "real" discussion, which is very interesting.
Regards,
sfeet
July 24th, 2009, 17:44
Didn't your mothers teach you to use UNIX when going to bad places?
Woodmann
July 24th, 2009, 19:49
Well now...........
It's nice to know that someone had the diligence to plow through and see how that shit worked. I am not as patient.
And since I have learned my lesson the hard way, I always scan everything incoming with multiple scanners before I click install.
Thanks Vistaphobic
Woodmann
Th3_uN1Qu3
August 15th, 2009, 22:40
Just WOW. I must say, I only registered here because of this thread. I've been a long-time cracking/reversing fan, but never really bothered to learn a lot, and when I did learn something I didn't go on with it and forgot it. However I do mod drivers every now and then; if I need some extra functionality that should have been there I try to add it, and always spread the love as free software.
This rootkit you talk of seems really clever. Since I sometimes make $$$ off cleaning people's computers, I've seen my share of interesting viruses but nothing like this. I want to share with you my opinion....
First of all, it could not possibly be hiding in the BIOS. The BIOS in current computers is a piece of spaghetti code in itself; it really takes a genius to hack one. And I doubt malware authors bother with it anymore. It could be hiding in the MBR, since that is a fairly well documented piece of code. From all I've learned, the best way to a proper MBR is booting a Win98 floppy and typing in fdisk /mbr (am I old fashioned or what? I'm just 18, but yeah I still have a floppy drive in my main PC, and a USB floppy for my laptops).
Second, I find it obvious that it would try to hide in AV exclusions. I've heard of some versions of NOD32 having a critical bug which would allow ANY program to be injected into them and never detected; no reason why it couldn't be true for other AV products.
Third, I'm curious about this clever malware's actual purpose. Viruses that simply damage files are so 90's. And here comes my own experience (yes, another long post).
I purchased a brand spanking new HP DV5 laptop two months ago, for my 18th birthday. It came preloaded with Vista Home Premium 32-bit. Apart from the driver issues, audio stutters (DPC latency, crappy wireless drivers that HP didn't bother to update), video lag and a ton of bloatware that its stock install had, and the fact that I had to take it apart to replace the touchpad cable since they twisted it so badly at the factory that it broke after 2 weeks of use due to the heat produced inside, I had another interesting issue. Now what could it be except viruses.
I had connected the laptop to the internet for 10 minutes when shit started popping up. Now, I don't run a real-time AV on any of my boxes, and have been virus-free for over 3 years. Safe browsing habits and regular updates are the best defense against viruses of any kind. So I was stumped - no virus for 3 years on multiple computers with multiple Windows versions and as soon as I connect my new laptop to the internet things start going south? Apparently the malware author wasn't so smart as it would constantly crash Explorer, besides Task Manager and the Registry Editor, so it was damn obvious that something was going on. This also was the first time I'd seen a virus get into Safe Mode - things were still crashing happily over there. I went straight to ComboFix but the virus kept closing it. Eventually I had killed the thing with the ever-so-basic tools - Task Manager, Registry Editor and Command Prompt. All I had to do was act quickly, and DISCONNECT FROM THE F'N INTERNET. But one thing really worried me about this malware - one of the infected file names was hp.exe. So it knew I had an HP machine, and the name would easily pass to the less technical PC user, and possibly even to HP tech support, as legit. Now, either HP's software is full of holes, or there's a conspiracy about this. I then wiped the drive clean and installed Ubuntu, played with it for a month and then quit and went for Windows 7 RTM 64-bit which I love. (BTW in the meantime I have gotten another cool laptop for really cheap, and coincidence makes it an HP too; it's a dv9000 series, more specifically the 9750ed. That went straight for a clean install of Win7 x64 so no virus issues on that.)
I have not installed any of HP's software on Windows 7, and developed my own little proggie to handle the QuickPlay hotkeys and make them do whatever I please. I have been virus free since. But still, the thought crosses my brain - where are the holes, were they made on purpose (to sell that BS Norton), and what are they planning exactly. Since I saw the first fake AVs I knew this was going to turn into a business, and so it did, since there will always be unknowing people to fool. But one of the largest computer resellers being involved in this? It doesn't sound too good. With the myriad of configurations out there no one really knows, but one thing's for sure - malware development is now far from being just script kiddie stuff, it's an industry. And it's a growing one at that. I'm ending this post here, but there's a ton more I'd like to discuss - hopefully you'll see me around.
Snatch
August 20th, 2009, 03:59
It boggles the mind how a lot of people seem to be under government/intelligence network/New World Order/you-name-it surveillance with undetectable/unremovable rootkits/malware that generally only lurks/harasses/annoys and no antivirus/OS vendor can really help. Fascinating, and it all seems to have been started/developed over the last few years.
Snatch
August 20th, 2009, 04:09
Quote (originally posted by Th3_uN1Qu3):
First of all, it could not be possibly hiding in the BIOS. The BIOS in current computers is a piece of spaghetti code in itself, it really takes a genius to hack one. And i doubt malware authors bother with it anymore. It could be hiding in the MBR, since that is a fairly well documented piece of code.
You think there aren't geniuses out there who either have BIOS source code or specialize in hacking BIOSes? After it's been done for one version of the firmware, keeping it up to date for newer releases would not be too difficult. Dumping or writing a new BIOS should get rid of it, though if the BIOS is thoroughly hacked then theoretically the dump may hide the hack, and writing it may just fake-update the firmware (version and date change), as unless there was truly a significant change (like a new menu option), would you truly know the difference? Writing it could also succeed, but if the OS is also hacked then in time a fixed "hacked" BIOS will be inevitable. A very tough game to win - see the off topic thread about router hacks. Unless you have a 100% guaranteed way to dump the BIOS out of the firmware chip, that game is already over.
Th3_uN1Qu3
August 20th, 2009, 09:13
I'm not saying there aren't. I've read Phrack so I know it is possible. But there are too many configurations out there so a "generic" BIOS infector isn't possible; besides, it would be too risky. Instead of getting passwords and account numbers they would get nothing because the BIOS crashed and the computer became useless. Since malware became a business they are more interested in making money quickly rather than challenged to write complicated code that isn't 100% sure to work. This is why we see more and more malware written in VB and AutoIt and a whole lot fewer ASM viruses.
sfeet
August 23rd, 2009, 14:37
After surfing about the possibility of creating a BIOS-based virus I came across this:
http://www.coresecurity.com/content/Persistent-Bios-Infection
"We infected a Phoenix-Award BIOS"
Vistaphobic
February 11th, 2010, 11:14
It's been months since anyone has posted here - just thought I'd add for the record that my malware problem came back and is still with me. I pretty much don't use my computer anymore. I don't want to be part of some stupid botnet, and I can't get my system clean. I've spent money to have professionals do low-level disk wipes, but they never fix it. I don't know if I am reinfecting the PC somehow or if this malware has a new trick that the repair shops haven't learned about yet. Either way I am tired of debating people about it. I'm a lot happier just doing other things and not thinking about it. Fuck the Digital Age anyway.
Th3_uN1Qu3
February 11th, 2010, 14:33
Assuming they did do a true low level format (which they probably did), I'll have to ask where your data is stored and how you get it back onto the computer after you format it.
If your backup is infected it's obvious the virus will come back. But, if you can do without your computer that's fine. You can read your emails on just about everything these days, so if your work doesn't need you to use a computer, and you don't play games on it either, then there's no real need to use it.
Edit: I just remembered your first post - you do need it for your work, and it doesn't look like a trivial program either. That's a bit tough then. Like I said above, check your backup for infection before you do anything else. Anyway, you said that a tech wanted to image your computer in a VM and check it out but his boss didn't let him. I can do that for you if you want to. I have the hardware needed to run a virtual machine and the ArcView software inside it too, so I can tell exactly what works and what doesn't for me. Oh, you may ask me what would happen if I get infected. Well, my main computer is in need of a reformat anyway (I'll get a new motherboard soon so I'll have to do it), so don't worry.
But of course, you can't put your trust in a random guy off the interwebs so it's your call. If you want me to check it out drop me a PM.
Edit 2: The first post was by a different author, duh... Regardless, I'm willing to take a look at it. I'll be getting both a new motherboard and a new HDD so if my computer does get infected it'll be retired.