I have a problem and hope you can help me out. Microsoft tech support is useless, after multiple calls, IM sessions, and remote help. Here are a few symptoms,
1. Disguises itself as a system32 file and blows right through almost all firewalls unless locked down tight. AVS, Win, Norton, Comodo allow it right in from an IP outside of my network. Immediatly in event viewer I see warnings and messages of registry changes and security changes.
2. Changes security and admin permissions until the computer will not do a thing, tells me "you do not have permission" and I say to open the start menu? Then I am forced to try the system restore which sometimes I am unable (tells me I don't have permission to restore) so I boot from the DVD and I have had it tell me I don't have permission to access the disk when a format /c: or fdisk /s command was given in the cmd prompt.
3. Even when it has allowed a system restore I see a window that pops up while the system loads and tells me the registry was changed and when the "fresh" install boots I am not able to access admin protected pages.
4. I just discovered it makes multiple hidden partitions. I just bought a new HP with a 1tb drive yesterday. Brought it home and right after it booted I watched a system32 file walk right through the Norton firewall that of course is trusted because it is a system file. Problem is the file came from a different IP. I find out next as I am quick to hit the system restore eject button that it must rewrite the recovery partition so it was loaded during the restore, because there is a laundry list of registry changes and software changes in the event viewer by the time I am able to take a look. I did not send the new HP into shark infested waters knowingly. I thought all the other computers on the network were clean. As I crashed every one of them and did fresh installs yesterday. Not knowing the restore partition on 2 dells and 1 other HP had been altered. I saw no signs of the maleware until the new HP came online, then all the computers seemed to load up with any CPU meters maxed out, just like all the fans. And just like before all are useless once again. This maybe coincidence but it is what my wife and I observed. I shut down the 2 hr old HP after all permissions had been revoked and loaded [email protected] Disk which counted 84 partitions of all different sizes. With what looks like bits and pieces of system files, HP recovery files, pre loaded software from HP files, all mixed up within the partitions. on a brand new drive, that windows or cmd prompt in system restore did not show. This was within 2 hours of unpacking it from new.
I have one semi operable computer out of 8 and I think the reason is I went through and changed the local security policies to not allow stuff like "any IP under the sun come on in and take over when it wants" type rules. I then pinned it to my task bar and now if I try to open it or any admin auth required programs I get a pop up asking if I want system32\secpol.mcs /s that has an expired certificate from Microsoft to change the registry. I have a feeling I would lose this computer if I checked yes.
I got Malewarebytes to run and the log is below. GMER tells me the system could not find the file specified and only has 4 boxes on the bottom right able to select. Everything else is grayed out. I have renamed the file before I extracted it and tried multiple download locations. OTL seems to work except it will not shut down. Scans over and over now. The most recent log is attached.
Some of this may be unrelated and simply a coincidence or a product of my growing paranoia as this gets stranger and stranger. Let me know what you think. Thanks