Major virus, trojan, worm, hack whatever...please help

I have a pretty serious problem on my system that I can't figure out for the life of me. I have scanned with just about every single App, portable, rescue disk, online scan, and just about everything you can think of under the sun. I don't think there is a single product mentioned on this site in the threads I haven't tried yet, AND ABSOLUTELY NOTHING is detecting it.

I have DBAN'd my drive to the fullest, started over from scratch twice, backed up and restored with various images at different stages, flashed bios, router, and just about everything else I can think of. I am hard wired and wireless is completely turned off. The only thing that is wireless is mouse and keyboard.

Something is either hacking me or laying dormant on my system that I can't get rid of. It usually waits about 12 hours after my latest install or backup, then is activated somehow. I am not downloading anything outside of some apps mentioned on this site or manufacturer:

Emisoft Online Gaurd (Pro)
Emisoft Malware (Pro)
7Zip
CCleaner + Winapp2.ini
Intel Chipset Drivers
Firefox 8.0.1
__________________________________
Avast (Free)
Super Antispyware (Pro)
Firefox Configure and Addons - NoScript, Adblock Plus, Better Privacy, Addblock Plus, WOT, Ghostery, Cookies Manager, Ref Control
aimp music player
Nvidia Video Drivers
MPC-HomeCinema
Mouse
Hijack This
Cyberpanel
OpenVPN
________________________________________
Geo location firefox
Firefox, update to 9
keyscrambler
Installed Java ver 6 update 29
________________________________________
Hitman Pro (trial)
Keyscrambler (free)
Puran Defrag
Zemana
Utorrent

The line breaks represent different image stages I have taken. Outside of this stuff, I haven't downloaded a single thing or started to use Utorrent.

Whatever I have is walking around OA like it isn't even there. It is deleting the log files and opening up ports like I don't even have a firewall at all. It is killing my event viewer logs so I can't see changes made to security or apps. It disables the keylogger, keyscrambler, MBAB, Avast, and after a short time, makes it just about impossible for me to function on my system.

One of the things it does for sure is opens ports, then goes right for my hard disk at about 100% use, and looks like it is dumping it out to the net.

I a so clueless as to what to do or how to make this stop. Before you suggestion that I try one of the major scanners, I literally have tried just about every single one I could find in thread you all mentioned:

Kaspersky
Emsisoft
ESET
MBAB Pro
Spybot
DrWeb
Trend
BitDefender
Comodo
HitmanPro
Avast (was primary)
Norton
and a bunch of online scans that I could find.

What could be attacking me this bad that it can get around ALL this stuff undetected? I am starting to think it isn't a virus as much as it is a hack. I have tried scaling down a ton of services, check my autostarts, and just about everything I can think of, and it still keeps coming back.

The only last two things I can think of is to go back to Comodo in paranoid mode, move the router over to ddwrt, and try another antivirus that I haven't used yet which I am clueless at this point which one (which might end up being ESET for now).

I know every possible remote admin in router and system are off. I use a VPN, and I don't go anywhere dangerous or download anything outside of stuff mentioned on this site until I can get the "all clear" sign.

I have been trying to peg this problem down for weeks now, and every time I think I have it under control, it reappears again. As of my most recent reload, Zemana started going off like crazy for Firefox plugin container, Explorer.exe, and Logitech drivers. I didn't have the keylogger problem until after the first one appeared when I tried using that VPNCheck progam. I have never seen Zemana go off before, then when I was testing that program, that was the first time it went off, and I have had it go off multiple times since. Although on my latest restore, I don't have VPNCheck on my machine at all.

Are the apps I listed above 100% safe?
Is there a chance I could be picking something up from this site, including a PO'd sub? I know the politically correct answer, but I need to ask.
Could something be laying dormant on my HDD that even DBAN can't get rid of?
If it is a hack, where could they possible be coming in from at this point?
How could something disable and paralyze just about every security software known to man and not even give me any type of warning it is doing just that until I happen to notice in the system tray it is disabled or gone?
How could something walk around OA with the highest settings like it wasn't even there?

I have run Hijack this and nothing at all seems out of the ordinary. There isn't a single line item in there that I have a question about. It doesn't matter how far back I roll the system back, it is still there.

At this point it seems kind of pointless to keep reloading the system if I am not finding the root cause. That is also why I am wondering if this is a very sophisticated hack rather than a virus. It almost seems like it knows where and what I am going to look for next as things get more difficult for me. Once I start looking into the event viewer or resource monitor more indepth, and tracking files to original locations, that is when it usually blows up on me and I can't use the system anymore.

I am soooooooooooooooo clueless at this point, please help...

 

Just a thought as I see you have not used IObit Malware Fighter. Perhaps try the 'free' version and do a scan.
IObit.com.
It gets good reviews and I have it as an extra layer on my system together with ESET Smart Security Suite.

KOR-

 

What about a hardware keylogger?

 

Bootkit?
BitDefender’s Bootkit Removal Tool is one advertised remedy but google Bootkit Removal as I think there are others.

https://www.wilderssecurity.com/showthread.php?t=314738&highlight=bootkit

Here is a search on wilders..."bootkit"
Good luck
https://www.wilderssecurity.com/search.php?searchid=4421378

 

Fighting unknowns on a somehow compromised system may not be your best bet. Back up what data you want to keep, wipe your disks, and do a clean Windows install. Image your new Windows installation before restoring anything. It might be wise to use Linux as your recovery environment, and run Windows as a VM.

 

• Fully format the HD, Install the OS from original disk.
• Turn ON windows firewall, Update OS with all patches (Win7 better). Reflash router with latest firmware and change password (if on WIFI, use WPA2 + Long random password).
• Update flashplayer to latest version, java to latest version (update 30). Now install one only security suite (KIS, ZAX, WSA) directly from company websites.
• Don't use backups

Leave all the rest OUT. Done.

If you have still problem then either you are a real security cluless or you are watching too many spy movies the worst mistake is to become paranoid about security. You will ever feel secured and always feel been monitored by an unknown entity out there.

 

As previously mentioned, do not trust any software you've got backed up now nor any of the images.
Download a linux livecd (at a friends place if necessary) to be able to run in a (relatively) secure environment and to download programs towards a (scrubbed) flashdrive.
Have you checked online whether your router comes up as easily hackable?
Do you live on your own or perhaps have room/house/dorm mates or a relative pulling a prank?
Don't use 2 AV's as in your list; Avast and EAM, that's asking for trouble of course.
Have you zero'd the entire drive or perhaps only one partition? Have you checked if the first MB's on the drive are actually all zeros?
Is your Windows OS copy legit? If so, follow the steps from the post above from fax.

 

Perhaps one of your downloads got infected by a virus. After a clean installation, download the programs again, if you're not already doing so. As others have mentioned, install as little as possible at first.

---

There have been reports of a BIOS rootkit in the wild.

---

If you're installing the original Windows XP, perhaps you're being infected before Windows Update can complete.

 

• 
  This, if you have tried everything and nothing works, just FORMAT
  
  That's why everytime i want to clean a PC i don't look for software or anything else, the first step is format Which cleans my PC entirely.

 

The OP already DBAN'ed the drive and flashed the BIOS. There's not a whole lot of mention about symptoms, nor an O/S used that I can see, except that it comes back after about 12 hrs. This seems impossible under normal circumstances, but it's hard to say, really, without being there or knowing a lot more about the problem.

EDIT

unless all those "various images" the OP's restoring are infected? I would agree with others to format or wipe, then re-install, if not behind a router, then disconnected from the network until a firewall is enabled.

 

This isn't an option for me financially right now.

 

I will look over this thanks.

 

I know nothing about linux at all.[/QUOTE]

No I haven't I will look into this. It's a Linksys WRT54GL

I am the absolute only person with access at all.

I have never used two Antivirus' at the same time. This is just a list on different rebuilds.

I have Dban'd the hard drives, all the hard drives, and have never had more than 1 in at a time on a rebuild. Yes they are zeroed.

Yes, it is legit.

 

This is where I am at right now in my thinking. One thing I forgot to mention, it's getting around my BIOS password and disabling it. I am the ONLY person with access to the machine at all. I will read up on this some more. Thanks.

 

I am running Win 7. Yes the drive has been Dban'd, the bios flashed, router flashed.

As for symptoms, it's hard to give a lot because once I start getting into the meat of it and looking, the system becomes inoperable. The things that happen first is Zemana starts telling me there is keylogger activity in Explorer.exe, Firefox plugin, Logitech mouse drivers. However, none of this has been consistent within each rebuild. Just something that "has" come up.

It goes into OA and opens up ports 0-63k or 0-53k (I don't have it available to look at now on a new rebuild) and opens it for outgoing and incoming. Pretty much, every port.

My hard drive starts going crazy running at 100% and all these log files start getting produced all over the place. The one that seems to take up the most activity is something like $d:
\volume log or something of the sort which D: is my program files on a separate partition.

I know this sounds crazy, but it is almost like it knows where I am going next to look for the problem. If I leave it alone for the most part, my system stays working. If I start going into Resource Monitor and following the files that are utilizing the most resources, that is when the system stops responding and all I can do is a system restart.

I will try to get more screen shots the "next" time this happens, but it is hard to do.

 

Sorry for the slow responses, I have been down the last 2 days since posting doing yet another rebuild. I have tried just about everything you guys mentioned in this thread, I kid you not. I am on a stable and somewhat clean rebuild again. See how long this lasts.

The thing I forgot to mention in my OP is that it is getting around my BIOS password somehow and disabling it. Nobody but me has access to my home or my system at all. Unless they are getting in without me knowing, which is a possibility, but I doubt it since I setup traps to know, I have no clue how they could do this.

I will be closely monitoring now, and see what more info I can give you guys when it happens.

I have switched away from OA and put Comodo on in paranoid mode. I put ESET on without HIPS enabled at the moment, but am willing to change that once I understand it better. It is driving me absolutely nuts as the moment with alerts, but none of which I think I need to be alarmed about. Just need to be more educated on it. I don't really like this program at all so far, but it's the only one I haven't tried for the most part on a new build (outside of AVG). I also have SuperAntiSpyware Pro installed.

No flash, no java at the moment.

I did put on a couple of utilities that I need like CCleaner, OpenVPN, Firefox 9 (which I am thinking about switching back to 8 because have the addon's I use for security don't work with it). I trimmed down some more services outside the norm like:

Disabled Services:
- Server
- TCP/IP Netbios
- Firewall
- Homegroup Listener
- HOmegroup Provider
- Parental Controls
- Tablet PC
- Volume Shadow Copy
- Windows Remote Management (WS-Management)
- Windows Browser

When I say "norm" I mean like all the remote services are already disabled.

Nothing is shared on my system, I don't have any homegroups enabled or working. I put on important drivers, but I haven't even put on Logitech drivers for my mouse since that always seems to be a part of the equation.

I might have missed a couple of things to talk about, but we will see.

I am really starting to think this is more the work of a very professional hack than a virus. It's hard to say why, but just what I think at the moment. What I can't figure out is how they are getting in, or why they "keep" getting in. There is absolutely nothing on my system datawise that has any value or worth getting. I haven't logged onto any accounts that I need to worry about, and there is ZERO information to take.

Any other thoughts or questions would be appreciated.

Thanks

 

After doing all that, you reinstalled Windows 7. From where? Did you use the original install disk? If so, are you sure that it's legitimate? If you used a backup image, maybe it's compromised. Maybe the machine was already compromised when you bought it.

 

Yes, reinstalled win 7 several times. It is an official Windows 7 CD. I built the machine from the ground up literally myself a couple of years ago. Could it have been compromised since? Possibly, but not by anyone having access to it without me knowing...in other words, entry without me knowing about it. Nobody has touched my PC in my presence since it has been built.

The version I am on currently, is an image though of just Win 7 and office, with all the patches already done, moved over to a Dban'd drive. I don't care if it pops back up right now, I want to see if this specific image which is as clean as it gets outside having reflect on it, does the same thing to me. If this one blows up, I will Dban the drive again, flash all equipment bios, and put yet another win7 clean install on it. See if it happens again. I wanted to see what happens with this image though just for the kicks at this point. I have 3 Dban'd drives behind it all zeroed out, not currently connected to this OS in any way, waiting to go if it happens.

When and if I can get clean, I will reload everything from scratch and start over anyway. I want to see if the Bios gets disabled again on this build. Until I can figure out how they are getting in the BIOS (if that is what is happening) then I didn't want to put all the effort into reloading win and office again with patches, if it is in the BIOS anyway.

 

Deprive the Virtual Infection of attention and it will go away.

Stop looking for it, leave it alone, and it will leave you alone, it will go away all by its self.
Virtual Infections have no boundaries, nothing can destroy or stop them, especially relentless attention.
Virtual Infections thrive off of attention.


HKEY1952

 

@ The Oracle ...

I wasn't recommending that you purchase anything.
I am suggesting that you check to see if you have a hardware keylogger onboard.
Software can't detect them.
Start looking for one, usually inline between the keyboard and the tower.
Hardware Keylogger Detection
Hardware keylogger

 

If you are hinting at the "placebo" theory, then no. When I say, "leave it alone" I mean not going into resource monitor, seeing which specific files are raging out of control, and then "starting" to follow their path specifically and/or trying to go into event logs and seeing to see security changes being made and the system locking up. Systems just don't lock up because you start to trace or follow these paths. Placebo would be me thinking something is wrong, and creating more problems. Placebo also doesn't explain BIOS password disappearing, antivirus and spyware become disabled by not a thing I have done, or the event viewer logs mysteriously disappearing.

If this isn't what you mean, I have no idea what you are getting at and if you could be more specific it would help.

 

OK I can do that. However, I do use wireless mouse and keyboard. Could they be getting in through there easily?

 

Google --> wireless hardware keylogger

 

I traced all wiring everything is legit nothing in-between. I should also mention I have Bluetooth service disabled, wireless service disabled, and wireless network card disabled in device manager and Network adapters. Wires between modem, router, and system are all legit and clean.

Unless they got in and replaced my Logitech USB chip itself with something that is suppose to look like the original (which at this point, nothing would surprise me) then everything looks legit.

 

When did you create this image? Did you create it after your problems started? Maybe this image is compromised. I get that you're playing with this. But if you aren't sure that you're starting with a clean image, you won't get useful results.