Frost Wire LLC, Remote access, Boot:X Drive, unable to resolve

[mellowkill]

Hey Shane, I like your statement of wanting to help others. I also think it a cool and interesting statement about if it's not broken why fix it?" "to make it better. With that being said; I have spent the last two months trying to rid my computers of a ghost in the machine.

I chose to download files off of Frost Wire and shortly thereafter started having problems. I watched all of my files being systematically uploaded to God knows where and deleted as they were being uploaded. I of course immediately copied what files I could to disc and unplugged my external drives.

I called Microsoft and paid them to remotely access my computer and they ran a series of malware, spyware and virus removal tools, i.e., Adware Cleaner, Malwarebytes, Eset node32, Hitman Pro and Sunbelt Viper. They failed! I spent the next two months doing research, I used Draik's Boot and Nuke, and ErAce from SourgeForce to wipe the hard drives All to no avail!

I battled with the discovery of my laptop being connected to the internet even though the Device Manager showed that my Wlan, and WiFi drivers were not installed.

I soon discovered that my computer was connected publicly and that my "home" computer was being used as a work station and connected as a business computer. I also discovered that here was a lock on my personal logged on account ( something I have never had on my computer(s) over the last 15 years I have used computers. Along with this came the loss of permissions to access my files and shortly thereafter the use of my DVD rom which was limited to a generic Cd rom as this was the only driver installed. I tried to battle it out with whomever or whatever this anomaly was by resetting the Group Policy Settings or the App Locker Settings, again all to no avail!

I found a number of tools through bleeping computer.com and I attempted to use those without any success. The "All In One" Repair Tool reset a lot of the settings but the demon just returns.

I have taken all of the necessary steps to protect the identity of family by reporting this to authorities and changing all of the bank account and credit card information but am still suck with the problem of getting rid of  the intrusion. I have placed a business level protection on my system and it continues to clean the same two files daily. I will post screen shots in next post after hearing your thoughts. I am limited on funds at the moment but willing to put in the work. I am a savvy basic computer user if that makes any sense and have become instantly interested in going to battle with the knuckle heads that chose to behave in such a manner. I believe it to be the most cowardice way to be a criminal I have ever came across. Thanks for your time.

[Shane]

You have a rootkit infection. These are normally very well hidden and if non of the scanners know what to look for they will miss it.

Combofix has been good at a lot of these, but only supports Windows 7 and older, you didnt tell me what version of Windows you are on.

Then the scanners are always updating, after all they play catch up to all the new infections. So running malwarebytes anti rootkit, adwcleaner and so on all over again would be a good idea, and to run them from safe mode with networking.

But the only way you can be 100% sure that you are clean with something like this is to do a fresh reinstall of Windows. Not something a lot of people want to do, but isnt as bad as you may think.

Now normally when a customer brings a computer to me like this I trace and see what programs have access to the net and trace down where the infection is at. I have been seeing some new infections that are infecting the windows system files themselves and because of that most scanners wont touch the windows system files and so a lot of scanners skip it.

I have been manually finding and cleaning some new infections over the last few weeks that not a single scanner was finding but I was able to find manually. It will be only a matter of time before the scanners catch up and start detecting it, but that doesnt do any good now.

There have also been mast boot record viruses that even reinstalling windows doesnt fix it, because it is on the MBR of the drive. So anytime I reinstall Windows fresh I have the windows setup destroy the file system and make it new, thus making sure the drive gets the MBR wiped and remade.

Right now it is hard to tell what you have, but you are infected, that is for sure. So lets see what we can find, so what version of Windows? When was the last time you ran the scanners? And when you ran them did you run them in safe mode with networking and make sure they could update themselves?

Shane