#1
SDTable Registry Problem is REAL!!

FINALLY I found other people who have experienced this problem!! Posted in this Group and others. I posted this as a reply in another group, but thought for expediency, I would start a new thread in this post.

OK.....

I have been dealing with a persistent malware problem since early this year. I have had not only problems with the malware affecting my laptop, but also from the numerous boards and forums where I would try to seek help, and after following instructions (although I am fairly computer savvy), they typically would believe I was lying or not following their instructions. I am using (currently) Vista Home Prem. x64 on a HP Pavilion dv4 1225dx.

I noticed this string of registry key changes as the previous posters noted. And I have seen this happen on my PC: (a) after re-installation of my OS, (b) after performing a dd if=/dev/urandom of=/dev/sda bs=10M conv=notrunc from a LIVE linux CD--thereby wiping my drive with random characters, and THEN reinstalling my OS, and (c) after I decided to get mad, and I went out and bought a new HDD for my laptop.... then reinstalled my OS.

But none of those things changed anything. This is a rootkit, and I believe it is a PCI rootkit. I do not know how it got on my machine initially, but the sad thing is, it occurred back in February, and then I bought a new laptop in April and accidentally stuck a USB pen drive (Doh!) into it, and I saw my screen flicker, and I knew what I had done (I had not even been out of Best Buy where I bought it for more than 20 minutes). I should have just made up some excuse to return the laptop then, but I figured "How hard can it be to remove a virus/rootkit? If I have to reinstall my OS, I will."

But this rootkit does not care if you reinstall your OS. I have even re-installed my OS, and halfway through the reinstallation, I unplugged the machine abruptly, took out the battery, and the 4GB of DIMMs in the laptop, and let the whole thing sit for 4 hours. I then continued my reinstallation. It didn't matter.

It is some form of ROM rootkit, because after installation, if I set my firewall to advanced, and make sure I check all outbound and inbound traffic FIRST, I notice several things....

1. LSASS.exe tries to access the net (to an IP in China or other exotic places, all of which are probably proxies), but there is no LSASS.EXE other than the one in windows/system32 -- right where it is supposed to be.

2. Services.exe accesses the net (I thought that this might be normal, but I read it is only under certain circumstances related to PnP.... which, by the way, the PnP service cannot be disabled, as the whole dialog box on that service is grayed out).

3. I do not have administrative rights... I have invoked the super "Administrator", set a NSA-style passphrase for it (even wrote a random character gen script in Perl, and then copied a 20 char string from it, and pasted it into the Password Box. Then I printed the Perl output so I would never forget this random character string). And I will try to use several network monitoring applications which I download for trial use, and even as THE ADMINISTRATOR (I delete all other users), it states I do not have administrative rights to run the application!

I have installed Windows, then installed a Debian/Ubuntu based Linux (BackTrack 4 or Linux Mint), as a dual-boot, and ultimately, both of these OSs will get corrupted too!!! I NEVER set up smb/samba in Linux, and make sure any daemons are not using Samba, but somehow, whatever access has been made through my Windows partition migrates to my new Linux partition, and infects it.

This probably sounds crazy, and I know it has lowered my quality of life. But I have already bought a second laptop; I cannot imagine there is not a way around this to eradicate it.

Lastly, during Thanksgiving 2 days ago, I was at a friend's and I noticed he had an old Netgear router/firewall. He let me have it and I am running it now. I shut off UPnP on the router, and turned up the built-in firewall to a rather strict level. It seems to be doing OK, but that may be because whatever rootkit I am infected with cannot get unfettered access to the net because of the hardware firewall (it always walked right through any software firewall in a matter of days), and therefore cannot grow and take over my system.

But I have been hoping to meet a Windows expert with an open mind... maybe there is someone here who fits this description. Far too often I will seek help, and the Windows expert who is assisting me will spend 1/3 of the time spewing platitudes like "you shouldn't use the Administrator user" or asking me if my Windows Update has been turned on.

Just as an FYI, since this started I read Stanek's Windows Command Line probably 3x, and the SAMS Windows Vista: Management and Administration perhaps 2x. This additional information has sometimes allowed me to slow this malware down, but never have I been able to stop it. It seems to change/morph so rapidly to whatever obstacles I try to put in its place that I sometimes feel as if someone was specifically interested in hacking my PC as opposed to some mindless bot-agent that gets orders from some central server. Otherwise, whoever coded this beast is brilliant and must have a database somewhere updating this code for a myriad of situations.

So.... I hope someone can respond to this. I have stacks of screenshots using Sysinternals applications which show things I believe to be evidence of this RAT, and overall more knowledge than I care to have about it too.

But that registry update the other poster mentions... (there are 569 registry changes that take place upon bootup that are part of this rootkit's expansion into the system-- it happens on maybe the 3rd or 4th boot after I enable network/internet access--- but the last one is in fact a change to "SDTable" and it stays on the screen for about 3 seconds before it continues the boot into Windows. This is why everyone remembers it.

I also think I am in some active domain and therefore my "local administrator's rights" have been made subject to the domain controller.

I work at home.... as far as I know, no one has ever had physical access to my PC.

Paul
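The two firewall observations in the post above (lsass.exe and services.exe making outbound connections) are the kind of thing that is worth checking mechanically rather than by eye. The shell script below is an added example and is not Paul's code or the output of any tool he names: it reads a connection log in a CSV layout constructed for this example (time, process name, image path, direction, remote IP, remote port) and flags two things a defender cares about, an outbound connection from a core Windows process to a non-private address, and a process carrying a core Windows name whose image path is not under \Windows\System32 (a look-alike binary). The sample log entries, including the IP addresses, are constructed.

```shell
# Added example, not from the thread. Triage a constructed connection log for
# outbound traffic from core Windows processes.
# Log layout (constructed): time,process,image_path,direction,remote_ip,remote_port

# is_private_ipv4 A.B.C.D
# Exit 0 for RFC 1918, loopback and link-local addresses, 1 for anything else.
is_private_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        $1 == 10                            { exit 0 }
        $1 == 127                           { exit 0 }
        $1 == 192 && $2 == 168              { exit 0 }
        $1 == 172 && $2 >= 16 && $2 <= 31   { exit 0 }
        $1 == 169 && $2 == 254              { exit 0 }
                                            { exit 1 }'
}

# suspicious_outbound LOGFILE
# Prints one line per outbound connection made by lsass.exe or services.exe
# that either comes from an image outside \Windows\System32 or goes to a
# non-private address. Everything else is ignored.
suspicious_outbound() {
    while IFS=, read -r ts proc path dir ip port; do
        [ "$dir" = "out" ] || continue
        case "$proc" in
            lsass.exe|services.exe) ;;
            *) continue ;;
        esac
        lower_path=$(printf '%s' "$path" | tr 'A-Z' 'a-z')
        case "$lower_path" in
            *\\windows\\system32\\*) in_sys32=1 ;;
            *)                       in_sys32=0 ;;
        esac
        if [ "$in_sys32" -eq 0 ]; then
            printf '%s %s path-outside-system32 %s -> %s:%s\n' "$ts" "$proc" "$path" "$ip" "$port"
        elif ! is_private_ipv4 "$ip"; then
            printf '%s %s public-destination -> %s:%s\n' "$ts" "$proc" "$ip" "$port"
        fi
    done < "$1"
}

# make_sample_log
# Writes a constructed log (not a real capture) to a temp file and prints its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2009-11-28T10:00:01,services.exe,C:\Windows\System32\services.exe,out,192.168.1.1,80
2009-11-28T10:00:02,lsass.exe,C:\Windows\System32\lsass.exe,out,203.0.113.7,443
2009-11-28T10:00:03,lsass.exe,C:\Users\Public\lsass.exe,out,192.168.1.5,445
2009-11-28T10:00:04,lsass.exe,C:\Windows\System32\lsass.exe,in,192.168.1.9,88
2009-11-28T10:00:05,firefox.exe,C:\Program Files\Mozilla Firefox\firefox.exe,out,203.0.113.9,443
EOF
    printf '%s\n' "$f"
}

# Usage: suspicious_outbound "$(make_sample_log)"
```

On the constructed sample this prints exactly two lines: the System32 lsass.exe reaching a public address, and the look-alike lsass.exe under C:\Users\Public. Note that on a domain-joined machine the real lsass.exe legitimately talks to domain controllers, so the "public-destination" rule is only meaningful once those addresses are known and excluded; the path rule has no such caveat.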
#2
Re: SDTable Registry Problem is REAL!!

A reinstall of the O/S gets rid of nothing!

If you are so severely infected, you must delete all of the partitions on your hard drive. Then you commit those changes. Now there is nothing on your drive, no partition tables, no MBR etc.

Now you create a new partition and install the operating system fresh on the bare hardware. Whatever ailed you will NOT be there any longer. A rootkit is, after all, only code. By doing the aforementioned you have eliminated all code on the drive and the pointers to where that code was stored on the drive.

Again, a reinstall is worthless in your case. You just carry over the problems to the reinstalled system because whatever was there is migrated to the reinstalled O/S.

--
Richard Urban
Microsoft MVP Windows Desktop Experience & Security

"PaulLukitsch" <plukitsch******.com> wrote in message news:a87c0799-ed02-40c5-a537-04f5ba9b4b42@c34g2000yqn.googlegroups.com...
#3
Re: SDTable Registry Problem is REAL!!

Listen, try this also: Don't format yet. DELETE ALL PARTITIONS; this will render the disk unusable (when you boot, you should receive a severe error like "invalid disk"). Obviously you can only do that by running commands from an EXTERNAL drive because yours cannot run & wipe out ITSELF. After that create a new partition, or multiple partitions if that's your preference. Only then format the partition (or each one if multiple). Demolishing both partitions & reformatting should be near-close to that Hitachi/IBM/whatever utility I mention, though not as perfect. This should get rid of the infection. And if not, as I explained in previous messages, do a deep reformat which writes zeroes to every bit of the hard disk; MBR, everything is wiped.
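Posts #2 and #3 both describe the same procedure: destroy the partition table and MBR, and, if that is not enough, overwrite the whole drive with zeroes. What neither post shows is how to confirm afterwards that the wipe actually happened before reinstalling. The shell script below is an added example and is not from either poster: it performs read-only checks on a block device or disk image, looking for the 0x55 0xAA boot-sector signature at offset 510 and for any non-zero byte in the first megabyte. The two image files it builds are constructed for the demonstration; on a real drive the same functions would be pointed at the device node from the live CD.

```shell
# Added example, not from the thread. Read-only checks that the MBR and the
# start of a drive (or an image of one) really are zero after a wipe.
# Nothing here writes to the path it is given.

# has_mbr_signature PATH
# Exit 0 if bytes 510-511 hold the 0x55 0xAA boot-sector signature, 1 otherwise.
has_mbr_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# nonzero_bytes PATH [BYTES]
# Prints how many of the first BYTES bytes (default 1 MiB) are not 0x00.
nonzero_bytes() {
    head -c "${2:-1048576}" "$1" | tr -d '\000' | wc -c | tr -d ' '
}

# wipe_status PATH [BYTES]
# Prints "wiped" (exit 0) when there is no boot signature and every byte in the
# inspected prefix is zero; otherwise prints "not-wiped" (exit 1).
wipe_status() {
    if has_mbr_signature "$1"; then
        printf 'not-wiped\n'; return 1
    fi
    if [ "$(nonzero_bytes "$1" "${2:-1048576}")" -ne 0 ]; then
        printf 'not-wiped\n'; return 1
    fi
    printf 'wiped\n'
}

# make_samples
# Builds two constructed 1 MiB images (not real disks) in a temp dir and prints
# the dir: zeroed.img is what a drive looks like after dd if=/dev/zero; stale.img
# is the same but still carries a boot-sector signature, i.e. the partitions
# were formatted but the MBR was never cleared.
make_samples() {
    dir=$(mktemp -d)
    dd if=/dev/zero of="$dir/zeroed.img" bs=512 count=2048 2>/dev/null
    cp "$dir/zeroed.img" "$dir/stale.img"
    printf '\125\252' | dd of="$dir/stale.img" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf '%s\n' "$dir"
}

# Usage: d=$(make_samples); wipe_status "$d/zeroed.img"; wipe_status "$d/stale.img"
```

A pass from wipe_status only says the disk is clean; if the symptoms Paul describes return after a verified wipe and a fresh install, the persistence is not on the disk, which is the firmware scenario he suspects, and no amount of repartitioning will reach it.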