Hi, I have the advapi bug problem, but it goes much further than that. I have run all of this past a good friend of mine, semi-retired, one of the top programmers at Seagate -- he has also discussed this with a number of his colleagues -- the collective opinion is that this is one of the most advanced hack infestations they've heard of, giving the appearance of making "impossible" modifications to the system. But even before I had gone to them for assistance, it was clear to me that my entire computer has been hijacked.
Every file slips by every scan that I've run, including the big guns (Norton, McAfee, ZoneAlarm); the files are all hiding as legitimate system files. Any file which I delete, whether an apparently legit system file or a likely virus file, is quickly replaced. All of this right after a 5-pass DoD wipe of the hard drive, no internet connection, all DSL modem, AC adapters and ethernet cables unplugged. The hack has activated nearly a dozen various WAN miniports (showing up under Device Manager's hidden devices), most of them on various USB hub connections, and indicating that they're sharing, sometimes 3 at a time, the same IRQs and memory addresses. These devices cannot be disabled or uninstalled, the locations of the (virtual) devices and drivers being located at ROOT/ ... (no %...%/..., just ROOT).
I've found dozens of bogus files in the Windows directory describing how they're redirecting the BIOS to their own on a virtual (non-existent) floppy drive B (I've disconnected my actual floppy drive). Descriptions of how they're emulating the appearance of the Windows bootup and logon process (show this screen with a timeout of x seconds, etc.). I found a log describing their steps in moving the memory address of my graphics driver to perfectly match that of their own devices. They've even installed Bluetooth drivers (I have no such devices). They describe making the necessary registry changes to eliminate the appearance of any hack flags. Also system files describing modifications of USB ports to serve their purposes. Another document describes how they're implementing bogus time-stamps.
I've been running ZoneAlarm at max security since before any of this began. A week or so ago ZA began logging massive numbers of attempts by the WMI service to lower its security settings, which were logged as blocked, but the next day ZA had been uninstalled, and the system hasn't allowed me to re-install it. I set up Windows Firewall as the best available replacement, but then it becomes disabled as the Security System service is shut down.
BTW, this is the first time I've been back online since ZA was uninstalled.
Nothing which I delete, no security changes, no disabling of system services, sticks -- the system is quickly taken over by LOCAL SYSTEM, NT AUTHORITY, etc., and my own administrative privileges are quickly disabled after a clean reinstallation of Windows XP, either Home or Professional. They appear to be making use of the pagefile and System Volume Information directories. I know how to use CACLS to gain access to these, delete everything and immediately overwrite the empty disk space with garbage (not sure if that overwriting helps, but I know that just leaving it open space deletes nothing), but subsequent monitoring of those directories shows immediate modification.
I bought a second, inexpensive Dell (OptiplexGT270) as an internet-dedicated machine, having no connection with my infected system, Windows XP Pro pre-installed, but as soon as I started it up (had NOT gone online), it was already infected. Discovered later (see below) that the bug had been carried by my Logitech MX1100 mouse!
I've called several local (this is a major city) computer tech shops for help, but when I describe the problems, in particular how it seems to have infected hardware, they've not wanted (so far) to do anything which would involve attaching any of their own diagnostic equipment to my system, so no luck yet with them.
I've gathered a sizeable amount of documentation, logs and system file txt printouts on all of this -- for now I'll just attach my HijackThis log from my Dell 410XPS (not much help probably, as again I cannot permanently delete anything even though I'm offline), and also a system info analysis of the OptiplexGT270 (JPGs of the screen -- as far as relevant info, should be about the same as my main computer) which I ran from a boot CD, Windows not running. And I do hope that all of this gets to you without corruption!
This has become an urgent problem, as of yesterday ... I could, though it would hurt, trash my complete system and buy all new, but before I had realized that the mouse was able to transmit the bug I had gone to my mother's to access the web, and as luck would have it her mouse had not been working, so I thought nothing of bringing mine with me to use. This of course infected her machine, but also her husband's through their LAN, despite his having Norton running. He is a Regents Professor at the University, so any data loss for him would be catastrophic. Before my mom's computer had reached the desktop during bootup I noticed an inappropriate amount of HD activity on her computer and immediately hit the machine's off button, then ran into her husband's study shouting for him to turn his computer off immediately, but it was too late for both.
As far as backing up at this point, most of my directories are marked to delete on copy, which did occur when I tried, but I found that by zipping them first I could get them off. But this would be quite a task with a TB or so of data! lol Do you think that ghosting a drive would bypass this potential deletion on copy? It would still be infected of course, but would still be a backup of sorts.
When I'm done here, I'm going to install an Ubuntu OS -- hopefully this would be beyond their boolean if/then contingencies and I might be able to implement some more effective solutions.
I'll just remind you once again, all of this has been verified by my very qualified friend and his associates at Seagate. Thanks for *any* help!!
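The post reports that the suspect files "are all hiding as legitimate system files" and that scanners pass them. The check a technician would run in that situation is to take the disk out of the suspect machine, attach it to a separate trusted Windows host, and compare its System32 file-for-file against a clean install of the same Windows version and service pack. The script below is an added example written for this page, not code from the original poster or from any product mentioned in the post. It assumes PowerShell 4.0 or later on the trusted host (for Get-FileHash), and the parameters $CleanRoot and $SuspectRoot are assumed paths, not paths from the post.

```powershell
# Added example (not from the original post). Assumes PowerShell 4.0 or later on a
# separate, trusted Windows host, with the suspect disk attached as a second drive
# and a clean install of the same Windows version/service pack available for
# reference. $CleanRoot and $SuspectRoot are assumed parameters, not paths
# taken from the post.
param(
    [Parameter(Mandatory)] [string]$CleanRoot,    # e.g. D:\Windows\system32 (known-good)
    [Parameter(Mandatory)] [string]$SuspectRoot,  # e.g. E:\Windows\system32 (attached suspect disk)
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\system32-diff.csv')
)

# Hash every executable, library and driver under a root, keyed by the path
# relative to that root, so the two trees can be compared file-for-file.
function Get-TreeHashes([string]$Root) {
    $table = @{}
    $prefixLength = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll,*.sys,*.ocx,*.cpl -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel = $_.FullName.Substring($prefixLength).ToLowerInvariant()
            $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    return $table
}

$clean   = Get-TreeHashes $CleanRoot
$suspect = Get-TreeHashes $SuspectRoot

$findings = foreach ($rel in $suspect.Keys) {
    $path = Join-Path $SuspectRoot $rel
    if (-not $clean.ContainsKey($rel)) {
        $verdict = 'OnlyOnSuspect'        # no counterpart on the clean install
    } elseif ($clean[$rel] -ne $suspect[$rel]) {
        $verdict = 'HashMismatch'         # same name, different bytes
    } else {
        continue                          # identical to the clean copy: skip it
    }
    # Embedded Authenticode status is a secondary signal only: most XP-era
    # system files are catalog-signed and report NotSigned when checked offline.
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Verdict   = $verdict
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Modified  = (Get-Item $path).LastWriteTimeUtc
        SHA256    = $suspect[$rel]
        Path      = $path
    }
}

$sorted = $findings | Sort-Object Verdict, Path
$sorted | Export-Csv -Path $Report -NoTypeInformation
$sorted | Format-Table Verdict, Signature, Modified, Path -AutoSize
```

Only files that differ from the clean copy, or have no clean counterpart, are listed; identical files are dropped, which keeps the report short enough to read. The SHA256 column lets each remaining file be looked up or submitted for analysis. Hotfixes change system files too, so the reference install should be patched to the same level as the suspect one, or legitimate updates will show up as HashMismatch alongside anything genuinely foreign.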