Devious Infection

[FireHawk]

I was notified by my internet provider that I downloaded 87 gb worth of data in one day. While this may be trivial downloads to Netflix customers - I was not even home.
I scanned the system with full versions of Malwarebytes and Kaspersky (and neither found anything).
I then started a VM that had ClamAV on it, updated ClamAV, and started the scan.
It found....
win.trojan.ramnit -2215
virtool.clearlog found
win.worm.palevo-4055
For some reason this is where Malwarebytes decided to kick in on the machine, and it started popups all over the screen (blank windows), but stating malware was found.
I dug further and found that my hard drive was nearly full (temporary internet files starting with $ (numeric values)
There were folders that were locked, and I was unable to access. i.e. (folders that you would have normal access to).
I found all sorts of folders and files that were created in Windows/System32 dir and the list goes on...
What is strange is the system acted "completely normal" given that it was pwned. It was not sluggish, and until I started the scans, it seemed relatively "ok".
I knew that this system was completely pwnd, and was most likely downloading other variants of malware, which brings me to my original problem...
I cannot tell which malware infected the system, and where to attack.
I low-level wiped the HDD once (and reinstalled Win7 64 bit) - the world was good, and all was well.
Then I connected to the internet.
I was updating Windows updates, Malwarebytes, and Kaspersky
You guessed it - my HDD space was completely full a few hours later, and I found certain folders were inaccessable by the Admin account.
Sadly - I had fully updated (again) Malwarebytes and Kaspersky - which found nothing.
I am in the process of a low level wipe of the system again.
I have loaded up a temporary laptop on the home network and am NOT experencing any problems (thinking it could be an infected Cisco router???)
I am 1/2 way done, and no problems thusfar.
Now I am concerned... I have an HP Phoenix h9-1210t and wondering where this persistence infection is hiding. To be persistent you need either RAM or storage (which makes sense) I have killed the RAM - just by shutting the system off. Where could this malware be hiding?
I thought BIOS - but is that possible?
If so, I am having problems just getting the BIOS to boot from CD - it does not allow me to change the boot order.
I thought this may be due to the system being UEFI - again, I am unsure.
Any thoughts you have would be most appreciated.
I am beyond frustrated and would appreciate direction.
Thank you in advance...

 

[TwinHeadedEagle]

Hi,

Before we begin, I want you to have this in mind:

• At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
• Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
• Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
• Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  
• All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
• If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
• I visit forum several times at day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
• Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  
• Please attach all report using
  
  button below. Doing this, you make it easier for me to analyze and fix your problem.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.