so, i got distracted and still haven't started yet. i wanted to see if i could manage to actually delete all of these weird files from memory, and i did succeed by changing the acl on them to me and only me, but then i started noticing that the catroot was updating, that there were windows update logfiles, and i got my lock screen pretty quickly.
so, i formatted the drive again, did a clean reinstall and copied over it with my known good image. i hope the cops like pushing that boulder up the hill...
i've added a few more entries to the firewall and group policy, so hopefully it's that much harder to get through the defenses this time. all i can do is make progress...
but, i'm getting a better understanding of what's happening.
while i was sorting through the process, i noticed that the weird files are actually present immediately in a completely clean install, but they had slightly different names. so, i may have been approaching this a little bit wrong - rather than try to delete these files, i should have been trying to replace them. the files have been replaced with the ones from the clean install.
oddly, the files in the clean install do not have an owner and seem to run in stealth, attached to every process in the gui - explorer.exe, firefox, notepad, even the taskbar. it's anything that you can load in the gui. so, if i shut down explorer.exe, i can delete them, but they come back when i reload explorer.exe. so, fucking windows, right?
see, here's the problem, bill - i don't know what the fuck is going on. these files show up on a clean install, but they aren't copyrighted to microsoft. they seem to look and act like a trojan. so, is my disc infected, then? is the rootkit able to survive a five-pass format? or is this some kind of microsoft spyware, perhaps in collusion with law enforcement?
it's really one or the other; this is obviously spyware. so, i'm either infected with a trojan, or i'm reverse engineering windows spyware. and, it really seems like the latter...
the files are present in a lot of people's computers, and a lot of people seem to have questions, but nobody seems to know what they actually do. sometimes, viruses use them, but we can see why, and that doesn't mean the files are infected, a priori. they seem to have something to do with the right-click context menu, or at least are using that as a sneaky way to launch. so, they have something to do with the file system, which is as consistent with a shell handler as it is with a rootkit! so, the internet isn't helping - they may be utilized by a virus, but that doesn't mean they are one.
in fact, virustotal consistently says they're clean. if that's true, then that would suggest that microsoft is essentially dropping trojans.
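one way to settle the shell-handler-versus-rootkit question above is to enumerate the registered context-menu handlers and every module explorer.exe has loaded, and see who signed each DLL. this is an added example, not code from the original post; it assumes an elevated 64-bit PowerShell session on the machine in question, and `$Suspect` is a placeholder name, not a real file from the post.

```powershell
# Added example: list context-menu shell extensions and the DLLs mapped into
# explorer.exe, reporting the Authenticode signer of each. Assumes an elevated
# 64-bit PowerShell 5.1+ session. $Suspect is a constructed placeholder name.
param([string]$Suspect = 'suspect.dll')

function Get-SignerInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "missing: $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    return "{0,-12} {1}" -f $sig.Status, $subject
}

# 1. Context-menu handlers registered for every file type. Each subkey's default
#    value is a CLSID; that CLSID's InProcServer32 key names the DLL that gets
#    loaded into explorer.exe (and any other process showing a shell context menu).
$root = 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers'
foreach ($h in (Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)) {
    $clsid = (Get-ItemProperty -LiteralPath $h.PSPath).'(default)'
    if (-not $clsid) { continue }
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
    $dll = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        "{0,-30} {1}`n    {2}" -f $h.PSChildName, $dll, (Get-SignerInfo $dll)
    }
}

# 2. Everything currently mapped into explorer.exe; anything whose signature is
#    not Valid with a Microsoft Corporation subject gets a '!!' marker for review.
$explorer = Get-Process -Name explorer -ErrorAction SilentlyContinue | Select-Object -First 1
if ($explorer) {
    foreach ($m in $explorer.Modules) {
        $info = Get-SignerInfo $m.FileName
        $flag = if ($info -match '^Valid.*O=Microsoft Corporation') { '   ' } else { '!! ' }
        "$flag$($m.ModuleName): $info"
    }
    # 3. Is the file in question among them?
    if ($explorer.Modules | Where-Object ModuleName -EQ $Suspect) {
        "$Suspect is loaded in explorer.exe (PID $($explorer.Id)); check its signer above."
    }
}
```

a valid Microsoft signature tells you the file is a genuine Windows component, not that the handler is harmless; an unsigned or third-party-signed DLL sitting in the context-menu handler list is the one worth looking at first.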
it doesn't seem like i can stop them from regenerating, or at least if i can i don't know how to. sfc is completely dismantled on this machine. as mentioned, i've got the firewall turned up a little higher, in an attempt to block them from communicating with the internet via normal system processes. i deleted some legacy protocols, as well - things like netbios that appeared to be listening. but, all i can do is wait to see if it's better or not.
what's happening, then, seems to be that the files are coming in through firefox as a windows update package and replacing the default windows spyware. i am strongly leaning towards this being law enforcement essentially commandeering some built in windows spyware. and, the os seems to get very upset when you try to turn it off.
let's hope the firewall holds and that's enough.
for now, i'm going to take that shower, and we'll see if i can stay up much longer. baby steps... i think i'm making progress...