
EniNeu
Members
Posts: 12
Reputation: 0 Neutral


  1. Okay, this is kind of crazy... I did create a new user profile and that did seem to fix the issues. I was going to copy over my files from the corrupt user profile but... it doesn't exist? I have no folder for this user account in the Users folder, but the two new user accounts I created are there, and I have no trouble logging into the account, obviously. Further, I double checked and the account is definitely set as a local account and not a Microsoft account. How is that even possible? I do have a folder in Users called Default.migrated but there's essentially nothing in it. I also have a Public folder, but there are no personal files there. Help?
  2. Okay, I ran TFC and it cleared up 803 MB but I still can't use the bottom corner of my desktop.
  3. Okay, done. Please see the logs attached. Attachment: Event Viewer Log 02-24-17.txt
  4. I did follow your instructions and attempted to fix Windows Search, but the utility said it couldn't find any problems with search. I haven't noticed any sort of performance issue with search, and as far as I can tell it does function as expected. I do seem to have other issues, however, such as Malwarebytes starting with exploit protection switched off. I still have dead space at the bottom left of my desktop that I can't move icons or anything into, and I do still periodically have Windows Explorer crashes and hangs, but that could just be because Windows is a terrible, terrible product.
  5. Sorry for the delayed response, my cold medicine knocked me out last night! I followed your instructions and then ran FRST again, and these were the results. Attachments: FRST.txt, Addition.txt
  6. Okay done, thanks very much for all your help Ron. I notice in the logs that my default search in Chrome is changed and there are a lot of fake extensions in Opera and Chrome. Neither the extensions nor the new fake default search page are actually showing in either browser. Sophos scanned clean. Attachments: Addition - 2-21-17.txt, FRST - 2-21-17.txt, JRT - 2-21-17.txt
  7. Thanks so much for your response, Ron. I did run FRST again as instructed, please see the txt file below. Attachment: Fixlog.txt
  8. I am pretty positive I have a rootkit. It's a quiet and crafty sort; from the beginning there were no obvious signs of infection, there wasn't any slowing or memory leaking, no unusual traffic noted. I felt like something was off, but I couldn't pinpoint what until I got the first warning message from MBAM 3.0.6 Premium (see Exploit Blocking below). Now I notice that all my desktop icons are rearranged on relog and suddenly there is a bit of dead space at the bottom where I can no longer move any icons, though that's kind of the least of my worries. Sometimes the screen sort of freezes, almost like a screenshot, but then it clears up again right away. I'm running Windows 10 Home Premium, x64, on an Asus X756UXM. Please see all the notes below and txt files. Please note that things might be a little out of order from how I actually scanned things, because this started almost a week ago and I don't remember that far back. I believe the initial infection came from a popup/pop under (can't recall which, sorry!) at http:// www (dot) nowvideo (dot) sx/video/11bb079eff255 while using Chrome. I run AdBlock Plus, Ghostery, and some script blocker thingie, and have all my many browsers configured to block popups, and I never have any issues on any other sites, but this one managed to get around all that. I threw everything I could think of at this but I really just feel like I'm chasing it from one corner to another. Any help would be thoroughly appreciated.

     MBAM:
     * Initial error message that an exploit was blocked in Powershell (see txt file)
     * Scans Clean - All Scans
     * Starts up as normal, except Web Protection is shut off
     * On first load, Web Protection can be re-enabled
     * At some point, Web Protection will return to off, and Exploit Protection goes with it
     * Exploit Protection can be re-enabled, but it will switch off again
     * On attempting to re-enable Web Protection, it will forever say "Starting..." until next reboot

     MBAR:
     * Scans clean

     Avast:
     * Scans clean

     TrendMicro Housecall:
     * Scans clean

     GMER:
     * Found the following:
       Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [BOOT] WdBoot <-- ROOTKIT !!!
       Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [BOOT] WdFilter <-- ROOTKIT !!!
       Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!
     * Attempted deletion (through GMER) of all three, but WdBoot failed.

     aswMBR:
     * Ran after GMER. The service below popped up, but aswMBR was unable to fix the issue (see full log).
       23:05:02.343 Service WdBoot C:\WINDOWS\system32\drivers\WdBoot.sys **LOCKED**
     * Subsequent attempts to run aswMBR result in BSOD for the reason "Page fault in non-paged area" and then forced restart.

     JRT:
     * Nothing to report

     HitmanPro:
     * Found buckets of cookies in all browsers, including Internet Explorer and Edge which I NEVER use. All cookies were deleted. This was the initial confirmation something was up.

     rKill:
     * A couple of issues popped up, nothing glaring... See txt.

     ADW Cleaner:
     * No issues found

     FRST:
     * See txt

     RootKitRemover (McAfee):
     * Scanned Clean

     TDSSKiller:
     * Scanned Clean

     Bootlog:
     * See Txt

     MBAM Chameleon:
     * Ran from safe mode, all 13 or however many buttons failed identically. See txt.

     Attachments: HijackThis 2-14-17.log, MBAM - Exploit Blocked.txt, Notes.txt, Rkill 2-13-17.txt, aswMBR 2-14-17.txt, BootLog 2-17-17.txt, Chameleon Fail 2-15-17.txt, FRST 2-14-17.txt, GMER 2-15-17.log
  9. Thanks very much for the feedback, MBMemes. I did try running Chameleon from Safe Mode, as you suggested. I didn't save 13 logfiles, but I did copy one. Suffice it to say they all failed identically. I will make a note to check out uBlock also. I probably should have mentioned in my initial post that I'm running Windows 10 x64. My default browser right now is Chrome, but I also use Opera, Firefox and Tor. If there are any other ideas I'm all ears!
  10. Okay, I think this is probably my first post on the forums, so I apologize for being a noob and doing whatever annoying things noobs do before they get a clue. That said, I am pretty positive I have a rootkit. It's a quiet and crafty sort; from the beginning there were no obvious signs of infection, there wasn't any slowing or memory leaking, no unusual traffic noted. I felt like something was off, but I couldn't pinpoint what until I got the first warning message from MBAM (see Exploit Blocking below). Now I notice that all my desktop icons are rearranged and suddenly there is a bit of dead space at the bottom where I can no longer move any icons, though that's kind of the least of my worries. Please see all the notes below and txt files (assuming I can figure out how to attach them!). I believe the initial infection came from a popup/pop under (can't recall which, sorry!) at http://www (dot) nowvideo (dot) sx/video/11bb079eff255 while using Chrome. Yes, I run AdBlock Plus, Ghostery, and have all my many browsers configured to block popups, and I never have any issues on any other sites, but this one managed to get around all that. I threw everything I could think of at this but I really just feel like I'm chasing it from one corner to another. Any help would be thoroughly appreciated.

      MBAM:
      * Initial error message that an exploit was blocked in Powershell (see txt file)
      * Scans Clean - All Scans
      * Starts up as normal, except Web Protection is shut off
      * On first load, Web Protection can be re-enabled
      * At some point, Web Protection will return to off, and Exploit Protection goes with it
      * Exploit Protection can be re-enabled, but it will switch off again
      * On attempting to re-enable Web Protection, it will forever say "Starting..." until next reboot

      MBAR:
      * Scans clean

      Avast:
      * Scans clean

      TrendMicro Housecall:
      * Scans clean

      GMER:
      * Initially found the following:
        Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [BOOT] WdBoot <-- ROOTKIT !!!
        Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [BOOT] WdFilter <-- ROOTKIT !!!
        Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!
      * Attempted deletion (through GMER) of all three, but WdBoot failed.

      aswMBR:
      * Ran after GMER. The service below popped up, but aswMBR was unable to fix the issue (see full log).
        23:05:02.343 Service WdBoot C:\WINDOWS\system32\drivers\WdBoot.sys **LOCKED**
      * Subsequent attempts to run aswMBR result in BSOD for the reason "Page fault in non-paged area" and then forced restart.

      JRT:
      * Nothing to report

      HitmanPro:
      * Found buckets of cookies in all browsers, including Internet Explorer and Edge which I NEVER use. All cookies were deleted. This was the initial confirmation something was up.

      rKill:
      * A couple of issues popped up, nothing glaring... See txt.

      ADW Cleaner:
      * No issues found

      FRST:
      * See txt

      RootKitRemover (McAfee):
      * Scanned Clean

      Attachments: hijackthis 2-14-17.log, MBAM - Exploit Blocked.txt, Rkill 2-13-17.txt, aswMBR 2-14-17.txt, FRST 2-14-17.txt, GMER Full 2-15-17.log, GMER Pert 2-15-17.txt
  11. I don't think the disabling of Malwarebytes was accidental... I had trouble a couple weeks ago installing the anniversary update so I tried again today, and this was successful, but I noticed that Malwarebytes Anti-Malware (but not Anti-Exploit) was disabled upon first load of the anniversary update. Further, I found that Windows Defender had set itself running and as default and really did not want to go back down. I still don't see any listing for MB-AM in the startup apps, though it did apparently launch okay on this restart. *grumbles to herself in an insane fashion about M$ sucking audibly*
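The GMER output quoted in posts 8 and 10 flags three files as hidden services: WdBoot.sys, WdFilter.sys and MsMpEng.exe. Those are the paths Windows Defender itself uses for its early-launch anti-malware driver, its file-system minifilter and its engine service, so the first thing a practitioner would establish before treating the report as proof of a rootkit is whether the files on disk are the genuine Microsoft-signed binaries, and record their hashes for comparison with a known-good copy. The PowerShell below is an added example written for this page; it is not output from, or part of, any of the tools the poster ran. It takes the three paths exactly as GMER listed them (the MsMpEng.exe location under Program Files (x86) is assumed to be correct for this machine) and reports each file's signature status, signer and SHA-256 hash, then looks up the service entries GMER said were hidden.

```powershell
# Added example: verify the Authenticode signature and hash of files that a
# rootkit scanner reported as hidden services. The paths are the ones GMER
# listed in the post; edit the list for a different machine.
$flagged = @(
    'C:\WINDOWS\system32\drivers\WdBoot.sys',
    'C:\WINDOWS\system32\drivers\WdFilter.sys',
    'C:\Program Files (x86)\Windows Defender\MsMpEng.exe'
)

function Test-FlaggedBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; Status = 'missing'
            Signer = $null; Sha256 = $null; Trusted = $false
        }
    }

    # Get-AuthenticodeSignature also resolves catalog-signed system files on
    # Windows 10, which is how most Defender components are signed.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # A genuine Defender component carries a Valid signature whose signer is
    # Microsoft. A file swapped in by an attacker would normally fail one of
    # these two checks, so both must hold for Trusted to be true.
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path    = $Path
        Exists  = $true
        Status  = $sig.Status
        Signer  = $signer
        Sha256  = $hash
        Trusted = $trusted
    }
}

$results = $flagged | ForEach-Object { Test-FlaggedBinary -Path $_ }
$results | Format-Table -AutoSize Path, Status, Trusted, Sha256

# Cross-check the service registrations behind the names GMER reported as
# hidden. WdBoot and WdFilter are kernel drivers; WinDefend is a user-mode
# service, so each is looked up in the matching WMI class.
foreach ($name in 'WdBoot', 'WdFilter', 'WinDefend') {
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    }
    if ($svc) {
        '{0}: {1} ({2})' -f $name, $svc.State, $svc.PathName
    } else {
        "$name: no service entry visible from this session"
    }
}
```

Run it from an elevated PowerShell session. If all three files come back Trusted, the files themselves are the genuine Defender binaries and the question the GMER lines raise is only why the scanner could not see their service entries, not whether the files are malicious; the SHA-256 values can additionally be compared against the same files on a clean machine running the same Windows build. A file that is missing, unsigned, or signed by someone other than Microsoft is the result that would actually support the rootkit hypothesis and is worth including with the next FRST log.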