I have had what appears to be malware on possibly 3 Windows10 machines. It seemed to coincide with the latest Windows 10 Creators Update (1703) in late November.
Background
The initial problem occurred on my Wife's machine (called Wife) when the screen resized from the normal 1920*1080 to 1360*1024. A search of the forums did not seem to refer to any problems with the MS update so initially assumed a video driver or monitor definition had got corrupted. Then while attempting to diagnose the screen resolution problem noted that the same problem appeared on another machine on my LAN (called Richard). At that that point I shut down my wife's machine, NAS file server, made some basic observations of the newly "infected" machine, before shutting that down.
I was then in the position to bring in a clean machine (from my Mother in law (called MiL) ) that had not been connected to the network for over a year. The intention was to use that to download AV tools to diagnose the infected machines in as near clean conditions as I could manage, which included using only one windows machine on the LAN at a time. Sadly due to a distraction I started the infected machine at the same time as the clean machine and again the malware seemed to jump to the clean machine.
At that time I was running McAfee on all the machines and the signatures were reported as being up to date. On recommendation from at IT Colleague in the Security Team I downloaded and ran MalwareBytes in Safemode. It did not reveal any problems. Given the symptoms I was seeing I began looking for reports of Malware that caused the screen to resize. One of the current examples noted was XPCTRA a banking trojan that loaded a Remote Access Terminal (RAT) and Proxy.
I have now completed two progressively deeper rebuilds of my Wife's machine and a rebuild of the the MiL machine on a new SSD disk, but still I am seeing Malware Symptoms. I have Malwarebytes running on both of these machines (I have purchased premium for all my machines and android devices). I downloaded and installed MWB in Safemode although it would not allow me to enable real time scanning when in safe mode. I have turned on all of the features including Rootkit Scan when scanning on a "normal boot". The only "mistake" that i believe I may now have made was to use the same USB stick to re-install Office on first my wife's and then MiL machine. (This was previously new stick that I had freshly bought for the purposes of reloading software from a clean machine) .
Current Situation
I am now experiencing problems on WIFE and MiL machines where if I leave the machines running and connected to the network I invariably get a message when I attempt to log out that there is another user logged in. So far this has NOT occurred if I have started the machines disconnected from the networks, this leads me to believe that I have a RAT infestation () that is persisting in the boot sector of the SSD disks or USB stick. I have not yet seen this symptom on the "Richard" machine. When accessing HTTPS enabled sites I am checking the certificates and their paths and they seem to be valid.
I have also run CISCO AMP (Triage mode) on these two machines and that has not reported any issues either. I did get a report on (Richard) for a w32.auto.9c4162.MASH.SR.SBX.VIOC but this was in a non current package for the Arduino IDE and was reported as successfully quarantined. Also "Richard" machine has not been running and connected to the network at the same time as any of the other machines since the initial infection.
Do you have any ideas as to how I can move forwards from here? As I have no hard evidence from an Anti-Malware tool on the two machines currently showing symptoms. My next proposed step is to run DBAN on both WIFE and MiL machines and rebuild again one machine at a time on the network.
My only "known clean" machines now are android devices through which I can download to a USB stick. Do you know how I can "sterilise" a USB stick, including its boot sector as I have a growing pile of recently purchased, large capacity USB sticks that I don't trust. I also have a genuine Microsoft Installation DVD to work from.
You support would be appreciated.
