Showing results for tags 'rootkit'.

  1. Hi, I've been trying to play some games on my computer recently and have been prevented from doing so by what seems to be a rootkit. Every time I try to open literally any anti-malware or anti-rootkit program I can find, they are all prevented from opening with the message "The requested resource is in use." I've followed numerous other tutorials on how to remove rootkits and none have worked as the programs that they tell me to use are all blocked by the rootkit including Malwarebytes, RKill and the Malwarebytes Anti-Rootkit program. I am seriously at a loss here knowing there's a very serious problem on my computer and have absolutely no idea what to do about it at this point. It's already blocking me from using Origin and every antivirus available, I don't want to think of what might come next.
  2. So I was doing an AVG scan yesterday and found out I had 40 line hook viruses that cannot be removed. I then scanned later and they were gone. Then I scanned again and they were back. Since then I have switched from AVG to Avast and so far Avast hasn't detected it, and I have done multiple scans so far of everything possible to scan. I really need help getting rid of them all as I'm pretty sure they are all still there. Thanks for reading, Hootis
  3. When trying to run any malware/virus cleaning programs this error occurs: "The requested resource is in use".
  4. Hello, I have an issue with the Initialpage123 browser hijacker, which has infected the Chrome browser; I also use Firefox, which seems free from it now. I used the Malwarebytes trial, UnHackMe and Adware cleaner. I checked all the processes and startups and registry and found something that might be associated and deleted it. I found the Initialpage123 software in the program list but Windows 10 and CCleaner could not remove it. Tried to remove it from a folder called Fehadon. Today found a folder named .mus and removed that. I also found local64SPL.dll and deleted it. It's not the first time I've experienced a browser hijack, but I can't seem to remove it from Chrome; it always comes back after every restart. Malwarebytes always blocks the safesearch site it redirects to, but that is not helping. Malwarebytes also often blocks d2buh1bf1g584w.cloudfront.net, which is used by msiexec.exe. I have a fresh-installed Windows 10 x64; it would be a hassle to reinstall programs again, so I need a solution to get rid of this hijacker for good. Attachments: FRST.txt, Addition.txt, zaraza.txt
  5. Greetings. I was wondering if the option to scan for rootkits is supposed to be accessible for free users. No matter what I do, it still shows as disabled in the reports. Attachments: Summary.txt, MB-CheckResults.txt
  6. So I'm infected with a rootkit and I've tried to remove it myself, but I haven't been successful; it restricts access to Malwarebytes and Malwarebytes rootkit removal. I get the message "requested resource is in use" when I try to open an .exe such as Malwarebytes. I've tried going into safe mode to delete the infected files, but the virus still works in safe mode and prevents me from doing anything to try and remove it. Any help would be appreciated, thanks!
  7. I have rootkit detection enabled on Windows 10 (all updates applied) and MWB3 (Premium). All well for several months, but in the last two days the following files associated with Bluetooth drivers have been "detected" and have been quarantined: c:\windows\system32\drivers\bthenum.sys and c:\windows\system32\drivers\bthusb.sys. After quarantine, one (bthenum.sys) re-appeared the next day and has been quarantined again in a subsequent scan. I have turned off rootkit scanning temporarily, but wonder if anyone else has experienced the same "problem". Is this a real or false-positive issue? Thanks for suggestions.

     EXAMPLE FILE REPORT (excerpt):

     "applicationVersion" : "3.0.6.1469",
     "clientID" : "ScanScheduler",
     "clientType" : "scheduledScan",
     "componentsUpdatePackageVersion" : "1.0.103",
     "cpu" : "x64",
     "dbSDKUpdatePackageVersion" : "1.0.1862",
     "detectionDateTime" : "2017-05-03T17:10:22Z",
     "fileSystem" : "NTFS",
     "id" : "642b6326-3023-11e7-9d83-40167e223f1d",
     "isUserAdmin" : true,
     "licenseState" : "licensed",
     "linkagePhaseComplete" : true,
     "loggedOnUserName" : "System",
     "machineID" : "",
     "os" : "Windows 10",
     "schemaVersion" : 2,
     "sourceDetails" : {
       "objectsScanned" : 502892,
       "scanEndTime" : "2017-05-03T17:14:21Z",
       "scanOptions" : {
         "scanArchives" : true,
         "scanFileSystem" : true,
         "scanMemoryObjects" : true,
         "scanPUMs" : true,
         "scanPUPs" : true,
         "scanRookits" : true,
         "scanStartupAndRegistry" : true,
         "scanType" : "threat",
         "useHeuristics" : true
       },
       "scanResult" : "completed",
       "scanStartTime" : "2017-05-03T17:10:22Z",
       "scanState" : "completed",
       "type" : "scan"
     },
     "threats" : [ {
       "linkedTraces" : [ ],
       "mainTrace" : {
         "cleanAction" : "quarantine",
         "cleanContext" : {
           "fileReplaceData" : {
             "replacementDataFileName" : "C:\\PROGRAMDATA\\MALWAREBYTES\\MBAMSERVICE\\ScanResults\\bthenum.sys6d0bcc6a-3023-11e7-94cd-40167e223f1d-r.mbam"
           }
         },
         "cleanResult" : "dorQueued",
         "cleanResultErrorCode" : 0,
         "cleanTime" : "2017-05-03T17:14:26Z",
         "generatedByPostCleanupAction" : false,
         "id" : "6d14cd60-3023-11e7-a8a0-40167e223f1d",
         "linkType" : "none",
         "objectMD5" : "8474F34BDF3CBA9648544964461667F4",
         "objectPath" : "C:\\WINDOWS\\System32\\drivers\\bthenum.sys",
         "objectSha256" : "7E3C6634DC72AAF14FD5171E14F520E81E2BF7E77FD28AA7B59AB99BFF4FA706",
         "objectType" : "file",
         "suggestedAction" : {
           "fileDelete" : false,
           "fileReplace" : true,
           "fileTxtReplace" : false,
           "folderDelete" : false,
           "minimalWhiteListing" : false,
           "moduleUnload" : false,
           "noLinking" : true,
           "physicalSectorReplace" : false,
           "priorityHigh" : false,
           "priorityNormal" : false,
           "priorityUrgent" : true,
           "processUnload" : false,
           "regKeyDelete" : false,
           "regValueDelete" : false,
           "regValueReplace" : false,
           "treatAsRootkit" : true,
           "useDDA" : true
         }
       },
       "ruleID" : 0,
       "rulesVersion" : "0.0.0",
       "threatID" : 0,
       "threatName" : "Unknown.Rootkit.Driver"
     } ],
     "threatsDetected" : 1
  8. Hey guys, sorry about necro-ing this thread, but I do have the exact same issue as EniNeu. A scan with GMER reveals this as well:

     Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden ***) [BOOT] WdBoot <-- ROOTKIT !!!
     Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden ***) [BOOT] WdFilter <-- ROOTKIT !!!
     Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!

     I am wondering if I should attempt deletion through GMER or if there is a better way. Just in case this might be a false positive, I've attached a log of the complete scan. Thank you in advance. CHRONOS
     Attachment: gmer scan 03.05.17.log
  9. My data usage quadrupled in a month. Checked Windows data usage and it said "SYSTEM" used 332 GB in the past month. Knew something was up. Ran a bunch of scans, plus I have Norton, nothing. Disconnected the router to scan wifi devices. Hooked the router back up and something started trying to call out. MBAM caught it, Norton did not. Ran a scan and sure enough... (see att 1: lksdfk;las.txt). I'm also attaching the FRST. Let's see if anything's left. Attachments: lksdfk;las.txt, sdfhhseghsd.txt
  10. I've just downloaded MBAM for my computer and it works perfectly fine (scan for rootkits disabled); however, when the rootkits scan is enabled it brings up a BSoD and restarts. Running a scan in safe mode (scan for rootkits enabled) works fine. Thanks in advance. Attachments: MB-CheckResult.txt, Addition.txt, logs.zip, FRST.txt
  11. I somehow got these trojan files on my computer through a download, and while I would normally just run MBAR to fix them, whenever I try to run any AV software besides Emsisoft Emergency Kit it pops up and says the requested resource is in use; booting into non-safe mode leads to a BSOD saying IRQL DRIVER NOT LESS THAN OR EQUAL about 30 seconds after logging in. This is what EEK outputs in the logs:

     Emsisoft Emergency Kit - Version 2017.2
     Last update: 4/15/2017 02:47:34
     User account: DESKTOP-OF8ED87\REAL NAME
     Computer name: DESKTOP-OF8ED87
     OS version: Windows 10x64

     Scan settings:
     Scan type: Malware Scan
     Objects: Rootkits, Memory, Traces, Files
     Detect PUPs: On
     Scan archives: Off
     ADS Scan: On
     File extension filter: Off
     Direct disk access: Off

     Scan start: 4/15/2017 03:35:04
     Key: HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DRMKPRO64 detected: Trojan.Trafmous (A) [286845]
     Key: HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\DRMKPRO64 detected: Trojan.Trafmous (A) [286845]
     C:\Users\REAL NAME\AppData\Local\fctusjpt\qdcomsvc.exe detected: Trojan.GenericKD.4757139 (B) [krnl.xmd]

     Scanned 142330
     Found 3
     Scan end: 4/15/2017 03:40:37
     Scan time: 0:05:33
  12. So, recently, my computer BSODed and I managed to fix that problem by messing around with service settings. However, now, when I try to install any antivirus, it says that the resource is in use, even right after a reboot. I believe this is a rootkit, because it happens in safe mode as well. I am attaching the FRST logs from a scan. Attachments: Addition.txt, FRST.txt
  13. Note: Updated on October 27, 2017

     If you are trying to start Malwarebytes and you receive an error message that the resource is already in use, then you may be infected with Adware.Yelloader. Please follow the instructions below to remove the infection.

     1. Download version 1.10.3.1001 of Malwarebytes Anti-Rootkit (MBAR): https://malwarebytes.app.box.com/s/flmkkcawxhohv6jf6wlkentlvycq0f3z
     2. Run the exe as administrator by right-clicking it and selecting "Run as administrator". Click OK to extract. If MBAR won't run, please download the zip copy from this article and follow the instructions at the link to get it running, then continue at step 3: https://support.malwarebytes.com/docs/DOC-1267
     3. After extraction MBAR should start. Click Next.
     4. Update by hitting the Update button. After the update completes, hit Next.
     5. Hit the Scan button. Please let it finish the scan. This rootkit may slow your machine down and MBAR may look like it will freeze, but it will continue to scan. Please allow it to do so.
        If you get the error message about the DDA driver: click Yes and your computer will reboot. After the reboot, the MBAR window should automatically open. Note: if your Desktop is missing/black, do not worry, this is normal; please proceed with the remaining instructions below. Click Next, followed by Next. Click Scan. If the scan successfully completes, please skip to the Remediation step below.
        If you receive the same message, "Could not load DDA driver", click Yes, then click OK. Your computer will automatically boot into the Recovery Environment. Proceed with the instructions below afterwards.
        If Windows did not boot into the Recovery Environment, hold the SHIFT key and click Restart while holding the SHIFT key down. You should then boot into the boot options menu. Select Repair your computer from the list and follow the instructions below.
        If still not successful, from a command prompt in normal Windows run the following command: bcdedit.exe /set {bootmgr} displaybootmenu yes
        Windows 7: Select your desired keyboard layout and click Next. Select your user account, enter your user account password (leave blank if you don't have one) and click OK. Click Command Prompt.
        Windows 10: Click Troubleshoot. Click Advanced Options, followed by Command Prompt. Select your account and enter your password if you have one.
        Command Prompt in the Recovery Environment: type the following into the Command Prompt and press Enter on the keyboard: C:\mbstart.cmd
        Note: If you encounter an error stating the command is not recognized, replace "C" with the letter "D" (e.g. D:\mbstart.cmd). Repeat with each letter of the alphabet until the command successfully executes.
        Once the command is successfully executed, your computer will automatically boot back into Normal Mode. The MBAR window should automatically open. Click Next. Click Update. Click Scan.
     6. Remediation: If threats are detected, click the Cleanup button. If you are prompted to restart, please hit Yes. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply.
     7. Malwarebytes functionality should be restored. You must run a Malwarebytes custom scan with rootkits on so any remaining detections are removed. This should remedy the rootkit. If you are still having issues, please post in this forum or open a helpdesk ticket.

     Changelog:
     - Made compatible if Malwarebytes 3 was already pre-installed.
     - Updated bundled definitions to a more recent package.
     - Updated on 09-13-2017 for latest variants.
     - Updated on 10-14-2017 for latest variant.
     - Updated on 10-27-2017 for latest variant and better success with DDA driver loading without the Recovery Environment.
  14. I've run MBAR, and I get the same message: 'The requested resource is in use'. I can't open Malwarebytes and Chameleon isn't working either. Attachments: Addition.txt, FRST.txt
  15. having the same issue.. ongoing since January I think. or December. This didn't work.
  16. After upgrading to Malwarebytes (MB) 3.0.6 Premium, a scan would hang (stop processing) on a few files (i.e. item 517 or 518 or etc.) if rootkits were included in the scan. Googling this issue led me to think it had something to do with Macrium Reflect (MR) backup software. When I upgraded MR from version 6 to version 7, I thought the problem would go away. Not the case, as the problem persisted. Followed all the advice from MB Support but to no avail. Then one day, a patch was available for MR. An MB scan with rootkits successfully executed. I thought the problem was fixed, BUT after a reboot the problem came back. I was more convinced, though, that the issue had something to do with MR. A few days ago, I got an Event ID 4 with the Source as FilterManager in my Event Viewer. The error said "failed to attach to volume \Device\HarddiskVolumeShadowCopy8". In researching this issue I came across a message thread relating to Macrium Reflect VSS error troubleshooting. The MR troubleshooting document shared many potential fixes. One of the fixes was easy to execute. It said to turn the "VSS Service" from Manual to Automatic. After doing this, BINGO, an MB scan with rootkits enabled executed successfully. It has been repeatable over multiple reboots and various other non-related tasks. So the fix is holding. Either just turning the VSS Service from Manual to Automatic is THE fix, OR it's a fix in combination with the various MR version 7 patches. MB Support is aware of this solution. Maybe I was the only one who had this issue, but in case there are others, thought I'd share this solution.
  17. Hello, Malwarebytes just detected a file known as Unknown.Rootkit.Driver which seemed to have infected C:\WINDOWS\System32\drivers\agilevpn.sys. I am wondering if this is a false positive? These are the logs:

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 3/20/17
     Scan Time: 11:27 PM
     Logfile:
     Administrator: Yes

     -Software Information-
     Version: 3.0.6.1469
     Components Version: 1.0.75
     Update Package Version: 1.0.1549
     License: Free

     -System Information-
     OS: Windows 10
     CPU: x64
     File System: NTFS
     User: LAURIDS-PC\LauridsFrej

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 380961
     Time Elapsed: 23 min, 53 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 0
     (No malicious items detected)

     Registry Value: 0
     (No malicious items detected)

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 1
     Unknown.Rootkit.Driver, C:\WINDOWS\System32\drivers\agilevpn.sys, Replace-on-Reboot, [0], [0],0.0.0

     Physical Sector: 0
     (No malicious items detected)

     (end)
  18. I previously posted in early February that Malwarebytes 3.06 would hang when scanning with rootkits enabled. Malwarebytes support had been looking into the issue for many weeks. In the end, the issue was related to a conflict between Malwarebytes and Macrium Reflect backup software. Macrium Reflect released a series of patches to their new updated version 7 software. An unrelated patch to this software released March 16th, 2017 fixed the issue. With Macrium Reflect updated to v7.0.2079, the issue has been resolved. I've passed the information to the Malwarebytes support folks so they at least know how this conflict arose.
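Posts 7 and 17 ask the same question about an Unknown.Rootkit.Driver hit on a driver under C:\Windows\System32\drivers. The Python below is an added example, not Malwarebytes' own tooling: it parses the JSON report format quoted in post 7, separates heuristic hits on files in the system driver directory (where a validly signed Microsoft driver is the likely explanation) from rootkit-flagged drivers loaded from user-writable locations (the drmkpro64.sys pattern in the Adware.Yelloader log further down this page), and emits the PowerShell a responder would run on the affected host to confirm the Authenticode signature and the file hash before restoring from quarantine. The sample report is constructed: the first threat copies the path, hash and ids from post 7, the second reuses the drmkpro64.sys detection ids from the Yelloader log with a placeholder hash. The assumption that ruleID/threatID 0 with rulesVersion 0.0.0 (the `[0], [0],0.0.0` fields in post 17's text log) marks a heuristic rather than a signature detection is mine, not something the page states.

```python
"""Triage Unknown.Rootkit.Driver hits in a Malwarebytes 3 JSON scan report.
Added example; not Malwarebytes' own tooling."""
import json
import subprocess
import sys
from pathlib import PureWindowsPath

# Constructed report excerpt. Threat 1 copies path, hash and ids from the report
# quoted in post 7; threat 2 reuses the drmkpro64.sys detection ids from the
# Adware.Yelloader log further down the page, with a placeholder (all-zero) hash.
SAMPLE_REPORT = r'''{
  "applicationVersion": "3.0.6.1469",
  "threats": [
    {
      "mainTrace": {
        "objectPath": "C:\\WINDOWS\\System32\\drivers\\bthenum.sys",
        "objectSha256": "7E3C6634DC72AAF14FD5171E14F520E81E2BF7E77FD28AA7B59AB99BFF4FA706",
        "objectType": "file",
        "suggestedAction": {"fileReplace": true, "treatAsRootkit": true, "useDDA": true}
      },
      "ruleID": 0, "rulesVersion": "0.0.0", "threatID": 0,
      "threatName": "Unknown.Rootkit.Driver"
    },
    {
      "mainTrace": {
        "objectPath": "C:\\Users\\alice\\AppData\\Local\\Temp\\20170313\\drmkpro64.sys",
        "objectSha256": "0000000000000000000000000000000000000000000000000000000000000000",
        "objectType": "file",
        "suggestedAction": {"fileDelete": true, "treatAsRootkit": true, "useDDA": true}
      },
      "ruleID": 8263, "rulesVersion": "1.0.1490", "threatID": 375178,
      "threatName": "Rootkit.Agent.PUA"
    }
  ],
  "threatsDetected": 2
}'''

DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
USER_WRITABLE = {"users", "appdata", "temp", "programdata"}   # heuristic, an assumption


def is_heuristic_hit(threat):
    """Assumption: ruleID/threatID 0 with rulesVersion 0.0.0 (the Unknown.* names,
    and the '[0], [0],0.0.0' fields of the text log) means a heuristic, not a signature."""
    return (threat.get("ruleID") == 0 and threat.get("threatID") == 0
            and threat.get("rulesVersion") == "0.0.0")


def powershell_check(path, sha256):
    """Commands to run on the affected host before restoring or deleting the file:
    Authenticode status (catalog-signed inbox drivers included) and hash match."""
    return (f"Get-AuthenticodeSignature -FilePath '{path}' | "
            f"Format-List Status,StatusMessage,@{{n='Signer';e={{$_.SignerCertificate.Subject}}}}; "
            f"(Get-FileHash -Algorithm SHA256 -Path '{path}').Hash -eq '{sha256.upper()}'")


def classify(threat):
    """Sort one threat entry into verify-signature / likely-malicious / review."""
    trace = threat["mainTrace"]
    path = PureWindowsPath(trace["objectPath"])          # case-insensitive comparisons
    parts = {p.lower() for p in path.parts}
    rootkit = trace.get("suggestedAction", {}).get("treatAsRootkit", False)
    reasons = []
    if path.parent == DRIVER_DIR and is_heuristic_hit(threat):
        verdict = "verify-signature"
        reasons.append("heuristic hit on a file in the Windows driver directory; "
                       "a validly signed Microsoft driver here is a likely false positive")
    elif parts & USER_WRITABLE and rootkit:
        verdict = "likely-malicious"
        reasons.append("rootkit-flagged driver loaded from a user-writable directory")
    else:
        verdict = "review"
    sha = trace.get("objectSha256", "").upper()
    return {"path": str(path), "sha256": sha, "threat": threat.get("threatName"),
            "verdict": verdict, "reasons": reasons, "check": powershell_check(str(path), sha)}


def triage(report_text):
    """Classify every threat in a Malwarebytes 3 JSON report."""
    return [classify(t) for t in json.loads(report_text).get("threats", [])]


def run_check_on_windows(finding):
    """Runs the PowerShell check; only meaningful on the affected host, None elsewhere."""
    if sys.platform != "win32":
        return None
    proc = subprocess.run(["powershell", "-NoProfile", "-Command", finding["check"]],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f'{f["verdict"]:16} {f["threat"]}  {f["path"]}')
        for r in f["reasons"]:
            print("  -", r)
        print("  check:", f["check"])
```

The PowerShell string is meant to be pasted on the machine that produced the report: a Status of Valid with a Microsoft Windows signer, together with a hash that matches objectSha256, is what justifies restoring the driver from quarantine and excluding it; a mismatch or an unsigned file means the quarantine should stand.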
  19. I'm trying to remove SysWOW64 because it has been causing problems for me, I have tried giving my account full control but no dice, I need help because i've been living with this virus for MONTHS, please, any help would be appreciated! SysWOW is in my Windows folder and it's not hidden, I just can't delete it.
  20. What is Adware.Yelloader?
     The Malwarebytes research team has determined that Adware.Yelloader is adware. These adware applications display advertisements not originating from the sites you are browsing.

     How do I know if my computer is affected by Adware.Yelloader?
     This adware is installed as a rootkit, so you may notice no other signs besides the unexplainable advertisements. This one also disables a long list of security programs:
     Doctor Web Ltd.; Check Point Software Technologies Ltd.; VIRUSBLOKADA ODO; Beijing Kingsoft Security software Co., Ltd; Qihoo 360 Software (Beijing) Company Limited; Doctor Web; System Healer Tech Sp.Zo.o.; Safer Networking Ltd.; BrightFort LLC; Enigma Software Group USA, LLC; Gridinsoft, LLC; Auslogics Labs Pty Ltd; Datpol Janusz Siemienowicz; Zemana Ltd.; Piriform Ltd; IObit Information Technology; Check Point; VIRUSBLOKADA; Sophos; ThreatTrack; Blue Coat; Glarysoft; SurfRight; Computer Associates International; Shanghai 2345 Network; Beijing Kingsoft Security; Beijing Rising Information; Qihoo 360 Software; Malwarebytes; Symantec.

     How did Adware.Yelloader get on my computer?
     Adware applications use different methods for distributing themselves. This particular one was bundled with other software.

     How do I remove Adware.Yelloader?
     Our program Malwarebytes can detect and remove this potentially unwanted program. Please download Malwarebytes to your desktop. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program. Then click Finish. Once the program has fully updated, make sure that you enable the Scan for rootkits option on the Protection tab under Scan Options. Then select Scan Now on the Dashboard, or select the Threat Scan from the Scan menu. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure. When the scan is complete, make sure that all Threats are selected, and click Remove Selected. Restart your computer when prompted to do so.

     Is there anything else I need to do to get rid of Adware.Yelloader?
     No, Malwarebytes removes Adware.Yelloader completely.

     How would the full version of Malwarebytes help protect me?
     We hope our application and this guide have helped you eradicate this adware. As you can see below, the full version of Malwarebytes would have protected you against the Adware.Yelloader adware. It would have warned you before the adware could install itself, giving you a chance to stop it before it became too late.

     Technical details for experts

     Possible signs in FRST logs:
     (ct Corp.) C:\Users\{username}\AppData\Local\Temp\20170313\ct.exe
     R2 windowsmanagementservice; C:\Users\{username}\AppData\Local\Temp\20170313\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed]

     Visible alterations made by the installer:
     Registry details [View: All details] (Selection)
     ------------------------------------------------
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice]
     "DelayedAutostart"="REG_DWORD", 1
     "Description"="REG_SZ", "Provide management service for system."
     "DisplayName"="REG_SZ", "Windows Management Service"
     "ErrorControl"="REG_DWORD", 1
     "ImagePath"="REG_EXPAND_SZ", "C:\Users\{username}1\AppData\Local\Temp\20170313\ct.exe"
     "ObjectName"="REG_SZ", "LocalSystem"
     "Start"="REG_DWORD", 2
     "Type"="REG_DWORD", 16
     "WOW64"="REG_DWORD", 1

     Malwarebytes log:
     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 3/13/17
     Scan Time: 2:35 PM
     Logfile: mbamAdwareRootkit.txt
     Administrator: Yes

     -Software Information-
     Version: 3.0.6.1469
     Components Version: 1.0.75
     Update Package Version: 1.0.1490
     License: Trial

     -System Information-
     OS: Windows 7 Service Pack 1
     CPU: x64
     File System: NTFS
     User: {computername}\{username}

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 321362
     Time Elapsed: 2 min, 27 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Enabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 1
     Adware.Yelloader, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\windowsmanagementservice, Delete-on-Reboot, [4873], [377105],1.0.1490

     Registry Value: 1
     Trojan.Clicker, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE|IMAGEPATH, Delete-on-Reboot, [43], [377141],1.0.1490

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 1
     Trojan.Clicker, C:\USERS\{username}\APPDATA\LOCAL\TEMP\20170313, Delete-on-Reboot, [43], [377133],1.0.1490

     File: 7
     Adware.Yelloader, C:\USERS\{username}\APPDATA\LOCAL\TEMP\20170313\CT.EXE, Delete-on-Reboot, [4873], [377105],1.0.1490
     Adware.Yelloader, C:\USERS\{username}\APPDATA\LOCAL\TEMP\20170313\CT.EXE, Delete-on-Reboot, [4873], [377105],1.0.1490
     Adware.Yelloader, C:\USERS\{username}\DESKTOP\S5-20150702.EXE, Delete-on-Reboot, [4873], [377100],1.0.1490
     Rootkit.Agent.PUA, C:\USERS\{username}\APPDATA\LOCAL\TEMP\20170313\DRMKPRO64.SYS, Delete-on-Reboot, [8263], [375178],1.0.1490
     Adware.Yelloader, C:\USERS\{username}\APPDATA\LOCAL\TEMP\20170313\NVVSVC.EXE, Delete-on-Reboot, [4873], [377104],1.0.1490
     Trojan.Clicker, C:\USERS\{username}\APPDATA\LOCAL\TEMP\20170313\CT.ZIP, Delete-on-Reboot, [43], [377133],1.0.1490
     Adware.Yelloader, C:\USERS\{username}\DESKTOP\ROOTKIT\S5-20150702.ZIP, Delete-on-Reboot, [4873], [377100],1.0.1490

     Physical Sector: 0
     (No malicious items detected)

     (end)

     As mentioned before, the full version of Malwarebytes could have protected your computer against this threat. We use different ways of protecting your computer(s):
     - Dynamically Blocks Malware Sites & Servers
     - Malware Execution Prevention
     Save yourself the hassle and get protected.
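The FRST service line and registry values above describe how Yelloader persists: a service with a Windows-sounding name whose unsigned image sits in a date-stamped folder under %LOCALAPPDATA%\Temp, plus a kernel driver (drmkpro64.sys, the DRMKPRO64 service that Emsisoft flagged in post 11) loaded from the same folder. The Python below is an added example, not FRST's or Malwarebytes' code, that scores the Services and Drivers lines of an FRST.txt on exactly those traits, so that someone reading a posted log can spot the pattern without depending on a product detection. The sample log is constructed: its first line reproduces the FRST line quoted above, and the other three entries (including the legitimate Windows Defender ELAM driver WdBoot.sys that GMER reports as "hidden" in posts 8 and 23) are made up with invented sizes and dates; the weights and the threshold are my assumptions.

```python
"""Score the Services/Drivers lines of an FRST.txt for Yelloader-style persistence.
Added example; not code from FRST, Malwarebytes or the posts on this page."""
import re
from pathlib import PureWindowsPath

# Constructed sample log. Line 1 reproduces the FRST line quoted in the post
# above; the other three entries are made up for the example (sizes and dates
# invented), including the legitimate Windows Defender ELAM driver WdBoot.sys.
SAMPLE_FRST = r"""
==================== Services (Whitelisted) ====================
R2 windowsmanagementservice; C:\Users\alice\AppData\Local\Temp\20170313\ct.exe [724480 2017-02-22] (ct Corp.) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6010000 2017-03-01] (Malwarebytes)
==================== Drivers (Whitelisted) ====================
R1 drmkpro64; C:\Users\alice\AppData\Local\Temp\20170313\drmkpro64.sys [51200 2017-02-22] (ct Corp.) [File not signed]
R0 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44000 2017-03-18] (Microsoft Windows Early Launch Anti-malware Publisher)
"""

# FRST line shape as quoted on this page:
# "<R|S><start> <name>; <path> [<size> <date>] (<company>)[ flags]"
LINE_RE = re.compile(
    r"^(?P<state>[RSU])(?P<start>\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)(?P<flags>.*)$")

WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
# Directory names a non-admin user can write to; an assumption used as a heuristic.
USER_WRITABLE = {"users", "appdata", "temp", "programdata", "public"}


def parse_frst_services(text):
    """One dict per service/driver line; section headers and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["start"] = int(e["start"])            # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        e["signed"] = "[File not signed]" not in e["flags"]
        e["path"] = PureWindowsPath(e["path"])  # gives case-insensitive comparisons
        entries.append(e)
    return entries


def score(e):
    """Weighted traits of the Yelloader entries on this page; weights are assumptions."""
    s, reasons = 0, []
    under_windows = WINDOWS_DIR in e["path"].parents
    parts = {p.lower() for p in e["path"].parts}
    if parts & USER_WRITABLE:
        s += 3
        reasons.append("image lives under a user-writable directory")
    if not e["signed"]:
        s += 2
        reasons.append("FRST reports the image as not signed")
    if re.search(r"windows|microsoft", e["name"], re.I) and not under_windows:
        s += 2
        reasons.append("name mimics a Windows component but image is outside C:\\Windows")
    if e["path"].suffix.lower() == ".sys" and not under_windows:
        s += 2
        reasons.append("kernel driver loaded from outside the system driver directory")
    if e["path"].parent.name.isdigit():
        s += 1
        reasons.append("parent folder is a bare number (date-stamped drop folder)")
    return s, reasons


def triage(text, threshold=4):
    """Score every entry; 'suspect' at or above the (assumed) threshold."""
    out = []
    for e in parse_frst_services(text):
        s, reasons = score(e)
        out.append({"name": e["name"], "path": str(e["path"]), "start": e["start"],
                    "score": s, "reasons": reasons,
                    "verdict": "suspect" if s >= threshold else "ok"})
    return sorted(out, key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(SAMPLE_FRST):
        print(f'{r["verdict"]:7} {r["score"]}  {r["name"]}: {r["path"]}')
        for why in r["reasons"]:
            print("          -", why)
```

WdBoot.sys scores 0 here: it is signed and loaded from the system driver directory, which is the check worth making before acting on a "hidden" flag from GMER, since Windows Defender's own drivers are what that flag pointed at in posts 8 and 23.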
  21. So recently I downloaded a program called HitFilm Pro 2017 and I can't open it because of the memory, and sometimes a program will freeze my computer a lot. I need some help!
  22. My older computer kept getting this boost_interprocess folder in my AppData folder. It would remain on the computer even through completely wiping my whole computer, flashing the BIOS, flashing firmware. I got a new laptop a couple of weeks ago. My main hard drive keeps filling up with multiple GB worth of temp files and folders, many of which are like mp4 files from the Edge browser. I do not download anything; I only watch YouTube videos, do moderate gaming, and Visual Studio and C++ programming on this laptop. The boost_interprocess folder appeared, and I also noticed I have a PreEmptiveSolutions folder in AppData as well. The computer is brand new and really laggy. My Surface Pen will randomly not work, OneNote freezes up. The mouse starts moving slow. Also the sound will occasionally get distorted, strange. It's really weird.
  23. I am pretty positive I have a rootkit. It's a quiet and crafty sort; from the beginning there were no obvious signs of infection, there wasn't any slowing or memory leaking, no unusual traffic noted. I felt like something was off, but I couldn't pinpoint what until I got the first warning message from MBAM 3.0.6 Premium (see Exploit Blocking below). Now I notice that all my desktop icons are rearranged on relog and suddenly there is a bit of dead space at the bottom where I can no longer move any icons, though that's kind of the least of my worries. Sometimes the screen sort of freezes, almost like a screenshot, but then it clears up again right away. I'm running Windows 10 Home Premium, x64, on an Asus X756UXM. Please see all the notes below and txt files. Please note that things might be a little out of order from how I actually scanned things, because this started almost a week ago and I don't remember that far back. I believe the initial infection came from a popup/pop-under (can't recall which, sorry!) at http:// www (dot) nowvideo (dot) sx/video/11bb079eff255 while using Chrome. I run AdBlock Plus, Ghostery, and some script blocker thingie, and have all my many browsers configured to block popups, and I never have any issues on any other sites, but this one managed to get around all that. I threw everything I could think of at this but I really just feel like I'm chasing it from one corner to another. Any help would be thoroughly appreciated.

     MBAM:
     * Initial error message that an exploit was blocked in PowerShell (see txt file)
     * Scans clean - all scans
     * Starts up as normal, except Web Protection is shut off
     * On first load, Web Protection can be re-enabled
     * At some point, Web Protection will return to off, and Exploit Protection goes with it
     * Exploit Protection can be re-enabled, but it will switch off again
     * On attempting to re-enable Web Protection, it will forever say "Starting..." until next reboot

     MBAR:
     * Scans clean

     Avast:
     * Scans clean

     TrendMicro Housecall:
     * Scans clean

     GMER:
     * Found the following:
       Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden ***) [BOOT] WdBoot <-- ROOTKIT !!!
       Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden ***) [BOOT] WdFilter <-- ROOTKIT !!!
       Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!
     * Attempted deletion (through GMER) of all three, but WdBoot failed.

     aswMBR:
     * Ran after GMER. The service below popped up, but aswMBR was unable to fix the issue (see full log).
       23:05:02.343 Service WdBoot C:\WINDOWS\system32\drivers\WdBoot.sys **LOCKED**
     * Subsequent attempts to run aswMBR result in a BSOD for the reason "Page fault in non-paged area" and then a forced restart.

     JRT:
     * Nothing to report

     HitmanPro:
     * Found buckets of cookies in all browsers, including Internet Explorer and Edge, which I NEVER use. All cookies were deleted. This was the initial confirmation something was up.

     rKill:
     * A couple of issues popped up, nothing glaring... See txt.

     ADW Cleaner:
     * No issues found

     FRST:
     * See txt

     RootKitRemover (McAfee):
     * Scanned clean

     TDSSKiller:
     * Scanned clean

     Bootlog:
     * See txt

     MBAM Chameleon:
     * Ran from safe mode, all 13 or however many buttons failed identically. See txt.

     Attachments: HijackThis 2-14-17.log, MBAM - Exploit Blocked.txt, Notes.txt, Rkill 2-13-17.txt, aswMBR 2-14-17.txt, BootLog 2-17-17.txt, Chameleon Fail 2-15-17.txt, FRST 2-14-17.txt, GMER 2-15-17.log
  24. Okay, I think this is probably my first post on the forums, so I apologize for being a noob and doing whatever annoying things noobs do before they get a clue. That said, I am pretty positive I have a rootkit. It's a quiet and crafty sort; from the beginning there were no obvious signs of infection, there wasn't any slowing or memory leaking, no unusual traffic noted. I felt like something was off, but I couldn't pinpoint what until I got the first warning message from MBAM (see Exploit Blocking below). Now I notice that all my desktop icons are rearranged and suddenly there is a bit of dead space at the bottom where I can no longer move any icons, though that's kind of the least of my worries. Please see all the notes below and txt files (assuming I can figure out how to attach them!). I believe the initial infection came from a popup/pop-under (can't recall which, sorry!) at http://www (dot) nowvideo (dot) sx/video/11bb079eff255 while using Chrome. Yes, I run AdBlock Plus, Ghostery, and have all my many browsers configured to block popups, and I never have any issues on any other sites, but this one managed to get around all that. I threw everything I could think of at this but I really just feel like I'm chasing it from one corner to another. Any help would be thoroughly appreciated.

     MBAM:
     * Initial error message that an exploit was blocked in PowerShell (see txt file)
     * Scans clean - all scans
     * Starts up as normal, except Web Protection is shut off
     * On first load, Web Protection can be re-enabled
     * At some point, Web Protection will return to off, and Exploit Protection goes with it
     * Exploit Protection can be re-enabled, but it will switch off again
     * On attempting to re-enable Web Protection, it will forever say "Starting..." until next reboot

     MBAR:
     * Scans clean

     Avast:
     * Scans clean

     TrendMicro Housecall:
     * Scans clean

     GMER:
     * Initially found the following:
       Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden ***) [BOOT] WdBoot <-- ROOTKIT !!!
       Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden ***) [BOOT] WdFilter <-- ROOTKIT !!!
       Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!
     * Attempted deletion (through GMER) of all three, but WdBoot failed.

     aswMBR:
     * Ran after GMER. The service below popped up, but aswMBR was unable to fix the issue (see full log).
       23:05:02.343 Service WdBoot C:\WINDOWS\system32\drivers\WdBoot.sys **LOCKED**
     * Subsequent attempts to run aswMBR result in a BSOD for the reason "Page fault in non-paged area" and then a forced restart.

     JRT:
     * Nothing to report

     HitmanPro:
     * Found buckets of cookies in all browsers, including Internet Explorer and Edge, which I NEVER use. All cookies were deleted. This was the initial confirmation something was up.

     rKill:
     * A couple of issues popped up, nothing glaring... See txt.

     ADW Cleaner:
     * No issues found

     FRST:
     * See txt

     RootKitRemover (McAfee):
     * Scanned clean

     Attachments: hijackthis 2-14-17.log, MBAM - Exploit Blocked.txt, Rkill 2-13-17.txt, aswMBR 2-14-17.txt, FRST 2-14-17.txt, GMER Full 2-15-17.log, GMER Pert 2-15-17.txt
  25. Recently I've been having a popup that states Malwarebytes has detected and blocked an exploit. When I view the report, there is nothing available. I have rebooted my system several times. Inside the Malwarebytes tool, I am not able to enable the Web Protection setting. While whatever is happening on my system, it seems Malwarebytes is blocking it, but it is in my best interest to remove whatever rootkit or malware is loaded on my system. I am currently running the Malwarebytes Anti-Rootkit and once completed I will upload the logs. Attachment: MB-CheckResult.txt