EniNeu Posted February 15, 2017 ID:1102104

Okay, I think this is probably my first post on the forums, so I apologize for being a noob and doing whatever annoying things noobs do before they get a clue. That said, I am pretty positive I have a rootkit. It's a quiet and crafty sort; from the beginning there were no obvious signs of infection, there wasn't any slowing or memory leaking, no unusual traffic noted. I felt like something was off, but I couldn't pinpoint what until I got the first warning message from MBAM (see Exploit Blocking below). Now I notice that all my desktop icons are rearranged and suddenly there is a bit of dead space at the bottom where I can no longer move any icons, though that's kind of the least of my worries. Please see all the notes below and txt files (assuming I can figure out how to attach them!).

I believe the initial infection came from a popup/pop-under (can't recall which, sorry!) at http://www (dot) nowvideo (dot) sx/video/11bb079eff255 while using Chrome. Yes, I run AdBlock Plus, Ghostery, and have all my many browsers configured to block popups, and I never have any issues on any other sites, but this one managed to get around all that. I threw everything I could think of at this but I really just feel like I'm chasing it from one corner to another. Any help would be thoroughly appreciated.

MBAM:
* Initial error message that an exploit was blocked in PowerShell (see txt file)
* Scans clean - all scans
* Starts up as normal, except Web Protection is shut off
* On first load, Web Protection can be re-enabled
* At some point, Web Protection will return to off, and Exploit Protection goes with it
* Exploit Protection can be re-enabled, but it will switch off again
* On attempting to re-enable Web Protection, it will forever say "Starting..." until next reboot
~~~
MBAR:
* Scans clean
~~~
Avast:
* Scans clean
~~~
TrendMicro HouseCall:
* Scans clean
~~~
GMER:
* Initially found the following:
Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [BOOT] WdBoot <-- ROOTKIT !!!
Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [BOOT] WdFilter <-- ROOTKIT !!!
Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!
* Attempted deletion (through GMER) of all three, but WdBoot failed.
~~~
aswMBR:
* Ran after GMER. The service below popped up, but aswMBR was unable to fix the issue (see full log).
23:05:02.343 Service WdBoot C:\WINDOWS\system32\drivers\WdBoot.sys **LOCKED**
* Subsequent attempts to run aswMBR result in BSOD for the reason "Page fault in non-paged area" and then forced restart.
~~~
JRT:
* Nothing to report
~~~
HitmanPro:
* Found buckets of cookies in all browsers, including Internet Explorer and Edge which I NEVER use. All cookies were deleted. This was the initial confirmation something was up.
~~~
rKill:
* A couple of issues popped up, nothing glaring... See txt.
~~~
ADW Cleaner:
* No issues found
~~~
FRST:
* See txt
~~~
RootKitRemover (McAfee):
* Scanned clean

Attachments: hijackthis 2-14-17.log, MBAM - Exploit Blocked.txt, Rkill 2-13-17.txt, aswMBR 2-14-17.txt, FRST 2-14-17.txt, GMER Full 2-15-17.log, GMER Pert 2-15-17.txt
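The three GMER entries in the post above point at Windows Defender's own components: WdBoot.sys (its early-launch anti-malware driver), WdFilter.sys (its file-system filter driver) and MsMpEng.exe (its service engine, registered as WinDefend). Before deleting such files, a defender-side check is to confirm they are the genuine Microsoft-signed binaries and to see how they are registered. The PowerShell below is an added example, not code from the thread or from any of the tools named in it; it assumes the file paths exactly as GMER printed them and an elevated prompt.

```powershell
# Added example (not from the thread): verify the three Defender components
# GMER reported as hidden services. Paths are copied from the GMER output
# quoted in the post; run from an elevated PowerShell prompt.
$flagged = @(
    @{ Name = 'WdBoot';    Path = 'C:\WINDOWS\system32\drivers\WdBoot.sys' }
    @{ Name = 'WdFilter';  Path = 'C:\WINDOWS\system32\drivers\WdFilter.sys' }
    @{ Name = 'WinDefend'; Path = 'C:\Program Files (x86)\Windows Defender\MsMpEng.exe' }
)

foreach ($item in $flagged) {
    $exists = Test-Path -LiteralPath $item.Path
    $status = 'file missing'; $signer = 'n/a'; $thumb = 'n/a'
    if ($exists) {
        # Authenticode check: a genuine Microsoft binary reports Status 'Valid'
        # with a Microsoft signer; a replaced or patched file will not.
        $sig    = Get-AuthenticodeSignature -FilePath $item.Path
        $status = $sig.Status
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            $thumb  = $sig.SignerCertificate.Thumbprint
        }
    }

    # Service registration: kernel drivers appear in Win32_SystemDriver,
    # the user-mode engine (WinDefend) in Win32_Service.
    $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='$($item.Name)'"
    if (-not $svc) { $svc = Get-CimInstance Win32_Service -Filter "Name='$($item.Name)'" }
    $startMode = 'not registered'; $imagePath = 'n/a'
    if ($svc) { $startMode = $svc.StartMode; $imagePath = $svc.PathName }

    # One row per component; compare ImagePath with the path GMER reported.
    [pscustomobject]@{
        Name       = $item.Name
        FileExists = $exists
        SigStatus  = $status
        Signer     = $signer
        Thumbprint = $thumb
        StartMode  = $startMode
        ImagePath  = $imagePath
    }
}
```

A mismatch between ImagePath and the file GMER listed, or a signature status other than Valid, is what would justify treating the entry as suspect rather than as Defender's own protected files.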
EniNeu Posted February 16, 2017 ID:1102141

Thanks very much for the feedback, MBMemes. I did try running Chameleon from Safe Mode, as you suggested. I didn't save 13 logfiles, but I did copy one. Suffice it to say they all failed identically. I will make a note to check out uBlock also. I probably should have mentioned in my initial post that I'm running Windows 10 x64. My default browser right now is Chrome, but I also use Opera, Firefox and Tor. If there are any other ideas I'm all ears!
EniNeu Posted February 18, 2017 ID:1102782

Still full of the tangly roots...
AdvancedSetup (Root Admin) Posted February 20, 2017 ID:1103197

Hello @EniNeu

Please download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

Attachment: fixlist.txt

Thank you
Ron
EniNeu Posted February 21, 2017 ID:1103217

Thanks so much for your response, Ron. I did run FRST again as instructed, please see the txt file below.

Attachment: Fixlog.txt
AdvancedSetup (Root Admin) Posted February 21, 2017 ID:1103219

Thanks. I know you've run most of this already but let me get some new logs now since we've done these resets.

STEP 01
Please download Junkware Removal Tool to your desktop.
Shut down your antivirus to avoid any conflicts.
Right-click over JRT.exe and select Run as administrator on Windows Vista or Windows 7; double-click on XP.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next reply message.
When completed make sure to re-enable your antivirus.

STEP 02 Fix with AdwCleaner
Please download AdwCleaner by Xplode and save the file to your Desktop.
Right-click on the icon and select Run as Administrator to start the tool.
Accept the Terms of use.
Wait until the database is updated.
Click Scan.
When finished, please click Clean.
Your PC should reboot now.
After reboot, the logfile will be opened. Copy its content into your next reply.
Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
Double-click the icon and select Run.
Click Next.
Select I accept the terms in this license agreement, then click Next twice.
Click Install.
Click Finish to launch the program.
Once the virus database has been updated click Start Scanning.
If any threats are found click Details, then View Log file (bottom left-hand corner).
Copy and paste the results in your reply.
Close the Notepad document, close the Threat Details screen, then click Start cleanup.
Click Exit to close the program.
If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before you need to place a check mark here. Please attach the Addition.txt log to your reply as well.

Thanks
EniNeu Posted February 21, 2017 ID:1103240

Okay done, thanks very much for all your help Ron. I notice in the logs that my default search in Chrome is changed and there are a lot of fake extensions in Opera and Chrome. Neither the extensions nor the new fake default search page are actually showing in either browser. Sophos scanned clean.

Attachments: Addition - 2-21-17.txt, FRST - 2-21-17.txt, JRT - 2-21-17.txt
AdvancedSetup (Root Admin) Posted February 21, 2017 ID:1103254

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues. If you are not using one of the browsers but it is installed then you may want to consider uninstalling it, as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information, then click on the Reset Firefox button.

Chrome
I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome. You can keep your "Bookmarks" if you want to keep them, but you have to export them first - >> Export Bookmarks << - Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account. Scroll down until you see the "reset sync" button and click on the button. At the prompt click on "Ok".

Reset Your Browser Settings
In the top-right corner of the browser window, click the "Chrome Menu" icon (three horizontal lines).
Select "Settings".
At the bottom, click "Show advanced settings...".
Scroll down until you see "Reset settings", then click on the button "Reset Settings".
In the dialog that appears, click "Reset".

Close Chrome and restart it and check it out for me please.
EniNeu Posted February 21, 2017 ID:1103437

Sorry for the delayed response, my cold medicine knocked me out last night! I followed your instructions and then ran FRST again, and these were the results.

Attachments: FRST.txt, Addition.txt
AdvancedSetup (Root Admin) Posted February 23, 2017 ID:1103897

The logs indicate that Windows Search is broken, which can affect other programs on the system and how they run. Please review the following link and see if you can fix your Windows Search:
http://www.thewindowsclub.com/fix-repair-broken-windows-search-windows-7-easily
EniNeu Posted February 23, 2017 ID:1104011

I did follow your instructions and attempted to fix Windows Search, but the utility said it couldn't find any problems with search. I haven't noticed any sort of performance issue with search, and as far as I can tell it does function as expected. I do seem to have other issues, however, such as Malwarebytes starting with exploit protection switched off. I still have dead space at the bottom left of my desktop that I can't move icons or anything into, and I do still periodically have Windows Explorer crashes and hangs, but that could just be because Windows is a terrible, terrible product.
AdvancedSetup (Root Admin) Posted February 24, 2017 ID:1104022

Let's go ahead and have you run a full disk check, then we'll run some other scans and fixes to see if it helps.

Please click on the "Search the web and Windows" box. Then type in CMD.EXE and when it shows on the start menu right-click and select "Run as administrator".

In the command prompt please type the following exactly:

CHKDSK C: /R

This will tell Windows to run a full disk check; however you'll get the following, telling you it cannot run because it's in use. Press the Y key to tell it to run on the next restart of the computer.

Quote:
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>CHKDSK C: /R
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)

Then restart the computer and let it run. Then find and copy the disk check entry from the Event Logs and paste back the results here.

How to Read Event Viewer Log for Chkdsk (Check Disk) in Windows 10
EniNeu Posted February 24, 2017 ID:1104204

Okay, done. Please see the logs attached.

Attachment: Event Viewer Log 02-24-17.txt
AdvancedSetup (Root Admin) Posted February 24, 2017 ID:1104208

Okay, so far the logs do not indicate any type of rootkit activity or similar infections. Just a bit of PUP type junk overall. Let me have you run the following temp cleaner to remove a bit of leftover junk.

Please first make a new System Restore Point for safety purposes. Then run the following tool. You may need to temporarily disable your antivirus as it may alert that the tool is infected; it is not. It is simply written in AutoIT, which is often flagged as a threat.

Please run TFC by OldTimer to clear temporary files:
Download TFC from here and save it to your desktop. http://oldtimer.geekstogo.com/TFC.exe
Close any open programs and Internet browsers.
Double-click TFC.exe to run it on XP (for Vista and Windows 7 right-click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer; please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

Once that's done try to move things around on your desktop. If it's still an issue then it may be that your profile is corrupted and you might have to create a new user account to test it out.

Let me know.
EniNeu Posted February 25, 2017 ID:1104230

Okay, I ran TFC and it cleared up 803 MB but I still can't use the bottom corner of my desktop.
AdvancedSetup (Root Admin) Posted February 25, 2017 ID:1104233

Please create a new user account with Admin level rights and log in to that account and see if everything works okay for you now.
EniNeu Posted February 25, 2017 ID:1104365

Okay, this is kind of crazy... I did create a new user profile and that did seem to fix the issues. I was going to copy over my files from the corrupt user profile but... it doesn't exist? I have no folder for this user account in the Users folder, but the two new user accounts I created are there, and I have no trouble logging into the account, obviously. Further, I double-checked and the account is definitely set as a local account and not a Microsoft account. How is that even possible? I do have a folder in Users called Default.migrated but there's essentially nothing in it. I also have a Public folder, but there are no personal files there. Help?
AdvancedSetup (Root Admin) Posted February 26, 2017 ID:1104473

Probably just need to enable showing hidden files and folders. Please see the link here:
https://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Though at least temporarily you may wish to set the options as I have them shown. Then see if you can locate your files to copy.