
Okay, I think this is probably my first post on the forums, so I apologize for being a noob and doing whatever annoying things noobs do before they get a clue. That said, I am pretty positive I have a rootkit. It's a quiet and crafty sort; from the beginning there were no obvious signs of infection, there wasn't any slowing or memory leaking, no unusual traffic noted. I felt like something was off, but I couldn't pinpoint what until I got the first warning message from MBAM (see Exploit Blocking below). Now I notice that all my desktop icons are rearranged and suddenly there is a bit of dead space at the bottom where I can no longer move any icons, though that's kind of the least of my worries. Please see all the notes below and txt files (assuming I can figure out how to attach them!). I believe the initial infection came from a popup/pop under (can't recall which, sorry!) at http://www (dot) nowvideo (dot) sx/video/11bb079eff255 while using Chrome. Yes, I run AdBlock Plus, Ghostery, and have all my many browsers configured to block popups, and I never have any issues on any other sites, but this one managed to get around all that. I threw everything I could think of at this but I really just feel like I'm chasing it from one corner to another. Any help would be thoroughly appreciated.


MBAM:

* Initial error message that an exploit was blocked in Powershell (see txt file)
* Scans Clean - All Scans
* Starts up as normal, except Web Protection is shut off
* On first load, Web Protection can be re-enabled
* At some point, Web Protection will return to off, and Exploit Protection goes with it
* Exploit Protection can be re-enabled, but it will switch off again
* On attempting to re-enable Web Protection, it will forever say "Starting..." until next reboot

~~~

MBAR:

* Scans clean

~~~

Avast:

* Scans clean

~~~

TrendMicro Housecall:

* Scans clean

~~~
GMER:

* Initially found the following:

Service  C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** )
[BOOT] WdBoot        <-- ROOTKIT !!!

Service  C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** )
[BOOT] WdFilter        <-- ROOTKIT !!!

Service  C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***)
[AUTO] WinDefend    <-- ROOTKIT !!!

* Attempted deletion (through GMER) of all three, but WdBoot failed.

~~~

aswMBR:

* Ran after GMER. The service below popped up, but aswMBR was unable to fix the issue (see full log). 

23:05:02.343    Service WdBoot C:\WINDOWS\system32\drivers\WdBoot.sys **LOCKED**

* Subsequent attempts to run aswMBR result in BSOD for the reason "Page fault in non-paged area" and then forced restart.

~~~

JRT: 

* Nothing to report

~~~

HitmanPro:

* Found buckets of cookies in all browsers, including Internet Explorer and Edge which I NEVER use. All cookies were deleted. This was the initial confirmation something was up.

~~~

rKill:

* A couple of issues popped up, nothing glaring... See txt.

~~~

ADW Cleaner:

* No issues found

~~~

FRST:

* See txt

~~~

RootKitRemover (McAfee):

* Scanned Clean
 

hijackthis 2-14-17.log

MBAM - Exploit Blocked.txt

Rkill 2-13-17.txt

aswMBR 2-14-17.txt

FRST 2-14-17.txt

GMER Full 2-15-17.log

GMER Pert 2-15-17.txt
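As an added example (not from the original post or from any of the tools it names), the check a responder would run on the three Windows Defender components GMER flagged: confirm each file at the path GMER printed is a validly Microsoft-signed binary, and cross-check the service entries with the Service Control Manager. It assumes the file paths exactly as listed in the GMER output above and an elevated PowerShell prompt.

```powershell
# Added example, not from the original post or from GMER: verify that the three
# Windows Defender components GMER flagged as "hidden" are intact, Microsoft-signed
# binaries. WdBoot.sys (the ELAM driver) and WdFilter.sys are Defender's own kernel
# components, so anti-rootkit tools commonly report them; a tampered copy would fail
# the signature check below. Run from an elevated PowerShell prompt.
$paths = @(
    "$env:SystemRoot\System32\drivers\WdBoot.sys",
    "$env:SystemRoot\System32\drivers\WdFilter.sys",
    "${env:ProgramFiles(x86)}\Windows Defender\MsMpEng.exe",  # path as GMER listed it
    "$env:ProgramFiles\Windows Defender\MsMpEng.exe"          # usual location on x64
)

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Output "$p : not present"
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $p
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    # Expect Status 'Valid' and a Microsoft Windows / Microsoft Corporation signer.
    Write-Output ("{0}`n  Status: {1}`n  Signer: {2}" -f $p, $sig.Status, $signer)
}

# Cross-check the service entries GMER reported against the Service Control Manager:
# kernel drivers are listed under Win32_SystemDriver, the user-mode engine under Win32_Service.
Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot' OR Name='WdFilter'" |
    Select-Object Name, State, StartMode, PathName | Format-List
Get-CimInstance Win32_Service -Filter "Name='WinDefend'" |
    Select-Object Name, State, StartMode, PathName | Format-List
```

A 'Valid' status with a Microsoft signer on all three files means the GMER hits are Defender's own protected components rather than a rootkit; a 'NotSigned' or 'HashMismatch' result is what would warrant further investigation.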


Thanks very much for the feedback, MBMemes. I did try running Chameleon from Safe Mode, as you suggested. I didn't save 13 logfiles, but I did copy one. Suffice it to say they all failed identically. I will make a note to check out uBlock also. I probably should have mentioned in my initial post that I'm running Windows 10 x64. My default browser right now is Chrome, but I also use Opera, Firefox and Tor. If there are any other ideas I'm all ears!


  • Root Admin

Hello @EniNeu


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Thank you

Ron


  • Root Admin

Thanks. I know you've run most of this already but let me get some new logs now since we've done these resets.

 

STEP 01

 

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Okay done, thanks very much for all your help Ron. I notice in the logs that my default search in Chrome is changed and there are a lot of fake extensions in Opera and Chrome. Neither the extensions nor the new fake default search page are actually showing in either browser. Sophos scanned clean.

Addition - 2-21-17.txt

FRST - 2-21-17.txt

JRT - 2-21-17.txt

Sophos - Clean - 2-21-17.PNG


  • Root Admin

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first (Export Bookmarks). Everything else should be removed.

Then I need you to go to Google Sync and sign into your account.
Scroll down until you see the reset sync button and click on the button.
At the prompt click on Ok.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and restart it and check it out for me please.


  • Root Admin

The logs indicate that Windows Search is broken, which can affect other programs on the system and how they run.

Please review the following link and see if you can fix your Windows Search

http://www.thewindowsclub.com/fix-repair-broken-windows-search-windows-7-easily


I did follow your instructions and attempted to fix Windows Search, but the utility said it couldn't find any problems with search. I haven't noticed any sort of performance issue with search, and as far as I can tell it does function as expected. I do seem to have other issues, however, such as Malwarebytes starting with exploit protection switched off. I still have dead space at the bottom left of my desktop that I can't move icons or anything into, and I do still periodically have Windows Explorer crashes and hangs, but that could just be because Windows is a terrible, terrible product. 


  • Root Admin

Let's go ahead and have you run a full disk check, then we'll run some other scans, fixes to see if it helps.

Please click on the "Search the web and Windows" box.

[image: win10search.jpg]


Then type in CMD.EXE and when it shows on the start menu right click and select "Run as administrator"

 

[image: cmd_prompt_run_as_administrator.jpg]

 

In the command prompt please type the following exactly.

CHKDSK  C:  /R

This will tell Windows to run a full disk check, however you'll get the following, telling you it cannot run because it's in use.

Press the Y key to tell it to run on the next restart of the computer.

 

Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>CHKDSK C: /R
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process.  Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N)

 

Then restart the computer and let it run.
Then find and copy the disk check entry from the Event Logs and paste back the results here.

How to Read Event Viewer Log for Chkdsk (Check Disk) in Windows 10
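As an added example (not part of the original reply), a PowerShell snippet that pulls the boot-time CHKDSK report out of the Application event log and saves it to the desktop, instead of locating it by hand in Event Viewer. It assumes the scheduled check already ran at restart, which Windows records under the Microsoft-Windows-Wininit provider as event ID 1001.

```powershell
# Added example, not from the original reply: retrieve the boot-time CHKDSK result
# from the Application event log. Assumption: the disk check ran at restart, which
# Windows logs under the Wininit provider as event ID 1001.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 1001
} -MaxEvents 5 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No boot-time CHKDSK entry found; the scheduled check may not have run yet.'
    return
}

# Take the newest entry and show when the check ran plus the full report text.
$latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
Write-Output ("CHKDSK run recorded at {0}" -f $latest.TimeCreated)
Write-Output $latest.Message

# Save a copy to the desktop so it can be attached to the forum reply.
$out = Join-Path $env:USERPROFILE 'Desktop\chkdsk_result.txt'
$latest.Message | Out-File -FilePath $out -Encoding utf8
Write-Output "Saved to $out"
```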


  • Root Admin

Okay, so far the logs do not indicate any type of rootkit activity or similar infections. Just a bit of PUP type junk overall. Let me have you run the following temp cleaner to remove a bit of leftover junk.

Please first make a new System Restore Point for safety purposes. Then run the following tool. You may need to temporarily disable your antivirus as it may alert that the tool is infected; it is not. It is simply written in AutoIt, which is often flagged as a threat.

 

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

Once that's done try to move things around on your desktop. If it's still an issue then it may be that your profile is corrupted and you might have to create a new user account to test it out.

Let me know.


Okay, this is kind of crazy... I did create a new user profile and that did seem to fix the issues. I was going to copy over my files from the corrupt user profile but... it doesn't exist? I have no folder for this user account in the Users folder, but the two new user accounts I created are there, and I have no trouble logging into the account, obviously. Further, I double checked and the account is definitely set as a local account and not a Microsoft account. :blink: How is that even possible? I do have a folder in Users called Default.migrated but there's essentially nothing in it. I also have a Public folder, but there are no personal files there. Help?


  • Root Admin

Probably just need to enable showing hidden files and folders. Please see the link here.

https://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Though at least temporarily you may wish to set the options as I have them shown.

[image: folder_options.jpg]

Then see if you can locate your files to copy.
