EniNeu, posted February 18, 2017 (post ID 1102796)

I am pretty positive I have a rootkit. It's a quiet and crafty sort; from the beginning there were no obvious signs of infection, there wasn't any slowing or memory leaking, no unusual traffic noted. I felt like something was off, but I couldn't pinpoint what until I got the first warning message from MBAM 3.0.6 Premium (see Exploit Blocking below). Now I notice that all my desktop icons are rearranged on relog and suddenly there is a bit of dead space at the bottom where I can no longer move any icons, though that's kind of the least of my worries. Sometimes the screen sort of freezes, almost like a screenshot, but then it clears up again right away.

I'm running Windows 10 Home Premium, x64, on an Asus X756UXM. Please see all the notes below and txt files. Please note that things might be a little out of order from how I actually scanned things, because this started almost a week ago and I don't remember that far back.

I believe the initial infection came from a popup/pop-under (can't recall which, sorry!) at http:// www (dot) nowvideo (dot) sx/video/11bb079eff255 while using Chrome. I run AdBlock Plus, Ghostery, and some script blocker thingie, and have all my many browsers configured to block popups, and I never have any issues on any other sites, but this one managed to get around all that.

I threw everything I could think of at this but I really just feel like I'm chasing it from one corner to another. Any help would be thoroughly appreciated.
MBAM:
* Initial error message that an exploit was blocked in PowerShell (see txt file)
* Scans clean - all scans
* Starts up as normal, except Web Protection is shut off
* On first load, Web Protection can be re-enabled
* At some point, Web Protection will return to off, and Exploit Protection goes with it
* Exploit Protection can be re-enabled, but it will switch off again
* On attempting to re-enable Web Protection, it will forever say "Starting..." until next reboot
~~~
MBAR:
* Scans clean
~~~
Avast:
* Scans clean
~~~
TrendMicro Housecall:
* Scans clean
~~~
GMER:
* Found the following:
    Service C:\WINDOWS\system32\drivers\WdBoot.sys (*** hidden *** ) [BOOT] WdBoot <-- ROOTKIT !!!
    Service C:\WINDOWS\system32\drivers\WdFilter.sys (*** hidden *** ) [BOOT] WdFilter <-- ROOTKIT !!!
    Service C:\Program Files (x86)\Windows Defender\MsMpEng.exe (*** hidden ***) [AUTO] WinDefend <-- ROOTKIT !!!
* Attempted deletion (through GMER) of all three, but WdBoot failed.
~~~
aswMBR:
* Ran after GMER. The service below popped up, but aswMBR was unable to fix the issue (see full log).
    23:05:02.343 Service WdBoot C:\WINDOWS\system32\drivers\WdBoot.sys **LOCKED**
* Subsequent attempts to run aswMBR result in a BSOD for the reason "Page fault in non-paged area" and then a forced restart.
~~~
JRT:
* Nothing to report
~~~
HitmanPro:
* Found buckets of cookies in all browsers, including Internet Explorer and Edge, which I NEVER use. All cookies were deleted. This was the initial confirmation something was up.
~~~
rKill:
* A couple of issues popped up, nothing glaring... See txt.
~~~
ADW Cleaner:
* No issues found
~~~
FRST:
* See txt
~~~
RootKitRemover (McAfee):
* Scanned clean
~~~
TDSSKiller:
* Scanned clean
~~~
Bootlog:
* See txt
~~~
MBAM Chameleon:
* Ran from safe mode, all 13 or however many buttons failed identically. See txt.
Attached files:
* HijackThis 2-14-17.log
* MBAM - Exploit Blocked.txt
* Notes.txt
* Rkill 2-13-17.txt
* aswMBR 2-14-17.txt
* BootLog 2-17-17.txt
* Chameleon Fail 2-15-17.txt
* FRST 2-14-17.txt
* GMER 2-15-17.log
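The three GMER hits above are the kind of result a responder triages before deleting anything, because a boot-start driver flagged as "hidden" can be either a rootkit or a legitimately protected system component. The script below is an added example, not part of the original post or of any of the tools it mentions; it takes the three file paths exactly as GMER reported them and, for each, reads the service's registry entry (ImagePath, Start and Type), checks whether the file on disk exists, and verifies its Authenticode signature so the signer can be compared against what the path and service name claim. Run it from an elevated PowerShell prompt; the list of paths is the only input and is taken from the post.

```powershell
# Added example (not from the original post): triage the GMER "hidden service" hits
# by comparing the registry-registered image path with the file on disk and checking
# the file's Authenticode signature. Paths below are the ones GMER reported in the post.

function Test-FlaggedService {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $ReportedPath
    )

    # Service and driver definitions both live under CurrentControlSet\Services.
    # Start: 0 = Boot, 1 = System, 2 = Auto, 3 = Demand, 4 = Disabled.
    # Type: 1 = kernel driver, 2 = file system driver, 16 = own process, 32 = shared process.
    $reg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" `
                            -ErrorAction SilentlyContinue

    $exists = Test-Path -LiteralPath $ReportedPath
    $file   = if ($exists) { Get-Item -LiteralPath $ReportedPath } else { $null }
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $ReportedPath } else { $null }

    [pscustomobject]@{
        Service      = $ServiceName
        ReportedPath = $ReportedPath
        RegImagePath = $reg.ImagePath        # what the service control manager will actually load
        RegStart     = $reg.Start
        RegType      = $reg.Type
        FileExists   = $exists
        SizeBytes    = $file.Length
        LastWriteUtc = $file.LastWriteTimeUtc
        SigStatus    = $sig.Status            # 'Valid' is the expected result for an OS component
        Signer       = $sig.SignerCertificate.Subject
        Thumbprint   = $sig.SignerCertificate.Thumbprint
    }
}

# The three entries GMER flagged in the post.
$flagged = @(
    @{ ServiceName = 'WdBoot';    ReportedPath = 'C:\WINDOWS\system32\drivers\WdBoot.sys' },
    @{ ServiceName = 'WdFilter';  ReportedPath = 'C:\WINDOWS\system32\drivers\WdFilter.sys' },
    @{ ServiceName = 'WinDefend'; ReportedPath = 'C:\Program Files (x86)\Windows Defender\MsMpEng.exe' }
)

$results = foreach ($f in $flagged) { Test-FlaggedService @f }
$results | Format-List

# Anything whose signature is not Valid, whose signer does not match the vendor the
# path implies, or whose registry ImagePath points somewhere other than the reported
# file is what deserves a closer look (hash the file and compare against a known-good copy).
$results | Where-Object { $_.SigStatus -ne 'Valid' } |
    Select-Object Service, ReportedPath, SigStatus, Signer
```

Two things to read from the output: a mismatch between RegImagePath and ReportedPath means the scanner and the service control manager disagree about which file runs, and a signature that is anything other than Valid on a path under system32 or a vendor's Program Files directory is the result that warrants pulling the file for hashing and offline comparison. The caveat is that a kernel-mode rootkit can hide or substitute files from user-mode tools, so a clean result here only lowers suspicion; a scan from outside the running OS (boot media or an offline disk image) is what actually confirms it.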