So here is my story:
I missed all the Windows 10 Professional updates since 2016 due to not having used this rig in a while. I had just started using it again a few days ago and everything was normal. After a few hiccups, I'm wondering if I may have been infected by a rootkit or worm from the university network. It is either that, or my Windows files may have been corrupted. Either way it shouldn't matter, as I plan on doing a drive reformat and a fresh install for separate reasons anyway. I'm not looking for help fixing the issue, just wondering what you experts think is the more likely cause: system file corruption, or rootkit/bootkit.
In chronological order, here are my symptoms:
Connect to the university network while on 1703 (having forgotten that the PC hadn't updated yet).
All is well for weeks, no strange behavior or symptoms.
After a while, dozens of System32 processes suddenly start showing up with increasing frequency in Task Manager, none of which had ever shown up prior, to my knowledge. All of them are legitimate process names, but some seem to be running at all times, which is definitely new behavior.
Constantly being kicked out of full-screen applications at random intervals, as if I had pressed Escape (e.g. Netflix and YouTube exit full-screen mode, games on Steam alt+tab out).
Blue screen, which has never once happened on this rig before, occurs twice in the span of two days.
Avast Boot-Time scan returns nothing (0 infected files according to the log file)
The infamous forced update to Windows 10 Pro 1709 fails due to a power outage, canceling the download process at 2%. <-- I know shutting down during an update can cause Windows files to be corrupted, but I was only downloading, not installing.
Power off, Restart, and Sleep functions suddenly disappear from the Start menu, leaving a blank grey box with no options or messages.
Attempts made to repair using SFC and DISM fail. When I run DISM /Online /Cleanup-Image /RestoreHealth from the admin console I get error code 605: "The specified buffer contains ill-formed data."
SFC starts running, but stops at Verification 23% both times and gives the message "Windows Resource Protection could not perform the requested operation."
Attempts to open the Update & Security part of the Windows Settings menu cause Windows Settings to instantly exit every time. Other settings in the same menu work just fine. This prevents me from updating or rolling back through the Update & Security panel. <-- Very suspicious
Booting into safe mode has all of the same symptoms, except that opening the power options from the login screen causes explorer.exe to crash and restart.
Running System Restore with an existing restore point that I created weeks prior appears to work, until I boot into Windows 10 and find an error message stating "System Restore did not complete successfully. Your system files and settings were not changed." In the same box, it states "System Restore failed to extract the original copy of the directory from the restore point ... Source: %ProgramFiles%\WindowsApps.... The restore point was damaged or deleted during the restore."
Upon opening System Restore again, I find all my restore points back to the beginning of time suddenly missing, including the one I just tried to use. <---- Extremely suspicious
Disk Check prompts me to run it at startup on the C: drive. I let it run, but it fails, suddenly exiting with no results, errors, prompts, or any other indication that it exited normally at all.
On restart there is sometimes a quick flash of what looks like a 0x0 pixel window that displays for literally one frame before showing the BIOS splash screen. It kinda looks like a Windows dialog box with close and minimize buttons, but nothing inside it. It is hard to tell if I saw that right, though, as it only happens sometimes and appears for a single frame. Whatever it is, it's very concerning that it appears before the BIOS splash screen!
Again, Avast Boot-Time scan returns nothing (0 infected files according to the log file)
The rig is a dual-boot configuration, so I tried booting into Windows 7 with the Windows 10 drive disconnected. Windows 7 is completely fine.
All previous symptoms are still present in Windows 10, but when I boot into Windows 7 everything is fine and there are no symptoms.
It seems like some intelligent software is actively trying to prevent me from updating Windows 10, rolling back, or restoring. Although, almost all of these symptoms can also be explained by corrupted system files from the update when the power went out. I am just curious what you guys think is more likely: corruption or rootkit. I'm leaning towards rootkit for sure right now. Thanks for being patient enough to read all this! I look forward to hearing your opinions.
-Bahazbz
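Editor's note (added example, not part of the post above and not the poster's code): every check the post describes as failing (SFC, DISM, System Restore, chkdsk, the Settings app) was run from inside the suspect Windows 10 install, where a damaged component store and a kernel rootkit can both produce exactly those failures. The one observation made from outside it, booting Windows 7 with the Windows 10 drive disconnected, is the kind that separates the two. The PowerShell script below continues that offline approach from the known-good OS: it pulls the unrepairable-file lines out of the suspect install's CBS.log, dumps the boot entries from its BCD store, and lists its boot-start kernel drivers from the offline SYSTEM hive with hashes and signature status. The drive letters, the BCD location, the temporary hive name and the script file name are placeholders.

```powershell
<#
  Offline triage of a suspect Windows 10 volume from a known-good OS.
  Added example for this thread, not code from the original post.
  Assumptions (placeholders, adjust to your disk layout):
    - run from an elevated PowerShell 3+ session on the good OS (the Windows 7
      install on the same box, or WinRE), with the suspect volume mounted as
      $SuspectDrive (E: here);
    - $BcdStore is the suspect install's BCD: \Boot\BCD on the System Reserved
      partition for BIOS/MBR machines, \EFI\Microsoft\Boot\BCD on the ESP for UEFI.
  The script only reads the suspect volume; it never runs code from it.
#>
param(
    [string]$SuspectDrive = 'E:',
    [string]$BcdStore     = 'F:\Boot\BCD'
)
$ErrorActionPreference = 'Stop'
$win     = Join-Path $SuspectDrive 'Windows'
$hiveKey = 'OfflineSys'   # temporary key under HKLM the offline SYSTEM hive is mounted on

# 1. Servicing log. SFC and DISM record the members they could not repair here,
#    so a genuinely damaged component store leaves a trail of these lines.
$cbs = Join-Path $win 'Logs\CBS\CBS.log'
Write-Host '== last unrepairable entries in CBS.log =='
if (Test-Path $cbs) {
    Select-String -Path $cbs -Pattern 'Cannot repair member file|do not match actual file' |
        Select-Object -Last 20 -ExpandProperty Line
}

# 2. Boot configuration, read from the suspect install's own BCD store. A
#    tampered loader shows up as a changed path/device; testsigning or
#    nointegritychecks turned on would let an unsigned kernel driver load.
Write-Host '== BCD entries (identity, device, path, integrity settings) =='
if (Test-Path $BcdStore) {
    & bcdedit.exe /store $BcdStore /enum all |
        Select-String -Pattern '^(identifier|description|device|osdevice|path|testsigning|nointegritychecks)'
}

# 3. Boot-start kernel drivers from the offline SYSTEM hive. These load before
#    any user-mode scanner, so a rootkit that survives reboots almost always has
#    an entry here, while a merely corrupted install does not gain a new one.
function Get-OfflineBootDriver {
    & reg.exe load "HKLM\$hiveKey" (Join-Path $win 'System32\config\SYSTEM') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed (not elevated, or hive in use?)' }
    try {
        $current  = (Get-ItemProperty "HKLM:\$hiveKey\Select").Current
        $services = 'HKLM:\{0}\ControlSet{1:D3}\Services' -f $hiveKey, $current
        foreach ($svc in Get-ChildItem $services) {
            $p = Get-ItemProperty $svc.PSPath
            if ($p.Start -ne 0 -or ($p.Type -ne 1 -and $p.Type -ne 2)) { continue }

            # Resolve ImagePath (several spellings are normal) against the offline volume.
            $img = if ($p.ImagePath) { $p.ImagePath } else { "System32\drivers\$($svc.PSChildName).sys" }
            $absolute = $img -match '^\\\?\?\\[A-Za-z]:\\'     # \??\C:\... is unusual for a boot driver
            $rel  = $img -replace '^\\\?\?\\[A-Za-z]:\\Windows\\', '' -replace '^\\SystemRoot\\', ''
            $file = Join-Path $win $rel
            $exists = Test-Path $file

            $sha256 = ''; $sig = 'missing'
            if ($exists) {
                $bytes  = [IO.File]::ReadAllBytes($file)
                $sha256 = ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes))) -replace '-', ''
                # Catalog-signed Windows files report NotSigned when checked from another
                # OS (their catalogs live on the offline volume). HashMismatch, meaning an
                # embedded signature exists but the bytes changed, is the real signal.
                $sig = (Get-AuthenticodeSignature -FilePath $file).Status.ToString()
            }

            $flags = @()
            if (-not $exists)                          { $flags += 'file-missing' }
            if ($absolute)                             { $flags += 'absolute-imagepath' }
            if ($rel -notmatch '^system32\\drivers\\') { $flags += 'outside-drivers-dir' }
            if ($sig -eq 'HashMismatch')               { $flags += 'embedded-sig-broken' }

            [pscustomobject]@{
                Name      = $svc.PSChildName
                Path      = $file
                Exists    = $exists
                Signature = $sig
                Flags     = ($flags -join ',')
                SHA256    = $sha256
            }
        }
    } finally {
        & reg.exe unload "HKLM\$hiveKey" | Out-Null
    }
}

$drivers = Get-OfflineBootDriver
$drivers | Sort-Object Flags -Descending | Format-Table Name, Flags, Signature, Path -AutoSize
# Hashes go to a CSV so each driver can be checked against a reference (vendor
# package, VirusTotal) from the clean OS; nothing on the suspect volume is trusted.
$drivers | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'boot-drivers.csv')
```

Run it from the Windows 7 side as .\Triage-OfflineWindows.ps1 -SuspectDrive E: -BcdStore F:\Boot\BCD with the letters adjusted to where the Windows 10 volume and its boot partition actually mount. A boot-start driver that is new, has no vendor, is missing on disk, or reports HashMismatch is the kind of finding the online scans in the post could not surface; a CBS.log full of unrepairable members with an unremarkable driver list points the other way. If the log does show corruption, the documented offline equivalents of what the post tried are sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows and dism /Image:C:\ /Cleanup-Image /RestoreHealth run from WinRE against the mounted volume, which do not depend on the broken install's own servicing stack. The script does not inspect firmware or the raw MBR/VBR sectors, so it says nothing about anything that could run before the BIOS splash screen.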