Unfortunately, I've tried to resolve this problem myself before I found this forum so I've already attempted some scans as mentioned below.
I've spent the better half of yesterday attempting to fight back against a problem I couldn't see. Mouse and keyboard would stop working. Sometimes the mouse would click a button in a program, other times it wouldn't. The problem would come and go. Naturally, at first I suspected the system to have faulty hardware. However, after remoting into the computer I quickly realized that my remote control was exhibiting the same behavior. The system has a running and legal copy of Symantec Small Business Edition Endpoint Protection.Cloud. It doesn't seem to recognize any suspicious activity. I've also run Combofix, RogueKiller, Junkware Removal Tool, TDSSKiller & Malwarebytes full scan. I loaded up GMER but it doesn't indicate anything rogue.
I definitely know there's suspicious activity based on Explorer.exe randomly crashing, Internet Explorer wanting to be debugged, and the random nature of my mouse and keyboard functionality coming and going on a variety of different windows buttons or keystrokes in a text field.
I haven't been able to run any offline scans yet, nor was I able to run RKill before the scanning, as I was remoted in to said PC and RKill would terminate my connection. I've downloaded the Sophos Anti-Rootkit scan tool but I haven't had the chance to run it. I've attempted to try and spot any suspicious DLLs that fly by in Process Monitor but so far none have caught my eye.
I've attempted to run most scans from Safe Mode with Networking, and when I chose to run the Malwarebytes rootkit scanner, which took 6 1/2 hrs, it never did properly complete as the scan seemed to hang during heuristic scanning.
Also, running SFC /scannow doesn’t complete as it comes back with a Resource Protection error around 67% in both normal mode and safe mode. I was however successful in running a thorough "chkdsk /f /r" on the primary boot\system partition and I don't suspect a problem with the hard drives. I have attached a STOP error which occurred while I was trying to revert to an older system restore point with the intention of breaking the infection enough to make it visible to remove.
This possibly could be an MBR Boot rootkit as I wasn't able to retrieve the MBR information using mbr -t from the command line. Not sure if Windows or the Antivirus may have blocked my request when I ran said command from the Windows folder.
For good measure I reset TCP/IP "Netsh int ip reset reset.txt" & "Netsh winsock reset" & flushed the DNS after a reboot. I've inspected the System Path Environmental Variables to make sure nothing rogue has added itself to the path and I've run Microsoft SysInternals Autoruns to check the start-up nature of the system with no indications of anything unusual. I suspect the infection is attaching itself to device drivers and it makes its way from one device to another as I do my scans since I experience different oddities that come and go while I try and source the problematic software.
Any help or suggestions to fight back against this nasty infection would be much appreciated. Thank you.
Edited by pbolduc, 13 September 2018 - 11:42 AM.