Ran ESET SysRescue and it didn't find anything.

At this point, I fired up Process Explorer and lo and behold, sitting at the top of the list was a svchost.exe entry. I have PE configured to show processes in load order and svchost.exe never ever appeared at the top of the list. The service I believe was named 'location.' Note there is no such Win 10 service. Still a no go on that bogus service entry.

Last thing left to do prior to a reformat and reinstall of Win 10 was to delete the hiberfil. I also believe this rootkit was on my system for a while and might be coin miner related. I don't have my tower case fans constantly spinning up as occurred previously. Since this malware was SMB related, it might track to a suspicious SMB incident about 6 months ago.

Here's the boot sequence of a classic machine (courtesy of ESET). Below is a picture of what it looks like.

[Figure: Boot process]

As seen in the picture above, the first component to be called is the Master Boot Record (MBR), which is sector 0 of a physical hard drive. The MBR describes how many partitions are defined on the hard drive, whether they are bootable, their size and location, and the filesystem type used on them.
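The partition table the paragraph describes lives in the last 66 bytes of that 512-byte sector: four 16-byte entries followed by the 0x55AA signature. The parser below is an added example (not from ESET or the forum post) that decodes those entries from a constructed sample MBR and runs a few sanity checks a forensic analyst would apply when reading sector 0 of a suspect disk. The sample MBR, the partition-type name table and the check names are all constructed for this illustration.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # bytes 0..445 hold boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of sector 0

# A few well-known partition type ids (subset, for readable output).
PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}

# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4),
# little-endian. The CHS fields are skipped; modern tooling uses the LBA values.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> list:
    """Decode the four partition table entries of a raw 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, num_sectors = struct.unpack(
            ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "status": status,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start,
            "num_sectors": num_sectors,
            "size_bytes": num_sectors * SECTOR_SIZE,
        })
    return entries


def check_mbr(entries: list) -> list:
    """Return a list of warnings for layouts that do not look like a normal disk."""
    warnings = []
    used = [e for e in entries if e["type"] != 0x00 or e["num_sectors"] != 0]
    bootable = [e for e in entries if e["bootable"]]
    if len(bootable) > 1:
        warnings.append("more than one entry flagged bootable")
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            warnings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["type"] == 0x00 and e["num_sectors"] != 0:
            warnings.append(f"entry {e['index']}: type 'empty' but non-zero size")
        if e["type"] != 0x00 and e["lba_start"] == 0:
            warnings.append(f"entry {e['index']}: partition starts at sector 0 (overlaps MBR)")
    # Pairwise overlap check on LBA ranges of non-empty entries.
    for a in used:
        for b in used:
            if a["index"] >= b["index"]:
                continue
            a_end = a["lba_start"] + a["num_sectors"]
            b_end = b["lba_start"] + b["num_sectors"]
            if a["lba_start"] < b_end and b["lba_start"] < a_end:
                warnings.append(f"entries {a['index']} and {b['index']} overlap")
    return warnings


def make_entry(status: int, ptype: int, lba_start: int, num_sectors: int) -> bytes:
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, num_sectors)


def build_sample_mbr() -> bytes:
    """Constructed sample: bootable NTFS partition followed by a Linux partition."""
    table = (make_entry(0x80, 0x07, 2048, 1024000)
             + make_entry(0x00, 0x83, 1026048, 4096000)
             + make_entry(0x00, 0x00, 0, 0)
             + make_entry(0x00, 0x00, 0, 0))
    return bytes(PARTITION_TABLE_OFFSET) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    parsed = parse_mbr(build_sample_mbr())
    for e in parsed:
        if e["type"] != 0x00:
            print(f"#{e['index']} boot={e['bootable']} {e['type_name']} "
                  f"start={e['lba_start']} sectors={e['num_sectors']}")
    print("warnings:", check_mbr(parsed))
```

On a real system you would feed `parse_mbr` the first 512 bytes read from the physical drive (for example from a disk image taken before reinstalling), and compare the decoded table against what the OS partition tool reports; the checks in `check_mbr` only flag structural oddities and say nothing about the boot code in bytes 0..445, which is where a bootkit would sit and which should be compared against a known-good copy.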