Rootkit/malware removal

Solamen

New Member
Joined
Dec 29, 2017
Messages
1
OS
Windows 7
Antivirus
Microsoft
#1
Tried downloading buildbox game maker and ended up being filled with trojans. got most cleaned off but some remnants remain. some questionable EXE's running are:

upmebwxsvc.exe
cgakwsz.exe
svrtizo.exe
igfxmtc.exe

Attached are Mbar, FRST, Addition, and below is GMER basic scan log:
GMER 2.2.19882 - GMER - Rootkit Detector and Remover
Rootkit scan 2017-12-29 00:58:11
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000082 ATA_____ rev.CB6Q 465.76GB
Running: w1y60ggf.exe; Driver: C:\Users\Amen\AppData\Local\Temp\kwtdrpog.sys


---- Threads - GMER 2.2 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6892] 000007fef9a02be0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:5456] 000007fede328a28
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6492] 000007fede28d668
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6476] 000007fede328a28
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6624] 000007fef4b55124
---- Processes - GMER 2.2 ----

Library C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe [3552] 00000000012e0000
Library C:\Users\Amen\AppData\Local\igfxmtc\igfxmtc.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\igfxmtc\igfxmtc.exe [4528] 0000000000ac0000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [2196] 0000000000200000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [3620] 0000000000200000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [1168] 0000000000200000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [848] 0000000000200000

---- Services - GMER 2.2 ----

Service C:\Windows\system32\drivers\5515452A.sys (*** hidden *** ) [DISABLED] 5515452A <-- ROOTKIT !!!
Service system32\drivers\coeosvyb.sys (*** hidden *** ) [BOOT] bkduogv <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\mbamchameleon.sys (*** hidden *** ) [SYSTEM] mbamchameleon <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----
 

Attachments

TwinHeadedEagle

Removal Expert
MalwareTips Staff
Joined
Mar 8, 2013
Messages
22,277
OS
Windows 10
Antivirus
ESET
#2
Hello,


Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Now you should get a window like this where you need to click Troubleshoot.

  • In the next window, click Advanced options and select Command Prompt.
  • Now you should log in into your account and after that Command Promptwindow.
Access the notepad and identify your USB drive

In the Command Prompt please type in:
Code:
notepad
and press Enter.
  • When the notepad opens, go to File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.


Scan with Farbar Recovery Scan Tool

Once back in the command prompt window, please do the following:
  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give him a minute or so to load itself.
  • Click Yes to Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

Transfer it to your clean machine and include it in your next reply.
 
Forgot your password?