Rootkit/malware removal

Discussion in 'Malware Removal Assistance For Windows' started by Solamen, Dec 29, 2017.


  1. Solamen
    Operating System:
    Windows 7
    Are you using a 32-bit or 64-bit operating system?:
    64-bit (x64)
    Infection date and initial symptoms:
    12/23/2017
    Current issues and symptoms:
    Programs running in the background can't close; HijackThis auto-closes.
    Steps taken in order to remove the infection:
    MBAR, Malwarebytes scan, Microsoft Security Essentials.
    Logs added to help request:
    • FRST.txt
    • Addition.txt
    • I've also uploaded logs from other scans that I've performed
    Tried downloading Buildbox game maker and ended up being filled with trojans. Got most cleaned off, but some remnants remain. Some questionable EXEs running are:

    upmebwxsvc.exe
    cgakwsz.exe
    svrtizo.exe
    igfxmtc.exe

    Attached are MBAR, FRST and Addition logs; below is the GMER basic scan log:
    GMER 2.2.19882 - GMER - Rootkit Detector and Remover
    Rootkit scan 2017-12-29 00:58:11
    Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000082 ATA_____ rev.CB6Q 465.76GB
    Running: w1y60ggf.exe; Driver: C:\Users\Amen\AppData\Local\Temp\kwtdrpog.sys


    ---- Threads - GMER 2.2 ----

    Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6892] 000007fef9a02be0
    Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:5456] 000007fede328a28
    Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6492] 000007fede28d668
    Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6476] 000007fede328a28
    Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6624] 000007fef4b55124
    ---- Processes - GMER 2.2 ----

    Library C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe [3552] 00000000012e0000
    Library C:\Users\Amen\AppData\Local\igfxmtc\igfxmtc.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\igfxmtc\igfxmtc.exe [4528] 0000000000ac0000
    Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [2196] 0000000000200000
    Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [3620] 0000000000200000
    Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [1168] 0000000000200000
    Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [848] 0000000000200000

    ---- Services - GMER 2.2 ----

    Service C:\Windows\system32\drivers\5515452A.sys (*** hidden *** ) [DISABLED] 5515452A <-- ROOTKIT !!!
    Service system32\drivers\coeosvyb.sys (*** hidden *** ) [BOOT] bkduogv <-- ROOTKIT !!!
    Service C:\Windows\system32\drivers\mbamchameleon.sys (*** hidden *** ) [SYSTEM] mbamchameleon <-- ROOTKIT !!!

    ---- EOF - GMER 2.2 ----
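Reading a GMER log by hand is the usual first triage step for a post like the one above: the helper picks out the `(*** suspicious ***)` process entries, checks where those executables live, and sorts the `(*** hidden *** )` services into real unknowns and drivers that belong to installed security tools. The script below does exactly that over an excerpt of the log posted in this thread. It is an added example, not part of the thread and not a GMER or Malwarebytes tool; the user-writable path list and the driver allowlist are assumptions you maintain yourself. `mbamchameleon.sys` is on that allowlist because it is the Malwarebytes Chameleon self-protection driver, which GMER reports as a hidden service whenever MBAR or MBAM is installed, but the script still tells you to confirm the file's signature rather than ignore it outright.

```python
"""Triage a GMER 2.2 text log: extract 'suspicious' processes and 'hidden'
services, then apply the two rules a removal helper applies by hand.

Added example; not part of the original thread and not GMER's own code.
USER_WRITABLE and KNOWN_TOOL_DRIVERS are assumptions the reader maintains.
"""
import re
from dataclasses import dataclass

# Sample input: an excerpt of the GMER log posted in the thread above.
SAMPLE_LOG = r"""
---- Processes - GMER 2.2 ----

Library C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe [3552] 00000000012e0000
Library C:\Users\Amen\AppData\Local\igfxmtc\igfxmtc.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\igfxmtc\igfxmtc.exe [4528] 0000000000ac0000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [2196] 0000000000200000

---- Services - GMER 2.2 ----

Service C:\Windows\system32\drivers\5515452A.sys (*** hidden *** ) [DISABLED] 5515452A <-- ROOTKIT !!!
Service system32\drivers\coeosvyb.sys (*** hidden *** ) [BOOT] bkduogv <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\mbamchameleon.sys (*** hidden *** ) [SYSTEM] mbamchameleon <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----
"""


@dataclass(frozen=True)
class ProcessEntry:
    image: str   # full path of the running executable
    pid: int


@dataclass(frozen=True)
class ServiceEntry:
    path: str    # driver path as GMER printed it (may be relative)
    start: str   # BOOT / SYSTEM / AUTO / DISABLED ...
    name: str    # service (registry key) name


# "Library <module> (*** suspicious ***) @ <image> [<pid>] <base address>"
PROC_RE = re.compile(
    r"^Library .+? \(\*\*\* suspicious \*\*\*\) @ (?P<image>.+?) \[(?P<pid>\d+)\] [0-9a-fA-F]+$"
)
# "Service <path> (*** hidden *** ) [<start>] <name> <-- ROOTKIT !!!"
SVC_RE = re.compile(
    r"^Service (?P<path>.+?) \(\*\*\* hidden \*\*\* ?\) \[(?P<start>[A-Z]+)\] (?P<name>\S+)"
)

# Assumed heuristics: legitimate services and drivers do not run from here.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\users\\public\\")
# Assumed allowlist of security-tool drivers that GMER reports as hidden.
KNOWN_TOOL_DRIVERS = {
    "mbamchameleon.sys": "Malwarebytes Chameleon (MBAR/MBAM self-protection)",
}


def parse_gmer(text):
    """Return (processes, services) found in a GMER log."""
    procs, svcs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROC_RE.match(line)
        if m:
            procs.append(ProcessEntry(m["image"], int(m["pid"])))
            continue
        m = SVC_RE.match(line)
        if m:
            svcs.append(ServiceEntry(m["path"], m["start"], m["name"]))
    return procs, svcs


def triage(procs, svcs):
    """Return a list of (kind, path, note) findings for the helper to act on."""
    findings = []
    for p in procs:
        if any(tag in p.image.lower() for tag in USER_WRITABLE):
            findings.append(("process", p.image,
                             f"pid {p.pid}: executable runs from a user-writable directory"))
    for s in svcs:
        base = s.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in KNOWN_TOOL_DRIVERS:
            findings.append(("service-allowlisted", s.path,
                             f"{s.name}: {KNOWN_TOOL_DRIVERS[base]}; "
                             "confirm publisher signature and hash before ignoring"))
            continue
        # A hidden boot-start driver loads before every user-mode tool: top priority.
        priority = "high" if s.start == "BOOT" else "medium"
        findings.append(("service", s.path,
                         f"{s.name}: hidden {s.start}-start driver, {priority} priority"))
    return findings


if __name__ == "__main__":
    for kind, path, note in triage(*parse_gmer(SAMPLE_LOG)):
        print(f"[{kind}] {path}\n    {note}")
```

On this excerpt the script reports all three `AppData\Local` executables, ranks `coeosvyb.sys` (hidden, boot-start) above the disabled `5515452A.sys`, and sets `mbamchameleon.sys` aside as a tool driver to be verified rather than removed. Everything else (the attached FRST and Addition logs, the file hashes) still has to be checked by the helper; the script only orders the work.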

  2. TwinHeadedEagle

    TwinHeadedEagle Removal Expert
    Staff Member

    Hello,


    Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
    • Now you should get a window like this where you need to click Troubleshoot.
    • In the next window, click Advanced options and select Command Prompt.
    • Now you should log in to your account, and after that the Command Prompt window opens.
    Access Notepad and identify your USB drive

    In the Command Prompt please type in:
    Code:
    notepad
    and press Enter.
    • When the notepad opens, go to File menu.
    • Select Open.
    • Go to Computer and search there for your USB drive letter.
    • Note down the letter and close the notepad.


    Scan with Farbar Recovery Scan Tool

    Once back in the command prompt window, please do the following:
    • Type in e:\frst64.exe and press Enter.
      You need to replace e with the letter of your USB drive taken from notepad!
    • FRST will start to run. Give it a minute or so to load.
    • Click Yes to Disclaimer.
    • In the main console, please click Scan and wait.
    • When finished, it will produce a log file named FRST.txt in the root of your pen drive and display it. Close that log file.

    Transfer it to your clean machine and include it in your next reply.