Rootkit/malware removal

Solamen

New Member
Joined
Dec 29, 2017
Messages
1
OS
Windows 7
Antivirus
Microsoft
#1
Tried downloading Buildbox game maker and ended up being filled with trojans. Got most cleaned off but some remnants remain. Some questionable EXEs running are:

upmebwxsvc.exe
cgakwsz.exe
svrtizo.exe
igfxmtc.exe

Attached are Mbar, FRST, Addition, and below is the GMER basic scan log:
GMER 2.2.19882 - GMER - Rootkit Detector and Remover
Rootkit scan 2017-12-29 00:58:11
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000082 ATA_____ rev.CB6Q 465.76GB
Running: w1y60ggf.exe; Driver: C:\Users\Amen\AppData\Local\Temp\kwtdrpog.sys


---- Threads - GMER 2.2 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6892] 000007fef9a02be0
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:5456] 000007fede328a28
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6492] 000007fede28d668
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6476] 000007fede328a28
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6148:6624] 000007fef4b55124
---- Processes - GMER 2.2 ----

Library C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe [3552] 00000000012e0000
Library C:\Users\Amen\AppData\Local\igfxmtc\igfxmtc.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\igfxmtc\igfxmtc.exe [4528] 0000000000ac0000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [2196] 0000000000200000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [3620] 0000000000200000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [1168] 0000000000200000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [848] 0000000000200000

---- Services - GMER 2.2 ----

Service C:\Windows\system32\drivers\5515452A.sys (*** hidden *** ) [DISABLED] 5515452A <-- ROOTKIT !!!
Service system32\drivers\coeosvyb.sys (*** hidden *** ) [BOOT] bkduogv <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\mbamchameleon.sys (*** hidden *** ) [SYSTEM] mbamchameleon <-- ROOTKIT !!!

---- EOF - GMER 2.2 ----
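A small triage helper for a GMER log of the kind posted above, added here as an illustration; it is not the poster's code nor a MalwareTips tool. It pulls out the `Library ... (*** suspicious ***)` process lines and the `Service ... (*** hidden ***)` driver lines, then applies the checks an analyst makes by eye: executables running from a user-writable AppData folder, a process living in a folder named after itself, a hidden driver whose service name does not match its file name or that is registered with a relative path. The sample lines are copied from the log in the post; the allowlist of hidden drivers that belong to security tools (here `mbamchameleon`, Malwarebytes' own self-protection driver, which GMER routinely reports as hidden after MBAR has been run) is an analyst-supplied assumption, not something the log itself states.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the GMER log in the post above.
SAMPLE_LOG = r"""
---- Processes - GMER 2.2 ----

Library C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\cgakwsz.exe [3552] 00000000012e0000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [2196] 0000000000200000
Library C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe (*** suspicious ***) @ C:\Users\Amen\AppData\Local\cgakwsz\svrtizo.exe [3620] 0000000000200000

---- Services - GMER 2.2 ----

Service C:\Windows\system32\drivers\5515452A.sys (*** hidden *** ) [DISABLED] 5515452A <-- ROOTKIT !!!
Service system32\drivers\coeosvyb.sys (*** hidden *** ) [BOOT] bkduogv <-- ROOTKIT !!!
Service C:\Windows\system32\drivers\mbamchameleon.sys (*** hidden *** ) [SYSTEM] mbamchameleon <-- ROOTKIT !!!
"""

# Analyst-supplied allowlist (assumption): hidden drivers that belong to
# security tools and are expected to show up in a GMER scan.
KNOWN_BENIGN_HIDDEN = frozenset({"mbamchameleon"})

LIBRARY_RE = re.compile(
    r"^Library (?P<path>.+?) \(\*\*\* suspicious \*\*\*\) @ .+? \[(?P<pid>\d+)\]"
)
SERVICE_RE = re.compile(
    r"^Service (?P<path>\S+) \(\*\*\* hidden \*\*\*\s*\) \[(?P<start>\w+)\] (?P<name>\S+)"
)


def parse_gmer(text):
    """Return one finding dict per suspicious process or hidden service line."""
    findings = []
    for line in text.splitlines():
        m = LIBRARY_RE.match(line)
        if m:
            findings.append({"kind": "process", "path": m["path"], "pid": int(m["pid"])})
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings.append({"kind": "hidden_service", "path": m["path"],
                             "start": m["start"], "name": m["name"]})
    return findings


def triage(findings, benign_hidden=KNOWN_BENIGN_HIDDEN):
    """Attach a verdict and the reasons behind it to each finding."""
    results = []
    for f in findings:
        p = PureWindowsPath(f["path"])
        reasons = []
        if f["kind"] == "process":
            if "appdata" in [part.lower() for part in p.parts]:
                reasons.append("executable runs from a user-writable AppData folder")
            if p.parent.name.lower() == p.stem.lower():
                reasons.append("lives in a folder named after itself")
            verdict = "investigate" if reasons else "review"
        else:
            if f["name"].lower() in benign_hidden:
                verdict = "expected"
                reasons.append("self-protection driver of a security tool on the allowlist")
            else:
                verdict = "investigate"
                reasons.append("hidden driver service not on the allowlist")
                if f["name"].lower() != p.stem.lower():
                    reasons.append("service name differs from driver file name")
                if not p.is_absolute():  # e.g. system32\drivers\x.sys with no drive
                    reasons.append("driver registered with a relative path")
        results.append({**f, "verdict": verdict, "reasons": reasons})
    return results


def summarize(text, benign_hidden=KNOWN_BENIGN_HIDDEN):
    """Collapse per-PID findings into one entry per image path."""
    summary = {}
    for r in triage(parse_gmer(text), benign_hidden):
        entry = summary.setdefault(
            r["path"], {"verdict": r["verdict"], "reasons": r["reasons"], "pids": []})
        if "pid" in r:
            entry["pids"].append(r["pid"])
    return summary


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_LOG).items():
        pids = f" pids={info['pids']}" if info["pids"] else ""
        print(f"{info['verdict']:<11} {path}{pids}")
        for reason in info["reasons"]:
            print(f"            - {reason}")
```

The output is a worklist, not a verdict on its own: a hidden driver on the allowlist is still worth confirming by file hash and signer, and a process merely running from AppData is a lead to follow up with the FRST log rather than proof of infection.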
TwinHeadedEagle

Removal Expert
MalwareTips Staff
Verified
Joined
Mar 8, 2013
Messages
22,358
OS
Windows 10
Antivirus
ESET
#2
Hello,


Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  • Now you should get a window like this where you need to click Troubleshoot.

  • In the next window, click Advanced options and select Command Prompt.
  • Now you should log in to your account, after which the Command Prompt window opens.
Access the notepad and identify your USB drive

In the Command Prompt please type in:
Code:
notepad
and press Enter.
  • When the notepad opens, go to File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.


Scan with Farbar Recovery Scan Tool

Once back in the command prompt window, please do the following:
  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

Transfer it to your clean machine and include it in your next reply.