Igfmxtc

[fueryin]

Hey all, got infected by several rootkits/smartservice. browsed around the forums and came to this 

So i downloaded farbar and did a scan and got my logs attached. could someone make me a fix file.

and just a fyi, ran mb rootkit removal, and all the other removal programs. dont do anything and this virus blocks me from opening any antivirus.

FRST.txt

Addition.txt

[fueryin]

also would like to add that these are my original FrsT and addition log files attached in this reply. In my op i ran it again to make sure it was  accurate. the reason Im putting this here is because three things stick out to me which arent in my OP frst.txt

() C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\uskglpx.exe
() C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\avotsdw.exe
() C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc\igfxmtc.exe

I believe these are the three viruses giving me trouble. 

Also would like to add another virus showing up in my task manager i cant close out. sinklgosvc is located in windows/systems32 unlike the others located in %appdata$/local

FRST.txt

Addition.txt

[kevinf80]

Hello fueryin and welcome to Malwarebytes,

Run the following and post logs to your reply..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download PowerTool and save to your Desktop, ensure to get the correct version: PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx Please follow the instructions below: Right click on PowerTool, Select "Run as Administrator" Windows 10 users may see the following, if so select "More Info" In the next Window select "Run Anyway" Initially click on sq image to enlarge window to full screen (As shown in the image below) Now click on Kernel tab (No. 1 on the image below) Then click on Kernel Notify Routine (No. 2 on the image below) Also click on Path so you sort the list by name (No. 3 on the image below) Right click anywhere on listed items under path (No. 4 on the image above) and select Export. Save exported file to your Desktop, zip up that file and attach to your reply.... Thank you, Kevin......

fixlist.txt

[fueryin]

Alright done! Files are attached, and just want to give a heads up that I do have to move the fxlist.txt onto a usb, boot into safe mode (which is odd because the rootkit still runs in sf) and then run farbar, otherwise my comp will auto corrupt the fixlst.txt file. I then restarted my computer back into normal boot up and used Powertool.

notify.7z

Fixlog.txt

[kevinf80]

Hello fueryin,

Can you stay in safe mode with networking if possible. Keep FRST on your USB, open FRST go no further for now just leave it open..

Select these keys together Ctlrl - Y a blank notepad page will open.. Copy/paste the following script to that open page:

Start::
C:\Windows\System32\sinklgosvc.exe
C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\uskglpx.exe
C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\avotsdw.exe
C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc\igfxmtc.exe
S1 msidntfs; system32\drivers\msidntfs.sys [X]
S3 udiskMgr; system32\drivers\vycfil.sys [X]
C:\WINDOWS\system32\Drivers\vdeybehl.sys
C:\Users\BIG TIME BALLER\AppData\Local\winbzeh
2017-12-02 14:12 - 2017-12-03 02:20 - 000000000 ____D C:\Users\BIG TIME BALLER\AppData\Local\uskglpx
2017-12-02 14:12 - 2017-12-02 14:15 - 000000000 ____D C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc
2017-12-02 14:11 - 2017-12-02 14:11 - 000000000 ____D C:\WINDOWS\SysWOW64\iakoted
2017-12-02 14:11 - 2017-12-02 14:11 - 000000000 ____D C:\WINDOWS\system32\iakoted
C:\Windows\System32\vdebehlo.sys
C:\Windows\System32\vde*
end::

Do not name or alter that file, now select these keys together: Ctrl - S close that file. A random named file will save..

FRST is still open, select the Fix tab just once. FRST will run, a log will be saved fixlog.txt

Let me see that log in your reply...

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Thanks,

Kevin

 

[fueryin]

Which FrST file, the one in my OP or my reply? 

 

EDIT: oh ok i thought you meant the .txt files XD

Edited December 3, 2017 by fueryin

[kevinf80]

All you should have on your USB is the tool FRST, run it so you can see the main interface with command tabs, Scan, Scan Files, Scan Registry and Fix. Leave that as it is OPEN....

Select these keys together Ctlrl - Y a blank notepad page will open.. Copy/paste the following script to that open page:

Start::
C:\Windows\System32\sinklgosvc.exe
C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\uskglpx.exe
C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\avotsdw.exe
C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc\igfxmtc.exe
S1 msidntfs; system32\drivers\msidntfs.sys [X]
S3 udiskMgr; system32\drivers\vycfil.sys [X]
C:\WINDOWS\system32\Drivers\vdeybehl.sys
C:\Users\BIG TIME BALLER\AppData\Local\winbzeh
2017-12-02 14:12 - 2017-12-03 02:20 - 000000000 ____D C:\Users\BIG TIME BALLER\AppData\Local\uskglpx
2017-12-02 14:12 - 2017-12-02 14:15 - 000000000 ____D C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc
2017-12-02 14:11 - 2017-12-02 14:11 - 000000000 ____D C:\WINDOWS\SysWOW64\iakoted
2017-12-02 14:11 - 2017-12-02 14:11 - 000000000 ____D C:\WINDOWS\system32\iakoted
C:\Windows\System32\vdebehlo.sys
C:\Windows\System32\vde*
end::

Do not name or alter that file, now select these keys together: Ctrl - S  close that file. A random named file will save..

FRST is still open, select the Fix tab just once. FRST will run, a log will be saved fixlog.txt

Let me see that log in your reply...

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Thanks,

Kevin

 

[fueryin]

Alright, log is attached. just a fyi, both are still running in task manager.

Fixlog.txt

Edited December 3, 2017 by fueryin

[kevinf80]

That log is not correct, it is the one you already attached in reply # 4

[fueryin]

My bad. did it again and the fixlog.txt opened, i just cant find where it got saved to?

Edited December 3, 2017 by fueryin

[kevinf80]

You will not see anything,  select ctrl - s then manually close out the file... then hit the fix tab on FRST

[fueryin]

Here we go, sorry about that

Fixlog.txt

[kevinf80]

That was unsuccessful, we will need to run the fix from Recovery Environment...... More than likely the rootkit driver will have re-spawned and re-named itself...

Can you run PowerTool as you did previously, post the zipfile you make...

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Do you know how to access the recovery environment, if not i`ll help..

 

 

[fueryin]

No I dont.

[kevinf80]

ok, get them logs and i`ll post instructions..

[fueryin]

Tried running powertools, says drivers cannot be loaded, run again as admin, even though i am. Should I try this out of safe mode?

[kevinf80]

Yes you can try from Safemode, you must right click on the tool and select "Run as Administrator"

[fueryin]

Here you go. I was running it as admin, finally just went out of safe mode and it worked. 

notify.7z

FRST.txt

Addition.txt

[kevinf80]

Ok will post back shortly, just need to go over the logs ...

[kevinf80]

Open your usb flash drive, delete all files etc, leave FRST64.exe intact. Open FRST64.exe, leave open.

Select these keys together Ctrl - Y Notepad will open a blank page. Copy/paste the following script onto that page:

C:\Windows\System32\sinklgosvc.exe
C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\uskglpx.exe
C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\avotsdw.exe
C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc\igfxmtc.exe
R3 udiskMgr; system32\drivers\lorvyb.sys [X]
C:\WINDOWS\system32\Drivers\vdebehlo.sys
C:\WINDOWS\system32\Drivers\vde*
C:\WINDOWS\system32\Drivers\1943477D.sys
C:\Users\BIG TIME BALLER\AppData\Local\winbzeh
C:\Users\BIG TIME BALLER\AppData\Local\uskglpx
C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc
C:\WINDOWS\system32\iakoted
2017-12-03 14:53 - 2017-12-03 14:53 - 002391552 _____ (Farbar) C:\Users\BIG TIME BALLER\AppData\Local\Temp\4A92.tmp.exe
2017-12-03 15:07 - 2017-12-03 15:07 - 002391552 _____ (Farbar) C:\Users\BIG TIME BALLER\AppData\Local\Temp\4FF6.tmp.exe
2017-12-03 15:01 - 2017-12-03 15:01 - 002391552 _____ (Farbar) C:\Users\BIG TIME BALLER\AppData\Local\Temp\6180.tmp.exe
2017-12-02 14:11 - 2017-12-02 14:11 - 022851472 _____ (Malwarebytes                                                ) C:\Users\BIG TIME BALLER\AppData\Local\Temp\65D7.tmp.exe
2017-12-03 15:06 - 2017-12-03 15:06 - 002391552 _____ (Farbar) C:\Users\BIG TIME BALLER\AppData\Local\Temp\82B3.tmp.exe
2017-12-03 03:28 - 2017-12-03 03:28 - 000400256 _____ (Sysinternals - www.sysinternals.com) C:\Users\BIG TIME BALLER\AppData\Local\Temp\ANKSHTWNGP.exe
2017-12-03 15:43 - 2017-12-03 15:43 - 002391552 _____ (Farbar) C:\Users\BIG TIME BALLER\AppData\Local\Temp\C688.tmp.exe
2017-12-02 22:39 - 2017-12-02 22:39 - 000351104 _____ (Sysinternals - www.sysinternals.com) C:\Users\BIG TIME BALLER\AppData\Local\Temp\CDBCQ.exe
2017-12-03 02:16 - 2017-12-03 02:16 - 002391552 _____ (Farbar) C:\Users\BIG TIME BALLER\AppData\Local\Temp\D810.tmp.exe
2017-12-02 22:46 - 2017-12-02 22:46 - 000473984 _____ (Sysinternals - www.sysinternals.com) C:\Users\BIG TIME BALLER\AppData\Local\Temp\ETIIEWVXR.exe
2017-12-03 01:43 - 2017-12-03 01:43 - 078346672 _____ (Malwarebytes                                                ) C:\Users\BIG TIME BALLER\AppData\Local\Temp\mb3-setup-consumer-3.3.1.2183.exe
2017-12-02 15:09 - 2017-12-02 15:08 - 078346672 _____ (Malwarebytes                                                ) C:\Users\BIG TIME BALLER\AppData\Local\Temp\mbam-setup.exe
2017-12-02 22:40 - 2017-12-02 22:40 - 000367488 _____ (Sysinternals - www.sysinternals.com) C:\Users\BIG TIME BALLER\AppData\Local\Temp\MGRKGJI.exe
2017-12-03 03:28 - 2017-12-03 03:28 - 000449408 _____ (Sysinternals - www.sysinternals.com) C:\Users\BIG TIME BALLER\AppData\Local\Temp\PHSBJPO.exe
2017-12-02 23:09 - 2017-12-02 23:09 - 000367488 _____ (Sysinternals - www.sysinternals.com) C:\Users\BIG TIME BALLER\AppData\Local\Temp\SGJNMBAJVT.exe
C:\Windows\System32\vdebehlo.sys
C:\Windows\System32\vde*

Select the following keys together Ctrl - S now manually close that file, you can also close FRST64.exe. All you should have on the usb flash drive is FRST64.exe and a random named text file....

Next,

Download boot_into_RE_2.zip and unzip to your Desktop, you will now have boot_into_RE_2.bat right click on that batch file and select "Run as Administrator" Your PC should boot to Recovery Environment, from the "Choose an Option" window, select "Troubleshoot" From the next window select "Advanced Options" From the next window select "Command Prompt" Ensure to plug the Flashdrive into an open USB port, Continue with the following:   In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" or "My PC" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. <<<----vey important The tool will start to run. When the tool opens click Yes to disclaimer. Press Fix button. It will make a log (Fixlog.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC... To boot back to windows, type exit at the prompt and hit enter Please copy and paste or attach FRST log to your reply. Thanks, Kevin

boot_into_RE_2.zip

[fueryin]

Did not reboot into recovery environment. Run as admin. Tried this before coming to forums, pretty sure the rootkit disabled this part of windows 10

Edited December 3, 2017 by fueryin

[kevinf80]

Ok run the following fix with FRST64, see if RE is restored:

Open FRST64  and leave it open, do not select any of its tabs....

Select these keys together Ctlrl - Y a blank notepad page will open.. Copy/paste the following script to that open page:

CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes

Do not name or alter that file, now select these keys together: Ctrl - S  close that file. A random named file will save..

FRST is still open, select the Fix tab just once. FRST will run, a log will be saved fixlog.txt

Let me see that log in your reply...

 

[fueryin]

Ok got into recovery, but when i try and launch frst64 through the command prompt its says the .exe is not compatible with my version of windows. I know my system is 64bit and frst runs fine when not in recovery environment.

[kevinf80]

That sounds like the tool FRST64.exe is corrupt, can you download a fresh version and try again.....

If that still fails we can stay in the recovery environment and see if we can remove smartservice infection entries manually from the command prompt....

This appears to be your C:\Drive where the problem files reside, it may be named different in Recovery Drive. Drive c: () (Fixed) (Total:231.95 GB) (Free:85.5 GB) NTFS To identify the named letter do the following at the command prompt it maybe identified as X presently.... Type diskpart hit enter Type list volume hit enter. You will now see a list of drives, identify the one that is similar to C:\ above, it maybe named different. Type exit hit enter You should be back at the command prompt again. Continue with the following commands, i`ve named the drive as C:\ make sure to name yours as identified... it maybe C:\ D:\ E:\ etc... Type or copy/paste the following entries at the cmd prompt, hitting enter after each one: DEL /F /S /Q /A "C:\Windows\System32\sinklgosvc.exe" DEL /F /S /Q /A "C:\Windows\System32\vdebehlo.sys" DEL /F /S /Q /A "C:\Windows\System32\vde*.sys" DEL /F /S /Q /A "C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\uskglpx.exe" DEL /F /S /Q /A "C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\avotsdw.exe" DEL /F /S /Q /A "C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc\igfxmtc.exe" DEL /F /S /Q /A "C:\WINDOWS\system32\Drivers\1943477D.sys" DEL /F /S /Q /A "C:\WINDOWS\system32\Drivers\vdeybehl.sys" DEL /F /S /Q /A "C:\WINDOWS\system32\drivers\lorvyb.sys" DEL /F /S /Q /A "C:\Users\BIG TIME BALLER\AppData\Local\winbzeh\*" DEL /F /S /Q /A "C:\Users\BIG TIME BALLER\AppData\Local\uskglpx\*" DEL /F /S /Q /A "C:\Users\BIG TIME BALLER\AppData\Local\igfxmtc\*" DEL /F /S /Q /A "C:\WINDOWS\system32\iakoted\*" You maybe asked to confirm each step, please do so..... When complete type exit and boot back to Normal Windows.... From there Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Thanks, Kevin...

[fueryin]

Ok typed out each command. Got most deleted but it was unable to find vdebhlo.sys, lorvyb.sys, vdeybehl.sys and when I did tried local\igfxmtc\*" I hit enter and it didn't say anything. Didn't say it was deleted or if it was not found. 

Currently still sitting at the command prompt if you can think of any scripts, don't wanna reboot my computer and have them respawn.