Dwmtck/COM Surrogate & Igfxtc

[awexd]

Hello, I've recently encountered a malware.
Upon discovering, I ran a couple of scans to clear my computer; SuperAntiSpyware and Malwarebytes. I got a notice from Malwarebytes asking to restart my computer after a scan so it could delete the malware. After rebooting, I get an error saying "Unable to connect to service". I tried using mbar to delete any roots and it worked for a little until I just got 1 malware that would not disappear after each scan. Things that appeared or changed were my search engine for Google Chrome to Yahoo, 3-4 dwmtckz.exe in my Task Manager that I cannot end task, 4 igfxtc in the background processes.

FRST.txt

Addition.txt

[kevinf80]

Hello awexd and welcome to Malwarebytes,

You have "smartservice"infection, that infection can be very difficult to remove depending on the version you have...... Do the following and post the produced logs...

Open FRST64.exe, do not use any of its functions for now, just leave it open.....

Next,

Select these two keys together Ctrl - Y that will open a blank Notepad page. Copy/Paste the following script to that blank page:

Quote

start::
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: fltmc instances
CMD: dir C:\Windows\system32\drivers
end::

Do not name or change that page, Select these two keys together Ctrl - S that will save that page as a random named text file. Close out that page.

Back to FRST64, select the Fix tab just once, FRST will save a log fixlog.txt attach that to your reply...

Next,

Download PowerTool and save to your Desktop, ensure to get the correct version: PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx Please follow the instructions below: Right click on PowerTool, Select "Run as Administrator" Windows 8/8.1/10 users may see the following, if so select "More Info" In the next Window select "Run Anyway" Initially click on sq image to enlarge window to full screen (As shown in the image below) Now click on Kernel tab (No. 1 on the image below) Then click on Kernel Notify Routine (No. 2 on the image below) Also click on Path so you sort the list by name (No. 3 on the image below) Right click anywhere on listed items under path (No. 4 on the image above) and select Export. Save exported file to your Desktop, zip up that file and attach to your reply....   Right click on the file > select > send to > compressed (zipped) folder) Attach that zip file to your reply...   Next,   Do you have a USB flashdrive (memory stick) 4GB or above, do you have access to another PC, preferably same version of Windows...   Thank you, Kevin......

Edited December 6, 2017 by kevinf80
typing error

[awexd]

Hello, I have followed as much as I can but I have encountered a problem.
I tried exporting the files to my desktop but I am receiving an error. I posted a picture in the attachments. I do have a file called that on my desktop.
I do not have access to another computer and a USB will need some time to find one.

Edited December 6, 2017 by awexd

[kevinf80]

Can you zip up notify.csv and attach to your reply...? We will need a USB flash drive 4GB or above to run FRST fix via Recovery Environment...

[awexd]

Here is a zip file. Could I use a CD?

notify.zip

[kevinf80]

You can access the recovery environment from an installation DVD, but a USB flash drive would still be needed to run FRST... it would need to be 4GB size.

[awexd]

I have found USB. What is the next process?

Edited December 7, 2017 by awexd

[kevinf80]

I still need to see the log from FRST fix, first part of my reply in reply #2

 

 

 

 

 

 

 

 

 

 

 

 

 

[awexd]

Fixlog.txt

[kevinf80]

Thanks for the log, Download FRST: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save FRST64.exe to your Flash drive. Open FRST64 so that you can see the main interface with command tabs:  Scan > Search files > Search Registry > Fix. Just leave it like that...

Select these two keys together Ctrl - Y that will open a blank Notepad page. Copy/Paste the following script to that blank page:

Quote

Start::
DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\twcgzhi
DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UDiskMgr
C:\Windows\system32\avoruxbh.sys
C:\Windows\system32\avo*.sys
C:\Windows\System32\rtkahdnsvc.exe
C:\Users\Kevin\AppData\Local\wihrsgl\wihrsgl.exe
C:\Users\Kevin\AppData\Local\igfxmtc\igfxmtc.exe
C:\Users\Kevin\AppData\Local\wihrsgl\dwmtckz.exe
HKLM\...\Run: [coprocessors] => "C:\Program Files (x86)\Curable\forbear.exe"
C:\Program Files (x86)\Curable
HKLM\...\Run: [coprocessorssecretaries] => "C:\Program Files (x86)\appears\considerably.exe"
C:\Program Files (x86)\appears
HKLM\...\Run: [coprocessorscoprocessors] => "C:\Program Files (x86)\Cheerleader\forbear.exe"
C:\Program Files (x86)\Cheerleader
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Kevin\AppData\Roaming\Microsoft\Protect\d65560-5e7ca1-66e14080-acaea0-7cd0.rs" <==== ATTENTION
C:\Users\Kevin\AppData\Roaming\Microsoft\Protect\d65560-5e7ca1-66e14080-acaea0-7cd0.rs
HKU\S-1-5-18\...\Run: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Kevin\AppData\Roaming\Microsoft\Protect\d65560-5e7ca1-66e14080-acaea0-7cd0.rs" <==== ATTENTION
HKU\S-1-5-18\...\RunOnce: [WinResSync] => C:\WINDOWS\system32\regsvr32.exe /s "C:\Users\Kevin\AppData\Roaming\Microsoft\Protect\d65560-5e7ca1-66e14080-acaea0-7cd0.rs" <==== ATTENTION
Startup: C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorizo.lnk [2017-12-05]
ShortcutTarget: chorizo.lnk -> C:\Program Files (x86)\Curable\forbear.exe (No File)
Startup: C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chorizochorizo.lnk [2017-12-05]
ShortcutTarget: chorizochorizo.lnk -> C:\Program Files (x86)\appears\considerably.exe (No File)
Startup: C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rakoff.lnk [2017-09-09]
Startup: C:\Users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Tool Notifier.exe [2016-09-12] (Oracle Corporation)
S2 59b70b9c8770a3f8f308f0c4e5ec7c15; C:\WINDOWS\59b70b9c8770a3f8f308f0c4e5ec7c15.dll [965632 2017-12-05] () [File not signed]
C:\WINDOWS\59b70b9c8770a3f8f308f0c4e5ec7c15.dll
S4 33810401; C:\WINDOWS\System32\drivers\33810401.sys [255928 2017-12-05] (Malwarebytes)
C:\WINDOWS\System32\drivers\33810401.sys
R3 udiskMgr; system32\drivers\rvybei.sys [X]
2017-12-05 23:09 - 2017-09-15 18:04 - 000000000 ____D C:\WINDOWS\system32\%LOCALAPPDATA%
C:\WINDOWS\system32\drivers\avoruxbh.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
Task: {C913C668-61DA-45C2-8492-24332756DCA7} - System32\Tasks\CCZTRLLVOR => C:\Users\Kevin\AppData\Local\Temp\17c97f0c967347a8a4d32c42099926d0\SilentCMD.exe <==== ATTENTION
AlternateDataStreams: C:\Users\Kevin\AppData\Local\Temp:$DATA? [16]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\33810401 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mbamchameleon => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\33810401 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mbamchameleon => ""="Driver"
MSCONFIG\startupreg: BingSvc => C:\Users\Kevin\AppData\Local\Microsoft\BingSvc\BingSvc.exe
HKLM\...\StartupApproved\Run: => "Fences"
HKLM\...\StartupApproved\Run: => "coprocessorssecretaries"
HKLM\...\StartupApproved\Run: => "coprocessorscoprocessors"
HKLM\...\StartupApproved\Run: => "coprocessors"
HKLM\...\StartupApproved\Run32: => "AnonymizerGadget"
HKLM\...\StartupApproved\Run32: => "Fences"
HKLM\...\StartupApproved\Run32: => "carcinomasgrandly"
HKLM\...\StartupApproved\Run32: => "carcinomascarcinomas"
HKLM\...\StartupApproved\Run32: => "carcinomas"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\StartupFolder: => "Update Tool Notifier.exe"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\StartupFolder: => "rakoff.lnk"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\StartupFolder: => "chorizochorizo.lnk"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\StartupFolder: => "chorizo.lnk"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "Fences"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "caufield"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "Chromium"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "secretariescoprocessors"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "grandlycarcinomas"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "flinn"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "secretariessecretaries"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "secretaries"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "grandlygrandly"
HKU\S-1-5-21-2863847496-3265621566-2125445497-1001\...\StartupApproved\Run: => "grandly"
End::

Do not name or change that page, Select these two keys together Ctrl - S that will save that page as a random named text file. Close out that page. So on your Flash drive will be FRST64 and a random named text file......

Next,

Download the attached file boot_into_RE_2.zip and unzip to your Desktop, you will now have boot_into_RE_2.bat right click on that batch file and select "Run as Administrator" Your PC will boot to the "Choose an Option" window, from that window select "Troubleshoot" From the next window select "Advanced Options" From the next window select "Command Prompt" Ensure to plug the Flashdrive into an open USB port, Continue with the following:   In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" or "My PC" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. <<<----vey important The tool will start to run. When the tool opens click Yes to disclaimer. Press Fix button. It will make a log (Fixlog.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC... To boot back to windows, type exit at the prompt and hit enter Please copy and paste or attach FRST log to your reply. Next, From normal Windows run Powertools again and attach a fresh Zip file... Thanks, Kevin...

boot_into_RE_2.zip

[awexd]

I could not access Recovery Environment mode with the .bat file, instead, I rebooted into Safe Mode with Command Prompt by simply restarting and enter into advanced options. I came into a pop up saying: "No fixlist.txt found. The fixlist.txt should be in the same folder/directory the tool is located". I did save the  .txt file on the same flash drive but the name is random. Should I change it to "fixlist.txt"?

[kevinf80]

That happened because the infection cleared the text file. The only way to get a fix is to remake the text file again, exactly as previously. Then your PC must be booted to the recovery environment. Once in the recovery environment plug in the Flash drive.... 

To enter the Recovery Environment with Windows 10, follow the instructions in This Tutorial on TenForums Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out This Tutorial on TenForums. From the Windows 10 Tutorial you should get access to the Advanced Startup Options at boot for Windows 10 From that window select "Troubleshoot" From the next window select "Advance Options" From that Window select "Command Prompt" Ensure to plug the flash drive into a USB port only when booted to Recovery Environment... You should now be in Recovery Environment with the Command Prompt Window open...... Continue with the following:   Select Command Prompt In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" or "My PC" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. The tool will start to run. When the tool opens click Yes to disclaimer. Press Fix button. It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

[awexd]

I was able to make a CD with aRE. While in Command Prompt, I typed E:\frst64 and it shows that it was not compatible with my version of windows. So I downloaded the 32bit and redid the process but typed E:\frst and again showed that it was not compatible with my version of windows. 

[kevinf80]

Thanks for that update, this new version of smartservice is proving a real PITA to deal with. The only way to get this fix to work is to d/l FRST and create text file fix on a different PC to the infected one. Do you have any possibility of access to another PC...

[awexd]

I can always use a friend's computer.
Would I create the text file on a different computer, put it on my USB and continue?

[kevinf80]

Because of how this infection works yes it is essential to load FRST on a clean PC, definitely not the one with the infection... Because that flash drive has been on the exploited system it is essential to format that flash drive on a clean PC before it is used again.... I do not believe there will be cross infection....

So if you have access to another PC do the following:

Plug Flash drive to clean PC, open via Computer or My PC depending on version of windows. Right click on Flash drive, select "Format" the quick option is ok... When format is complete do this:

Download and save both versions of FRST and save to the flas drive from here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Download and save the attached fixlist.txt file to same Flash drive, it critical that this Flash drive does not come into the PC with smartservice until that PC is booted to Recovery Environment.....

Next,

You have made Repair CD, do not plug flash drive into sick PC yet. Close down your sick PC, re-boot from the repair CD, you maybe asked which system to boot and password, when you`ve selected repair.

continue until you are back at command prompt in RE....

Ensure to now plug the Flashdrive into an open USB port, Continue with the following:   In the command window type in notepad and press Enter. The notepad opens. Under File menu select Open. Select "Computer" or "My PC" and find your flash drive letter and close the notepad. In the command window type E:\frst64 or E:\frst depending on your version. Press Enter Note: Replace letter E with the drive letter of your flash drive. <<<----vey important The tool will start to run. When the tool opens click Yes to disclaimer. Press Fix button. It will make a log (Fixlog.txt) on the flash drive. You will need to boot back to Normal windows to post the log, or if applicable do that action from a spare PC... To boot back to windows, type exit at the prompt and hit enter Please copy and paste or attach FRST log to your reply. Thanks, Kevin...

fixlist.txt

[awexd]

Hello, I am replying to let you know I have not abandoned this forum. I won't be able to have access to another computer until Tues. I will be using a different USB as well. 

[kevinf80]

Thanks for the update, catch up later...

[awexd]

Hello,
I was able to reformat my USB and redownloaded the fixlist and was able to run FRST64 without any error. I have attached the fixlog for you under attachments. 
Upon looking at my windows task manager,  some (25%) of the malware application was deleted leaving some malware still on my computer. The Malware still prevents me from using Malwarebytes. 

Note: Forgot to unplug USB upon reboot, may need to reformat again if USB is infected.

Fixlog.txt

[kevinf80]

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

 

[awexd]

Here you are.
I redid the process and ensured that all the boxes were checked off under "whitelist" and only Additional.txt under "Optional scan".
Note: when I made the new Additional.txt file it was after being in Recover Environment and it was run from a flash drive.

Fixlog.txt

Addition.txt

FRST.txt

[kevinf80]

You can run the following off your flash drive and windows in Normal mode:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Next,

Open Malwarebytes Anti-Malware.   On the Settings tab > Protection Scroll to and make sure the following are selected: Scan for Rootkits Scan within Archives   Scroll further to Potential Threat Protection make sure the following are set as follows: Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended) Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)   Click on the Scan make sure Threat Scan is selected, A Threat Scan will begin. When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab If asked to restart your computer to complete the removal, please do so When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more to retrieve the log. To get the log from Malwarebytes do the following:   Click on the Reports tab > from main interface. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror   Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system.... https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs, also tell me if there are any remaining issues or concerns... Thank you, Kevin...

 

 

fixlist.txt

[awexd]

Ran the fixlist.txt with FRST64 on my flash drive.
I did not open the fixlist.txt file.
Proceeded to open Malwarebytes Anti-Malware, but i get an error saying "unable to connect to server".

Attached Fixlog.txt file from running fixlist.txt on my flashdrive.

Fixlog.txt

[kevinf80]

Malwarebytes will need to be removed/reinstalled..

Totally Remove Malwarebytes from your system: Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop.. If applicable, backup your Malwarebytes license key information and deactivate the product. Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step To deactivate Malwarebytes: Right click on tray icon, from the opened list select "Quit Malwarebytes" an UAC alert will open, select "Yes" to deactivate Malwarebytes...   Double-click mb-clean.exe to run it A prompt to confirm the cleanup will appear, select Yes or No Yes - will proceed with the cleanup process <---- Select this option to start the tool No - will exit the utility The Utility will launch a Command Prompt window which will disappear once the the cleanup process completes. Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot We recommend an immediate reboot <--- Do Not miss out this step Suppressing the reboot may result in an incomplete cleanup Upon reboot Malwarebytes will be totally removed from your system To re-install Malwarebytes: Download Malwarebytes version 3 from the following link: https://www.malwarebytes.com/mwb-download/thankyou/   Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions.... When the install completes and is updated do the following: Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

[awexd]

Here are some more logs. 
I do have a concern. I was led to believe that COM Surrogate and Igfxtc were malware since I have never seen them before. I'm on the fence about them being on my task manager now, and I do not know if it is still a malware application.

AdwCleaner[C0].txt

AdwCleaner[S0].txt

MalwarebytesLog.txt

mb-clean-results.txt

mrt.log