Ed Roesch

CLOSED Help!! Rootkit.SmartService (A) [290143]


Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CloseProcesses:
(TOSHIBA CORPORATION) C:\Windows\Temp\mshxwicsrv.exe
ShellExecuteHooks: No Name - {5F51FFFE-7463-4220-B711-E5B9ACB8EDFE} -  -> No File
Startup: C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2017-09-20] ()
GroupPolicy\User: Restriction <==== ATTENTION
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-1355226257-2420813712-2020016212-1001 -> {1711FC25-F05A-40CE-B859-A0C1CF01FD18} URL =
SearchScopes: HKU\S-1-5-21-1355226257-2420813712-2020016212-1001 -> {8042F505-D287-4CFD-A760-F2F6A661320B} URL =
SearchScopes: HKU\S-1-5-21-1355226257-2420813712-2020016212-1008 -> {8042F505-D287-4CFD-A760-F2F6A661320B} URL =
SearchScopes: HKU\S-1-5-21-1355226257-2420813712-2020016212-500 -> {8042F505-D287-4CFD-A760-F2F6A661320B} URL =
Toolbar: HKU\S-1-5-21-1355226257-2420813712-2020016212-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
S3 --; no ImagePath
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 pgt_svc; C:\Program Files (x86)\ProxyGate\MainService.exe [X] <==== ATTENTION
S2 TCPSvc; "C:\Users\Ed\AppData\Local\Temp\csrss\proxy\Tor\tor.exe" --nt-service --SocksPort 7050 --Log "notice file C:\WINDOWS\rss\t" <==== ATTENTION
S4 SMR501; System32\drivers\SMR501.SYS [X]
S4 ucdrv; \??\C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [X] <==== ATTENTION
2017-09-18 17:53 - 2017-09-25 01:22 - 000000000 ____D C:\Program Files\YKI7I5MTOY
2017-09-18 17:34 - 2017-09-25 01:22 - 000000000 ____D C:\Program Files\WRO8VFEWGA
2017-09-18 16:31 - 2017-09-25 01:19 - 000000000 ____D C:\WINDOWS\rss
2016-07-28 20:52 - 2016-07-28 20:52 - 007065600 _____ () C:\Program Files (x86)\GUT2E47.tmp
ShellIconOverlayIdentifiers: [1MegaSync0Synced] -> {A52C9916-2007-4C7F-A2D7-0C9612427BD2} =>  -> No File
ShellIconOverlayIdentifiers: [1MegaSync1Pended] -> {A34CE349-F239-4DA5-9551-4660962F6CD9} =>  -> No File
ContextMenuHandlers1-x32: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshlstb.dll -> No File
ContextMenuHandlers4-x32: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshlstb.dll -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6-x32-x32: [WinZip] -> {E0D79304-84BE-11CE-9641-444553540000} => C:\Program Files\WinZip\wzshlstb.dll -> No File
Task: {23A3C20C-0560-43B8-95DD-E030D6BAB7AA} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {2B7413F3-58D5-4B0C-ABA4-8341D2AEA6B2} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {2C85C976-39F3-423D-8178-76ED62D5E5D7} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {3C5ACAD3-F4FC-42B5-8F6D-1C2A864733FD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {43C69D8D-F401-4A65-B343-33801AEB9923} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {4609FE79-9EC7-4C3A-90CB-15049724C0D9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {4F4725C1-047E-4E70-AA6D-4D18108EB720} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B237A9F3-F028-441C-BC37-63CD2D1339EF} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {BE28A9CE-0C85-4AF3-A7A7-E0764674E361} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {D10B1168-CF37-4BEE-84D8-EF46EB917B12} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E5C242CB-DFC6-435A-817A-9285A420045E} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:038F4577 [416]
AlternateDataStreams: C:\ProgramData\Temp:15E76ABF [260]
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F [134]
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "FK4TPTTS4G0ZYKB"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "NRYOJRVQ7R8G4C3"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "IEISQ9OGX52674B"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "MRDEGFOC0QZ52B9"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "PLWOYN9JT8LW769"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "ZAOY5OV70IOJZI1"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "NV3QQYHVPW9EA7S"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "4Y4G1H477F48BND"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "oii20e2trbu"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "a1jsrkirbtk"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "vkh0c2shadd"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "dv5mmpovssz"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "u3fljkb1cye"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "bih11ks5ggd"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "lskcqyw0wi4"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "5srjwkkyjav"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "f4cw4lyb45g"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "4mclbld01yu"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "w5ximopc0t0"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "drgoot"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "msiql"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "XVHNBRKOAW.exe"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "YBTGSWCWKC.exe"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "ocgwdk54jtp"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "suzgnhq2qcu"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "asmrlwzqmmc"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "mmbenjn0h0l"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "aahux51cdzr"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "agpbazwppdx"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "epb3nwt3gky"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "qufirbffx4t"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "hfrdyjtec0a"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "is3xalsacbd"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "clpjdnttjyu"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "crroqss2ssb"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "k5w0yza3idp"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "d2gketk3nvg"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "ne2zjyi22c4"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "nsz43lobzd1"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "x3dywhokhwu"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "uvioooeiimg"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "MQGUAJVESU1568L"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "9YVCZE6EZNHL2S3"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "C3R6YITQUXPY2WJ"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "P7Z13PK7LD19X9N"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "I0IM2TC24OPCK1G"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "HAEMLKWB9M7GFSR"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "J52REZ7WJ9GQG99"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "XN3JGKCV5J0SEYG"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "Q8Q9YRU8SVL5JVM"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "AVYTMJHTXIX5YNV"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "KYX48K6U6M8AEN9"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "80SKD2QI3EIXS1T"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "1C20NW1NNKP0YOA"
HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "L7344YF227C309N"
FirewallRules: [{30133FD5-93EF-4A4A-AC92-F87E5D0A13E5}] => (Allow) C:\WINDOWS\rss\csrss.exe
FirewallRules: [{0A6AF399-E3C8-4BF1-9B12-F3456B9086F0}] => (Allow) C:\WINDOWS\rss\csrss.exe
C:\Windows\Temp\mshxwicsrv.exe
C:\WINDOWS\System32\Drivers\rdpknrux.sys
C:\Users\Ed\AppData\Local\Temp\csrss\proxy\Tor
C:\Users\Ed\AppData\Local\Temp\csrss\proxy
C:\Users\Ed\AppData\Local\Temp\csrss

Close Notepad.



NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
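The fixlist above is a hand-picked subset of an FRST report. As an added example (not code from this thread, from FRST, or from the helper), the Python script below reads lines in the FRST report format and ranks them by the same kinds of indicators the helper selected: a scanner ATTENTION flag, a core Windows process name (csrss.exe) running from somewhere other than System32, auto-start images under user-writable or temp folders, orphaned entries whose target file is missing, and StartupApproved\Run values with random-looking names. The sample lines are constructed from the entries in the fixlist plus one benign control line; the allow-list of system-only names, the temp-folder list and the random-name pattern are heuristics chosen for this example, not FRST's own logic.

```python
"""Triage helper for FRST-style scan lines: ranks the persistence indicators a
responder would check first. Added example; the heuristics are assumptions,
not FRST's own classification logic."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines in the format of an FRST report. The values mirror
# entries from the fixlist in this thread; the Spooler line is a benign control.
SAMPLE_LINES = [
    r'(TOSHIBA CORPORATION) C:\Windows\Temp\mshxwicsrv.exe',
    r'R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]',
    r'S2 pgt_svc; C:\Program Files (x86)\ProxyGate\MainService.exe [X] <==== ATTENTION',
    r'S2 TCPSvc; "C:\Users\Ed\AppData\Local\Temp\csrss\proxy\Tor\tor.exe" --nt-service --SocksPort 7050 <==== ATTENTION',
    r'FirewallRules: [{30133FD5-93EF-4A4A-AC92-F87E5D0A13E5}] => (Allow) C:\WINDOWS\rss\csrss.exe',
    r'HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "FK4TPTTS4G0ZYKB"',
    r'HKU\S-1-5-21-1355226257-2420813712-2020016212-1001\...\StartupApproved\Run: => "oii20e2trbu"',
    r'Task: {23A3C20C-0560-43B8-95DD-E030D6BAB7AA} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION',
    r'R2 Spooler; C:\WINDOWS\System32\spoolsv.exe [730112 2017-03-18] (Microsoft Corporation)',
]


@dataclass
class Finding:
    line: str
    reason: str
    severity: str  # "high", "medium" or "low"


# Core Windows processes that legitimately run only from System32
# (assumption: a short allow-list; extend it for your environment).
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                     "services.exe", "lsass.exe", "svchost.exe"}
# Folders a standard user can write to; an auto-start image here is suspect.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                 "\\programdata\\", "\\users\\public\\")
# A drive-letter path up to the first executable-type extension.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
STARTUP_NAME = re.compile(r'StartupApproved\\Run: => "([^"]+)"')
# Heuristic: 11-15 alphanumerics mixing letters and digits, like the thread's entries.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{11,15}(?:\.exe)?$")


def triage_line(line: str) -> List[Finding]:
    """Return every heuristic hit for one report line (empty list if clean)."""
    hits: List[Finding] = []
    if "<==== ATTENTION" in line:
        hits.append(Finding(line, "flagged by the scanner (ATTENTION)", "high"))
    m = WIN_PATH.search(line)
    if m:
        low = m.group(0).lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_ONLY_NAMES and "\\windows\\system32\\" not in low:
            hits.append(Finding(line, f"core system binary name {name} outside System32", "high"))
        if any(seg in low for seg in USER_WRITABLE):
            hits.append(Finding(line, "auto-start image in a user-writable/temp path", "medium"))
    if "[X]" in line or "No File" in line:
        hits.append(Finding(line, "orphaned entry: target file missing", "low"))
    sm = STARTUP_NAME.search(line)
    if sm and RANDOM_NAME.match(sm.group(1)):
        hits.append(Finding(line, "startup entry with random-looking name", "medium"))
    return hits


def triage(lines) -> List[Finding]:
    """Triage many lines, highest severity first so the worst items are read first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for line in lines for f in triage_line(line)]
    return sorted(found, key=lambda f: order[f.severity])


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for a quick summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

Run it against a saved FRST.txt by replacing SAMPLE_LINES with the file's lines; the ordering puts the csrss.exe-outside-System32 and ATTENTION items at the top, and the orphaned [X] / No File entries (often just leftovers of uninstalled software) at the bottom, which is roughly the order a removal helper reads such a report in.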


Kevin, thank you for assisting me in the removal process. This did not work. After applying this fix, I rebooted, ran a malware scan and it was still there. I ran the update for the scan tool, then ran the fixlist.txt fix a second time. Neither time did it restart automatically, even after waiting over an hour for it to do so. I powered off, then was able to restart. I ran the malware scan a second time with similar results; see the attached scan log. Then I ran the FRST64 scan again in order to provide freshly updated information for your review. I would really like to remove this rootkit if possible. Please get back to me on this.

 

Ed Roesch

Addition.txt

Fixlog.txt

FRST.txt

scan_171011-124614.txt


Kevin,

That last fix tool worked perfectly. It was very simple to use. I rescanned for malware after the tool completed and there was no more rootkit. I would recommend rescanning after removal of this rootkit: the malware scan found multiple other remnants that were hidden, I suppose, but the Emsisoft malware scan was able to easily remove them. Now all my scans are clean. It seems like it is gone now. Thanks for your help!


Ed,

Glad to hear that worked for you.

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your system drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
