Jump to content

Rootkit.SmartService (A) [290143]


Recommended Posts

my comp specs,
Intel Core i7 I7-4790K 4 GHz Quad-Core Processor, 2x 4gb, corsair vengeance ram pro ddr3 ,
nvidia gtx 770 graphics card,sandisk ultraplus 256g main hd, 1tb secondary not a "sandisk" and another for backup,asrock z97 pro4 motherboard, g15 gamer keyboard, sades 7.1 blk/red surround sound headphones, asus 27" flat hd screen..before you start telling me to download and install stuff i can't everytime i try to install anything i get " requested resource in use" on every virus program i try, windows defender offline, found crap, advanced system care i pay for finds crap but somehow this program finds 
C:\WINDOWS\System32\Drivers\moudclyc.sys      Rootkit.SmartService (A) [290143] and wont let me get rid of it... no options for system restore anymore also...

i already tried to install the stuff from the other Rootkit.SmartService (A) [290143]  but again it wont let me install it.. my browser said search sixty engine was being used also which is a known virus
i also tried  SFC (system file checker)
run DISM (Deployment Imaging and Servicing Management)
Clean Boot 
none worked

Link to comment
Share on other sites

In order to do anything about it I need additional information.

SmartService can be difficult to remove, but before I can begin I will need 2 logs from FRST.

Download Farbar Recovery Scan Tool and save it to your desktop.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
For x64 (x64) bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Link to comment
Share on other sites

Copy FRST64.exe to a USB thumb drive

Copy the below code to Notepad; Save As fixlist.txt to your USB thumb drive.

(TOSHIBA CORPORATION) C:\Windows\Temp\msdaypwsrv.exe
() C:\Users\Salvi\AppData\Local\xxkdvbku\uqnqtsdv\ct.exe
HKU\S-1-5-21-2346114282-4100301174-3088884860-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
GroupPolicy: Restriction <==== ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_iobitfs_17_25&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0DtDyDtDzyzytAyEyD0CzyyC0EyByCzytN0D0Tzu0StCzyzyzytN1L2XzutAtFtBzytFtCtDyEtFyDtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0FtAyCyDtDtC0FtGtBtBzy0CtG0BzytC0EtGyCtA0B0BtGyByE0CtDyE0C0EzytD0D0CyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0ByBtCyDyEtD0BtGyEtC0A0AtGyEyCtAtAtGzz0B0B0FtGyCyCyByE0DtCtC0A0D0C0C0C2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtAtCyByB%26cr%3D500324988%26a%3Dwncy_iobitfs_17_25%26os_ver%3D6.3%26os%3DWindows%2B8.1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_iobitfs_17_25&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0DtDyDtDzyzytAyEyD0CzyyC0EyByCzytN0D0Tzu0StCzyzyzytN1L2XzutAtFtBzytFtCtDyEtFyDtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0FtAyCyDtDtC0FtGtBtBzy0CtG0BzytC0EtGyCtA0B0BtGyByE0CtDyE0C0EzytD0D0CyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0ByBtCyDyEtD0BtGyEtC0A0AtGyEyCtAtAtGzz0B0B0FtGyCyCyByE0DtCtC0A0D0C0C0C2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtAtCyByB%26cr%3D500324988%26a%3Dwncy_iobitfs_17_25%26os_ver%3D6.3%26os%3DWindows%2B8.1
HKU\S-1-5-21-2346114282-4100301174-3088884860-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_iobitfs_17_25&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0DtDyDtDzyzytAyEyD0CzyyC0EyByCzytN0D0Tzu0StCzyzyzytN1L2XzutAtFtBzytFtCtDyEtFyDtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0FtAyCyDtDtC0FtGtBtBzy0CtG0BzytC0EtGyCtA0B0BtGyByE0CtDyE0C0EzytD0D0CyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0ByBtCyDyEtD0BtGyEtC0A0AtGyEyCtAtAtGzz0B0B0FtGyCyCyByE0DtCtC0A0D0C0C0C2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtAtCyByB%26cr%3D500324988%26a%3Dwncy_iobitfs_17_25%26os_ver%3D6.3%26os%3DWindows%2B8.1&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_iobitfs_17_25&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0DtDyDtDzyzytAyEyD0CzyyC0EyByCzytN0D0Tzu0StCzyzyzytN1L2XzutAtFtBzytFtCtDyEtFyDtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0FtAyCyDtDtC0FtGtBtBzy0CtG0BzytC0EtGyCtA0B0BtGyByE0CtDyE0C0EzytD0D0CyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0ByBtCyDyEtD0BtGyEtC0A0AtGyEyCtAtAtGzz0B0B0FtGyCyCyByE0DtCtC0A0D0C0C0C2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtAtCyByB%26cr%3D500324988%26a%3Dwncy_iobitfs_17_25%26os_ver%3D6.3%26os%3DWindows%2B8.1&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_iobitfs_17_25&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0DtDyDtDzyzytAyEyD0CzyyC0EyByCzytN0D0Tzu0StCzyzyzytN1L2XzutAtFtBzytFtCtDyEtFyDtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0FtAyCyDtDtC0FtGtBtBzy0CtG0BzytC0EtGyCtA0B0BtGyByE0CtDyE0C0EzytD0D0CyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0ByBtCyDyEtD0BtGyEtC0A0AtGyEyCtAtAtGzz0B0B0FtGyCyCyByE0DtCtC0A0D0C0C0C2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtAtCyByB%26cr%3D500324988%26a%3Dwncy_iobitfs_17_25%26os_ver%3D6.3%26os%3DWindows%2B8.1&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_iobitfs_17_25&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1Qzu0DtDyDtDzyzytAyEyD0CzyyC0EyByCzytN0D0Tzu0StCzyzyzytN1L2XzutAtFtBzytFtCtDyEtFyDtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2StA0FtAyCyDtDtC0FtGtBtBzy0CtG0BzytC0EtGyCtA0B0BtGyByE0CtDyE0C0EzytD0D0CyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0ByBtCyDyEtD0BtGyEtC0A0AtGyEyCtAtAtGzz0B0B0FtGyCyCyByE0DtCtC0A0D0C0C0C2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtAtCyByB%26cr%3D500324988%26a%3Dwncy_iobitfs_17_25%26os_ver%3D6.3%26os%3DWindows%2B8.1&p={searchTerms}
Handler: skypec2c - No CLSID Value
R2 windowsmanagementservice; C:\Users\Salvi\AppData\Local\xxkdvbku\uqnqtsdv\ct.exe [535552 2017-08-08] () [File not signed] <==== ATTENTION
S2 clsid6849; no ImagePath
C:\WINDOWS\system32\drivers\moudclyc.sys -> MD5 = D41D8CD98F00B204E9800998ECF8427E (0-byte MD5) <======= ATTENTION
2017-08-08 20:40 - 2017-08-08 20:40 - 000535552 _____ () C:\Users\Salvi\AppData\Local\xxkdvbku\uqnqtsdv\ct.exe

Close Notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Plug the flashdrive into the infected PC.

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please attach it to your reply.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
Link to comment
Share on other sites


as for 

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.
    f8 does nothing,f12 does nothing del does nothing.. the only thing that seems to do anything is f2 and that doesn't have these options.. just once i would love something from windows to be as is in their stupid descriptions..  every time they show pics of things how it should look it never ever looks like it and never works right....ever!!!!!!! i put the stupid windows cd it says press r to begin repair.. i press r nothing happens..ofc!! it wants me to keep entering the cd key  w/e i load it after it asks me if i want to update windows then it gives me 3 options to reset and all that but none of them is the god damn repair option...ahhh!!!!! wtf do they make everything so damn complicated!!!!
Link to comment
Share on other sites

It is difficult with keeping up with MS changes in how people get into the RE with each version of Windows.  It's like they don't what anybody using the RE.

Boot into Normal Mode and run Fresh scans with EAM and FRST, attach the new EAM and FRST scan reports to your nest reply.

Link to comment
Share on other sites

Doing a Windows Repair should not affect any of your files, settings, or installed Windows Apps.  However, you may need to reinstall any third-party software.

The SmartService infection is still present, if you are not able to use the Recovery Environment then we will not be able to disable the rootkit and remove the rest of the infection.

Doing a Windows Repair may be you best option.

Link to comment
Share on other sites

 3rd party software thats like games and things? i don't know much about comps lol, i do but a lot of is it self-taught from messing around on older comps i don't use anymore or dealing with past issues, but when it comes to the technical stuff i don't really have a clue lol. to me its the thing in the folder on the top or w/e haha. ty for your time on this also..

 oh i also did a custom scan with my advanced system care and it did find the rootkit and a few others with it but it still wont deal with the issues, just says quarantine on reboot then i do the scan after the reboot and they are back again.
the other virus name or infected file is called  niszdpw.exe wincglq.exe  here is a pic of the scan. atm i'm backing up my comp to an external hd incase anything goes wrong when i repair and lose stuff. will repair asap and after the repair would you like another scan and resend those files you asked for earlier? i also added the log from the scan.

Antivirus report.log

Link to comment
Share on other sites

 just really hope this doesnt uninstall everything on my comp . rather stick with the virus than having to deal with all of that if its a guaranteed wipe of 3rd party stuff.. i dont want to deal with getting everything back if thats the 100% case... i really dont understand why a repair would do such a thing anyways..

also i never backed up a comp before. if it does wipe it i would like to put everything back. how would i do that if it was the case?

Link to comment
Share on other sites

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To Remove EEK simple delete the EEK for in the of your System Drive, normally C:\EEK

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!

  • Like 1
Link to comment
Share on other sites

Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.

  • Like 1
Link to comment
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...