shysneeze

CLOSED Cannot remove smartservice rootkit


I have the SmartService rootkit on my machine, and I can't remove it. I have been unable to start Malwarebytes, Windows Defender, or Avast.


Emsisoft Emergency Kit has been able to detect this rootkit at C:\WINDOWS\System32\Drivers\mouvqrty.sys. However, it has been unable to delete this file. EEK says that this file cannot be removed for your own safety, and it says a computer restart is required. However, after restarting, the virus is still there. I tried multiple EEK scans to no avail. I also used Zemana AntiMalware to detect it, but it cannot remove SmartService either. Help would be appreciated.


Please read through these instructions before starting. If you think you can handle all this, move forward. If you don't, please get someone involved who can.

SmartService IS possible to remove, and for someone savvy enough, actually pretty easy. For most people though, SmartService is a pretty big pain to remove. Do you have access to a clean, uninfected Windows 10 machine? If you do, we can use the recovery environment of a Windows 10 installation USB stick (8GB or larger, you'll need one of those too) to get rid of it.

Things to consider:
1. SmartService disables recovery mode in Windows 10, so we have to make a recovery boot USB stick from a clean computer, and configure the infected computer to boot from it.
2. SmartService knows how to patch FRST64.exe so it will not run in recovery mode, so we must make sure SmartService never 'sees' the FRST64.exe program used for this next set of steps.
3. If regular Windows boots while either the Windows 10 recovery USB stick or the FRST USB stick is inserted, you need to format the USB stick and start over. It is safe to format it using the clean computer.

How savvy are you with such things? Here's what to do:

1. Create a Windows 10 recovery USB stick: https://www.techrepublic.com/article/be-prepared-create-a-windows-10-recovery-drive/
2. Using the clean machine, download a fresh copy of FRST64.exe that has never touched the 'sick' machine, and copy it to a separate USB stick. DO NOT INSERT THE USB STICK INTO THE 'SICK' MACHINE YET.
3. Once you're ready with the USB stick and the Windows 10 recovery USB stick (yes, two sticks), shut down the sick computer completely. As in shut down, power off. Follow the instructions here to boot from the Windows 10 recovery USB stick: https://craftedflash.com/info/how-boot-computer-from-usb-flash-drive
4. Use the Repair -> Troubleshoot -> Command Prompt option within recovery mode. Once there, plug in the second USB stick that has FRST64 on it. Find your USB drive by running notepad.exe, clicking File->Open, then noting which drive says "Boot". Normally that is D: or E:, depending on how many drives are in your machine. Either way, we're looking for the USB stick drive letter. You can also find it by typing (in the command prompt) "dir d:", "dir e:" etc. until you find the FRST64.exe program you downloaded earlier.
5. Type "FRST64" to run it. Click the Scan button. Please send the FRST.txt file that it creates. If all goes well, FRST64 will have killed the SmartService driver, and you'll be able to reboot into normal mode where we can finish the removal.

If these instructions are too much, it may be better to get someone involved who has enough experience to do it - while this is not an inherently dangerous exercise, it's not exactly for the faint of heart.

Until SmartService is killed, nothing we do on this machine is going to work properly in the way of getting rid of malware.


Hi Kevin,

I appreciate the help! I have followed the steps as you said, and here is the FRST.txt file.

FRST.txt


I see that FRST has found the rootkit at 

HKLM-x32\...\Run: [svcvmx] => "C:\Users\shibb\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup <==== ATTENTION

What are the removal steps? I have not rebooted the infected PC yet; I left it in recovery mode.

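The FRST `Run:` line quoted above is the kind of entry an analyst triages by hand. As an added example that is not part of this thread, the following Python parses `Run:` lines in that format and flags entries FRST marked `ATTENTION` or that autostart from a user-writable AppData path; only the svcvmx line is from the thread, the other sample lines are constructed, and the parser handles only `Run:` lines, not the other FRST sections that can carry the `ATTENTION` marker.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of FRST.txt "Run:" lines. Only the svcvmx line is the
# one quoted in this thread; the other two are made up for illustration.
SAMPLE_FRST = r"""
HKLM\...\Run: [SecurityHealth] => C:\WINDOWS\system32\SecurityHealthSystray.exe
HKLM-x32\...\Run: [svcvmx] => "C:\Users\shibb\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup <==== ATTENTION
HKU\S-1-5-21-1111\...\Run: [OneDrive] => "C:\Users\shibb\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# hive\...\Run: [name] => "path" args <==== ATTENTION   (marker is optional)
RUN_LINE = re.compile(
    r'^(?P<hive>.+?)\\\.\.\.\\Run:\s*\[(?P<name>[^\]]+)\]\s*=>\s*'
    r'(?P<target>"[^"]*"|\S+)(?P<args>.*?)(?P<flag>\s*<====\s*ATTENTION)?\s*$'
)
# Autostart binaries under a per-user profile directory deserve a second look:
# any unprivileged process can write there, so no installer trust is implied.
USER_WRITABLE = re.compile(r'\\AppData\\(Local|Roaming)\\', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    args: str
    attention: bool


def parse_run_entries(text: str) -> List[RunEntry]:
    """Extract every Run: autostart entry from FRST.txt-style text."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["target"].strip('"'),
                                    m["args"].strip(), m["flag"] is not None))
    return entries


def suspicious(entry: RunEntry) -> List[str]:
    """Return the reasons (possibly none) an entry merits manual verification."""
    reasons = []
    if entry.attention:
        reasons.append("flagged ATTENTION by FRST")
    if USER_WRITABLE.search(entry.path):
        reasons.append("autostart binary under user-writable AppData (verify publisher)")
    return reasons


def triage(text: str) -> List[Tuple[RunEntry, List[str]]]:
    """Pair each flagged entry with its reasons; clean entries are dropped."""
    return [(e, suspicious(e)) for e in parse_run_entries(text) if suspicious(e)]
```

The AppData heuristic is deliberately noisy (legitimate per-user installs such as OneDrive trip it too), so treat it as a prompt to check the file's signature and hash, while the `ATTENTION` marker is FRST's own verdict.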

Restart the computer and enter normal mode. Run a fresh scan with FRST, and attach the fresh FRST scan reports to your reply.
