A Windows XP help forum. PCbanter


igfxmtc.exe trojan



 
 
  #1  
Old February 8th 18, 10:02 PM posted to alt.comp.os.windows-10
Mike S[_4_]

My neighbor complained about her machine running really slowly and being
basically unusable. I found that AVG AV was not running, not a good
sign, and I couldn't install Panda AV or run Trend Micro Housecall to
scan it. I could run MBAM and it found some files and registry entries,
but quarantining them and rebooting was never sufficient to permanently
remove them: either they got quarantined and then re-created by the time
the machine was rebooted, or they were never quarantined at all.

I ran MBAR (rootkit scanner) and it found igfxmtc.exe, which I found
running in the task list and could not kill, and which I found in the
user profile's AppData\Local folder but could not delete. So I tried to
boot into Safe Mode (holding down F8 during boot, holding Shift while
clicking Restart, using Msconfig, using System Settings > Update &
security > Advanced startup, etc.); nothing worked to get it into Safe
Mode so I could try to run MBAR or the Sophos rootkit scanner from
there. Sophos would not run normally. And I tried disabling Secure Boot
to boot a known-good Linux CD, but the computer would not boot from the
CD; that is probably a different issue.

Next I removed the HDD and deleted the igfxmtc folder and its contents
using my W7 machine, reinstalled it and booted. A different infected
folder appeared in the same AppData\Local folder, and then the igfxmtc
folder was recreated as well! So I never got to the source of the
infection that was writing those files. I read that a lot of work has
gone into this bitminer to make it immune to simple attacks, and they
have me stymied.

What is the procedure for dealing with pernicious infections of this
sort? There are many pro cleaners that claim to work, but I don't know
which ones to trust. At this point I asked the user to back up all of
her files and consider a clean OS install, or restore to Factory
Defaults if the machine will do that. Any suggestions will be
appreciated.
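
The pattern in the post above (a process that cannot be killed, a folder
under AppData\Local that comes back after being deleted offline, scanners
that quarantine but never stick) is what a watchdog autostart looks like:
something else on the machine re-launches the miner and re-creates its
folder. Before wiping, it is worth finding that something. The script
below is an added example, mine and not from the thread or any of the
tools it names. It reads the autostart locations Windows uses (Run keys,
scheduled tasks, services, permanent WMI event subscriptions, Startup
folders), reports every entry mentioning the folder name, and for any
matching live process prints its parent and whether the binary is
signed. It assumes the name igfxmtc from the post and an elevated
PowerShell on the infected machine; it only reads, nothing is deleted.

```powershell
# Added example (not from the thread): find what re-launches a program that
# keeps coming back. Assumption: the name is igfxmtc as in the post above.
# Run in an elevated PowerShell on the infected machine. Read-only.
$Needle = 'igfxmtc'
$pat    = [regex]::Escape($Needle)
$hits   = [System.Collections.Generic.List[object]]::new()

function Add-Hit([string]$Source, [string]$Name, [string]$Value) {
    if ($Value -and $Value -match $pat) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }
}

# 1. Live processes: command line, parent, and whether the binary is signed.
#    A parent other than explorer.exe/services.exe, or an unsigned binary
#    under AppData\Local, is the thread to pull on.
Get-CimInstance Win32_Process |
  Where-Object { $_.Name -match $pat -or $_.CommandLine -match $pat } |
  ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $sig = 'n/a'
    if ($_.ExecutablePath -and (Test-Path $_.ExecutablePath)) {
        $sig = (Get-AuthenticodeSignature -FilePath $_.ExecutablePath).Status
    }
    Add-Hit 'Process' "PID $($_.ProcessId), parent $($parent.Name) [$($_.ParentProcessId)]" "$($_.Name): $($_.CommandLine) (signature: $sig)"
  }

# 2. Run/RunOnce keys for the machine and for the account running this shell.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Add-Hit "Registry $key" $p.Name "$($p.Value)" }
    }
}

# 3. Scheduled tasks: the usual way a deleted folder gets re-created on a timer.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($action.Execute) $($action.Arguments)"
    }
}

# 4. Services.
Get-CimInstance Win32_Service | ForEach-Object { Add-Hit 'Service' $_.Name $_.PathName }

# 5. Permanent WMI event subscriptions: fileless persistence that survives
#    reboots and never shows up in msconfig or the Task Manager Startup tab.
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
  ForEach-Object { Add-Hit 'WMI CommandLineEventConsumer' $_.Name $_.CommandLineTemplate }
Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
  ForEach-Object { Add-Hit 'WMI ActiveScriptEventConsumer' $_.Name $_.ScriptText }

# 6. Startup folders, resolving .lnk shortcuts to their real targets.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        Add-Hit 'StartupFolder' $_.Name $target
    }
}

# 7. Tamper indicator: an infection that stopped AVG usually stops Defender too.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $hits.Add([pscustomobject]@{ Source = 'Defender'; Name = 'RealTimeProtectionEnabled'; Value = 'False' })
}

if ($hits.Count -eq 0) {
    "No process or autostart entry mentions '$Needle'; re-run with the name of the other folder that appeared in AppData\Local."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

HKCU: here is the account running the shell, so run it in the neighbor's
own session (or load her hive) if you are logged in as someone else. An
entry found this way is what to remove first, from offline media if the
live system will not let you; deleting only igfxmtc.exe while its task,
service or WMI consumer survives is exactly the losing race described in
the post.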
  #2  
Old February 9th 18, 12:30 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 2:54 PM, KenW wrote:
On Thu, 8 Feb 2018 14:02:36 -0800, Mike S wrote:

[quoted text snipped]

Wipe the drive and install Windows 10 from an ISO. Ccleaner free can
do that.
KenW


The owner is considering that option, it seems like massive overkill for
one infection, but without safe mode or a scanner that can remove it,
that may be necessary.

  #3  
Old February 9th 18, 01:19 AM posted to alt.comp.os.windows-10
GlowingBlueMist[_6_]

On 2/8/2018 6:30 PM, Mike S wrote:
On 2/8/2018 2:54 PM, KenW wrote:
On Thu, 8 Feb 2018 14:02:36 -0800, Mike S wrote:

[quoted text snipped]

You might be able to clean things by booting one of the Live Linux
DVDs. Once Linux is running you can mount the original hard drive and
clean it up with the same or similar anti-malware programs you wanted to
run.

If nothing else you should be able to download and burn/run one of the
Rescue systems from here; https://livecdlist.com/
  #4  
Old February 9th 18, 01:41 AM posted to alt.comp.os.windows-10
Paul[_32_]

Mike S wrote:
[quoted text snipped]


https://forums.malwarebytes.com/topi...tcexe-trouble/

It contains a pointer to another packaged version of MBAR.

https://forums.malwarebytes.com/topi...-malwarebytes/

If MBAR won't run please download the zip copy from this article
and follow the instructions at the link to get running.

https://support.malwarebytes.com/docs/DOC-1267

Paul
  #5  
Old February 9th 18, 01:49 AM posted to alt.comp.os.windows-10
Bob_S[_2_]



"Mike S" wrote in message news
[quoted text snipped]

Mike,

Try this https://us.norton.com/support/tools/npe.html

It's free and has been improved. When it opens you have 3 options - just
start from the top and follow the bouncing ball. It may also direct you to
one of the sites to do an online scan.

Bob S.

  #6  
Old February 9th 18, 01:58 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 5:48 PM, KenW wrote:

[quoted text snipped]


There are a few programs out there that are free. If you can find the
name of the infection, there are specific free programs for them. You
could try running some programs from a usb stick if they won't
install. There are many ways to 'skin a cat'.
KenW



Thanks KenW and GlowingBlueMist, thinking about it from this angle I
found this page (link below) but I was imagining a situation where the
scanner deleted infected system files and the machine would no longer
boot. Do you know if it's possible for me to burn a Win10 DVD that will
allow me to run scanners and repair or replace system files? I don't
want to wipe out files that make the machine unbootable and then not be
able to fix it. Or should I do it in 2 steps, first use one of these
bootable scanners to hopefully clean the disk, then boot from a Win10
DVD and repair or replace any damaged or missing system files?
"15 Free Bootable Antivirus Tools"
https://www.lifewire.com/free-bootab...-tools-2625785
  #7  
Old February 9th 18, 02:20 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 5:49 PM, Bob_S wrote:


[quoted text snipped]


Thanks Bob, I was just trying this
Use Windows Defender Offline to remove tough viruses from your Windows 10 PC
https://www.windowscentral.com/use-w...-windows-10-pc
I disabled Secure Boot and moved the CD/DVD drive to the top of the boot
order list (I didn't enable Legacy Boot yet), and I was unable to boot
from the CD. The CD activity light flashed a lot for a few seconds, then
stopped, and it proceeded to boot from the HDD. Do you know if I need to
enable Legacy Boot to boot one of these types of repair CD/DVDs?
  #8  
Old February 9th 18, 02:27 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 6:20 PM, Mike S wrote:
On 2/8/2018 5:49 PM, Bob_S wrote:


[quoted text snipped]


I enabled Legacy Boot (CSM) and made sure the boot order and legacy boot
order both had the internal cd-rom drive at the top of the list, still
boots to the hdd.
  #9  
Old February 9th 18, 02:30 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 6:24 PM, KenW wrote:
On Thu, 8 Feb 2018 17:58:31 -0800, Mike S wrote:

[quoted text snipped]


All these years and I never had to restore a single file from a DVD!
With Windows 10 you can do a repair reinstall just as easily as with XP.
Just run setup.exe (or whatever) from within Win 10 on the DVD. Do
not boot the DVD.

I thought some others would show up in this thread with help.


KenW


Thanks KenW. The owner doesn't know if it came with 7 or 10; she did say
it's about 6 or 7 years old, and there was a Windows 10 Update Assistant
icon on the desktop, so I'm guessing it was originally W7. If they did
an upgrade, can I download any version of the W10 ISO and do the repair
reinstall?

  #10  
Old February 9th 18, 02:44 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 6:24 PM, KenW wrote:
On Thu, 8 Feb 2018 17:58:31 -0800, Mike S wrote:

[quoted text snipped]

KenW, I may have found how to do what you're suggesting. I ran ProduKey
to get the Windows Key from the infected computer, and am burning a w10
DVD from here. Thanks for pointing me in the right direction.
https://www.microsoft.com/en-us/soft...load/windows10
  #11  
Old February 9th 18, 03:11 AM posted to alt.comp.os.windows-10
Bob_S[_2_]



"Mike S" wrote in message news
[quoted text snipped]

Mike,

I don't know your hardware configuration and if you switch to legacy mode
you can cause yourself some boot problems when you go back to the hard
drive.

So back off of that Windows Defender Offline for now. There are a lot of
other things that can be done, but I suggested the NPE tool because it is
thorough. It can also turn up a lot of false positives on benign software.
Once it has completed a scan and shows a window full of "Bad" entries,
apply a dose of caution and go thru the list. At the top, use the checkbox
to unselect everything and then go down thru the "Bad" entries. Those
showing as "PUPs" (Potentially Unwanted Programs) may or may not be bad, so
don't get too nervous about those. You're looking for the ones that stand
out and have Trojan, Virus, Malware associated with them.

I should have prefaced my use of this tool with "It's a hammer", use it
softly. By being selective with the items it finds, this should get you to
a point where MBAM or others can find other malware associated with this
infection. RogueKiller is another hammer type approach. It shows a number
of false positives such as calling UltraVNC a Trojan (Generic).

Not knowing what software is installed on the system and trying to determine
what's been infected and how is really difficult and the best advice is to
use your best judgment when you look at the output of programs like NPE or
RogueKiller. Try to determine what was installed recently or downloaded.
I'm sure you've read just about everything on igfxmtc.exe and have seen
everyone trying to sell the software to remove it or to download some
dubious other software.

Even MBAM tech support doesn't know how to get rid of it (yet). One of
their approaches involves running RogueKiller and they also want a ton of
logs collected, and finally, after reading several threads, you never do
see MBAM's solution, but I did read that Windows "Malicious Software
Removal Tool" was helpful.

https://www.microsoft.com/en-us/down...l-details.aspx

Download it and let it run a full scan.

Wish I could tell you which false positives to ignore but if the company
that makes these tools can't do it - neither can I. Worst case, if you
guess wrong by deleting some software/application, it can be reinstalled.

Right now the object is to get you back in control and I think the best you
can hope for is ending up with a hobbled system of some fashion that in the
end will need to be restored. So maybe the plan should be:

1. Start looking for and copying any documents, photos, etc. that your
neighbor deems important and copy those to a USB stick or an external drive
that is not connected to your system so you don't get your system infected.

2. Run the tools but try this order: a) Windows Malicious Software Removal
Tool, b) RogueKiller, c) NPE.

3. It's going to get bloody so tell your neighbor that at best, you can
probably save their files but the rest is toast.

4. Direct them to an online store or a local BestBuy to purchase a USB drive
and backup software (I prefer Acronis - warts and all) and show them how to
make regular scheduled backups.

Bob S.
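
For step 1 of the plan above, an added example of the backup copy, mine
and not Bob's or the thread's: it copies the neighbor's document folders
to the external drive but refuses file types that can execute, so the
miner's dropper does not ride along onto the rebuilt machine, and writes
a SHA-256 manifest so the set can be scanned and checked on a clean
system before anything is opened. The profile path C:\Users\neighbor and
the drive letter E: are placeholders; run it in an elevated PowerShell on
the infected machine with the external drive plugged in.

```powershell
# Added example (not from the thread): copy documents to an external drive
# while refusing executable/script types. Placeholders: profile path and E:.
$UserProfile = 'C:\Users\neighbor'
$Dest        = 'E:\neighbor-backup'
$Folders     = 'Desktop', 'Documents', 'Pictures', 'Videos', 'Music', 'Favorites'

# Never carry these over: executables, scripts, installers and shortcuts are
# how the infection would come back. Downloads is left out on purpose; that
# is where a dropper most likely arrived, so pull single files from it by hand.
$Blocked = '*.exe', '*.dll', '*.scr', '*.com', '*.pif', '*.msi', '*.msp',
           '*.bat', '*.cmd', '*.ps1', '*.vbs', '*.vbe', '*.js', '*.jse',
           '*.wsf', '*.wsh', '*.hta', '*.jar', '*.cpl', '*.lnk', '*.url', '*.iso'

if (-not (Test-Path $Dest)) { New-Item -ItemType Directory -Path $Dest | Out-Null }

foreach ($folder in $Folders) {
    $src = Join-Path $UserProfile $folder
    if (-not (Test-Path $src)) { continue }
    $dst = Join-Path $Dest $folder
    $log = Join-Path $Dest "robocopy-$folder.log"
    # /E  subfolders incl. empty   /XJ   do not follow junctions (no loops)
    # /XF exclude these names      /R:1 /W:1 one retry, 1 s wait on locked files
    # /NP no progress on console; the per-folder log has the detail
    # PowerShell expands the $Blocked array into one argument per pattern.
    robocopy $src $dst /E /XJ /R:1 /W:1 /NP /XF $Blocked "/LOG:$log" | Out-Null
    # robocopy exit codes below 8 are success/informational; 8 and up mean failures
    if ($LASTEXITCODE -ge 8) { Write-Warning "$folder : robocopy reported failures, see $log" }
}

# Manifest of what was copied, for checking on a clean machine. The exclusion
# list cannot catch macro documents (.docm, .xlsm); scan those before opening.
Get-ChildItem -Path $Dest -Recurse -File |
  Where-Object { $_.Extension -ne '.log' -and $_.Name -ne 'manifest-sha256.csv' } |
  Get-FileHash -Algorithm SHA256 |
  Select-Object Hash, Path |
  Export-Csv -Path (Join-Path $Dest 'manifest-sha256.csv') -NoTypeInformation
```

Scan the external drive from a clean machine before restoring anything,
and do not plug it into your own system with autorun enabled; the
manifest lets you confirm later that what you restore is what you copied.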

  #12  
Old February 9th 18, 03:27 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 7:11 PM, Bob_S wrote:


"Mike S"Â* wrote in message news
On 2/8/2018 5:49 PM, Bob_S wrote:


"Mike S"Â* wrote in message news
My neighbor complained about her machine running really slowly and being
basically unusable. I found that AVG AV was not running, not a good
sign, and I couldn't install Panda AV or run Trend Micro Housecall to
scan it. I could run MBAM and it found some files and registry entries
but quarantining them and rebooting was never sufficient to permanently
remove them, either they got quarantined then re-created by the time the
machine was rebooted, or they were never quarantined at all. I ran MBAR
(rootkit scanner) and it found igfxmtc.exe, which I found running in the
task list and could not kill, and which I found in the user profile
appdata local folder but could not delete so I tried to boot into Safe
Mode (holding down F8 during boot, holding Shift while clicking Restart,
using Msconfig, using System Settings Update & security Advanced
startup etc., nothing worked to get it in to safemode so I could try to
run MBAR or Sophos Rootkit scanner from Safe Mode. Sophos would not run
normally. And I tried disabling Secure Boot to boot a known good Linux
CD but the computer would not boot from the CD, that is probably a
different issue. Next I removed the hdd and deleted the igfxmtc folder
and its contents using my w7 machine, reinstalled it and booted, a
different infected folder appeared in the same appdata local folder, and
then the igfxmtc folder was recreated as well! So I never got to the
source of the infection that was writing those files. I read that a lot
of work has gone into this bitminer to make it immune to simple attacks,
and they have me stymied.Â* What is the procedure for dealing with
pernicious infections of this sort? There are many pro cleaners that
claim to work but I don't know which ones to trust. At this point I
asked the user to back up all of her files and consider a clean OS
install, or restore to Factory Defaults if the machine will do that. Any
suggestions will be appreciated.

Mike,

Try this https://us.norton.com/support/tools/npe.html

It's free and has been improved. When it opens you have 3 options -
just start from the top and follow the bouncing ball. It may also
direct you to one of the sites to do an online scan.

Bob S.


Thanks Bob, I was just trying this
Use Windows Defender Offline to remove tough viruses from your Windows
10 PC
https://www.windowscentral.com/use-w...-windows-10-pc

I disabled Secure Boot and moved the CD/DVD drive to the top of the boot
order list, I didn't enable Legacy Boot yet, and I was unable to boot
from the CD. The CD activity light flashed a lot for a few seconds, then
stopped, and it proceeded to boot from the hdd. Do you know if I need to
enable Legacy Boot to boot one of these types of repair CD/DVDs?

Mike,

I don't know your hardware configuration and if you switch to legacy
mode you can cause yourself some boot problems when you go back to the
hard drive.

So back off of that Windows Defender Offline for now. There are a lot of
other things that can be done but I suggested NPE tool because it is
thorough. It can also turn up a lot of false positives on benign
software. Once it has completed a scan and shows a window full of "Bad"
entries - apply a dose of caution and go thru the list. At the top, use
the checkbox to unselect everything and then go down thru the "Bad"
entries. Those showing as "PUPs" (Potentially Unwanted Programs) may or
may not be bad so don't get too nervous about those. You're looking for
the ones that stand out and have Trojan, Virus, Malware associated with
them.

I should have prefaced my use of this tool with "It's a hammer", use it
softly. By being selective with the items it finds, this should get you
to a point where MBAM or others can find other malware associated with
this infection. RogueKiller is another hammer type approach. It shows
a number of false positives such as calling UltraVNC a Trojan (Generic).

Not knowing what software is installed on the system and trying to
determine what's been infected and how is really difficult and the best
advice is to use your best judgment when you look at the output of
programs like NPE or RogueKiller. Try to determine what was installed
recently or downloaded. I'm sure you've read just about everything on
igfxmtc.exe and have seen everyone trying to sell the software to remove
it or to download some dubious other software.

Even MBAM tech support doesn't know how to get rid of it (yet). One of
their approaches involves running RogueKiller and they also want a ton
of logs collected and finally after reading several threads, you never
do see MBAM's solution but I did read that Windows "Malicious Software
Removal Tool" was helpful.

https://www.microsoft.com/en-us/down...l-details.aspx


Download it and let it run a full scan.

Wish I could tell you which false positives to ignore but if the company
that makes these tools can't do it - neither can I. Worst case, if you
guess wrong by deleting some software/application, it can be reinstalled.

Right now the object is to get you back in control and I think the best
you can hope for is ending up with a hobbled system of some fashion that
in the end will need to be restored. So maybe the plan should be:

1. Start looking for and copying any documents, photos, etc. that your
neighbor deems important and copy those to a USB stick or an external
drive that is not connected to your system so you don't get your system
infected.

2. Run the tools but try this order a) Windows Removal tool b)
RogueKiller c) NPE

3. It's going to get bloody so tell your neighbor that at best, you can
probably save their files but the rest is toast.

4. Direct them to an online store or a local BestBuy to purchase a USB
drive and backup software (I prefer Acronis - warts and all) and show
them how to make regular scheduled backups.

Bob S.

Thanks very much, I downloaded the win10 iso and ran ProduKey to get the
key in case I needed it, am running the startup repair right now, if
that lets me run scanners on the next boot, great, otherwise it will be
hammer time. Thanks again.
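An added example, not code from either poster: a read-only PowerShell inventory of the autostart locations that usually explain a file that comes back after you delete it (Run keys, scheduled tasks, services, permanent WMI event subscriptions) plus any running process whose image lives under AppData\Local, filtered to the file name and folder Mike describes. The suspect-name list, the path pattern and the helper name Add-Finding are my assumptions, not anything from the thread or a vendor write-up.

```powershell
# Added example (not from the thread). Read-only: it lists, never deletes.
# Run from an elevated PowerShell on the affected machine.
# The suspect name list and the AppData\Local pattern are assumptions
# taken from the symptoms described in the post, not from any vendor write-up.
param(
    [string[]]$SuspectNames = @('igfxmtc.exe'),
    [string]$SuspectPathPattern = '\\AppData\\Local\\'   # regex, matches \AppData\Local\
)

$findings = New-Object 'System.Collections.Generic.List[object]'

# Record an entry when its command line names a suspect file or launches from AppData\Local.
function Add-Finding([string]$Source, [string]$Name, [string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return }
    $byName = $false
    foreach ($n in $SuspectNames) {
        if ($Command -match [regex]::Escape($n)) { $byName = $true }
    }
    if ($byName -or ($Command -match $SuspectPathPattern)) {
        $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}

# 1. Run / RunOnce keys (machine-wide, 32-bit view, and the current user)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Add-Finding "Registry $key" $p.Name ([string]$p.Value) }
    }
}

# 2. Scheduled tasks: executable plus arguments of every exec action
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Finding "Task $($task.TaskPath)" $task.TaskName "$($a.Execute) $($a.Arguments)" }
    }
}

# 3. Services: the registered binary path
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    Add-Finding 'Service' $svc.Name $svc.PathName
}

# 4. Permanent WMI event subscriptions, a persistence location worth checking separately
foreach ($c in (Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
    Add-Finding 'WMI CommandLineEventConsumer' $c.Name $c.CommandLineTemplate
}

# 5. Running processes whose image sits under a profile's AppData\Local
foreach ($proc in Get-Process) {
    if ($proc.Path) { Add-Finding 'Process' "$($proc.ProcessName) (PID $($proc.Id))" $proc.Path }
}

if ($findings.Count -eq 0) { 'No autostart or process entry matched.' }
else { $findings | Sort-Object Source | Format-Table -AutoSize -Wrap }
```

Run it before and after each cleaning pass: an entry that survives, or reappears, in one of these locations is the thing re-creating the folder, and a second pass with the output saved to a file on removable media gives the neighbour's machine a record to compare against.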
  #13  
Old February 9th 18, 04:25 AM posted to alt.comp.os.windows-10
Bob_S[_2_]
external usenet poster
 
Posts: 149
Default igfxmtc.exe trojan



"Mike S" wrote in message news
On 2/8/2018 7:11 PM, Bob_S wrote:


"Mike S" wrote in message news
On 2/8/2018 5:49 PM, Bob_S wrote:


"Mike S" wrote in message news
My neighbor complained about her machine running really slowly and being
basically unusable. I found that AVG AV was not running, not a good
sign, and I couldn't install Panda AV or run Trend Micro Housecall to
scan it. I could run MBAM and it found some files and registry entries
but quarantining them and rebooting was never sufficient to permanently
remove them, either they got quarantined then re-created by the time the
machine was rebooted, or they were never quarantined at all. I ran MBAR
(rootkit scanner) and it found igfxmtc.exe, which I found running in the
task list and could not kill, and which I found in the user profile
appdata local folder but could not delete so I tried to boot into Safe
Mode (holding down F8 during boot, holding Shift while clicking Restart,
using Msconfig, using System Settings Update & security Advanced
startup etc., nothing worked to get it in to safemode so I could try to
run MBAR or Sophos Rootkit scanner from Safe Mode. Sophos would not run
normally. And I tried disabling Secure Boot to boot a known good Linux
CD but the computer would not boot from the CD, that is probably a
different issue. Next I removed the hdd and deleted the igfxmtc folder
and its contents using my w7 machine, reinstalled it and booted, a
different infected folder appeared in the same appdata local folder, and
then the igfxmtc folder was recreated as well! So I never got to the
source of the infection that was writing those files. I read that a lot
of work has gone into this bitminer to make it immune to simple attacks,
and they have me stymied. What is the procedure for dealing with
pernicious infections of this sort? There are many pro cleaners that
claim to work but I don't know which ones to trust. At this point I
asked the user to back up all of her files and consider a clean OS
install, or restore to Factory Defaults if the machine will do that. Any
suggestions will be appreciated.

Mike,

Try this https://us.norton.com/support/tools/npe.html

It's free and has been improved. When it opens you have 3 options - just
start from the top and follow the bouncing ball. It may also direct you
to one of the sites to do an online scan.

Bob S.


Thanks Bob, I was just trying this
Use Windows Defender Offline to remove tough viruses from your Windows 10
PC
https://www.windowscentral.com/use-w...-windows-10-pc
I disabled Secure Boot and moved the CD/DVD drive to the top of the boot
order list, I didn't enable Legacy Boot yet, and I was unable to boot
from the CD. The CD activity light flashed a lot for a few seconds, then
stopped, and it proceeded to boot form the hdd. Do you know if I need to
enable Legacy Boot to boot one of these types of repair CD/DVDs?

Mike,

I don't know your hardware configuration and if you switch to legacy mode
you can cause yourself some boot problems when you go back to the hard
drive.

So back off of that Windows Defender Offline for now. There is a lot of
other things that can be done but I suggested NPE tool because it is
thorough. It can also turn up a lot of false positives on benign
software. Once it has completed a scan and shows a window full of "Bad"
entries - apply a dose of caution and go thru the list. At the top, use
the checkbox to unselect everything and then go down thru the "Bad"
entries. Those showing as "PUPs" (Potentially Unwanted Programs) may or
may not be bad so don't get to nervous about those. You're looking for
the ones that standout and have Trojan, Virus, Malware associated with
them.

I should have prefaced my use of this tool with "It's a hammer", use it
softly. By being selective with the items it finds, this should get you
to a point where MBAM or others can find other malware associated with
this infection. RougueKiller is another hammer type approach. It shows a
number of false positives such as calling UltraVNC a Trojan (Generic).

Not knowing what software is installed on the system and trying to
determine what's been infected and how is really difficult and the best
advice is to use your best judgment when you look at the output of
programs like NPE or RogueKiller. Try to determine what was installed
recently or downloaded. I'm sure you've read just about everything on
igfxmtc.exe and have seen everyone trying to sell the software to remove
it or to download some dubious other software.

Even MBAB tech support doesn't know how to get rid of it (yet). One of
their approaches involves running RogueKiller and they also want a ton of
logs collected and finally after reading several threads, you never do see
MBAM's solution but I did read that Windows "Malicious Software Removal
Tool" was helpful.

https://www.microsoft.com/en-us/down...l-details.aspx

Download it and let it run a full scan.

Wish I could tell you which false positives to ignore but if the company
that makes these tools can't do it - neither can I. Worst case, if you
guess wrong by deleting some software/application, it can be reinstalled.

Right now the object is to get you back in control and I think the best
you can hope for is ending up with a hobbled system of some fashion that
in the end will need to be restored. So maybe the plan should be:

1. Start looking for and copying any documents, photo's, etc. that your
neighbor deems important and copy those to a USB stick or an external
drive that is not connected to your system so you don't get your system
infected.

2. Run the tools but try this order a) Windows Removal tool b)
RogueKiller c) NPE

3. It's going to get bloody so tell your neighbor that at best, you can
probably save their files but the rest is toast.

4. Direct them to an online store or a local BestBuy to purchase a USB
drive and backup software (I prefer Acronis - warts and all) and show them
how to make regular scheduled backups.

Bob S.

Thanks very much, I downloaded the win10 iso and ran ProduKey to get the
key in case I needed it, am running the startup repair right now, if
that lets me run scanners on the next boot, great, otherwise it will be
hammer time. Thanks again.

Mike,

If that computer had Win10 on it, you won't need the product key. It will
have a digital key associated with the install of Win10 when it was
upgraded. When the window comes up asking for the product key just click on
"I don't have a product key".

If you don't connect it to the internet during the install you will save
some time. Get it up and running, do what you need and then connect to the
internet. It will then activate automatically.

Bob S.

  #14  
Old February 9th 18, 05:08 AM posted to alt.comp.os.windows-10
Mike S[_4_]
external usenet poster
 
Posts: 496
Default igfxmtc.exe trojan

Thanks Bob S. I'm feeling a lot better about this project.
  #15  
Old February 9th 18, 05:26 AM posted to alt.comp.os.windows-10
Bob_S[_2_]
external usenet poster
 
Posts: 149
Default igfxmtc.exe trojan

Mike,

Just one last thought. You are a good neighbor to have. Taking the time
and the headaches involved in diagnosing and trying to save the install
takes patience and skill and sometimes the best solution is exactly what you
are doing to ensure the system is malware free. Get them doing backups so
the next time is just a quick reimage. Make sure that you turn on the
option for System Restore to create restore points too.

Ya did good and I'm sure your neighbor will appreciate your efforts and your
generosity.

(if not I got this virus you can plant on their hard drive...;-)

Bob S.

 




Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.