A Windows XP help forum. PCbanter


igfxmtc.exe trojan



 
 
  #16  
Old February 9th 18, 06:45 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 9:26 PM, Bob_S wrote:
Mike,

Just one last thought. You are a good neighbor to have. Taking the
time and the headaches involved in diagnosing and trying to save the
install takes patience and skill and sometimes the best solution is
exactly what you are doing to insure the system is malware free. Get
them doing backups so the next time is just a quick reimage. Make sure
that you turn on the option for System Restore to create restore points
too.

Ya did good and I'm sure your neighbor will appreciate your efforts and
your generosity.

(if not I got this virus you can plant on their hard drive...;-)

Bob S.


Thanks Rob,
I couldn't have done it without help like yours. Thanks for the laugh
too.
Mike
  #17  
Old February 9th 18, 08:31 AM posted to alt.comp.os.windows-10
Paul[_32_]

Mike S wrote:
On 2/8/2018 6:24 PM, KenW wrote:
On Thu, 8 Feb 2018 17:58:31 -0800, Mike S wrote:

On 2/8/2018 5:48 PM, KenW wrote:

The owner is considering that option, it seems like massive
overkill for
one infection, but without safe mode or a scanner that can remove it,
that may be necessary.

There are a few programs out there that are free. If you can find the
name of the infection, there are specific free programs for them. You
could try running some programs from a usb stick if they won't
install. There are many ways to 'skin a cat'.
KenW


Thanks KenW and GlowingBlueMist, thinking about it from this angle I
found this page (link below) but I was imagining a situation where the
scanner deleted infected system files and the machine would no longer
boot. Do you know if it's possible for me to burn a Win10 DVD that will
allow me to run scanners and repair or replace system files? I don't
want to wipe out files that make the machine unbootable and then not be
able to fix it. Or should I do it in 2 steps, first use one of these
bootable scanners to hopefully clean the disk, then boot from a Win10
DVD and repair or replace any damaged or missing system files?
"15 Free Bootable Antivirus Tools"
https://www.lifewire.com/free-bootab...-tools-2625785


All these years and I never had to restore a single file from a dvd !
With Windows 10 you can do a repair reinstall just as easy as with XP.
Just run setup.exe ( or what ever ) from within Win 10 on the dvd. Do
not boot the dvd.

I thought some others would show up in this thread with help.


KenW

KenW, I may have found how to do what you're suggesting. I ran ProduKey
to get the Windows Key from the infected computer, and am burning a w10
DVD from here. Thanks for pointing me in the right direction.
https://www.microsoft.com/en-us/soft...load/windows10


Windows 10 uses Digital Entitlement for the free Win7/Win8.1 to
Windows 10 upgrade.

After a user has successfully upgraded from Win7/Win8.1, the
actual key is stored on the MS server, and a "hash" of hardware
identifiers such as the MAC address, is used to verify the
license on subsequent re-installs. Activation is automated.

What ProduKey would return for Windows 10 upgraders, is the "bogus"
key ending in 3V66T (for Pro). These are examples of some bogus
keys, that when entered into the Windows 10 key dialog, will
be ignored or rejected.

VK7JG-NPHTM-C97JM-9MPGT-3V66T (Windows 10 Professional)
YTMG3-N6DKC-DKB77-7M9GH-8HVX7 (Windows 10 Home - multi language)
BT79Q-G7N6G-PGBYW-4YWX6-6F4BT (Windows 10 Home - single language)

A person who owns a $150 copy of a Retail Windows 10, would
have entered a "real" "unique" key at the time of key entry.
And that's the kind of thing you use on a brand new
hardware build. The ProduKey is probably valid on that.

If the individual was running Win7, again, it would depend
on where the OS came from, as to whether the ProduKey value
is of usage. A royalty OEM key would be a generic one.
The COA sticker on a Win7 laptop would use an entirely
different key, than would be returned by ProduKey for
the OEM installed OS. The COA sticker key is the one
you want for any "emergency re-installations" of Win7.
And many times the COA sticker text is worn off. If you can't
find a COA sticker on a Win7 laptop, look in the battery
bay, a place where the sticker won't get worn.

Brand new Win10 gear doesn't use COA stickers, so you
don't need to look for that on those. The key on a
newly purchased Win10 machine, is in the BIOS, in the
MSDM ACPI table. And that one happens to be unique per machine.

Paul
  #18  
Old February 9th 18, 03:28 PM posted to alt.comp.os.windows-10
Ken Blake[_5_]

On Thu, 8 Feb 2018 18:30:24 -0800, Mike S wrote:

Thanks KenW. The owner doesn't know if it came with 7 or 10, she did say
it's about 6 or 7 yrs old, and there was a Windows 10 Update Assistant
icon on the desktop, so I'm guessing it was originally w7




If it's 6 or 7 years old, it definitely did not come with Windows 10.
Windows 10 was released in July 2015.
  #19  
Old February 10th 18, 03:01 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/9/2018 12:31 AM, Paul wrote:
Mike S wrote:
On 2/8/2018 6:24 PM, KenW wrote:
On Thu, 8 Feb 2018 17:58:31 -0800, Mike S wrote:

On 2/8/2018 5:48 PM, KenW wrote:

The owner is considering that option, it seems like massive
overkill for
one infection, but without safe mode or a scanner that can remove it,
that may be necessary.

There are a few programs out there that are free. If you can find the
name of the infection, there are specific free programs for them. You
could try running some programs from a usb stick if they won't
install. There are many ways to 'skin a cat'.
KenW


Thanks KenW and GlowingBlueMist, thinking about it from this angle I
found this page (link below) but I was imagining a situation where the
scanner deleted infected system files and the machine would no longer
boot. Do you know if it's possible for me to burn a Win10 DVD that will
allow me to run scanners and repair or replace system files? I don't
want to wipe out files that make the machine unbootable and then not be
able to fix it. Or should I do it in 2 steps, first use one of these
bootable scanners to hopefully clean the disk, then boot from a Win10
DVD and repair or replace any damaged or missing system files?
"15 Free Bootable Antivirus Tools"
https://www.lifewire.com/free-bootab...-tools-2625785

All these years and I never had to restore a single file from a dvd !
With Windows 10 you can do a repair reinstall just as easy as with XP.
Just run setup.exe ( or what ever ) from within Win 10 on the dvd. Do
not boot the dvd.

I thought some others would show up in this thread with help.


KenW

KenW, I may have found how to do what you're suggesting. I ran
ProduKey to get the Windows Key from the infected computer, and am
burning a w10 DVD from here. Thanks for pointing me in the right
direction.
https://www.microsoft.com/en-us/soft...load/windows10


Windows 10 uses Digital Entitlement for the free Win7/Win8.1 to
Windows 10 upgrade.

After a user has successfully upgraded from Win7/Win8.1, the
actual key is stored on the MS server, and a "hash" of hardware
identifiers such as the MAC address, is used to verify the
license on subsequent re-installs. Activation is automated.

What ProduKey would return for Windows 10 upgraders, is the "bogus"
key ending in 3V66T (for Pro). These are examples of some bogus
keys, that when entered into the Windows 10 key dialog, will
be ignored or rejected.

VK7JG-NPHTM-C97JM-9MPGT-3V66T (Windows 10 Professional)
YTMG3-N6DKC-DKB77-7M9GH-8HVX7 (Windows 10 Home - multi language)
BT79Q-G7N6G-PGBYW-4YWX6-6F4BT (Windows 10 Home - single language)

A person who owns a $150 copy of a Retail Windows 10, would
have entered a "real" "unique" key at the time of key entry.
And that's the kind of thing you use on a brand new
hardware build. The ProduKey is probably valid on that.

If the individual was running Win7, again, it would depend
on where the OS came from, as to whether the ProduKey value
is of usage. A royalty OEM key would be a generic one.
The COA sticker on a Win7 laptop would use an entirely
different key, than would be returned by ProduKey for
the OEM installed OS. The COA sticker key is the one
you want for any "emergency re-installations" of Win7.
And many times the COA sticker text is worn off. If you can't
find a COA sticker on a Win7 laptop, look in the battery
bay, a place where the sticker won't get worn.

Brand new Win10 gear doesn't use COA stickers, so you
don't need to look for that on those. The key on a
newly purchased Win10 machine, is in the BIOS, in the
MSDM ACPI table. And that one happens to be unique per machine.

Paul


There's no COA sticker, the owner is not technical at all and is very
sketchy on anything having to do with a computer. Her son did a lot of
stuff with the computer and I have no idea what he did or what he knows,
so I'm assuming the machine would benefit from some cleaning and
optimization. Produkey returned a Windows 10 Home key ending with 3J3DQ.
I'm going to do a repair install once she finishes backing up her family
photos, so I'll try clicking "I don't have the product key", or entering
the one ProduKey returned, in that order, if necessary. Thanks for the
detailed post.


  #20  
Old February 11th 18, 11:25 PM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/8/2018 9:26 PM, Bob_S wrote:
Mike,

Just one last thought. You are a good neighbor to have. Taking the
time and the headaches involved in diagnosing and trying to save the
install takes patience and skill and sometimes the best solution is
exactly what you are doing to insure the system is malware free. Get
them doing backups so the next time is just a quick reimage. Make sure
that you turn on the option for System Restore to create restore points
too.

Ya did good and I'm sure your neighbor will appreciate your efforts and
your generosity.

(if not I got this virus you can plant on their hard drive...;-)

Bob S.


Bob S.,

Doing tech support for my neighbors and friends keeps my head in the
game and makes for good relations with my neighbors. Thanks for all of
your great advice, I did these steps

w10 Repair Install
Microsoft Windows Malicious Software Removal Tool
Rogue Killer (c:\windows\system32\searchfilterhost.exe)
Norton Power Eraser (unwanted program scan, system scan)
Sophos Virus Removal Tool
Malwarebytes Anti-Rootkit BETA
Trend Micro Housecall
Malwarebytes Anti-Malware
sfc/scannow

Deleted 2 bugs with no problem as soon as they were identified, Rogue
Killer said system32\searchfilterhost.exe was infected but none of the
others did so I'm hoping that was a false positive.
Everything is working normally so I'm going to hope this is finished.

Thanks for all of your help.
Mike
  #21  
Old February 12th 18, 03:11 AM posted to alt.comp.os.windows-10
Bob_S[_2_]

One last thing - System Restore points option.

I know you've probably read the threads from some who have used System
Restore and say it doesn't work and not worth the effort. That's not a true
statement. Yes, some restore points will not work and/or it goes thru the
restore process, reboots and tells you nothing was restored. Aggravating
but a high percentage of the time it's usually the fault of a 3rd party
antivirus, malware program or added-on firewall. Turning those off before
doing a System Restore allows the restore to complete. If the restore
points have been corrupted - then no, they won't work. If a system went to
a BSOD (stop error/system crash), System Restore is a great tool to have and
can save you a ton of troubleshooting.

System Restore will not get rid of malware. That's a rather broad statement
but for the most part it is the assumption to make. But getting a system
back to a normal state due to a bad update, failed program install (that use
the windows msi installer) and some other mishaps, like losing power during
an update or install, it is very useful and should be one of the first
things to try. But it first must be turned on for each drive that you want
to protect.

Now that Win10 has the option for storing documents, apps and programs, etc.
to other drives on the system, you have to give consideration to the drive
being used in addition to C: drive. This is a nice feature for netbooks and
tablets with little main storage available. With Win10 Home taking about
17GB-20GB on a system with only 32GB of main storage, adding a micro SD card
or a USB thumb drive can provide the additional storage needed.

Turn it on and do yourself and your neighbors a favor. To those that want
to argue the point - it's a good bet in your favor and other than a few
seconds of your time and some disc space, it doesn't cost you anything.
Win10 will make automatic restore points and you can always initiate one
yourself if you are doing something like adding some unknown freeware and
want some insurance.

Bob S.

  #22  
Old February 12th 18, 06:42 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/11/2018 7:11 PM, Bob_S wrote:
One last thing - System Restore points option.

I know you've probably read the threads from some who have used System
Restore and say it doesn't work and not worth the effort. That's not a
true statement. Yes, some restore points will not work and/or it goes
thru the restore process, reboots and tells you nothing was restored.
Aggravating but a high percentage of the time it's usually the fault of
a 3rd party antivirus, malware program or added-on firewall. Turning
those off before doing a System Restore allows the restore to complete.
If the restore points have been corrupted - then no, they won't work.
If a system went to a BSOD (stop error/system crash), System Restore is
a great tool to have and can save you a ton of troubleshooting.

System Restore will not get rid of malware. That's a rather broad
statement but for the most part it is the assumption to make. But
getting a system back to a normal state due to a bad update, failed
program install (that use the windows msi installer) and some other
mishaps, like losing power during an update or install, it is very
useful and should be one of the first things to try. But it first must
be turned on for each drive that you want to protect.

Now that Win10 has the option for storing documents, apps and programs,
etc. to other drives on the system, you have to give consideration to
the drive being used in addition to C: drive. This is a nice feature
for netbooks and tablets with little main storage available. With Win10
Home taking about 17GB-20GB on a system with only 32GB of main storage,
adding a micro SD card or a USB thumb drive can provide the additional
storage needed.

Turn it on and do yourself and your neighbors a favor. To those that
want to argue the point - it's a good bet in your favor and other than a
few seconds of your time and some disc space, it doesn't cost you
anything. Win10 will make automatic restore points and you can always
initiate one yourself if you are doing something like adding some
unknown freeware and want some insurance.

Bob S.


I made a couple of restore points after cleaning the machine and
optimizing w10 for speed. Will give that a try if she bsod's it again.
  #23  
Old February 12th 18, 12:41 PM posted to alt.comp.os.windows-10
Mayayana

"Mike S" wrote

| My neighbor complained about her machine running really slowly and being
| basically unusable....

If you want to deal with it yourself you might find this useful:

https://channel9.msdn.com/Events/Tec...2014/DCIM-B368
https://sec.ch9.ms/sessions/teched/n.../DCIM-B368.mp4

It's a video by Mark Russinovich about how to use
his Sysinternals tools to handle malware. As he
says repeatedly, Task Manager is not the best tool.


  #24  
Old February 12th 18, 05:23 PM posted to alt.comp.os.windows-10
Ken Blake[_5_]

On Sun, 11 Feb 2018 22:11:32 -0500, "Bob_S" wrote:


System Restore will not get rid of malware.



What, never?


That's a rather broad statement but for the most part it is the assumption to make.



OK. I agree with "for the most part," but not with the sentence quoted
above.



But getting a system
back to a normal state due to a bad update, failed program install (that use
the windows msi installer) and some other mishaps, like losing power during
an update or install, it is very useful and should be one of the first
things to try.



Yes, I agree. No guarantee it will solve the problem, but because it's
quick and easy to try, it's almost always worth trying as a first
step.


But it first must be turned on for each drive that you want
to protect.




It's only useful for the drive on which Windows is installed.
  #25  
Old February 13th 18, 12:12 AM posted to alt.comp.os.windows-10
Bob_S[_2_]



"Ken Blake" wrote in message
...

On Sun, 11 Feb 2018 22:11:32 -0500, "Bob_S" wrote:


System Restore will not get rid of malware.



What, never?


That's a rather broad statement but for the most part it is the assumption
to make.



OK. I agree with "for the most part," but not with the sentence quoted
above.



But getting a system
back to a normal state due to a bad update, failed program install (that
use
the windows msi installer) and some other mishaps, like losing power during
an update or install, it is very useful and should be one of the first
things to try.



Yes, I agree. No guarantee it will solve the problem, but because it's
quick and easy to try, it's almost always worth trying as a first
step.


But it first must be turned on for each drive that you want
to protect.




It's only useful for the drive on which Windows is installed.



Ken,

If you are running Win10 check out the options for making restore points
(you can select all drives) and then type Storage in the search window and
go to Storage. Scroll to "More Storage settings" and select "Change where
new content is saved". If you have a USB thumb drive or a micro SD card
installed, it will show those as storage devices that can then be selected
under each category such as shown (New apps will save to) and then you can
select the device.

So if you have apps installed on a storage device other than C: and you or
the system make a restore point, it will include the references to the
storage device and restore the registry and settings needed.

Not sure if you are the same Ken Blake but here's a post I found:
https://answers.microsoft.com/en-us/...88c5cb2?auth=1

This is one reference about the recovery options in Win10:
https://support.microsoft.com/en-us/...covery-options.

You can do a search yourself to discover what others think about the
effectiveness of using a restore point to get rid of malware. You will find
quite the opposite. But that aside, you agree with the basic premise. I
did not say "never" in my comments and I qualified it in the following
sentence. I think you're over analyzing things.

Bob S.


  #26  
Old February 13th 18, 03:36 AM posted to alt.comp.os.windows-10
Bob_S[_2_]



"Mayayana" wrote in message news
"Mike S" wrote

| My neighbor complained about her machine running really slowly and being
| basically unusable....

If you want to deal with it yourself you might find this useful:

https://channel9.msdn.com/Events/Tec...2014/DCIM-B368
https://sec.ch9.ms/sessions/teched/n.../DCIM-B368.mp4

It's a video by Mark Russinovich about how to use
his Sysinternals tools to handle malware. As he
says repeatedly, Task Manager is not the best tool.

Thanks. Had not seen that video in the past but was worth watching to see
how to use some of the more detailed features in his tools. The .mp4
version is a bit easier on the eyes.

Bob S.

  #27  
Old February 13th 18, 04:42 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/12/2018 4:41 AM, Mayayana wrote:
"Mike S" wrote

| My neighbor complained about her machine running really slowly and being
| basically unusable....

If you want to deal with it yourself you might find this useful:

https://channel9.msdn.com/Events/Tec...2014/DCIM-B368
https://sec.ch9.ms/sessions/teched/n.../DCIM-B368.mp4

It's a video by Mark Russinovich about how to use
his Sysinternals tools to handle malware. As he
says repeatedly, Task Manager is not the best tool.


A w10 repair install and scans with 5 scanners and sfc/scannow has it
looking good, hope I got all of the bugs.

I'm watching the video now, thanks!

  #28  
Old February 13th 18, 05:47 AM posted to alt.comp.os.windows-10
Mike S[_4_]

On 2/12/2018 4:41 AM, Mayayana wrote:
"Mike S" wrote

| My neighbor complained about her machine running really slowly and being
| basically unusable....

If you want to deal with it yourself you might find this useful:

https://channel9.msdn.com/Events/Tec...2014/DCIM-B368
https://sec.ch9.ms/sessions/teched/n.../DCIM-B368.mp4

It's a video by Mark Russinovich about how to use
his Sysinternals tools to handle malware. As he
says repeatedly, Task Manager is not the best tool.


Mayayana,

GREAT video, thank you. I downloaded the video and Sysinternals to a USB
stick for future use.

For anyone curious

Scan/Clean Strategy
- Disconnect from network
- Identify malicious processes and drivers
- Terminate identified processes
- Identify and delete malware autostarts
- Delete malware files
- Reboot and repeat

Look for processes that
- have no icon
- have no description or company name
- unsigned MS images
- live in Windows directory or user profile
- are packed (compressed or encrypted)
- include strange urls in their strings
- have open tcp/ip end points
- host suspicious dlls or services

Use Process Explorer (vs Task Manager)
- looks for dll versioning problems
- finds locked files
- looks for memory leaks, hung processes
- it has a window finder which shows you which process owns a window
- pink are windows processes, blue are your processes
- can verify all process digital signatures, e.g. present/valid/revoked
(must be connected to network)
- has integrated malware scanner (uses VirusTotal.com online malware
scanner)

Sysinternals Suite
By Mark Russinovich
Updated: December 12, 2017
Download Sysinternals Suite (22.6 MB)
https://docs.microsoft.com/en-us/sys...nternals-suite

Major Geeks
Microsoft Sysinternals Suite February, 2018
Author: Microsoft Corp.
Date: 02/12/2018 08:10 AM
http://www.majorgeeks.com/files/deta...als_suite.html
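
Added example, not part of the post above or of the Sysinternals tools: a read-only PowerShell function that applies four items from the "Look for processes that" checklist (no description or company name, signature not valid, image under the Windows directory or user profile, open TCP endpoints) to the running processes. The function name `Get-SuspectProcess` and the `MinimumHits` threshold are hypothetical choices for this example; treating any non-valid signature as a hit generalizes the list's "unsigned MS images" item.

```powershell
# Added example: score running processes against part of the checklist.
# Read-only: it lists and scores processes; it terminates and deletes nothing.
# Run from an elevated prompt, otherwise image paths of protected processes
# are not readable and those processes are skipped.

function Get-SuspectProcess {
    [CmdletBinding()]
    param(
        # Checklist hits required before a process is reported (assumed default).
        # Signed system binaries score 1 for location alone, so 2 filters them out.
        [int]$MinimumHits = 2
    )

    # PIDs that own a listening or established TCP endpoint.
    $tcpPids = @{}
    Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue |
        ForEach-Object { $tcpPids[[int]$_.OwningProcess] = $true }

    $winDir  = $env:windir
    $userDir = $env:USERPROFILE

    foreach ($proc in Get-Process) {
        $path = $proc.Path
        if (-not $path) { continue }   # path not readable (access denied or exited)

        $hits = New-Object 'System.Collections.Generic.List[string]'

        # "have no description or company name"
        try {
            $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        } catch {
            continue                   # image file vanished between the two calls
        }
        if ([string]::IsNullOrWhiteSpace($ver.FileDescription) -or
            [string]::IsNullOrWhiteSpace($ver.CompanyName)) {
            $hits.Add('no description or company name')
        }

        # "unsigned MS images", generalized to any signature that is not Valid
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') {
            if ($ver.CompanyName -match 'Microsoft') {
                $hits.Add("claims Microsoft, signature $($sig.Status)")
            } else {
                $hits.Add("signature $($sig.Status)")
            }
        }

        # "live in Windows directory or user profile"
        if ($path.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase) -or
            $path.StartsWith($userDir, [StringComparison]::OrdinalIgnoreCase)) {
            $hits.Add('runs from Windows directory or user profile')
        }

        # "have open tcp/ip end points"
        if ($tcpPids.ContainsKey($proc.Id)) {
            $hits.Add('open TCP endpoint')
        }

        if ($hits.Count -ge $MinimumHits) {
            [pscustomobject]@{
                Id      = $proc.Id
                Name    = $proc.ProcessName
                Path    = $path
                Hits    = $hits.Count
                Reasons = $hits -join '; '
            }
        }
    }
}

Get-SuspectProcess | Sort-Object Hits -Descending | Format-Table -AutoSize -Wrap
```

A high score is a reason to look at the process in Process Explorer, not a verdict; the remaining checklist items (packing, strings, hosted DLLs) still need the Sysinternals tools.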

 




All times are GMT +1.