Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

WINVMX & "The Requested Resource Is In Use" - Tried all suggestions on forum...


  • This topic is locked This topic is locked
11 replies to this topic

#1 Will_B

Will_B

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 26 March 2017 - 05:52 PM

Earlier today it seems I was infected with a virus, after digging around it looks like it's the WINVMX virus as well as a trojan Win32 Self.Del.B.  I've spent the entire day trying to figure out how to remove this, but no such luck. 

 

I have downloaded a huge variety of anti virus/malware tools, but almost all of them don't open and just provide the "Requested Resource is in Use Error".  One of the strange things I've noticed is that occasionally it will let me open some tools/run a scan - for example I was able to use Rogue Killer which found 22 errors and deleted them.  However it didn't really change any of the issues and then stopped working after the first scan.

 

It seems like my computer blocks not just Anti-virus/malware, but just EXE files in general, although I've spent most of the time dealing with files related to removing this.

 

I was able to run FRST and I've attached the logs here.  I'm at my wits end and just can't figure it out, I'm especially concerned since this computer is pretty much brand new!  I would prefer not to re-install Windows if possible, but at least I'm not losing a ton of data if it comes to that.  I'm not sure that solution would work however at this point.

 

Any help is greatly appreciated!

Attached Files



BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:38 PM

Posted 27 March 2017 - 06:16 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Let me see the logs and will reply back.

 

 

Regards,

Georgi


cXfZ4wS.png


#3 Will_B

Will_B
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 27 March 2017 - 06:45 AM

Hi Georgi,

 

Thanks for responding back so quickly.  I actually spent quite a bit more time last night and I "think" I may have removed the mal-ware,  I managed to get MalwareBytes Anti-Rootkit to run a few times and remove it, as well as MWB and HitmanPro.  I used the same steps as a guide I found in a thread just a day or two either here or MWB forum.

 

The issue that was creating biggest pain was how the mal-ware was blocking pretty much all anti-virus and even most EXE files from running even in Safe Mode.  What eventually worked for me so that others might try this method, was running within Safe Mode and right clicking any program and using "Troubleshooting".  I was then able to go in and elevate permission to Administrator from there (when other times running as Admin did not change the error messages).  I occasionally needed to try a couple times, but this got me through and allowed me to run the software needed to remove it.

 

I ran MWB Anti-Root Kit 2 or 3 times, until there was nothing additional found.  I then ran the clean uninstaller for MWB and removed the program, then reinstalled a new clean version.  I ran this a few times to check for anything additional.  I then ran HitmanPro which found one additional piece of Malware potentially unrelated to the original issues.

 

I haven't seen any further sign of infection since all of this, but if I can provide any more details or log files it would really appreciate any additional assurance that it's been removed.  I've never quite seen an infection this frustrating or bad before, certainly makes me more cautious now.


Edited by Will_B, 27 March 2017 - 06:46 AM.


#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:38 PM

Posted 27 March 2017 - 07:03 AM

Hi,

 

 

We will need to run this fix in the Recovery Environment. You will need a USB Flash drive.

Please download the attached file => Attached File  fixlist.txt   2.37KB   15 downloads and save it to your USB flash drive.

 

Next please download Farbar Recovery Scan Tool and save it to your USB flash drive.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

 

Note: In case you can not enter System Recovery Options by using the methods described in the article above, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 10 consult:
https://www.tenforums.com/tutorials/36083-create-system-repair-disc-windows-10-a.html

To enter System Recovery Options by using Windows installation disc:

 

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Select your language preferences, and click/tap on Next.
  • Click Repair your computer.
  • After that, it will show you the three options and now you’ll need to select the second one called “Troubleshoot” and then right under the troubleshoot menu, select the third option called “Advanced options”.
  • On the System Recovery Options menu you will get the following options:
  • Select Command Prompt

 

Once in the Command Prompt:

 

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and saved in the same location the tool was ran from.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 

Restart the computer. Please copy and paste its contents in your next reply.

 

Regards,

Georgi


cXfZ4wS.png


#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:38 PM

Posted 27 March 2017 - 07:05 AM

Hi,

 

You can skip the steps above then.

Run a new scan with FRST and post back the results.

 

 

Regards,

Georgi


cXfZ4wS.png


#6 Will_B

Will_B
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 27 March 2017 - 04:33 PM

Hi,

 

Sorry for the delay getting back to you, I've been at work all day and just had a chance to run FRST.  Attached below are the logs.  I really appreciate the help!

 

 

Attached Files



#7 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:38 PM

Posted 28 March 2017 - 04:49 AM

Hi,

 

 

I can still see some malware remnants in the logs.

 

Please download the following file => Attached File  fixlist.txt   1.87KB   15 downloads and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

This script was written specifically for you, for use on that particular machine.

 

Let me know how are things after the fix above.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 28 March 2017 - 04:49 AM.

cXfZ4wS.png


#8 Will_B

Will_B
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 28 March 2017 - 05:17 AM

Hi,

 

Thanks for the quick response, below is the Fixlog.txt after I ran the script you provided.  Let me know if there's anything further left, this was very helpful I thought it had been completely removed.

Attached Files


Edited by Will_B, 28 March 2017 - 05:35 AM.


#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:38 PM

Posted 28 March 2017 - 06:26 AM

Hi Willi,

 

Do you know what this file is?

 

C:\Program Files\Oculus.exe

 

Can you upload it to VirusTotal and post back the link with the results?

 

I noticed that you ran a lot of malware removal tools on your own but I want to be sure that your system is completely malware free.

 

Here are the last set of steps just to make sure nothing is lurking in the dark corners.

 

 

STEP 1

 
Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mb3-setup-consumer-3.0.6.1469.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.

How to get logs: (Export log to save as txt)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.

(Copy to clipboard for pasting into forum replies or tickets)

  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'

 

 

STEP 2


1.Please download HitmanPro.

2.Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 5 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
 
96QH4u9.jpg
 
8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.
 

 

 

STEP 3
 

 

  • Download EmsisoftEmergencyKit, run the exe and extract the content in a folder of your choice like (C:\EEK) by clicking the Extract button.
  • Double-click the desktop-shortcut called Start Emsisoft Emergency Kit to start the tool.
  • Click on the "Yes" button when asked to obtain the latest malware definitions.
  • Once the update is complete click "Scan".
  • Click on the "Yes" button when asked to enable the scan for Potentially Unwanted Applications.
  • Next click on the Custom Scan and select only drive C:\ to be scanned and remove the rest of the drives from the list. When the scan complete, click on the View Report button (don't delete or quarantine anything).
  • Please attach the content of the report in your next reply.

 

 

STEP 4

 

 

And finally I'd like us to scan your machine with ESET OnlineScan

 

  • Please download and run ESET Online Scanner
  • Check qy7AMI8.jpg (if available) and click on the ePL5oyv.jpg button.
  • Check the option beside: Enable detection of potentially unwanted applications.
  • Now click on Advanced Settings and make sure that the option Clean threats automatically is NOT checked, and select the following:

 

  • Enable detection of potentially unsafe applications
  • Enable detection of suspicious applications
  • Scan archives
  • Enable Anti-Stealth Technology

 

  • Click on the Change button and select only Operating memory, Autostart locations and drive C:\ to be scanned.

yKulboi.jpg

 

  • Push the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes a list of found threats will open automatically (if any malicious files are found).
  • Push save to text file and save the file to your desktop using a unique name, such as ESETScan.txt. Include the contents of this report in your next reply.
  • Push the do not clean button.
  • Push a3dBJq5.jpg and the close the application.

 

 

Regards,

Georgi


cXfZ4wS.png


#10 Will_B

Will_B
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:09:38 PM

Posted 28 March 2017 - 07:37 AM

Hi,

 

I wondered the same thing regarding the Oculus.exe file.  Looking at the description of the file, it's titled "ConsoleApplication1".  This computer is very new and featured as "Oculus VR Ready", and I just noticed a small logo on the front of the tower with the same icon logo that's on the EXE.  I suspect it is legitimate, perhaps small bloatware, but let me know your thoughts.

 

I went ahead and scanned it, here is the link from VirusTotal. 

 

I have also attached the export from MalwareBytes scan, HitmanPro, EEK as well for further review, looks like nothing was picked up but maybe I'm missing it.  ESET scanner didn't find anything and I didn't see an option for saving log.  I can re-run that once I get back from work however if needed.

 

I really appreciate your time helping with this, have a beer on me, enjoy!

Attached Files



#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:38 PM

Posted 28 March 2017 - 09:43 AM

Hi,

 

 

Thank you for the beers default_beer.gifdefault_beer11.gif

 

All logs are clean which is a good sign.

 

Now that we are at the end of our journey I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

 

 

STEP 1 - UPDATING TASKS

 

 

  • It is possible for programs on your computer to have security vulnerability that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector or you can use the following application for this purpose PatchMyPC.
  • You may take a look at UCheck as well.

 

 
Visit Microsoft's Windows Update Site Frequently

 

  • It is important that you check for Windows Updates regularly.
  • This will ensure your computer has always the latest security updates available installed on your computer.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

 

STEP 2 - CLEANUP


Here are a few additional steps on how to remove all of the tools we used:

 

  • Please download Delfix.exe by Xplode and save it to your desktop.
  • Please start it and check the box next to "Remove disinfection tools" and uncheck the rest and click on the run button.
  • The tool will delete itself once it finishes.

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

 

You can delete the following folders:

 

C:\ProgramData\HitmanPro => to delete the leftovers from HitmanPro
C:\EEK => to delete the leftovers from EmsisoftEmergencyKit

C:\Users\tierz\AppData\Local\ESET => to delete the leftovers from Eset Online Scanner

I suggest you leave Malwarebytes installed for on-demand scans but if you want to uninstall it then you can use this tool

 

 

STEP 3 - SECURITY ADVISES
 

 

Keep your antivirus software turned on and up-to-date

 

  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  • Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Note2: You should scan your computer with an antimalware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software. Be sure to check for and download any definition updates prior to performing a scan. Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.

 

 

Be prepared for CryptoLocker and similar threats:

 

 

Since the prevention is better than cure you can purchase a license for Malwarebytes Anti-Malware (because Malwarebytes Anti-Ransomware and Malwarebytes Anti-Exploit are also included in the Premium version of Malwarebytes Anti-Malware 3) or try a free program such as Kaspersky Antiransomware for business.

In addition to whatever you choose to use I would suggest you to add CryptoPrevent to supplement them to secure the PC against these lockers. Also make regular backups of your important documents.

 

You can use a standard user account with UAC enabled. If you need administrative privileges to perform some tasks, then you can use Run As or log on as the administrator account for that specific task.

 

 

Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.  Below are a list of simple precautions to take to keep your computer clean and running securely:

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • .zip, .exe, .com, .bat, .pif, .scr, .cmd, .cab .vbs or .js do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams.  For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. I suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use Bitdefender TrafficLight or Avira Browser Safety to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
  • You may want to install Unchecky to prevent adware bundled into many free programs to install.
  • Make the extensions for known file types visible: Be worried of files with a double extension such as image.jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.
  • Disable Autorun: It's a good idea to disable the Autorun functionality to prevent spreading of the infections from USB flash drives. Check the article here for more information. Also you can install McShield - to prevent infections spread by removable media.
  • Disable and Windows Scripting Host: If you don't use any script files then you can go ahead and disable Windows Scripting Host using the tool provided by Symantec - NoScript.exe. Simple download and run it and click on the Disable button and reboot the computer. If you need to run any js. or vbs scripts at a later stage you should run NoScript.exe again and select Enable, then reboot the computer.
  • Install Adblock Plus to surf the web without annoying ads!

 

 
Create an image of your system (you can use the built-in Windows software as well if you prefer)

 

 

  • Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
  • Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorial on how to create an system image can be found here.
  • It's a good idea to add Macrium to the boot menu to access it if Windows won't start and you don't have a Rescue CD.
  • The tutorial on how to restore an system image can be found here.
  • Be sure to read the tutorials first.

 

 

Follow this list and your potential for being infected again will reduce dramatically.

 

Safe Surfing !

 

Regards,
Georgi


Edited by B-boy/StyLe/, 28 March 2017 - 09:45 AM.

cXfZ4wS.png


#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:11:38 PM

Posted 30 March 2017 - 05:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

cXfZ4wS.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users