
Ughhh yes svcvmx and smart service


  • This topic is locked
61 replies to this topic

#1 NickRaboya

NickRaboya

  • Members
  • 35 posts

Posted 18 May 2017 - 10:50 PM

So...yeah trojan I get it..."requested resource is in use" means no anti-malware.exe, I get it. Man Aura I swear if u had seen this virus in its heyday (aka a week ago) you'd probably wet your pants. Mine are still soaked. So here's a little rundown:

 

A week ago I downloaded a file that turned into an installation prompt. And me being the trusting fellow I am, I of course gave it administrative approval. And when I tell you this thing was malicious, I swear on everything, any man in his right mind would think his computer was toast. Luckily though there's this thing called Google that mitigated the situation. "Mitigated."

 

A Week Ago

 

Situation Rundown: Every time I logged in to my computer, after about 30-45 seconds an Internet Explorer window would pop up and then soon after the infamous BSOD (Blue Screen Of Death, not to be confused with the equally dreadful Xbox red ring of death). As I said though, Google threw me a clean hail mary with a nice Admin Command Prompt script "bcdedit /set {bootmgr} displaybootmenu yes". After this I was able to enter safe mode, something I was unable to do because the virus edited the registry to prevent Shift+Restart from triggering Windows Recovery Environment (which by the way I am still incapable of fixing. SIDE NOTE: Aura, is there a way to fix the registry so I can re-enable this feature, WinRE?)

Anyways, as I said, I managed to get past the storm but I'm still dealing with choppy waters (if you'd like more detail here's a URL: https://answers.microsoft.com/en-us/windows/forum/windows8_1-update/driver-irql-not-less-or-equal-to-bsod-rootkitvirus/881ad2c8-da74-4ccf-960f-be5a16a2083f hopefully it temporarily helps some people). And this brings me to why I'm here today:

 

It's been about a week since the incident and I decided to run some anti-virus programs to be safe.

Well... my man smart service wanted to toss me a solid "requested resource is in use". And me being suspicious of the serendipity of the situation, I investigated my task manager to find Smart Service and svcvmx working their magic. Now I understand svcvmx is an adware and comparatively harmless to its despicable counterpart, however I like to surf the waves of the world wide web without the intrusive abruptness of penile enhancement products and other material of a distasteful nature. So here are the details:

 

-Smart Service as well as svcvmx are not deleting. I have changed the permissions and ownership and even went as far as to edit the registry so that Taking Ownership was an option when I right click on files. No cigar

 

-I tried downloading Rkill to remove the virus along with an array of other programs but no luck. "requested resource is in use" is all I get

 

I know of u Aura because I've been investigating this problem for some time and you've helped many people. Sadly however Malwarebytes (one of your solves for an equally lost traveller) will not operate with the virus software's resource in use workaround. God this is a smart motherbleeper! Hopefully you have a solve and hopefully it won't require logs. I will if I must but...come on Y.

 

P.S. This isn't grossly immediate, the only issue right now is the adware slowing up my cpu speed. When I had the original issue a week ago I manually eradicated most of the virus/es but in conjunction with a trojan like smart screen adware may be able to be used to expose certain private online info I don't want out there. Thank god for mobile banking :/ A program called RogueKiller does however work but of course I only have access to the trial version...

 

Help ME :tophat:

 

 




 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts

Posted 19 May 2017 - 07:32 AM

Hi NickRaboya :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Sadly however Malwarebytes (one of your solves for an equally lost traveller) will not operate with the virus software's resource in use workaround.


Did you run MBAR by following the instructions in the thread below?

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 NickRaboya


Posted 19 May 2017 - 11:02 AM

a) how do i give you logs

 

b) Malwarebytes still won't work. I get this error message:

 

 

Windows Script Host
Script: C:\Users\Nicho\AppData\Local\Temp\mbar.vbs
Line: 8
Char: 37
Error: Expected end of statement
Code: 800A0410
Source: Microsoft VBScript Compilation Error


Edited by NickRaboya, 19 May 2017 - 11:03 AM.


#4 Aura


Posted 19 May 2017 - 11:03 AM

You can attach your logs by clicking on the More Reply Options button, followed by Choose Files... under the reply box.

Is this when you launch MBAR.exe? What if you launch MBAR.cmd (which is also in the MBAR folder)?



#5 NickRaboya


Posted 19 May 2017 - 12:31 PM

here's what mbar.cmd does...

Attached Files


Edited by NickRaboya, 19 May 2017 - 12:32 PM.


#6 NickRaboya


Posted 19 May 2017 - 12:32 PM

I still don't know where the log files are located on my computer...

 

and no, Malwarebytes and all applications in it won't work, including mbar.cmd.



#7 Aura


Posted 19 May 2017 - 12:49 PM

Alright, follow the instructions below.

Temp File Cleaner (TFC)
  • Download Temp File Cleaner (TFC) and move it to your Desktop;
  • Right-click on TFC.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Simply click on Start to launch the clean-up and wait until it completes;
  • Depending on which processes are running, all your programs will be closed and explorer.exe (your Windows shell) will be killed, it will however be relaunched shortly after so do not panic;
  • There's no log to give for this tool;
Once done, try to run MBAR again, and let me know if you get the same error message.



#8 NickRaboya


Posted 19 May 2017 - 01:07 PM

this is what happens when i run tfc.exe

https://youtu.be/y7O4Aa5W1c8

is this normal and if so what's the wait time?

#9 Aura


Posted 19 May 2017 - 01:09 PM

Yes, that's normal. It's cleaning all your temp files, and if you have a lot of them, it can take a bit.



#10 NickRaboya


Posted 19 May 2017 - 01:11 PM

also is it possible that a virus could edit the registry so it is impossible to delete certain applications. and if so can it be reversed? i swear i have done everything to delete these files, i have edited the right-click drop down to show take ownership and even force deleted these file folders in command prompt admin. always access denied. how does one force access denials in admin command prompt...

#11 NickRaboya


Posted 19 May 2017 - 01:34 PM

it's still loading, what should I do?

#12 Aura


Posted 19 May 2017 - 01:57 PM

Give it time.

also is it possible that a virus could edit the registry so it is impossible to delete certain applications. and if so can it be reversed? i swear i have done everything to delete these files, i have edited the right-click drop down to show take ownership and even force deleted these file folders in command prompt admin. always access denied. how does one force access denials in admin command prompt...


It is, but usually, it's something else protecting files from being deleted (like a driver).

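Editor's added example, not part of the original thread or of any tool named in it: the reply above says that what usually keeps files from being deleted is a driver, and this read-only PowerShell check lists running kernel drivers whose image is missing, not validly signed, or not signed by Microsoft. The helper name Resolve-DriverPath is hypothetical, and the "O=Microsoft Corporation" signer match is an assumption about how to separate in-box drivers from third-party ones.

```powershell
# Added example (not from the thread): read-only triage of running kernel drivers.
# The result is a review list, not a verdict: GPU, audio and antivirus drivers
# legitimately appear in it. Run from an elevated PowerShell prompt.
# Before PowerShell 5.1, Get-AuthenticodeSignature does not check catalog
# signatures, so many in-box drivers show up as NotSigned there.

function Resolve-DriverPath {          # hypothetical helper name
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several forms:
    #   \??\C:\dir\x.sys   \SystemRoot\System32\drivers\x.sys   system32\drivers\x.sys
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$review = foreach ($d in Get-CimInstance Win32_SystemDriver) {
    if ($d.State -ne 'Running' -or -not $d.PathName) { continue }
    $path = Resolve-DriverPath $d.PathName
    $row  = [ordered]@{ Name = $d.Name; Path = $path; Status = 'FileNotFound'
                        Signer = $null; Created = $null }
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Skip drivers with a valid signature issued to Microsoft.
        if ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation') { continue }
        $row.Status  = [string]$sig.Status
        $row.Signer  = $sig.SignerCertificate.Subject
        $row.Created = (Get-Item -LiteralPath $path -Force).CreationTime
    }
    [pscustomobject]$row
}

# Newest driver files first: an image created around the time of the infection
# is the one to raise with the helper.
$review | Sort-Object Created -Descending | Format-Table -AutoSize -Wrap

# File system minifilters can also block access to files; list the loaded ones.
fltmc filters
```

A driver reported as FileNotFound is registered and running while its image cannot be seen at the resolved path, which is worth including when posting results.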


#13 NickRaboya


Posted 19 May 2017 - 02:12 PM

yessir

#14 NickRaboya


Posted 19 May 2017 - 03:01 PM

so how will i know when the scan is done?

#15 NickRaboya


Posted 19 May 2017 - 04:21 PM

TFC.exe did not allow mbar to open :(



