
"Interstitial information" + "Requested Resource in use" (svcvmx and vmxclient)


  • This topic is locked
4 replies to this topic

#1 Vynl

Vynl

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 20 May 2017 - 04:19 PM

For the past 5 days, I have been through endless self-help guides and scoured multiple topics related to these two dingleberries.

Let me say, this is the most aggressive malware that I have ever encountered. No AVs will work (I've tried about 20), Rkill will not work (including in renamed .exe's), I can't seem to boot from USB, attempted to disable the malware service (it says disabled, but it does not appear so), attempted to delete the local malware files (apparently I need elevated permissions, even though I am the administrator of this PC), System Refresh / Restore will not launch, and it has virtually annihilated any attempts at direct connection to a browser. Almost all of my attempts have been thwarted with "The requested resource is in use" or "You need permissions to perform this action".

 

I believe I have narrowed the main issue files down to "vmxclient.exe" and "svcvmx.exe" under a folder aptly named "svcvmx" in the "C:\Users\Janet\AppData\Local\ntuserlitelist" directory that also contains folders for "dataup", "regtool", and "winscr".


Edited by Vynl, 20 May 2017 - 05:39 PM.



#2 RayS

RayS

  • Malware Study Hall Senior
  • 2,226 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:08 AM

Posted 25 May 2017 - 04:06 PM

Hello Vynl,

My name is Ray and I'll be assisting you with your issue. Please give me a day or two to review your logs and prepare a reply. Since I'm still a trainee, all my posts have to be reviewed by my instructor prior to being posted to make sure that you receive the best assistance possible.

Thank you for your understanding, I'll be with you shortly!

RayS


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


#3 RayS

RayS

  • Malware Study Hall Senior
  • 2,226 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:08 AM

Posted 29 May 2017 - 05:27 AM

Hello Vynl, and welcome to Bleeping Computer.

Please call me "Ray".

I will be helping you with your computer problem.
 

  • Please do not attach any log files to your replies unless specifically requested. Instead, please copy and paste the entire text of the logs into the body of your reply. Use separate consecutive posts if that's easier for you.
  • Please do not try to fix anything or run (or re-run) any tools without being advised to do so.
  • Always read my entire message before you begin to follow my instructions.
  • It may be helpful for you to print my instructions for easy reference.
  • Perform my instructions in the order as given.
  • Click More Reply Options and then Preview Post before you post a reply. Be sure your message addresses all the issues I raise.
  • Any fixes I provide are for this specific problem on this machine only.
  • Removing malware is hazardous. I will not knowingly advise actions that will damage your computer, but it is impossible to guarantee the safety of your system. It may even become necessary to re-format and re-install your operating system. Before we proceed, you should back up all your data -- preferably to a different computer or to off-line storage.


Some preliminary questions


  1. What symptoms did you see when you tried to run RKill? Give a full description including verbatim error messages, if any.
  2. What operating system were you attempting to boot from USB?
  3. When you boot normally from the internal hard disk, does your PC recognize the USB device?
  4. Are you able to read the files and folders contained on the USB device?
  5. Which of the following browsers are you able to launch: Chrome, Firefox, Internet Explorer?
  6. Are you able to connect to the internet with any browser? If so, which one(s)?
  7. Does the PC show any other abnormal symptoms?
  8. Do you have a Windows 8 system disk available?

Please provide complete answers to all eight numbered questions.


Overview

 

We will enter Safe Mode and run the Farbar Recovery Scan Tool (FRST) in Fix mode to execute a script. Then we will reboot into Normal mode and obtain logs by running FRST64.exe in Scan mode.


Boot into Safe Mode

How To Boot Into Safe Mode On Windows 8 (The Easy Way)

  • When you see the login screen, hold down the SHIFT key and click Restart.
  • On the troubleshooting screen, click Troubleshoot.
  • Click Advanced options.
  • Click Windows Startup Settings.
  • Click Restart.
  • On the Advanced Boot Options window (black screen), use arrow keys to select Safe Mode and press Enter on your keyboard.


Let's run Farbar Recovery Scan Tool (FRST) in FIX mode

Save your work and exit all programs because Farbar Recovery Scan Tool may reboot your computer.
 

  • Right-click on FRST64.exe and click Run as administrator to open the Farbar Recovery Scan Tool window.
  • Select the entire contents of the following code box. (Place your cursor inside the code box and press Ctrl+A)
  • Now press Ctrl+C to copy the contents into your clipboard.
Start::

CloseProcesses:
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [2183752 2017-04-05] ()
C:\Users\Janet\AppData\Local\ntuserlitelist\
C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\
HKLM-x32\...\Run: [svcvmx] => C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-04-21] ()
2017-04-21 15:37 - 2017-04-21 15:37 - 00884224 _____ () C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
2017-04-21 16:28 - 2017-04-21 16:28 - 01080832 _____ () C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
2017-01-14 19:40 - 2017-01-14 19:40 - 53460992 _____ () C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\libegl.dll
C:\Users\Janet\AppData\Local\ntuserlitelist\dataup\
2017-01-05 17:36 - 2017-01-05 17:36 - 00077824 _____ () C:\Users\Janet\AppData\Local\ntuserlitelist\dataup\dataup.exe
2017-05-04 11:13 - 2017-05-04 11:13 - 00235520 _____ () C:\Users\Janet\AppData\Local\ntuserlitelist\dataup\help_dll.dll
MSCONFIG\Services: Dataup =>
() C:\Windows\System32\tprdpw64.exe
C:\Windows\System32\tprdpw64.exe
() C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
() C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
C:\Users\Janet\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
() C:\Users\Janet\AppData\Local\ntuserlitelist\dataup\dataup.exe
C:\Users\Janet\AppData\Local\ntuserlitelist\dataup\dataup.exe
BHO-x32: Поиск@Mail.Ru -> {8E8F97CD-60B5-456F-A201-73065652D099} -> C:\Users\Janet\AppData\Local\Mail.Ru\Sputnik\IESearchPlugin.dll [2017-05-14] (Mail.Ru)
C:\Users\Janet\AppData\Local\Mail.Ru\Sputnik\IESearchPlugin.dll
2017-05-04 11:13 - 2017-05-04 11:13 - 00235520 _____ () C:\Users\Janet\AppData\Local\ntuserlitelist\dataup\help_dll.dll
C:\Users\Janet\AppData\Local\ntuserlitelist\dataup\help_dll.dll
"drmkpro64" => service could not be unlocked. <===== ATTENTION
R5 drmkpro64; <===== ATTENTION: Locked Service
CMD: dir *drmkpro64* /s

End::
  • Click the Fix button in the Farbar Recovery Scan Tool window.
  • Wait until the program completes execution.
  • The tool will create a log (Fixlog.txt). Please post it into your reply.

NOTICE: This script was written specifically for this user to be used on this particular machine. Running this script on another machine may cause damage to your operating system.



Re-scan with Farbar Recovery Scan Tool


  • Right-click FRST64.exe then click Run as administrator.
  • When the tool opens, click Yes to disclaimer.
  • Add a checkmark next to List BCD and Addition.txt
  • Press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory where the tool was run from.
  • Please copy and paste both logs into your next reply.



Summary


  • Confirm that you have backed up all your important files.
  • Please provide answers to the eight numbered questions above.
  • Copy and paste the entire contents of Fixlog.txt into the body of your reply.
  • Copy and paste the entire contents of FRST.txt and Addition.txt into the body of your reply.
  • How is your PC running now?

Please re-read your reply and be sure you have addressed all requested issues before you post.

Thank you,

Ray


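As an added example, not part of this thread and not FRST's own code: a read-only PowerShell audit of the persistence points the fix script above targets (the ntuserlitelist files, the svcvmx and vProt Run values, the Dataup and drmkpro64 services, and any process still running from that folder), so a helper can confirm what is present before or after the fix. It assumes the files sit under the current user's profile (the thread's C:\Users\Janet becomes $env:LOCALAPPDATA) and it changes nothing.

```powershell
# Added example (not from the thread or from FRST): enumerate the indicators
# named in the thread's FRST fix, read-only. Run from an elevated prompt.
# Assumption: the infected profile is the current user, so C:\Users\Janet\AppData\Local
# is taken from $env:LOCALAPPDATA.
$base = Join-Path $env:LOCALAPPDATA 'ntuserlitelist'
$paths = @(
    (Join-Path $base 'svcvmx\svcvmx.exe'),
    (Join-Path $base 'svcvmx\vmxclient.exe'),
    (Join-Path $base 'dataup\dataup.exe'),
    (Join-Path $base 'dataup\help_dll.dll'),
    "$env:SystemRoot\System32\tprdpw64.exe"
)
# HKLM-x32\...\Run in FRST notation is the WOW6432Node Run key; the others are checked too.
$runKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$runValues = @('svcvmx', 'vProt')
$services  = @('Dataup', 'drmkpro64')
$findings  = @()

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $findings += "FILE    $p ($($f.Length) bytes, written $($f.LastWriteTime))"
    }
}
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($v in $runValues) {
        if ($props.PSObject.Properties.Name -contains $v) {
            $findings += "RUNKEY  $k\$v = $($props.$v)"
        }
    }
}
foreach ($s in $services) {
    # Win32_Service also reports the binary path and start mode of a service
    # that Get-Service cannot open (the "locked service" FRST flagged).
    $svc = Get-CimInstance Win32_Service -Filter "Name='$s'" -ErrorAction SilentlyContinue
    if ($svc) { $findings += "SERVICE $s state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)" }
}
# Anything still executing out of the folder (what the fix's CloseProcesses would stop)
foreach ($proc in (Get-Process | Where-Object { $_.Path -like "$base*" })) {
    $findings += "PROCESS $($proc.Id) $($proc.Path)"
}
if ($findings.Count -eq 0) { 'No indicators from this thread found.' } else { $findings }
```

Save the output alongside Fixlog.txt; an empty result after the fix is the confirmation the helper would look for, while a surviving SERVICE line for drmkpro64 is the case FRST reported it could not unlock.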


#4 RayS

RayS

  • Malware Study Hall Senior
  • 2,226 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:05:08 AM

Posted 31 May 2017 - 10:37 PM

Hi Vynl,

3 Day Bump

It has been 3 days since my last post.

  • Do you still need help with this? If not, please let me know as soon as possible. Other people are requesting my help.
  • If you will be away for an extended period, please let me know in advance.
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Thank you,

Ray




#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,981 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:12:08 PM

Posted 03 June 2017 - 02:21 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft