"Requested resource is in use" even when running mbar and/or rkill from usb


  • This topic is locked
19 replies to this topic

#1 RuskiBroski

RuskiBroski

  • Members
  • 12 posts
  • OFFLINE
  •  

Posted 22 August 2017 - 02:12 AM

Started getting a "Requested resource is in use" error when trying to run Malwarebytes. Discovered mbar and it ran the first time but gave the same error after I rebooted. Tried every anti-malware and anti-rootkit program I could find, all getting the same error. I even tried running rkill through a usb under a different name but got the same error. I also wasn't able to get to my computer's advanced start up options other than using a recovery drive, and, without access to the startup settings option, I had to manually activate safe mode w/ cmd using the cmd in the advanced start up options.

 

Below are my FRST.txt, addition.txt, and shortcut.txt when I ran FRST in safe mode w/ cmd from a usb. (figured I'd attach instead of copy-pasting)

 

Attached File  FRST.txt   190.83KB   3 downloads
Attached File  Addition.txt   49.09KB   0 downloads
Attached File  Shortcut.txt   35.35KB   0 downloads

 

From skimming through the FRST.txt I found some programs that seem to be part of the problem (As you will see when looking through the logs as well I assume. Just thought I'd share as much as possible, although it's more than likely that I overlooked something):

drmkpro64.sys

AGProxyCheck

Online Application V2G3

Online Application V2G1

Online Application V2G2.job 

 

 

Can I get a custom fixlist.txt to remove this virus/whatever this is? Thanks in advance!

 

 




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,520 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:31 PM

Posted 22 August 2017 - 08:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Malwarebytes Anti-Rootkit

Please download Anti-Rootkit BETA and save it to your Desktop.
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
If you have any problems running either one come back and let me know.
===

If successful in running the tool, post the log for my review.

Then run the Farbar program and post fresh FRST and Addition.txt logs also.

#3 RuskiBroski


Posted 22 August 2017 - 05:22 PM

Nasdaq,
 
As I previously stated, mbar worked for the first time, then gave the "Requested resource is in use" error after the reboot. Nevertheless, I tried it again and it gave the error.

 

As requested, fresh FRST.txt and Addition.txt below:

 

Attached File  FRST.txt   193.4KB   3 downloads

Attached File  Addition.txt   57.29KB   1 downloads



#4 nasdaq


Posted 23 August 2017 - 01:39 PM

Hi,

ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Unlock: C:\Windows\System32\tprdpw64.exe
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ibtsiva
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ibtsiva" /f
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dataup
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dataup" /f

() C:\Windows\System32\tprdpw64.exe
HKLM-x32\...\Run: [cpx] => "C:\Users\amold\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => "C:\Users\amold\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
HKLM-x32\...\Run: [] => [X]
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:8003
S2 Dataup; C:\Users\amold\AppData\Local\ntuserlitelist\dataup\dataup.exe [X] <==== ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 windowsmanagementservice; C:\Users\amold\AppData\Local\chzrad\wyyro\ct.exe [X] <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-3079941913-556657276-4236322981-1003_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\amold\AppData\Local\Microsoft\OneDrive\17.3.6917.0607_1\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3079941913-556657276-4236322981-1003_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\amold\AppData\Local\Microsoft\OneDrive\17.3.6917.0607_1\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-3079941913-556657276-4236322981-1003_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\amold\AppData\Local\Microsoft\OneDrive\17.3.6917.0607_1\amd64\FileSyncShell64.dll => No File
Task: {06DF3B08-3485-4B2F-9BD0-D41728375276} - \Online Application V2G2 -> No File <==== ATTENTION
Task: {1C1BB0F5-F6FD-4591-9ED4-348328A8FD03} - \Online Application V2G1 -> No File <==== ATTENTION
Task: {59A78F34-B99A-419D-A3D6-625BE8BA73AA} - \Online Application V2G3 -> No File <==== ATTENTION
Task: {8E7F8C16-19A9-42AD-90F0-5CEC0D35B9F1} - \AGProxyCheck -> No File <==== ATTENTION
2017-05-03 17:11 - 2017-05-03 17:11 - 000619008 ____N () C:\windows\system32\tprdpw64.exe
C:\windows\system32\tprdpw64.exe

C:\Windows\System32\Drivers\052F5C45.sys
C:\Windows\System32\Drivers\05784C2E.sys
C:\Windows\System32\Drivers\0B4F5C27.sys
C:\Windows\System32\Drivers\0C1D0430.sys
C:\Windows\System32\Drivers\0C984A60.sys
C:\Windows\System32\Drivers\151D5FF8.sys
C:\Windows\System32\Drivers\17BA5653.sys
C:\Windows\System32\Drivers\192C3EF2.sys
C:\Windows\System32\Drivers\2D215C52.sys
C:\Windows\System32\Drivers\2D895851.sys
C:\Windows\System32\Drivers\2F2B5C48.sys
C:\Windows\System32\Drivers\31365C3E.sys
C:\Windows\System32\Drivers\354C5C2B.sys
C:\Windows\System32\Drivers\3F195FFB.sys
C:\Windows\System32\Drivers\40624E34.sys
C:\Windows\System32\Drivers\41B65656.sys
C:\Windows\System32\Drivers\529B7D81.sys
C:\Windows\System32\Drivers\571D5C55.sys
C:\Windows\System32\Drivers\58CF468C.sys
C:\Windows\System32\Drivers\5F485C2E.sys
C:\Windows\System32\Drivers\633E5005.sys
C:\Windows\System32\Drivers\6C2540A9.sys
C:\Windows\System32\Drivers\73E84483.sys
C:\Windows\System32\Drivers\74012FA7.sys
C:\Windows\System32\Drivers\76F342C9.sys
C:\Windows\System32\Drivers\7C977D85.sys

RemoveProxy:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.

Please post a fresh FRST log for my review. No need for the Addition.txt log.
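
Added example, not part of the thread or of FRST itself: a small Python triage pass over FRST-style lines like those in the fixlist above, listing the autostart, service, task and proxy entries that deserve a look and why. The reason labels and the reading of `[X]` and `No File` as "target not found on disk" are assumptions of this sketch.

```python
import re

# Sample input: lines copied from the fixlist in post #4 of this thread.
SAMPLE = r'''
HKLM-x32\...\Run: [cpx] => "C:\Users\amold\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [] => [X]
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
S2 Dataup; C:\Users\amold\AppData\Local\ntuserlitelist\dataup\dataup.exe [X] <==== ATTENTION
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 windowsmanagementservice; C:\Users\amold\AppData\Local\chzrad\wyyro\ct.exe [X] <==== ATTENTION
Task: {8E7F8C16-19A9-42AD-90F0-5CEC0D35B9F1} - \AGProxyCheck -> No File <==== ATTENTION
'''

ATTN = "<==== ATTENTION"
# One pattern per line type that appears in the thread's fixlists.
PATTERNS = {
    "run": re.compile(r'^HK[^\\]+\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.*)$'),
    "service": re.compile(r'^[RSU]\d (?P<name>[^;]+); (?P<target>.+)$'),
    "task": re.compile(r'^Task: \{[0-9A-Fa-f-]+\} - \\(?P<name>.+?) -> (?P<target>.+)$'),
    "proxy": re.compile(r'^ProxyServer: \[(?P<name>[^\]]+)\] => (?P<target>\S+)$'),
}
USER_PATH = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)
LOOPBACK = re.compile(r'^(127\.\d+\.\d+\.\d+|localhost)(:\d+)?$', re.IGNORECASE)


def triage(text):
    """Return (kind, name, reasons) for each parsed line with at least one reason."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        flagged = line.endswith(ATTN)
        body = line[:-len(ATTN)].rstrip() if flagged else line
        for kind, pattern in PATTERNS.items():
            m = pattern.match(body)
            if not m:
                continue
            target, reasons = m["target"], []
            if flagged:
                reasons.append("flagged by FRST")
            # Services and autoruns launched from a user's AppData are unusual.
            if kind != "proxy" and USER_PATH.search(target):
                reasons.append("runs from user profile")
            # Assumption: "[X]" / "No File" mean the target was not found on disk.
            if target.endswith("[X]") or target == "No File":
                reasons.append("target missing")
            # A system-wide proxy on loopback means a local process sees all web traffic.
            if kind == "proxy" and LOOPBACK.match(target):
                reasons.append("loopback proxy")
            if reasons:
                findings.append((kind, m["name"], reasons))
            break
    return findings


if __name__ == "__main__":
    for kind, name, reasons in triage(SAMPLE):
        print(f"{kind:8} {name or '(empty)':26} {', '.join(reasons)}")
```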

#5 RuskiBroski


Posted 23 August 2017 - 09:08 PM

Nasdaq,

 

I'm still getting the "Requested resource is in use" error for my anti-malware programs.

 

Below are the fixlog.txt and a fresh FRST.txt, as requested. 

 

Attached File  Fixlog.txt   12.09KB   5 downloads

Attached File  FRST.txt   29.35KB   1 downloads



#6 nasdaq


Posted 24 August 2017 - 09:35 AM

Let's try this.

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box (from start to end) below to a new file.
 
Start

CloseProcesses:

Unlock: C:\WINDOWS\System32\drivers\drmkpro64.sys
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f
unlock: C:\Users\amold\AppData\Local\ntuserlitelist\dataup\dataup.exe
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\dataup" /f
unlock: C:\Users\amold\AppData\Local\chzrad\wyyro\ct.exe
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f
unlock: C:\Users\amold\AppData\Local\ntuserlitelist\svcvmx

HKLM-x32\...\Run: [cpx] => "C:\Users\amold\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\amold\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-08-12] ()

S2 Dataup; C:\Users\amold\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
S2 windowsmanagementservice; C:\Users\amold\AppData\Local\chzrad\wyyro\ct.exe [X] <==== ATTENTION
2017-08-23 19:27 - 2017-08-23 19:48 - 000000000 ____D C:\Users\amold\AppData\Local\llssoft
2017-08-23 19:26 - 2017-08-23 19:27 - 000000000 ____D C:\Users\amold\AppData\Local\ntuserlitelist
C:\Users\amold\AppData\Local\ntuserlitelist\svcvmx
C:\WINDOWS\System32\drivers\drmkpro64.sys

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download Zemana AntiMalware and save it to your Desktop.
- You need to unzip it and start.
- Without changing any options, press Scan to begin.
After the short scan is finished, if threats are detected press Next to remove them.

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

- Open Zemana AntiMalware again.
- Click on icon and double click the latest report.
- Now click File > Save As and choose your Desktop before pressing Save.
The only thing left is to attach the saved report in your next message.
---

Try to run the Malwarebytes program.
Post the logs if you can.

Please let me know what problem persists with this computer.

==

p.s.
Post a fresh FRST log if the problem persists.

Also, if at all possible, run the fix and the programs in Normal mode.
If not possible, run in Safe Mode with Networking.

#7 RuskiBroski


Posted 29 August 2017 - 11:37 PM

Here is the Attached File  Fixlog.txt   3.56KB   5 downloads. I ran it in Normal Mode.

 

Ran Zemana AntiMalware and a window pops up saying:

 

Rootkit Detected

 

Your system is infected with Rootkit:WinNT/Adclicker!

 

Click ok to reboot and start cleaning

 

Driver Name: ndistpr64.sys

 

I rebooted. After the reboot the same window pops up but I exited it and ran a scan. Rebooted again. The same window pops up.

 

Here is the log: Attached File  2017.08.29-22.20.20-i0-t92-d3.txt   1.94KB   2 downloads

 

Tried to run Malwarebytes to check if the problem was solved. Still getting "Requested resource is in use" error.

 

Here is a fresh Attached File  FRST.txt   67.89KB   1 downloads

 

 

 

 



#8 nasdaq


Posted 30 August 2017 - 07:28 AM



Hi,

Remove the Malwarebytes AntiRootkit downloaded in post No.2.
Remove this program in bold via the Control Panel > Programs > Programs and Features.
===

Download and run this version.

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-TODAY'S-DATE.txt" log that is located in the MBAR folder here after.
<<<>>>

#9 nasdaq


Posted 05 September 2017 - 10:42 AM

Are you still with me?

#10 RuskiBroski


Posted 05 September 2017 - 09:47 PM

Yes. I'm still with you. I've just been really busy with work and travel due to a long distance relationship.

 

MBAR wasn't under the "Remove Programs and Features," but I deleted the exe along with all the other folders.

 

This version successfully ran and scanned. I did not yet reboot because when I rebooted last time it made the program not work again. (Should I reboot?)

 

Here is the log: Attached File  mbar-log-2017-09-05 (20-35-19).txt   25.83KB   5 downloads



#11 nasdaq


Posted 06 September 2017 - 07:16 AM

Hi,

Yes this is the infection that was found.

After the Restart run the Farbar program and post fresh FRST and Addition.txt files for my review.

p.s.
To create a fresh Addition.txt make sure that the Box to create one is marked.

Let me know what problem persists.

#12 RuskiBroski


Posted 06 September 2017 - 05:07 PM

Ran Malwarebytes to check if it works. Got the same error.

 

here is the Attached File  FRST.txt   67.65KB   3 downloads

 

 and the Attached File  Addition.txt   54.24KB   1 downloads



#13 nasdaq


Posted 07 September 2017 - 07:52 AM



Please download Malwarebytes Anti-Malware from here
Move or copy the file to your Desktop.
DO NOT RUN IT JUST YET.
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Run again the Malwarebytes Anti-Rootkit BETA 1.9.4.1001 you have downloaded. See post no. 8.

Let it finish and restart the computer when completed.

===

Now run the Malwarebytes Anti-Malware suggested above and remove everything that will be found.

Restart the computer when completed

How is it now?

p.s.
Post fresh FRST and Addition.txt logs if the problem persists.

#14 RuskiBroski


Posted 08 September 2017 - 03:13 AM

Tried downloading MBAM from the location specified. Running the setup installer gives me the error, so I can't even install MBAM

 

Attached File  FRST.txt   68.31KB   3 downloads

 

Attached File  Addition.txt   59.35KB   1 downloads

 

 



#15 nasdaq


Posted 08 September 2017 - 08:28 AM


Hi,

Refer again to this topic.
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

Under section 5

5. Unselect sectors and system below. Hit the scan button.


Did you unselect the Sectors and System?

If not, please do and run the program again.



