
smart service trojan SVCVMX


This topic is locked
50 replies to this topic

#1 SQuigiDude


  • Members
  • 26 posts

Posted 26 August 2017 - 06:46 PM

I saw several similar threads regarding the same problem. Responses seemed to consistently start with Farbar, so I went ahead with that step and attached the txt docs.

I'm currently unable to install Malwarebytes and many other programs. UnHackMe has found issues but is unable to fix them.

Attached Files




#2 JSntgRvr


    Master Surgeon General


  • Malware Response Team
  • 11,219 posts

Posted 26 August 2017 - 07:49 PM

Welcome :)

Let's run the fix in the Recovery Console.

Please download Farbar Recovery Scan Tool and save it to a flash drive.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Please also download the attached file and save it on the flash drive in the same location where FRST64 is saved.

Insert the USB drive in the infected computer.

Boot to the Recovery Console's Command prompt.

Entry points into the Windows Recovery Environment (WinRE).

You can access WinRE features through the Boot Options menu, which can be launched from Windows in a few different ways:
  • Option 1: From the login screen, click Shutdown, then hold down the Shift key while selecting Restart.
  • Option 2: In Windows 10, select Start > Settings > Update & security > Recovery > under Advanced Startup, click Restart now.
  • Option 3: Boot to recovery media.
  • Option 4: Use a hardware recovery button (or button combination) configured by the OEM (Computer Manufacturer).
After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.

On the boot options, select Troubleshooting > Advanced Options > Command prompt.

Once in the Command Prompt:
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button.
  • It will make a log (Fixlog.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 SQuigiDude

  • Topic Starter


Posted 26 August 2017 - 08:00 PM

Is it ok to boot Windows at this point? Or should I bring the flash drive to another comp to send the txt?

#4 SQuigiDude


Posted 26 August 2017 - 08:08 PM

Still have the command prompt open; put the flash drive in another comp.

Attached Files



#5 JSntgRvr


Posted 26 August 2017 - 08:21 PM

No need. Restart the computer.

  • Please download this version of Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.


#6 SQuigiDude


Posted 26 August 2017 - 09:14 PM

Scan complete.

Attached Files



#7 JSntgRvr


Posted 27 August 2017 - 08:51 AM

  • Highlight the entire content of the quote box below.

Start::  
S2 Dataup; C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\ntuserlitelist\dataup\dataup.exe [X] <==== ATTENTION
S2 windowsmanagementservice; C:\Users\squig\AppData\Local\mpazkjj\uomhfpqb\ct.exe [X] <==== ATTENTION
HKLM-x32\...\Run: [cpx] => "C:\Users\squig\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
S2 Dataup; C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\ntuserlitelist\dataup\dataup.exe [X] <==== ATTENTION
S2 windowsmanagementservice; C:\Users\squig\AppData\Local\mpazkjj\uomhfpqb\ct.exe [X] <==== ATTENTION
Task: {DE09C189-F970-4655-80D4-2E7944DD74E5} - System32\Tasks\3fc052ae23a1f0418ce614432ba55056 => sc start 3fc052ae23a1f0418ce614432ba55056 <==== ATTENTION
HKLM-x32\...\Run: [cpx] => "C:\Users\squig\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM-x32\...\Run: [svcvmx] => "C:\Users\squig\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
S2 Dataup; C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\ntuserlitelist\dataup\dataup.exe [X] <==== ATTENTION
2017-08-25 23:34 - 2017-08-26 18:44 - 000000000 ____D C:\Users\squig\AppData\Local\ntuserlitelist
2017-08-18 09:55 - 2017-01-04 22:55 - 000544424 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-05-03 17:11 - 2017-05-03 17:11 - 000619008 ____N () C:\windows\system32\tprdpw64.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges.
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:



  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.



  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

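An added example, not code from this thread or from FRST's author: a small Python triage that reads FRST-style service, Run-key and scheduled-task lines like the ones in the fixlist above and records why each entry deserves review (binary under a user-writable path, file already missing, no publisher shown, a task that only runs sc start, or a machine-generated 32-hex-character name). The sample lines are constructed, modelled on the entries above plus two benign ones; the path list and review rules are this example's assumptions, not FRST's own logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in FRST's line format, modelled on the service, Run-key and
# scheduled-task entries posted in this thread, plus two benign entries for contrast.
SAMPLE_FRST_LINES = r"""
S2 Dataup; C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\ntuserlitelist\dataup\dataup.exe [X]
S2 windowsmanagementservice; C:\Users\squig\AppData\Local\mpazkjj\uomhfpqb\ct.exe [X]
S2 Spooler; C:\WINDOWS\System32\spoolsv.exe [123456 2017-03-18] (Microsoft Corporation)
HKLM-x32\...\Run: [cpx] => "C:\Users\squig\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup
HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2017-03-18] (Microsoft Corporation)
Task: {DE09C189-F970-4655-80D4-2E7944DD74E5} - System32\Tasks\3fc052ae23a1f0418ce614432ba55056 => sc start 3fc052ae23a1f0418ce614432ba55056
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\OneDrive Standalone Update => C:\Users\squig\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
"""

SERVICE_RE = re.compile(r"^[SR]\d (?P<name>[^;]+); (?P<rest>.*)$")
RUN_RE = re.compile(r"^HK[^\\]+\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<rest>.*)$")
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - System32\\Tasks\\(?P<name>.+?) => (?P<rest>.*)$")
# Assumed list of locations an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|systemprofile\\AppData|ProgramData|Users\\Public|Temp)\\", re.I)
HEX_NAME = re.compile(r"^[0-9a-f]{32}$", re.I)  # machine-generated names like the task in the thread


@dataclass
class Finding:
    kind: str          # "service", "run" or "task"
    name: str
    path: str          # what the entry launches (a file path, or a command such as "sc start ...")
    reasons: List[str]


def triage(line: str) -> Optional[Finding]:
    """Return a Finding listing why an autostart entry deserves review, or None if nothing stands out."""
    for kind, rx in (("service", SERVICE_RE), ("run", RUN_RE), ("task", TASK_RE)):
        m = rx.match(line.strip())
        if m:
            break
    else:
        return None  # not a service, Run-key or task line
    name, rest = m.group("name").strip(), m.group("rest")
    path = rest.strip()
    # Quoted path, or unquoted path up to FRST's "[size date]" / "(publisher)" block.
    path = path[1:path.find('"', 1)] if path.startswith('"') else path.split(" [", 1)[0].split(" (", 1)[0]
    reasons = []
    if USER_WRITABLE.search(path):
        reasons.append("binary lives in a user-writable location")
    if "[X]" in rest:
        reasons.append("file is missing on disk but the autostart is still registered")
    if kind != "task" and not re.search(r"\([^)]+\)\s*$", rest):
        reasons.append("FRST shows no publisher for the binary")
    if kind == "task" and path.lower().startswith("sc "):
        reasons.append("task starts a service via sc instead of running a program")
    if any(HEX_NAME.match(tok) for tok in [name, *rest.split()]):
        reasons.append("machine-generated 32-hex-character name")
    return Finding(kind, name, path, reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """Triage every line of an FRST excerpt; entries with the most reasons come first."""
    found = [f for f in (triage(ln) for ln in text.splitlines()) if f]
    return sorted(found, key=lambda f: -len(f.reasons))
```

AppData-based autostarts are not malicious by themselves (the Discord and OneDrive updaters live there too), so treat the output as a review queue ordered by the number of reasons, not as a verdict.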


#8 SQuigiDude


Posted 27 August 2017 - 09:23 AM

AdwCleaner said nothing found but still wanted a reboot to remove.

Attached Files



#9 JSntgRvr


Posted 27 August 2017 - 09:42 AM

I still have doubts.

Please download Malwarebytes to your desktop.

  • Double-click mb3-setup-1878.1878-3.4.5.2467.exe and follow the prompts to install the program.

  • Once the program has fully updated, Proceed with the Scan options and select "Threat Scan".

  • The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.

  • After a scan has been executed, scan results are displayed.

  • Put a checkmark on all detected and click on "Quarantine Selected"

  • Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.




#10 SQuigiDude


Posted 27 August 2017 - 10:04 AM

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/27/17
Scan Time: 10:48 AM
Log File: c0dcffbc-8b36-11e7-a238-d050995ba1c4.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.186
Update Package Version: 1.0.2668
License: Trial

-System Information-
OS: Windows 10 (Build 15063.540)
CPU: x64
File System: NTFS
User: DESKTOP-5TQVGTS\squig

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 361089
Threats Detected: 23
Threats Quarantined: 23
Time Elapsed: 8 min, 51 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 3
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1085609547-2832263797-1701603184-1001\CONSOLE\TASKENG.EXE, Quarantined, [5343], [425125],1.0.2668
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{2f09a2b3}, Quarantined, [22], [260250],1.0.2668
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1085609547-2832263797-1701603184-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE, Quarantined, [5343], [425124],1.0.2668

Registry Value: 4
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1085609547-2832263797-1701603184-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_WINDOWSPOWERSHELL_V1.0_POWERSHELL.EXE|WINDOWPOSITION, Quarantined, [5343], [425126],1.0.2668
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1085609547-2832263797-1701603184-1001\CONSOLE\TASKENG.EXE|WINDOWPOSITION, Quarantined, [5343], [425125],1.0.2668
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{2f09a2b3}|1, Quarantined, [22], [260250],1.0.2668
PUP.Optional.PSScriptLoad.ACMB3, HKU\S-1-5-21-1085609547-2832263797-1701603184-1001\CONSOLE\%SYSTEMROOT%_SYSTEM32_SVCHOST.EXE|WINDOWPOSITION, Quarantined, [5343], [425124],1.0.2668

Registry Data: 6
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|NameServer, Replaced, [22], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, Replaced, [22], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{23ef13b5-b52c-4a69-8b3b-2424329b4a4f}|NameServer, Replaced, [22], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{23ef13b5-b52c-4a69-8b3b-2424329b4a4f}|DhcpNameServer, Replaced, [22], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{26b11a49-585f-4b43-a90c-9af3c3d7b25b}|NameServer, Replaced, [22], [-1],0.0.0
PUP.Optional.DNSUnlocker.ACMB2, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{9622632d-f513-40c5-85d0-96380709710f}|NameServer, Replaced, [22], [-1],0.0.0

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.AnonymizerGadget, C:\USERS\SQUIG\APPDATA\ROAMING\AGDATA, Quarantined, [1536], [338259],1.0.2668

File: 9
PUP.Optional.AnonymizerGadget, C:\USERS\SQUIG\APPDATA\ROAMING\AGDATA\CONFIG.JSON, Quarantined, [1536], [338259],1.0.2668
PUP.Optional.AnonymizerGadget, C:\Users\squig\AppData\Roaming\AGData\add.json, Quarantined, [1536], [338259],1.0.2668
PUP.Optional.InstallCore, C:\USERS\SQUIG\DOWNLOADS\HAPPY_WHEELS (3).EXE, Quarantined, [2], [301065],1.0.2668
PUP.Optional.InstallCore, C:\USERS\SQUIG\DOWNLOADS\HAPPY_WHEELS (1).EXE, Quarantined, [2], [301065],1.0.2668
PUP.Optional.InstallCore, C:\USERS\SQUIG\DOWNLOADS\HAPPY_WHEELS (2).EXE, Quarantined, [2], [301065],1.0.2668
PUP.Optional.InstallCore, C:\USERS\SQUIG\DOWNLOADS\HAPPY_WHEELS.EXE, Quarantined, [2], [301065],1.0.2668
Trojan.Clicker, C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\NTUSERLITELIST.DEL\SVCVMX\SVCVMX.EXE, Quarantined, [21], [420472],1.0.2668
Adware.Yelloader, C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\NTUSERLITELIST.DEL\DATAUP\DATAUP.EXE, Quarantined, [1367], [377106],1.0.2668
Adware.Agent, C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\NTUSERLITELIST.DEL\SVCVMX\VMXCLIENT.EXE, Quarantined, [227], [415772],1.0.2668

Physical Sector: 0
(No malicious items detected)


(end)



#11 JSntgRvr


Posted 27 August 2017 - 10:36 AM

  • Highlight the entire content of the quote box below.

Start::
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\NTUSERLITELIST.DEL
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges.
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

How is the computer doing?




#12 SQuigiDude


Posted 27 August 2017 - 10:39 AM

Computer appears to be doing well, but that was also true last night; then it was incredibly slow this morning.

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by squig (27-08-2017 11:38:01) Run:3
Running from C:\Users\squig\Desktop
Loaded Profiles: squig (Available Profiles: squig)
Boot Mode: Normal
==============================================

fixlist content:
*****************
C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\NTUSERLITELIST.DEL
*****************

C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\NTUSERLITELIST.DEL => moved successfully

==== End of Fixlog 11:38:01 ====



#13 SQuigiDude


Posted 27 August 2017 - 10:43 AM

Also my Edge browser no longer works... I also have Firefox so it's not much of an inconvenience; I just find it odd cuz it did work yesterday.

But yesterday my Discord app was unable to update and installing or running any security program was impossible... those things are fixed and the program causing it is no longer in the computer's startup list.



#14 JSntgRvr


Posted 27 August 2017 - 11:00 AM

Follow these steps to reinstall Edge:

Link

Link2

It will be more useful to copy and paste those commands to assure proper syntax.

Let me know the outcome.




#15 SQuigiDude


Posted 27 August 2017 - 11:03 AM

Just noticed my Windows app store is also affected. Both are acting as if I have no internet connection... though I'm sending this reply from the same computer in Firefox, so clearly I do have an internet connection.


Edited by SQuigiDude, 27 August 2017 - 11:05 AM.




