Infected with Svcvmx.exe Virus - Not able to Login to Windows


  • This topic is locked
31 replies to this topic

#1 Ronins8

Ronins8

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:24 AM

Posted 12 September 2017 - 09:44 AM

Hi all,

Thank you in advance for any help you can provide to get my computer back to functioning!  I noticed 'Svcvmx.exe' in my startup, and after attempting to disable it in the msconfig to no avail, I attempted to use windows defender.  I then got a 'resource in use', to which I found that was the case when trying to run any type of ant-removal software (adwcleaner, mbar, mbam etc).  I then attempted to boot Win 10 into Safe mode, which I was able to do, but now I just get the login page WITHOUT the ability to login (screenshot attached) so I can't even get to windows to run logs or do anything.  I attempted to boot windows defender tool offline via a USB, but keep getting the 'This app can't be started' (pic2) message as if the drive isn't able to be detected.  Please help :)

I am able to unplug my hard drives and use my old laptop drive in order to boot up the computer and get on the internet to type this, but I cannot view or see my hard drive with the corrupted win 10 if I try to connect it. :smash:

#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 AM

Posted 12 September 2017 - 09:47 AM

Hi Ronins8 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Are you able to access the Recovery Environment from the infected computer, and access your drive with the Windows installation on it?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Ronins8

Posted 12 September 2017 - 09:56 AM

Hi Yoan!  Great to meet you and glad to have you helping me with this problem :)

 

Are you able to access the Recovery Environment from the infected computer, and access your drive with the Windows installation on it?

 

No, when I startup the computer using the drive with the Win installation on it I get the pic above where it is the Windows login page, but is blank and nowhere to login.  All I can do is restart or shutdown the computer.  I tried accessing it via a boot usb with windows defender, but get the other pic I attached on my last post.

 

Thanks,

Tom



#4 Aura

Posted 12 September 2017 - 10:00 AM

Technically, a Windows installation media shouldn't boot to the second screenshot. The second screenshot looks like you're booting from the infected Windows installation.

Follow the instructions below to create a Windows 10 installation media using your USB Flash Drive, and boot from it.

http://www.thewindowsclub.com/windows-10-media-creation-tool-create-installation-media-upgrade

Once done, download FRST (64-bit), and copy it on the USB as well.

https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/



#5 Ronins8

Posted 13 September 2017 - 07:10 PM

Got it! Here is my log - 

Attached Files

  • Attached File  FRST.txt   14.35KB   4 downloads

Edited by Ronins8, 13 September 2017 - 07:30 PM.


#6 Aura

Posted 13 September 2017 - 07:13 PM

Click on the Troubleshoot option, and then Command Prompt.

Once in the command prompt
  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for the scan to complete
  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply



#7 Ronins8

Posted 13 September 2017 - 07:31 PM

  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply

 

Attached :)

Attached Files

  • Attached File  FRST.txt   14.35KB   5 downloads


#8 Aura

Posted 13 September 2017 - 07:40 PM

Now for the fun part :) Download the attached fixlist.txt, and move it on your USB where the FRST executable is. Go back in the Recovery Environment, open the command prompt, launch FRST but this time use the Fix button instead. After FRST is done running the fix, a file called fixlog.txt will be on your USB. Attach it here.

Attached Files




#9 Ronins8

Posted 13 September 2017 - 08:02 PM

After FRST is done running the fix, a file called fixlog.txt will be on your USB. Attach it here.

 

Here it is :)

Attached Files



#10 Aura

Posted 13 September 2017 - 08:02 PM

Now if you restart your computer, are you able to log in normally?



#11 Ronins8

Posted 13 September 2017 - 08:08 PM

No, I restarted it twice and it still boots up to the same image above with no login

#12 Aura

Posted 13 September 2017 - 08:12 PM

Did you try to boot normally, or in Safe Mode?



#13 Ronins8

Posted 13 September 2017 - 08:57 PM

I'm not able to choose anything. After bios it boots straight to the blank login. I think bcdedit was used to set default to boot to safe mode.

#14 Aura

Posted 13 September 2017 - 09:03 PM

If you go back in the RE and use the command prompt, use this command:
bcdedit
What are the identifiers of the "Windows Boot Manager" and "Windows Boot Loader"?



#15 Ronins8

Posted 13 September 2017 - 09:32 PM

What are the identifiers of the "Windows Boot Manager" and "Windows Boot Loader"?

Attached Files
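
The `bcdedit` check discussed in posts #13 to #15, as an added example that is not part of the original thread and not the helper's own tooling: a Python parser for saved `bcdedit` output that lists each entry's identifier and reports any Windows Boot Loader entry carrying a `safeboot` element, which is the setting that sends every boot into Safe Mode. The sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `bcdedit` output; not the attachment from this thread.
SAMPLE = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
default                 {default}
displayorder            {default}
                        {11111111-2222-3333-4444-555555555555}

Windows Boot Loader
-------------------
identifier              {default}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 10
safeboot                Minimal
"""

def parse_bcdedit(text):
    """Return one dict per BCD entry: {'type': title, 'elements': {name: value}}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 2 or set(lines[1].strip()) != {"-"}:
            continue  # an entry is a title line followed by a dashed rule
        elements, last = {}, None
        for line in lines[2:]:
            if line[:1].isspace() and last:
                elements[last] += " " + line.strip()  # wrapped multi-value element
                continue
            name, _, value = line.partition(" ")
            last = name
            elements[name] = value.strip()
        entries.append({"type": lines[0].strip(), "elements": elements})
    return entries

def identifiers(entries):
    """(entry type, identifier) pairs, the two values asked for in post #14."""
    return [(e["type"], e["elements"].get("identifier")) for e in entries]

def forced_safe_mode(entries):
    """Boot loader entries carrying a safeboot element, as (identifier, mode)."""
    return [(e["elements"].get("identifier"), e["elements"]["safeboot"])
            for e in entries
            if e["type"] == "Windows Boot Loader" and "safeboot" in e["elements"]]

if __name__ == "__main__":
    parsed = parse_bcdedit(SAMPLE)
    print(identifiers(parsed))
    print(forced_safe_mode(parsed))
```

A loader entry with no `safeboot` line boots normally, so an empty result from `forced_safe_mode` rules out this setting as the cause of the forced Safe Mode boot.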





