Adlice forum
General Category => Malware removal help => Topic started by: Louis Lata on June 19, 2017, 05:32:20 PM
-
RogueKiller has been able to detect Adw.Yelloader, ntuserlitelist, dataup, and svcvmx, but upon reboot they are all still there and svcvmx continues to clone itself and eat up my memory. Any advice?
Edit : Added RogueKiller JSON report.
-
Hi Louis,
Welcome to Adlice.com Forum and thanks for supporting our product.
Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
- Right-click to run as administrator (XP users click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
-
FRST & Addition
-
Hi Louis,
Please uninstall TeamViewer if you haven't installed it.
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply. A file using the Date_Time.zip notation should have been created, please attach it as well.
How is your computer running?
Regards.
-
Computer seems to be running fine. I don't see any of the programs running that were found in the ntuserlitelist folder (Dataup, svcvmx, retool, winscr), but the ntuserlitelist folder is still there (AppData\Local\ntuserlitelist).
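A read-only triage check for the indicators named in this thread, added here as an example; it is not part of the original thread, nor code from RogueKiller, FRST, TDSSKiller or MBAR. It assumes the indicator names exactly as Louis reported them (the ntuserlitelist folder under %LOCALAPPDATA% and the process names dataup, svcvmx, retool, winscr), and the Run-key lookup in the last step is an assumption about where a persistence entry might live, since the thread only says that registry keys were involved. Run it in an elevated PowerShell session; it changes nothing, it only reports.

```powershell
# Added example, not from the thread or any tool mentioned in it.
# Assumed indicators (taken from Louis's posts): folder name and process names.
$indicatorFolder = Join-Path $env:LOCALAPPDATA 'ntuserlitelist'
$indicatorNames  = @('dataup', 'svcvmx', 'retool', 'winscr')

# 1. Running processes with those names, grouped so a self-cloning process
#    (svcvmx in the thread) shows up as an instance count and total memory
#    rather than one line per copy.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $indicatorNames -contains $_.ProcessName.ToLower() } |
    Group-Object ProcessName |
    ForEach-Object {
        $mem = ($_.Group | Measure-Object WorkingSet64 -Sum).Sum / 1MB
        '{0,-10} instances={1,-4} working set={2:N1} MB' -f $_.Name, $_.Count, $mem
    }

# 2. Is the folder still present, who owns it, and what does its DACL look like?
#    Later in the thread FRST could not set permissions on some files and keys,
#    so explicit Deny entries or an unexpected owner are worth recording
#    before any cleanup is attempted.
if (Test-Path -LiteralPath $indicatorFolder) {
    $acl = Get-Acl -LiteralPath $indicatorFolder
    "Folder present: $indicatorFolder (owner: $($acl.Owner))"
    $acl.Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
    Get-ChildItem -LiteralPath $indicatorFolder -Force -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime |
        Format-Table -AutoSize
} else {
    "Folder not present: $indicatorFolder"
}

# 3. Assumption: check the standard Run keys for any value that points into the
#    folder. The thread does not say which keys were affected; this is only
#    the most common place to look.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like '*ntuserlitelist*') {
                "Run entry in $key : $($p.Name) = $($p.Value)"
            }
        }
    }
}
```

The output is what a helper would want attached alongside the FRST logs: whether the processes are back after reboot, whether the folder survived a fix, and whether its ACL explains a tool's failure to modify it.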
-
Hi Louis,
The infection is not completely gone.
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Regards.
-
Here is the Fixlog
-
Hi Louis,
It's still here. We are going to use another method.
Please restart your system in Safe Mode with Networking (https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode).
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Regards.
-
Fixlog
-
Hi Louis,
It has been a long time since I saw such resistant malware.
Could you please generate new FRST.txt and Addition.txt reports?
Regards.
-
Here is the new Addition and FRST.
Thanks
-
Hi Louis,
Let's give Safe Mode another try.
Please restart your system in Safe Mode with Networking (https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode).
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Regards.
-
New Fixlog
-
Hi Louis,
It seems that FRST is unable to set proper permissions on some files / registry keys.
I must speak to the developer of the tool before proceeding any further.
- Please download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
(http://i1118.photobucket.com/albums/k611/lhs22/tds2.jpg)
- Check Loaded Modules and Detect TDLFS file system.
- If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
(http://i1118.photobucket.com/albums/k611/lhs22/2012081514h0118.png)
- Click Start Scan and allow the scan process to run.
If threats are detected select Skip for all of them unless I instruct you otherwise.
- Click Continue
(http://i1118.photobucket.com/albums/k611/lhs22/tds6.jpg)
- Click Reboot computer
Please attach the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Regards.
-
Every time I click it I get an error that says, Resource is in use.
-
Hi Louis,
I think the malware is preventing TDSSKiller's kernel-mode driver from launching. Let's try another tool.
Please follow the instruction in shadowwar post (https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/) and attach MBAR log with your next reply.
Regards.
-
Mbar log
-
Hi Louis,
The tool removed some troublesome keys.
Could you please generate a fresh FRST log?
Regards.
-
FRST Log and Addition if needed
-
Hi Louis,
The malware is still present.
A new build of MBAR should take care of it.
Please download MBAR 1.09.4.1001 (https://malwarebytes.app.box.com/s/h72aj6mp6rkshh7lk0u7msx810wz75jl), then follow the instructions in shadowwar post and attach the reports with your next reply.
Please make sure to hit the "Update" button to update MBAR databases.
Regards.
-
Hi, I'm having a problem completing the scan; it freezes and stops responding. Also, the amount of malware it has detected is extremely high.
Attached is a screenshot.
-
Hi Louis,
Does the software unfreeze when waiting long enough?
This infection drops many files, so it's not unusual for MBAR to detect such an amount of malware.
Regards.
-
Hi, sorry for the late reply. The longest I waited was about 2 hours, with no success in getting it to respond.
-
Hi Louis,
Don't worry about the late reply, it's no big deal.
There is definitely a bug with this version of MBAR. Could you please download this one (https://downloads.malwarebytes.com/file/mbar/) and try again?
Please make sure to hit the "Update" button to update MBAR databases before launching the scan.
Regards.
-
Hi, I was able to get a full scan and cleanup overnight. Attached is the MBAR log.
-
Hi Louis,
It seems that MBAR was able to kill the rootkit.
Could you please redo a FRST scan?
Regards.
-
FRST log attached
-
Hi Louis,
The log confirms that the infection is gone. Your system is now clean.
You can remove MBAR, FRST and related files/folders.
Regards.
-
Great! Thanks so much, you guys are awesome!
-
Hi Louis,
You are welcome. Thanks for the kind words.
I'm glad we were able to help you.
Regards.