Unable to remove vmxclient, ntuserlite, etc., even after scan and cleanup

[cben251]

I know it has been posted a few times before, but I was wondering if it would be possible to get some help/advice regarding the ntuserlite/vmxclient/Yelloader malware.  My computer is infected and I have run Rogue Killer, but when I check the cleanup logs, it gives an error[5] result, which I've read means that the access to the file is denied.  I am at a bit of a loss as to what my next steps should be so that I can get rid of this once and for all.  I am unable to boot into Safe Mode, unable to open the Task Manager, unable to run Malwarebytes, unable to run TDSSkiller, etc.  I'm very scared that I am going to have to format my hard drive and attempt to reinstall Windows 10.  I have attached my log file for reference.  Thank you very much in advance!

EDIT: Added JSON version of log

[Curson]

Hi Ben,

Welcome to Adlice.com Forum.
Don't worry, we should be able to get rid of the infection.

Please follow the instruction in shadowwar post and attach MBAR log with your next reply.

Regards.

[cben251]

Thanks for the reply, Curson!  I ran the build of MBAR in the post and did the cleanup/reboot.  I reran the scan after the reboot and it didn't detect anything (which is a little bit better considering that when I'd rebooted after running MBAR previously the scans would still pick up the same thing).  I've attached the before and after logs.  Another good bit of news is that I did a fresh install of MBAM and it actually ran (full scan is going on at the moment).  However, I am still unable to open the Task Manager, which seems to be indicative of there being a bit of the infection still hanging around.

[Curson]

Hi Ben,

Yes, MBAR seems to have killed the rootkit.
Wait until MBAM finish the scan, then do the following :

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
  
• Please attach log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
  

Please also attach MBAM report.

Regards.

[cben251]

Sorry for the late reply, I had MBAM run a full scan on both of my hard drives and it took 10+ hours (it did not detect anything).  I've attached all of the logs to this post.  Thank you!

[Curson]

Hi Ben,

If you do not use TeamViewer, please uninstall it.

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Are you able to run the Task Manager now ?

Regards.

[cben251]

I've attached the log file, but I am still unable to open the Task Manager.  The window opens in its small, less-detailed view, then immediately closes.  Also, I do use Team Viewer a fair bit, I've been replying on here, etc. while I'm at work using the app on my phone to control my desktop.

[Curson]

Hi Ben,

Your system seems to have an underlying issue with taskmgr itself.

Error: (08/02/2017 11:18:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: taskmgr.exe, version: 1.0.0.1, time stamp: 0x578999cf
Faulting module name: taskmgr.exe, version: 1.0.0.1, time stamp: 0x578999cf
Exception code: 0xc0000005
Fault offset: 0x0000000000025076
Faulting process id: 0x1ff0
Faulting application start time: 0x01d30ba28f4b7ea9
Faulting application path: C:\WINDOWS\system32\taskmgr.exe
Faulting module path: C:\WINDOWS\system32\taskmgr.exe
Report Id: fc41f937-8476-4a54-a41e-d97b27212d44
Faulting package full name:
Faulting package-relative application ID:

Download ProcDump (x64) on your desktop.
Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :

Code: [Select]

"%USERPROFILE%\Desktop\procdump64.exe" -e -l -ma -accepteula -w taskmgr.exe "%USERPROFILE%\Desktop\taskmgr.dmp" > "%USERPROFILE%\Desktop\taskmgr.log"Do not close the command prompt !

Please launch the task manager.
A new file named taskmgr.dmp should has been created on your desktop. Please zip it, upload it on Google Drive/Dropbox and share the link here. Please also attach the taskmgr.log file.

Regards.

[cben251]

I followed your instructions, however the dump file is not being created.  I opened the log file that appeared on my desktop and all it says is:

"Waiting for process named taskmgr.exe...

[15:08:28] Multiple processes match the specified name."

It almost sounds like there's multiple task managers attempting to run.  Looking it up, it seems as if the malware has a taskmgr.exe program in it that's masquerading as the real thing.  Should I attempt to boot into safe mode and see if anything works then?

[Curson]

Hi Ben,

Let's try another thing. Please use the following command :

Code: [Select]

"%USERPROFILE%\Desktop\procdump64.exe" -e -l -ma -accepteula -x "%USERPROFILE%\Desktop" "C:\Windows\System32\taskmgr.exe" > "%USERPROFILE%\Desktop\taskmgr.logThe Task Manager will launch directly, this time.

Regards.

[cben251]

Awesome, that one generated the file.  I've put the link to the zip with the log and the dump below.  I also attached the log file separately to this post.

https://drive.google.com/file/d/0B3IsTeqJsfsjcnM2N0VVLXljTFk/view?usp=sharing

[Curson]

Hi Ben,

Analysis of the dump shows that the process crashed because of an Access Violation exception.
To be more concise, the exception occured because the process tried to access an invalid area in its memory space.
There is nothing we can do here, so I advice you to open a new thread on the Microsoft forum with a link to the dump. If there is a bug with the system, only them can correct it. What do you mind ?

Besides, could you please download Process Explorer (x64) and check if it is able to run ?

Regards.

[cben251]

Will do, Curson.  I was able to run that other task manager program and didn't see anything out of the ordinary.  Also had Windows Defender run an offline scan and nothing was picked up.  When I try to open task manager, I can see in the other program that it is attempting to essentially open two processes at the same time.  Currently also running a McAfee Stinger scan on my system, since I read a couple places that it works fairly well for similar situations.  Also going to try and run TDSSKiller to see if it picks it up.

[Curson]

Hi Ben,

In the meantime, you can replace the standard Task Manager with Process Explorer using the "Replace Task Manager" option in the "Options" menu.
If you need help with the reports analysis, don't hesitate to attach them in your next reply.

Regards.

[Curson]

Hi Ben,

Sorry about the delay, but a fellow Malware Analyst (many thanks Aura ) found a solution for this issue.
Launch the command prompt windows (cmd) with admin rights and copy/paste the following command :

Code: [Select]

sc config pcw start= bootPlease then reboot the computer.

Is Windows Task Manager working as expected now ?

Regards.