Author Topic: ntuserlitelist,SVCVMX Found but not removed after reboot (Read 19966 times)

Curson · « **Reply #15 on:** July 03, 2017, 10:25:59 PM »

Hi Louis,

I think the malware is preventing TDSSKiller kernel-mode driver to launch. Let's try another tool.
Please follow the instruction in shadowwar post and attach MBAR log with your next reply.

Regards.

Louis Lata · « **Reply #16 on:** July 04, 2017, 03:38:06 AM »

Mbar log

Curson · « **Reply #17 on:** July 05, 2017, 10:05:44 AM »

Hi Louis,

The tool removed some troublesome keys.
Could you please generate a fresh FRST log ?

Regards.

Louis Lata · « **Reply #18 on:** July 07, 2017, 05:07:21 AM »

FRST Log and Addition if needed

Curson · « **Reply #19 on:** July 08, 2017, 11:24:43 AM »

Hi Louis,

The malware is still present.
A new build of MBAR should take care of it.

Please download MBAR 1.09.4.1001, then follow the instructions in shadowwar post and attach the reports with your next reply.
Please make sure to hit the "Update" button to update MBAR databases.

Regards.

Louis Lata · « **Reply #20 on:** July 09, 2017, 03:04:49 AM »

Hi im having a problem completing the scan, it freezes and stops responding also the amount of malware it has detected is extremely high.
Attached is a screen shot

Curson · « **Reply #21 on:** July 09, 2017, 06:16:57 PM »

Hi Louis,

Does the software unfreeze when waiting long enough ?
This infection drops many files, so it's not unusual for MBAR to detect such an amount of malware.

Regards.

Louis Lata · « **Reply #22 on:** July 13, 2017, 06:16:13 AM »

Hi sorry for the late reply, the longest i waited was about 2 hours and with no success of responding

Curson · « **Reply #23 on:** July 13, 2017, 10:52:39 AM »

Hi Louis,

Don't worry about the late reply, it's no big deal.
There is definitely a bug with this version of MBAR. Could you please download this one and try again ?
Please make sure to hit the "Update" button to update MBAR databases before launching the scan.

Regards.

Louis Lata · « **Reply #24 on:** July 13, 2017, 04:21:28 PM »

Hi i was able to get a full scan and cleanup overnight attached is the mbar log

Curson · « **Reply #25 on:** July 13, 2017, 04:52:38 PM »

Hi Louis,

It seems that MBAR was able to kill the rootkit.
Could you please redo a FRST scan ?

Regards.

Louis Lata · « **Reply #26 on:** July 13, 2017, 08:40:56 PM »

FRST log attached

Curson · « **Reply #27 on:** July 13, 2017, 10:06:54 PM »

Hi Louis,

The log confirms that the infection is gone. Your system is now clean.
You can remove MBAR, FRST and related files/folders.

Regards.

Louis Lata · « **Reply #28 on:** July 14, 2017, 12:15:38 AM »

Great! thanks so much, you guys are Awesome!

Curson · « **Reply #29 on:** July 14, 2017, 12:25:49 AM »

Hi Louis,

You are welcome. Thanks for the kind words.
I'm glad we were able to help you.

Regards.

Author Topic: ntuserlitelist,SVCVMX Found but not removed after reboot (Read 19966 times)

Curson

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Louis Lata

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Curson

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Louis Lata

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Curson

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Louis Lata

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Curson

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Louis Lata

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Curson

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Louis Lata

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Curson

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Louis Lata

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Curson

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Louis Lata

Re: ntuserlitelist,SVCVMX Found but not removed after reboot

Curson

Re: ntuserlitelist,SVCVMX Found but not removed after reboot