Author Topic: ntuserlitelist,SVCVMX Found but not removed after reboot  (Read 21239 times)

June 19, 2017, 05:32:20 PM

Louis Lata

RogueKiller has been able to detect Adw.Yelloader, ntuserlitelist, dataup, and svcvmx, but upon reboot they are all still there and svcvmx continues to clone itself and eat up my memory. Any advice?

Edit : Added RogueKiller JSON report.
« Last Edit: June 19, 2017, 05:42:33 PM by Curson »

Reply #1 June 19, 2017, 05:41:36 PM

Curson

Global Moderator

Hi Louis,

Welcome to Adlice.com Forum and thanks for supporting our product.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.

Reply #2 June 20, 2017, 12:55:11 AM

Louis Lata

FRST & Addition

Reply #3 June 20, 2017, 01:00:04 PM

Curson

Hi Louis,

Please uninstall TeamViewer if you haven't installed it.

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply. A file using the Date_Time.zip notation should have been created; please attach it as well.

How is your computer running?

Regards.

Reply #4 June 21, 2017, 06:01:19 PM

Louis Lata

Computer seems to be running fine. I don't see any of the programs found in the ntuserlitelist folder (Dataup, svcvmx, retool, winscr) running, but the ntuserlitelist folder is still there (AppData\Local\ntuserlitelist).

Reply #5 June 21, 2017, 06:31:40 PM

Curson

Hi Louis,

The infection is not completely gone.

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Regards.

Reply #6 July 01, 2017, 12:46:40 AM

Louis Lata

Here is the Fixlog

Reply #7 July 02, 2017, 09:50:02 AM

Curson

Hi Louis,

It's still here. We are going to use another method.

Please restart your system in Safe Mode with Networking.

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Regards.

Reply #8 July 03, 2017, 05:19:40 PM

Louis Lata

Fixlog

Reply #9 July 03, 2017, 05:40:13 PM

Curson

Hi Louis,

It has been a long time since I saw such resistant malware.
Could you please generate new FRST.txt and Addition.txt reports?

Regards.

Reply #10 July 03, 2017, 07:50:18 PM

Louis Lata

Here is the new Addition and FRST.

Thanks

Reply #11 July 03, 2017, 08:47:25 PM

Curson

Hi Louis,

Let's give Safe Mode another try.
Please restart your system in Safe Mode with Networking.

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Regards.

Reply #12 July 03, 2017, 09:15:30 PM

Louis Lata

New Fixlog

Reply #13 July 03, 2017, 09:34:02 PM

Curson

Hi Louis,

It seems that FRST is unable to set proper permissions on some files / registry keys.
I must speak to the developer of the tool before proceeding any further.
  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please attach the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.

Regards.
« Last Edit: July 03, 2017, 09:35:44 PM by Curson »

Reply #14 July 03, 2017, 09:57:24 PM

Louis Lata

Every time I click it I get an error that says "Resource is in use".