Topic: ntuserlitelist,SVCVMX Found but not removed after reboot

Reply #15, July 03, 2017, 10:25:59 PM

Curson

Hi Louis,

I think the malware is preventing the TDSSKiller kernel-mode driver from launching. Let's try another tool.
Please follow the instructions in shadowwar's post and attach the MBAR log with your next reply.

Regards.
« Last Edit: July 03, 2017, 10:57:29 PM by Curson »

Reply #16, July 04, 2017, 03:38:06 AM

Louis Lata

MBAR log

Reply #17, July 05, 2017, 10:05:44 AM

Curson

Hi Louis,

The tool removed some troublesome keys.
Could you please generate a fresh FRST log?

Regards.

Reply #18, July 07, 2017, 05:07:21 AM

Louis Lata

FRST Log and Addition if needed

Reply #19, July 08, 2017, 11:24:43 AM

Curson

Hi Louis,

The malware is still present.
A new build of MBAR should take care of it.

Please download MBAR 1.09.4.1001, then follow the instructions in shadowwar's post and attach the reports with your next reply.
Please make sure to hit the "Update" button to update the MBAR databases.

Regards.

Reply #20, July 09, 2017, 03:04:49 AM

Louis Lata

Hi, I'm having a problem completing the scan: it freezes and stops responding. Also, the amount of malware it has detected is extremely high.
Attached is a screenshot.

Reply #21, July 09, 2017, 06:16:57 PM

Curson

Hi Louis,

Does the software unfreeze if you wait long enough?
This infection drops many files, so it's not unusual for MBAR to detect such an amount of malware.

Regards.

Reply #22, July 13, 2017, 06:16:13 AM

Louis Lata

Hi, sorry for the late reply. The longest I waited was about 2 hours, with no response.

Reply #23, July 13, 2017, 10:52:39 AM

Curson

Hi Louis,

Don't worry about the late reply, it's no big deal.
There is definitely a bug with this version of MBAR. Could you please download this one and try again?
Please make sure to hit the "Update" button to update the MBAR databases before launching the scan.

Regards.

Reply #24, July 13, 2017, 04:21:28 PM

Louis Lata

Hi, I was able to get a full scan and cleanup overnight. Attached is the MBAR log.

Reply #25, July 13, 2017, 04:52:38 PM

Curson

Hi Louis,

It seems that MBAR was able to kill the rootkit.
Could you please redo a FRST scan?

Regards.

Reply #26, July 13, 2017, 08:40:56 PM

Louis Lata

FRST log attached

Reply #27, July 13, 2017, 10:06:54 PM

Curson

Hi Louis,

The log confirms that the infection is gone. Your system is now clean.
You can remove MBAR, FRST and related files/folders.

Regards.

Reply #28, July 14, 2017, 12:15:38 AM

Louis Lata

Great! Thanks so much, you guys are awesome!

Reply #29, July 14, 2017, 12:25:49 AM

Curson

Hi Louis,

You are welcome. Thanks for the kind words.
I'm glad we were able to help you.

Regards.