Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Procces is in use. Can't run or install any program accept FRST

Started by RowanJak , Jun 14 2017 09:16 PM

Please log in to reply

#1
RowanJak

Posted 14 June 2017 - 09:16 PM

Member

Member
10 posts

As the title states i cant install any anti-virus, i get the process is in use error, some file ive found that im pretty sure is the virus are called, ntuserlitelist, and a program called ct.exe.

The ONLY thing i have found that runs is FRST, i ran a scan and a fix the fix logs are attached, i still could not install AVG or Malwarebites.

Thanks in advance please ask if you need any other info.

All things attempted already:

I have located each file throu the file paths and attempted to edit/delete them. I either encounter Acces Denied or Req permision from Admistrators\Nick. I am logged in as that admin and have attempted to delete them through admin cmd promt.

I have also tried deleting the code with notepadd++ to attempt to break the program, this did help to some extent. I gained some results: It no longer consumed large ammounts of the cpu and the redirects on my broswer stopped, however i still could not install or run any anti-malware/virus remover. This lasted for roughly 3 days before everything repaired itself.

I just realised i attached the wrong files. those or docs i coppied when tracing file paths. will get the logs from my comp

Attached Files

Fixlog.txt 21.68KB 594 downloads
fixlist.txt 14.3KB 594 downloads

Edited by RowanJak, 14 June 2017 - 09:50 PM.

#2
RowanJak

Posted 14 June 2017 - 09:54 PM

Member

Topic Starter
Member
10 posts

These are a fresh scan

Attached Files

FRST.txt 34.33KB 646 downloads
Addition.txt 55.54KB 923 downloads

#3
zep516

Posted 14 June 2017 - 10:53 PM

Trusted Helper

Malware Removal
8,093 posts

Hello,

Hi! My name is zep516 and Welcome to Geekstogo!
I'll do the best I can to resolve your computer issue
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue Stop and ask! Never be afraid to ask questions!

Let Malwarebytes run and stay away from the computer, in other words don't wait for the scan to finish as it could take a while up to 2 hours, don't move the mouse around close all aps & browsers.

Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
Right-Click MBAR.exe and select Run as administrator to run the installer.
Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
Click Next, followed by Update. Upon update completion, click Next.
Ensure Drivers, Sectors & System are checked and click Scan.
Note: Do not use your computer during the scan.
Upon completion:
- If no infection is found, close the MBAR window.
- If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

#4
RowanJak

Posted 14 June 2017 - 10:59 PM

Member

Topic Starter
Member
10 posts

Thanks for the quick reply. I downloaded and extracted it, but the program never started on its own, i gave it about 5 mins before i attempted to start it from the file. I received process in use error again.

#5
zep516

Posted 14 June 2017 - 11:10 PM

Trusted Helper

Malware Removal
8,093 posts

Hello,

Reboot the computer an try again.

Malwarebytes Antirootkit also created a folder on the desktop MBAR, Open the folder Find MBAR and run it from there.

Try running in safemode.

Re-download it if needed.

Rename MBAR to test.exe

I'm signing off as it's very late here.

Keep trying you will get it, once it starts don't interfere with the computer, there's about 1500 or more infected files with this infection.

#6
RowanJak

Posted 14 June 2017 - 11:21 PM

Member

Topic Starter
Member
10 posts

I've restarted 5 times and continue to receive proccess in use even after trying to rename the file to many difernt thing (test.exe being used first)

#7
zep516

Posted 14 June 2017 - 11:27 PM

Trusted Helper

Malware Removal
8,093 posts

Try running from the MBAR folder.

I'm working with another person here with the same infection.
http://www.geekstogo...urce-is-in-use/

#8
RowanJak

Posted 14 June 2017 - 11:30 PM

Member

Topic Starter
Member
10 posts

Yes thats what i did, tried again still same error, tried renaming to test.exe and still same error. Edit: Tried both running as admin and not

Update: I still cannot get the program to run, ive lost count howmany times ive restarted, ive tried running safemode without netwrking and alternate shell. In alternate shell i received the error "system cannot execute the specified program".

Edited by RowanJak, 15 June 2017 - 09:31 AM.

#9
zep516

Posted 15 June 2017 - 04:41 PM

Trusted Helper

Malware Removal
8,093 posts

There's 2 MBAR'S files in the folder make sure you try them both.

I'm currently consulting with someone and will be with you as soon as possible.

Thanks
Joe

#10
RowanJak

Posted 15 June 2017 - 04:43 PM

Member

Topic Starter
Member
10 posts

Thanks, i have tried both of them, and tried renaming both of them as well.

#11
zep516

Posted 15 June 2017 - 04:46 PM

Trusted Helper

Malware Removal
8,093 posts

Lets see if FRST can budge anything, I doubt it.

Delete any fixlist you have already on the computer.

Next
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

start
CloseProcesses:
CreateRestorePoint:
Task: {AB1FBBCC-78CB-44A4-82AE-2A202A5A66F4} - \AdobeAAMUpdater-1.0-valgrind-Administrator -> No File <==== ATTENTION
Task: {E0992331-57FF-4205-9C14-D01F1D455379} - \Driver Booster SkipUAC (Administrator) -> No File <==== ATTENTION
HKLM-x32\...\Run: [cpx] => "C:\Users\Nick\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
Unlock: C:\Users\Nick\AppData\Local\ntuserlitelist
HKLM-x32\...\Run: [svcvmx] => C:\Users\Nick\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-04-21] ()
C:\Users\Nick\AppData\Local\ntuserlitelist
"drmkpro64" => service could not be unlocked. <===== ATTENTION
S2 Dataup; C:\Program Files\ntuserlitelist\dataup\dataup.exe [0 2017-06-11] () <==== ATTENTION (zero byte File/Folder) <==== ATTENTION
S2 windowsmanagementservice; C:\Users\Administrator\AppData\Local\snqbji\myojh\ct.exe [0 2017-06-11] () <==== ATTENTION (zero byte File/Folder) <==== ATTENTION
C:\Users\Administrator\AppData\Local\snqbji
R5 drmkpro64;  <===== ATTENTION: Locked Service
S3 iobit_monitor_server; \??\C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\drivers\Monitor_x64.sys [X]
S3 netwlv64; \SystemRoot\system32\DRIVERS\netwlv64.sys [X]
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
2017-06-11 10:56 - 2017-06-11 10:56 - 00001583 _____ C:\Users\Administrator\Desktop\ct.exe.lnk
2017-06-11 09:55 - 2017-06-11 09:55 - 00001295 _____ C:\Users\Administrator\Desktop\svcvmx.lnk
2017-06-10 22:09 - 2017-06-11 12:36 - 00000000 ____D C:\Program Files\ntuserlitelist
2017-06-03 08:52 - 2017-06-10 21:45 - 00000000 ____D C:\Program Files\NTUSERLITELIST.del
2017-06-03 08:39 - 2017-06-03 08:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\c
2017-06-03 08:39 - 2017-06-03 08:39 - 00000000 ____D C:\Users\Administrator\AppData\Local\snqbji
2017-06-03 08:39 - 2017-06-03 08:39 - 00000000 ____D C:\Users\Administrator\AppData\Local\lxkvpcq
2017-02-22 22:01 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-2148.exe
2017-02-22 22:05 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-2216.exe
2017-01-24 20:36 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-3864.exe
2017-01-24 20:35 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-4720.exe
2017-01-24 20:36 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-4728.exe
2017-01-24 20:34 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-5056.exe
2017-01-30 05:59 - 2017-01-30 05:59 - 0065280 _____ () C:\Users\Administrator\AppData\Local\Temp\utils.dll
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f
hosts:
Emptytemp:

Click Format and ensure Wordwrap is unchecked.
Save as Fixlist.txt to your Desktop (Must be in this location)
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

#12
RowanJak

Posted 15 June 2017 - 04:55 PM

Member

Topic Starter
Member
10 posts

Done. Here is the Fixlog

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-06-2017 01

Ran by Nick (15-06-2017 17:51:20) Run:2

Running from C:\Users\Nick\Desktop

Loaded Profiles: Nick (Available Profiles: Nick)

Boot Mode: Normal

==============================================

fixlist content:

*****************

start

CloseProcesses:

CreateRestorePoint:

Task: {AB1FBBCC-78CB-44A4-82AE-2A202A5A66F4} - \AdobeAAMUpdater-1.0-valgrind-Administrator -> No File <==== ATTENTION

Task: {E0992331-57FF-4205-9C14-D01F1D455379} - \Driver Booster SkipUAC (Administrator) -> No File <==== ATTENTION

HKLM-x32\...\Run: [cpx] => "C:\Users\Nick\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION

Unlock: C:\Users\Nick\AppData\Local\ntuserlitelist

HKLM-x32\...\Run: [svcvmx] => C:\Users\Nick\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-04-21] ()

C:\Users\Nick\AppData\Local\ntuserlitelist

"drmkpro64" => service could not be unlocked. <===== ATTENTION

S2 Dataup; C:\Program Files\ntuserlitelist\dataup\dataup.exe [0 2017-06-11] () <==== ATTENTION (zero byte File/Folder) <==== ATTENTION

S2 windowsmanagementservice; C:\Users\Administrator\AppData\Local\snqbji\myojh\ct.exe [0 2017-06-11] () <==== ATTENTION (zero byte File/Folder) <==== ATTENTION

C:\Users\Administrator\AppData\Local\snqbji

R5 drmkpro64; <===== ATTENTION: Locked Service

S3 iobit_monitor_server; \??\C:\Program Files (x86)\IObit\Advanced SystemCare Ultimate\drivers\Monitor_x64.sys [X]

S3 netwlv64; \SystemRoot\system32\DRIVERS\netwlv64.sys [X]

S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]

S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]

2017-06-11 10:56 - 2017-06-11 10:56 - 00001583 _____ C:\Users\Administrator\Desktop\ct.exe.lnk

2017-06-11 09:55 - 2017-06-11 09:55 - 00001295 _____ C:\Users\Administrator\Desktop\svcvmx.lnk

2017-06-10 22:09 - 2017-06-11 12:36 - 00000000 ____D C:\Program Files\ntuserlitelist

2017-06-03 08:52 - 2017-06-10 21:45 - 00000000 ____D C:\Program Files\NTUSERLITELIST.del

2017-06-03 08:39 - 2017-06-03 08:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\c

2017-06-03 08:39 - 2017-06-03 08:39 - 00000000 ____D C:\Users\Administrator\AppData\Local\snqbji

2017-06-03 08:39 - 2017-06-03 08:39 - 00000000 ____D C:\Users\Administrator\AppData\Local\lxkvpcq

2017-02-22 22:01 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-2148.exe

2017-02-22 22:05 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-2216.exe

2017-01-24 20:36 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-3864.exe

2017-01-24 20:35 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-4720.exe

2017-01-24 20:36 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-4728.exe

2017-01-24 20:34 - 2012-02-13 15:41 - 0314784 _____ () C:\Users\Administrator\AppData\Local\Temp\Uninstaller-5056.exe

2017-01-30 05:59 - 2017-01-30 05:59 - 0065280 _____ () C:\Users\Administrator\AppData\Local\Temp\utils.dll

unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64

reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f

unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice

reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f

hosts:

Emptytemp:

*****************

Processes closed successfully.

Restore point was successfully created.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AB1FBBCC-78CB-44A4-82AE-2A202A5A66F4} => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB1FBBCC-78CB-44A4-82AE-2A202A5A66F4} => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AdobeAAMUpdater-1.0-valgrind-Administrator => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E0992331-57FF-4205-9C14-D01F1D455379} => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E0992331-57FF-4205-9C14-D01F1D455379} => key removed successfully

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Driver Booster SkipUAC (Administrator) => key removed successfully

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.

"C:\Users\Nick\AppData\Local\ntuserlitelist" => was unlocked

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.

C:\Users\Nick\AppData\Local\ntuserlitelist => moved successfully

"drmkpro64" => service could not be unlocked. <===== ATTENTION => Error: No automatic fix found for this entry.

HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected

HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected

C:\Users\Administrator\AppData\Local\snqbji => moved successfully

drmkpro64 => Unable to stop service.

HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove. Access Denied.

HKLM\System\CurrentControlSet\Services\iobit_monitor_server => key removed successfully

iobit_monitor_server => service removed successfully

HKLM\System\CurrentControlSet\Services\netwlv64 => key removed successfully

netwlv64 => service removed successfully

HKLM\System\CurrentControlSet\Services\vmci => key removed successfully

vmci => service removed successfully

HKLM\System\CurrentControlSet\Services\VMnetAdapter => key removed successfully

VMnetAdapter => service removed successfully

Could not move "C:\Users\Administrator\Desktop\ct.exe.lnk" => Scheduled to move on reboot.

Could not move "C:\Users\Administrator\Desktop\svcvmx.lnk" => Scheduled to move on reboot.

C:\Program Files\ntuserlitelist => moved successfully

C:\Program Files\NTUSERLITELIST.del => moved successfully

C:\Users\Administrator\AppData\Roaming\c => moved successfully

"C:\Users\Administrator\AppData\Local\snqbji" => not found.

C:\Users\Administrator\AppData\Local\lxkvpcq => moved successfully

C:\Users\Administrator\AppData\Local\Temp\Uninstaller-2148.exe => moved successfully

C:\Users\Administrator\AppData\Local\Temp\Uninstaller-2216.exe => moved successfully

C:\Users\Administrator\AppData\Local\Temp\Uninstaller-3864.exe => moved successfully

C:\Users\Administrator\AppData\Local\Temp\Uninstaller-4720.exe => moved successfully

C:\Users\Administrator\AppData\Local\Temp\Uninstaller-4728.exe => moved successfully

C:\Users\Administrator\AppData\Local\Temp\Uninstaller-5056.exe => moved successfully

C:\Users\Administrator\AppData\Local\Temp\utils.dll => moved successfully

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" => key could not be unlocked

========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f =========

ERROR: Access is denied.

========= End of Reg: =========

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" => key was unlocked

========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f =========

ERROR: Access is denied.

========= End of Reg: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully

Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B

DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10599280 B

Java, Flash, Steam htmlcache => 7012181 B

Windows/system/drivers => 25792368 B

Edge => 0 B

Chrome => 11678778 B

Firefox => 0 B

Opera => 90837063 B

Temp, IE cache, history, cookies, recent:

Default => 0 B

Users => 0 B

ProgramData => 0 B

Public => 0 B

systemprofile => 27011 B

systemprofile32 => 128 B

LocalService => 490964 B

NetworkService => 1331646 B

UpdatusUser => 0 B

Nick => 336424798 B

RecycleBin => 0 B

EmptyTemp: => 469.8 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 15-06-2017 17:53:25)

"C:\Users\Administrator\Desktop\ct.exe.lnk" => Could not move

"C:\Users\Administrator\Desktop\svcvmx.lnk" => Could not move

Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected

HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected

HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove. Access Denied.

==== End of Fixlog 17:53:25 ====

#13
zep516

Posted 15 June 2017 - 05:01 PM

Trusted Helper

Malware Removal
8,093 posts

Next

Download AdwCleaner from here. Save the file to the desktop.
NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.
Close all open windows and browsers.

XP users: Double click the AdwCleaner icon to start the program.
Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

Click the Scan button and wait for the scan to finish.
After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
Click the Clean button.
Everything checked will be moved to Quarantine.
When the program has finished cleaning a report appears.Once done it will ask to reboot, allow this

On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

#14
RowanJak

Posted 15 June 2017 - 05:03 PM

Member

Topic Starter
Member
10 posts

Downloaded and saved to desktop, right-clicked and ran as admin, received resource is in use error

#15
zep516

Posted 15 June 2017 - 05:09 PM

Trusted Helper

Malware Removal
8,093 posts

FRST moved a few things, so lets try MBAR again

Please delete your copy of MBAR on the desktop and the folder,

Re-download MBAR per instruction below:

https://forums.malwa...t-malwarebytes/