GrantClark209

Requested Resource Is In Use Error - svcvmx.exe Help


Trying to get rid of a rootkit-related Trojan from what I can tell from my searches on the internet. While trying to run Malwarebytes Anti-Rootkit, I keep getting an error with requested resource in use. I've currently tried downloading mbar-1.09.3.1001 from your site, followed the instructions at the forum post below, and tried running either of these programs within safe mode with networking. From what I can tell this svcvmx.exe is causing my problems. Also, not sure if it's relevant, but I was unable to boot in safe mode with networking using the Windows 10 "Shift-Restart" method and had to enable the legacy F8 safe mode method from the admin command prompt.

 


Hi GrantClark209 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

In order to follow the instructions in the tutorial below, you need to download the MBAR linked in it, and not the one straight from Malwarebytes' website.


I have a folder on my desktop labelled "mbar" and I tried running mbar.exe from said folder while in safe mode. Is this the MBAR link you're referring to for me to download? On the other forum post I followed those instructions and was able to get to the screen where it chose a destination location. I waited a bit but the mbar program did not start (I assume by the instructions it's supposed to launch automatically after installation). I navigated to the mbar folder on my desktop and tried to launch the mbar.exe file in safe mode like I said above, but it still gave me the error that the requested resource was in use.


Although I have nothing running regarding MalwareBytes I'm unable to delete the folder "mbar" that contains "mbar.exe". Not sure if this is an issue and/or if I should continue to just download it from the link you sent (which does look familiar and I'm 100% confident that I have already downloaded mbar from that link. I'll re-download it from there once everything regarding mbar is deleted, just disclosing that in the interest of clarity).


And just as a heads-up, I'll be leaving here shortly and will be gone for a few hours and/or may not be able to reply until later tonight or tomorrow (PST time zone). Thanks and I hope to receive your help shortly Aura. :)


Aura,

[Below is a rough explanation of what I did but I feel that the numbered steps are better explained and explain more of what I did. I included both in case one may offer a better explanation than the other.]

I'm back, and I was able to delete the remaining folder using the resource monitor and ending the processes "net.exe" and "net1.exe" when searching "mbar" in the associated handles. I have since downloaded the .exe file from the link you sent as it is the same as before. I am unable to run mbar.exe still. I'm not sure if this information is useful but when searching "mbar" in associated handles like before, "net.exe" and "net1.exe" appear once again in addition to "cmd.exe" and "mbar-1.09.4.1001.exe" and I am not unable to end the process "net.exe". 

 

Although it might not make sense, I'm just going to describe what I just did in the interest of (potential) clarity and full disclosure to hopefully help you understand what's going on. I apologize if any of this is information that is not useful in trying to diagnose my issue.

 

1) Deleted the previous mbar folder.
2) Reinstalled the mbar folder from the link you sent me.
3) Tried to launch mbar.exe with no success (same error regarding resource being used)
4) Searched "mbar" under Associated Handles in the CPU section of the Windows 10 Resource Monitor.
5) Saw the following: "cmd.exe", "mbar-1.09.4.1001.exe", "net.exe", and "net1.exe".
6) Tried to end the process "net.exe" like I had done before which helped to delete the mbar folder when it said it was in use. When I tried this I was given a sort of error message which I can't remember nor get back to, but the result was a greyed-out "End Process" button when right-clicking "net.exe". From there I was successfully able to end the process "net1.exe" with no errors.
7) I tried to execute mbar.exe with the same error of resource being used, and returned to the Resource Monitor. This time, however, I initially saw no entries under Associated Handles, but upon refreshing a few times and trying to re-launch mbar.exe once more, "explorer.exe" is now listed twice as associated handles.

That is the extent of which I have been able to get. I won't do anything else because I see that your thread mentions not trying to go to other pages for help and while I have contacted nobody regarding this issue other than you I feel that I might be doing more harm than good in trying to actually resolve this issue, both on my computer and for general understanding of what the issue might be. Sorry for that but I hope this doesn't hinder your ability to help me and I'll await further instructions to hopefully get mbar up and running.

Thanks,

Grant

 

EDIT: I'll likely be leaving my computer for the time being but I'll respond to you as soon as I am back on my computer. (Likely tomorrow PST)


Thank you for the explanation.

Now I would like you to try 2 things. First, if you run the mbar.cmd file inside the MBAR folder, does it launch MBAR properly? If not, if you rename MBAR.exe to something else (like test.exe) and launch it, does it work?


Sorry for the delayed response. So I was able to get a somewhat small window of mbar.exe running I do believe and was in the middle of performing a scan. I couldn't see the progress bar so I can't gauge how far along the scan was when I got a blue screen with a "BAD_POOL_HEADER" stop code. I'll try it once more to see if I get the same error and I'll be sure to make an edit to this reply once I do with the results. Also in the scan it had detected two malware in the system.

 

EDIT: I won't be testing it again tonight because what I forgot to mention was that I got an indication to potentially update the software. Let me know if this is something I should do and I'll proceed from there. Will be travelling the next few days so if my responses are further delayed I apologize.

Thanks,

Grant


Once you manage to launch a new scan with MBAR, just check the Drivers checkbox prior to launching the scan. Uncheck Sectors and System.


So I'm not seeing any checkboxes. Am I to still use the mbar.cmd file to open the scanner? With mbar.cmd I get asked whether or not I want to Update and if I don't it just automatically does the scan. And I can't launch mbar.exe successfully. Also no longer in safe mode so let me know if that's an issue.


Ok I tried doing that and I bluescreened again. Didn't get a good look at the stopcode though, let me know if you'd like me to repeat the scan.

 

2 hours ago, GrantClark209 said:

Oh hold on, I do see checkboxes but they're all overlapped and hard to tell which is what.

Do you use a custom zoom in the Display Options? If so, set it back to 100% and you should see them clearly. If you run MBAR with only the "Drivers" checkbox selected, it should go through.


Yeah I was able to make sure it was selected on drivers only. Still can't figure out why the window is so small but I suppose it's not an issue as long as I can work with it. So anyhow, I was able to run the scan and start the cleanup process (there's a checkbox I couldn't really read about "Restore" but I just left it checked off). Once it queued me for a restart, I clicked restart but my computer halted during the restart phase and the processing indicator (that swirly loading thing) also stopped and I was eventually forced to turn off my computer and turn it back on. I'll run the scan again and see how it goes once more and make an edit to this reply with any results. Also it did detect one malware whatnot in the first scan.

 

Performed the scan again and no malware was detected.


Awesome :) Can you attach the "mbar-log-TODAY'S-DATE.txt" that is in the MBAR folder?


However, I still see a vmxclient.exe on my task manager which I believe to also be a virus and seems to eat at my cpu usage often. Should I run the entire program (all boxes selected)?


Not yet. Now that MBAR detected and removed the driver, you should be able to install and run a scan with Malwarebytes.

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends on your system and computer specs;
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button;
    • If it asks you to restart your computer to complete the removal, do so;
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply;


Okay so I did everything and I've restarted my computer after doing the whole "Quarantine Selected" stuff but I can't locate the "Export Summary" button.


Open Malwarebytes and go in the Reports tab. From there, select the latest (most recent) Scan entry and double-click on it. In the window that will open, click on the Export button in the bottom-left corner and select Copy to clipboard. Once done, simply paste (Ctrl + V) it here.


Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/9/17
Protection Event Time: 7:45 PM
Log File: 
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 
Update Package Version: 
License: Trial

-System Information-
OS: Windows 10 (Build 15063.540)
CPU: x64
File System: NTFS
User: System

-Blocked Malware Details-
File: 1
Trojan.Clicker, C:\Users\grant\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe, Quarantined, [21], [383807],


(end)


This is a protection event log. Look for an entry called "Scan".
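
A small triage script for the text export posted above, as an added example that is not part of the original thread or Malwarebytes' own tooling: it splits the log into its `-Section-` blocks, reports whether the header marks it as a protection event (the log type identified in the reply above), and extracts each detection row. The sample is the thread's log embedded as constructed input, the function names are hypothetical, and file paths containing commas are not handled.

```python
import re

# Constructed input: the relevant lines of the log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes
-Log Details-
Protection Event Date: 8/9/17
Protection Event Time: 7:45 PM
Administrator: Yes

-Blocked Malware Details-
File: 1
Trojan.Clicker, C:\Users\grant\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe, Quarantined, [21], [383807],

(end)
"""

SECTION = re.compile(r"^-(.+)-$")  # section headers look like "-Log Details-"

def parse_log(text):
    """Split the export into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and line and line != "(end)":
            current.append(line)
    return sections

def log_kind(sections):
    """'protection-event' if the header carries Protection Event fields, else 'other'."""
    keys = [l.split(":", 1)[0] for l in sections.get("Log Details", [])]
    return "protection-event" if any(k.startswith("Protection Event") for k in keys) else "other"

def detections(sections):
    """Rows of the form 'threat, path, action, ...' from every *Details section."""
    rows = []
    for name, lines in sections.items():
        if name == "Log Details" or not name.endswith("Details"):
            continue
        for line in lines:
            parts = [p.strip() for p in line.split(",")]
            if len(parts) >= 3 and "\\" in parts[1]:  # skip counters such as "File: 1"
                rows.append({"threat": parts[0], "path": parts[1], "action": parts[2]})
    return rows

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(log_kind(parsed), detections(parsed))
```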


When I run the scan again though it finds 10 things and when I try to quarantine them it would be stuck in that loading screen with 0/10 items quarantined.

This topic is now closed to further replies.
