How to Fix: Remove CPX, SVCVMX and CT.EXE Malware (SmartService Rootkit)


Infopackets Reader Priscilla writes:

" Dear Dennis,

I am running Windows 10 and my computer seems to be infected with a rootkit from what I read online. In Task Manager's Startup, I have the following programs running: cpx.exe, svcvmx.exe, and ct.exe. I have tried to disable these from startup but I get 'Access denied'. I have tried to download Malwarebytes Antimalware to scan the computer but the setup file simply won't run. I have tried downloading other antivirus programs but Edge reports that the file is corrupt. I have tried resetting Windows 10 but it fails and tells me I cannot reset! I have researched this problem online for many, many hours - with most of the website 'fixes' suggesting I simply scan with Malwarebytes to fix the problem (which doesn't work!) - or that I pay for some third party software I've never heard of to rid myself of this problem. I am leery of installing any of these so-called 'fix it' programs because I know many of them are just scams with empty promises! I NEED HELP BADLY - I can't do anything on my computer, and am willing to pay for your services. Please help! "

My response:

I asked Priscilla if she would like me to connect to her computer using my remote desktop support service, and she agreed.

Everything Priscilla said was true, and I also found a fake Windows service called "WindowsManagementService" running. I tried to stop it but was greeted with an 'Access denied' message. I tried to download the Windows 10 .ISO file onto her machine, but that failed as well.

Researching CPX.EXE, SVCVMX.EXE, CT.EXE: What is it?

After a bit of research online I discovered that this type of malware is indeed a rootkit, dubbed the SmartService Rootkit or SmartService Trojan. Rootkits are especially nefarious because they embed themselves into the Windows operating system before Windows is even loaded, which means they are nearly impossible to remove. This is the reason I kept getting "Access denied" whenever I tried to delete an infected file, or kill its task. This happened even with Administrator privileges and ownership on the files.

Mitigating the Malware Infection: Thoughts and Process

If you don't care about the technical details, you can skip this section and move onto the 'How to Fix' section below.

After more examination I discovered that Priscilla's c:\windows\temp directory was full of files with randomly generated names and similar time stamps - indicative of a malware infection. I cleared out the temp directory as best I could, which is when I discovered two files that would not delete, namely: dataup.zip and svcvmx.zip. After more research I confirmed my suspicions - these files were related to the rootkit. My suspicion was that these files unpacked themselves upon reboot to re-infect the system. For the record, the .ZIP files were password protected so I could not view their contents. At any rate, I knew that if I disabled these files somehow, it would likely kill the infection.

At this point I remembered an old Linux trick - I/O (input/output) redirection on files. Oftentimes if you cannot delete a file or end its task (especially if it's malicious) you can overwrite the file using the command line. This prevents the file from executing again on reboot, because its contents are now garbage rather than a valid executable (or, in this case, a valid archive). This is exactly what I did; after reboot, cpx.exe, svcvmx.exe and ct.exe were no longer running in her startup - however, the fake WindowsManagementService service still reported that it was running. Whether or not this was true was uncertain because I could not find any executables related to the service.

Below I'll explain what I did to stop cpx.exe, svcvmx.exe and ct.exe from executing, in case anyone else has this issue. This should be enough to get most people to the point where they can download and run Malwarebytes or another antimalware utility to clean the rest of the infection (if it exists). It should be noted that rootkits will often install multiple infections, which is why it's important to scan the system - even after the dataup.zip and svcvmx.zip files have been disabled.

How to Fix: Remove CPX, SVCVMX and CT.EXE Malware (SmartService Rootkit)

  1. The first thing you will want to do is open up an administrative command prompt. To do so: click Start, type in "cmd" (no quotes); wait for CMD.EXE or "Command Prompt" to appear in the list, right click it and run as administrator.
     
  2. Highlight the commands below using your mouse

    c:
    cd \
    rem Wipe everything in the temp directory that is not locked (locked files and the directory itself stay behind)
    rmdir /q /s c:\windows\temp
    rem Take ownership of what is left and reset its permissions; output is logged to c:\out.txt and c:\out2.txt
    takeown /f "c:\windows\temp" /r /d y >out.txt
    icacls "c:\windows\temp" /reset /T >out2.txt
    rem Overwrite the two droppers in c:\windows\temp so they can no longer unpack on reboot
    rem (if rmdir already removed the whole directory, these two lines report a missing path, which is fine)
    echo EAT ME >c:\windows\temp\dataup.zip
    echo EAT ME >c:\windows\temp\svcvmx.zip
    rem Dummy line so the last real command above is executed when the block is pasted
    echo this is a dummy line
     
  3. Right click over top of the highlighted text above, then select "Copy" from the dialogue menu. Go back to the command prompt you opened in Step #1 above, then right click in the middle of the window and select "Paste". These commands should effectively disable most of the malware.
     
  4. Now it's time to reboot the system. Before you do that, bookmark this page now in case you need to contact me for additional support. Press CTRL-D on the keyboard to make the bookmark, and click "OK" if necessary. Reboot your machine, as this will destroy the active .EXE files in memory which are infecting your system. Upon reboot, the cpx.exe, svcvmx.exe, and ct.exe files which were part of your Windows Startup (accessible via Task Manager) should now be disabled.
     
  5. With any luck, you should be able to download Malwarebytes Antimalware or any other antivirus / antimalware tool to successfully scan the system. If you receive a message that your download is corrupt (using Microsoft Edge, for example), try using another web browser like Internet Explorer, Chrome, or Firefox to download the same file.
     
  6. After you download Malwarebytes Antimalware or any other free antivirus / antimalware program and have scanned the system, please check to ensure that the fake and malicious "WindowsManagementService" is not running. To do so: click Start, then type in "services.msc" (no quotes); wait for "Services" or "Services.msc" to appear in the list, then click it. The Windows "Services" will be shown; scroll down and look to see if you can find "WindowsManagementService" - if it is listed, double click it to bring up its properties and then look under the "Service status:" heading - it should not say it is running. If it is, you are still infected. In that case, you are welcome to contact me for additional help - described next.
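To verify Steps 4 to 6 without clicking through Task Manager and services.msc by hand, here is a PowerShell check to run from an elevated prompt after the reboot. It is an added example, not part of the original article; the file names, the temp path and the service name come from the article, while the checks themselves (the "PK" ZIP signature test, the Run keys, the Win32_Service lookup) are this example's assumptions.

```powershell
# Post-reboot check for the procedure above. Added example, not from the article.
# File names, temp path and service name come from the article; the checks are
# this example's assumptions. Run from an elevated PowerShell prompt.
$tempDir  = 'C:\Windows\Temp'
$zipNames = @('dataup.zip', 'svcvmx.zip')
$exeNames = @('cpx.exe', 'svcvmx.exe', 'ct.exe')
$svcName  = 'WindowsManagementService'
$problems = @()

# 1. The overwritten droppers. A real ZIP archive begins with the bytes "PK";
#    if either file starts with "PK" again, it has been re-created since reboot.
foreach ($name in $zipNames) {
    $path = Join-Path $tempDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }   # deleted is fine
    $fs = [System.IO.File]::OpenRead($path)
    try { $buf = New-Object byte[] 2; $n = $fs.Read($buf, 0, 2) } finally { $fs.Dispose() }
    if ($n -eq 2 -and $buf[0] -eq 0x50 -and $buf[1] -eq 0x4B) {
        $problems += "$path is a ZIP archive again (re-infection likely)"
    }
}

# 2. The three startup executables should no longer be running.
$procNames = $exeNames | ForEach-Object { $_ -replace '\.exe$', '' }
foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
    $problems += "process $($p.ProcessName) (PID $($p.Id)) is still running"
}

# 3. Run keys that Task Manager's Startup tab reads from.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        foreach ($exe in $exeNames) {
            if ("$($prop.Value)" -match [regex]::Escape($exe)) {
                $problems += "$key\$($prop.Name) still launches $exe"
            }
        }
    }
}

# 4. The fake service (Step 6). Win32_Service also reports the binary the
#    Service Control Manager launches for it, which was hard to locate by hand.
$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
if ($svc) {
    $problems += "service $svcName exists (state: $($svc.State), binary: $($svc.PathName))"
}
if ($problems.Count -eq 0) { 'No trace of cpx/svcvmx/ct or WindowsManagementService found.' }
else { $problems | ForEach-Object { "STILL INFECTED: $_" } }
```

The article treats a running WindowsManagementService as proof of infection; the check reports the service whenever it still exists, with its state, so a stopped-but-present service is not overlooked.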

Additional 1-on-1 Support: From Dennis

This particular rootkit / malware was especially difficult to remove due to the 'Access denied' errors. The nature of a rootkit is to embed itself so deeply in a system that it is very, very, very difficult to remove. If your system is infected with this pervasive malware and you need help removing it - I can help using my remote desktop support service. Simply contact me, briefly describing the issue, and I will get back to you as soon as possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question -- or even a computer problem that needs fixing -- please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are broad and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.


Comments


(Priscilla; Infected Computer spoken of above)

I had been experiencing multiple issues for quite some time. To the point of basically putting this computer in a closet and calling it a loss. I stumbled upon Dennis and thank the stars I did! I watched the above process mentioned in action and can attest that this was not an easy task! I am not certain exactly how I got this infection but will be honest with my activity leading up:
I had tried to download a free trial and hack for quicken.
I received a notification from "Kaspersky" for PC clean up (yes I fell for it and yes I paid.) (I believe Dennis already has an article about this.)

Please be very diligent when surfing and downloading things. Remember the adage that "You get what you pay for."

On a side note: Dennis was an awesome technician! I have his information saved and will be using him exclusively for all my IT needs.