System (32 bit) or otherwise called winserv.exe is potentially eating my Laptop

  • RordonGamsey
    PCHF Member
    • Apr 2020
    • 79

    #1

    So today, around 3 hours ago, I attempted to casually boot up a game or two (as I do regularly), and noticed that something was all of a sudden off.
    When I launched my game, I noticed some kind of new lag appear, which I thought meant the graphics settings were at fault. Thinking that was the problem, I played it, it crashed, then I booted up another game.
    When I hopped on into a match, I noticed that this game was lagging too, and so did the other one I booted up.
    This would all be explainable by simply saying "my pc is wearing off", but it doesn't explain how my games could run perfectly one day ago, and then all of a sudden, all of them run like garbage.

    This seemed suspicious to me, so I decided to do some digging and found that system (32 bit) with a gray Windows logo was running in Task Manager. I found online that it's a trojan virus (the removal of which I was not new to), and thought this was going to be a piece of cake to remove and be done with. Oh, how wrong was I.

    The malware doesn't allow you to go to its file location (it crashes File Explorer when you do try). I tried running Windows Security, a full scan (which got stuck at about 75% of the scan and didn't finish) and an offline scan (which finished, but to no avail). Then I tried installing Malwarebit and AdwCleaner, and both of them get closed upon opening them (the Malwarebit installer and adw itself). I tried using Security Task Manager, which gets closed as well. And to **** me off even more, now Task Manager closes itself from time to time, sometimes even leaving it unopenable.

    After all this, I tried running Windows in Safety Mode. There, I uninstalled all suspicious applications (which I really think weren't so) and ran Security Task Manager, which didn't find anything suspicious. I tried running the Malwarebit installer, but I simply couldn't connect to the internet for it to install. AdwCleaner ran, "quarantined" 8 items, but the problem still remained.

    Now I'm sitting here, my pc fans blowing like crazy from simply doing nothing, and writing for help or tips or something, because I am deeply lost and confused and don't know what to do.

    (Attachment 12452)
  • RordonGamsey
    PCHF Member
    • Apr 2020
    • 79

    #2
    Update:

    I managed to quarantine the malware by turning off my firewall and lowering administrative privileges, because APPARENTLY, this virus managed to change my permissions, so I couldn't install a single anti-malware application. Once I quarantined it using Security Task Manager, I noticed that I still can't access any of my privileges, which led to me being unable to uninstall Malwarebit, always showing me this error when I try to open it, and telling me a similar "Loss of permission" message when trying to uninstall it.

    Besides getting rid of Malwarebit and restoring my administrative permission, how do I completely remove the virus, so I can happily live on, knowing it is gone and not quarantined?

    (Attachment 12454)


    • Bruce
      PCHF Moderator
      • Oct 2017
      • 10702

      #3
      hopefully our resident malware removal expert @Malnutrition will be with you as soon as he gets off work! (y)


      • Malnutrition
        PCHF Moderator
        • Jul 2016
        • 7045

        #4
        @RordonGamsey

        Please download the FRST 32 bit or FRST 64 bit version to suit your operating system. It is important FRST is downloaded to your desktop.

        If you are unsure if your operating system is 32 or 64 Bit please go HERE.
        Once downloaded, right click the FRST desktop icon and select "Run as administrator" from the menu.
        (screenshot: icon2.jpg)
        If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST, you can safely allow FRST to proceed.
        FRST will open with two dialogue boxes, accept the disclaimer.
        (screenshot: frst disclaimer.jpg)
        1. Accept the default whitelist options,
        2. If the additions.txt options box is not checked please select it.
        3. Then select Scan
        (screenshot: frst.jpg)
        FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a notepad file.
        (screenshot: 2016-08-12_152002.jpg)
        Please attach the contents of these logs in your next post for review by our Security Team.


        • RordonGamsey
          PCHF Member
          • Apr 2020
          • 79

          #5
          Right off the bat, when I tried running the app, this message popped up. The same goes for any anti-malware (so far as I saw, anti-malware applications) I try to install (besides Security Task Manager, which runs without the message popping up).

          (Attachment 12457)


          • RordonGamsey
            PCHF Member
            • Apr 2020
            • 79

            #6
            Sooooo I tried lowering my permission again, turning off the firewall and still, to no avail. Even tried running it in safe mode - didn't work. And I noticed as well that this message started popping up whenever I restart my computer.

            (Attachment 12458)


            • Malnutrition
              PCHF Moderator
              • Jul 2016
              • 7045

              #7
              @RordonGamsey

              looks like you have a Bitcoin miner.

              Download AV block remover.
              Unzip to your desktop, right click, run as admin and follow the instructions. If it does not start, rename the AVbr.exe file to, for example, AV_br.exe
              Click yes to reset hosts file.
              After the machine reboots there will be a logfile in the new folder created, post that please.

              If it fails to start…

              Right click AVBR.exe and rename it to Svchost.exe (or any other name, just make sure the .exe remains), then right click on SVchost.exe and run as administrator.
              If this fails, then we will skip it.

              Download Autologger to your desktop.
              Disable your Antivirus/Defender prior to running.

              • Unzip it there. If you are unsure how to unzip a program, then use http://www.7-zip.org/
              • Right click Autologger and run as admin. (XP users double click)
              • AVZ4 will open and scan your machine, allow this to complete.
              • Upload Collectionlog.zip to your next reply.


              • RordonGamsey
                PCHF Member
                • Apr 2020
                • 79

                #8
                This is the error I get when trying to run both programs. I had to change the AV blocker name to all the solutions you gave, and this message showed every time. Same goes for the other program, but the other program I had to run in safe mode, because the virus kept closing it.

                It seems so far that the virus has corrupted all of my pc permissions for installations and file managing, at the same time manipulating every attempt at removing it.

                The only place it actually doesn't have control and can't manipulate anything is in safe mode, but there, it can still deny file management, stating that I don't have the permission to change/create/install files.

                (Attachment 12459)


                • Malnutrition
                  PCHF Moderator
                  • Jul 2016
                  • 7045

                  #9
                  Can you run AVBR in safe mode?
                  Or any version of Rkill that I have uploaded in normal mode, then try and run FRST if you are able to get Rkill to run, but do not reboot after running Rkill.

                  The password for Rkill.zip is clean

                  Also, follow instructions here to reset group policy,

                  https://helpdeskgeek.com/how-to/how-...on-windows-10/


                  • RordonGamsey
                    PCHF Member
                    • Apr 2020
                    • 79

                    #10
                    So I ran Rkill and it seemed to finish without any problems, but I still couldn't run FRST, AVBR or AutoLogger. It kept showing the same error "Access Denied" or "Insufficient Permissions". I'll post the Rkill log file (notepad file) below, maybe it will be of help.

                    Besides that, I tried resetting group policy and got this message when I tried doing it through settings, but the same message of "Access Denied, or it was removed" appeared. So much so, that now when I wanted to PrintScreen the message, the search for gpedit.msc doesn't even exist anymore. I tried doing it through the command block, but it showed this message.

                    (Attachment 12470)

                    To sum up, it all circles back to me not having permissions to change, install or access any anti-malware applications.


                    • Malnutrition
                      PCHF Moderator
                      • Jul 2016
                      • 7045

                      #11
                      @RordonGamsey

                      Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
                      Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

                      Item(s) required:
                      • USB Flash Drive (size depends on if you have to create a USB Recovery or Installation media)
                      • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
                      • Another computer (optional: only needed if you cannot work from the infected computer directly)

                      Preparing the USB Flash Drive
                      • Download the right version of FRST for your system:
                          • FRST 32-bit
                          • FRST 64-bit
                        Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
                      • Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive

                      Boot in the Recovery Environment
                      • Plug your USB Flash Drive in the infected computer
                      • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
                          • Restart the computer
                          • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
                          • Use the arrow keys to select Repair your computer, and press on Enter
                          • Select your keyboard layout (US, French, etc.) and click on Next
                          • Click on Command Prompt to open the command prompt
                        Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
                      • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
                        Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
                      • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
                        Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.

                      Once in the command prompt
                      • In the command prompt, type notepad and press on Enter
                      • Notepad will open. Click on the File menu and select Open
                      • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
                      • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
                      • Note: Replace the letter e with the drive letter of your USB Flash Drive
                      • FRST will open
                      • Click on Yes to accept the disclaimer
                      • Click on the Scan button and wait for the scan to complete
                      • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply


                      • RordonGamsey
                        PCHF Member
                        • Apr 2020
                        • 79

                        #12
                        Here it is. IT WORKED DDD


                        • Malnutrition
                          PCHF Moderator
                          • Jul 2016
                          • 7045

                          #13
                          Open notepad. Please copy the contents of the quote box below. Paste this into the open notepad. Save it on the flash drive as fixlist.txt
                          start::
                          CreateRestorePoint:
                          EmptyTemp:
                          CloseProcesses:
                          HKLM\...\Run: [Realtek HD Audio] => C:\ProgramData\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
                          GroupPolicy: Restriction ? <==== ATTENTION
                          Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
                          Task: {0A771D93-5210-425C-AD56-7BD185C877A8} - \Lenovo\ImController\TimeBasedEvents\71862736-6a82-4d16-8632-df00e363b34f → No File <==== ATTENTION
                          Task: {20C9FE37-7402-419D-B07C-8844A4A2AA06} - \Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask → No File <==== ATTENTION
                          Task: {5259042B-C2B5-474A-848B-900D12343C31} - \Lenovo\ImController\TimeBasedEvents\9d3e09dd-9dc6-415e-8ee4-1e9f6136de70 → No File <==== ATTENTION
                          Task: {85ED35E9-8B88-4A52-A6A4-6C5B566E974F} - \Lenovo\ImController\TimeBasedEvents\268b5929-059f-437c-a684-cdb91cc1a5e9 → No File <==== ATTENTION
                          Task: {AAAD73E8-6F45-44D3-8384-3B095A498196} - \Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance → No File <==== ATTENTION
                          Task: {AED13305-5582-4332-8250-8944B9A78975} - \Lenovo\ImController\TimeBasedEvents\0a3dae0f-68d7-48a6-bc39-5ff7f03ba3d2 → No File <==== ATTENTION
                          Task: {BE58A208-F860-464A-9641-7FC0B0328CB4} - \Lenovo\ImController\Lenovo iM Controller Monitor → No File <==== ATTENTION
                          Task: {8C7A385E-7873-41AA-ABEB-8AC0D15699B2} - System32\Tasks\Microsoft\Windows\CheckGlobalO\RecoveryHosts => C:\Programdata\Microsoft\vbffa\script.bat [2803 2023-08-07] () <==== ATTENTION
                          Task: {81FC32FD-4C94-40F4-9871-175131373EC9} - System32\Tasks\Microsoft\Windows\CheckGlobalO\RecoveryTask => C:\Programdata\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
                          Task: {8BE92F4B-C497-48A5-AC00-C4831B1FAC20} - System32\Tasks\Microsoft\Windows\CheckGlobalO\vbffa => C:\Programdata\ReaItekHD\taskhost.exe (No File) <==== ATTENTION
                          Task: {5E4B0D29-F0B3-4ABE-86FC-DA037B7E423B} - System32\Tasks\Microsoft\Windows\WindowsBackup\CashClean => C:\Programdata\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
                          Task: {BBE1A9A0-4CAC-4C95-9B94-DB26F14E0792} - System32\Tasks\Microsoft\Windows\WindowsBackup\MicrosoftCheck => C:\Programdata\ReaItekHD\taskhost.exe (No File) <==== ATTENTION
                          Task: {4EFF07A2-7953-4259-8C6B-3742E5B32299} - System32\Tasks\Microsoft\Windows\WindowsBackup\OnlogonCheck => C:\Programdata\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
                          Task: {C6CD48BD-6466-4353-8887-FC6B8DC93300} - System32\Tasks\Microsoft\Windows\WindowsBackup\WinlogonCheck => C:\Programdata\ReaItekHD\taskhost.exe (No File) <==== ATTENTION
                          Task: {44EA01D7-38AA-4A4A-B2A2-1D3ADE8EEDD7} - System32\Tasks\Microsoft\Windows\Wininet\1Hour => C:\Programdata\Microsoft\vbffa\Game.exe [51460942 2023-06-28] () <==== ATTENTION
                          Task: {D49A0EC0-F413-4951-8C9D-8248807D9394} - System32\Tasks\Microsoft\Windows\Wininet\winser => "C:\ProgramData\Windows Tasks Service\winserv.exe" → Task Service\winserv.exe <==== ATTENTION
                          Task: {AC9BCBB9-F434-4856-8F2F-7861733EBFD3} - System32\Tasks\Microsoft\Windows\Wininet\winsers => "C:\ProgramData\Windows Tasks Service\winserv.exe" → Task Service\winserv.exe <==== ATTENTION
                          S2 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2023-08-07] (Stas'M Corp.) <==== ATTENTION (no ServiceDLL)
                          HKLM-x32\...\Run: [TeamsMachineUninstallerLocalAppData] => %LOCALAPPDATA%\Microsoft\Teams\Update.exe --uninstall --msiUninstall --source=default (No File)
                          HKLM-x32\...\Run: [TeamsMachineUninstallerProgramData] => %ProgramData%\Microsoft\Teams\Update.exe --uninstall --msiUninstall --source=default (No File)
                          Task: {40D588D5-F551-47CE-8DEE-DD2F9502B744} - System32\Tasks\McAfeeTsk\OOBEUpgrader => C:\Program Files\McAfee\MSC\OOBE_Upgrader.exe /Run (No File)
                          Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
                          C:\Programdata\ReaItekHD
                          C:\Programdata\Microsoft\vbffa
                          S2 ImControllerService; %SystemRoot%\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
                          S3 Rockstar Service; "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe"
                          unlock: C:\KVRT2020_Data
                          unlock: C:\KVRT_Data
                          unlock: C:\Program Files\Bitdefender Agent
                          unlock: C:\Program Files\DrWeb
                          unlock: C:\Program Files\ESET
                          unlock: C:\Program Files\Kaspersky Lab
                          unlock: C:\Program Files\Process Lasso
                          unlock: C:\Program Files\Ravantivirus
                          unlock: C:\Program Files (x86)\Kaspersky Lab
                          unlock: C:\Program Files (x86)\Microsoft JDX
                          unlock: C:\Windows\speechstracing
                          unlock: C:\Program Files\Common Files\AV
                          unlock: C:\Program Files\Common Files\Doctor Web
                          unlock: C:\ProgramData\BookManager
                          unlock: C:\ProgramData\ESET
                          unlock: C:\ProgramData\Evernote
                          unlock: C:\ProgramData\FingerPrint
                          unlock: C:\ProgramData\Kaspersky Lab
                          unlock: C:\ProgramData\Kaspersky Lab Setup Files
                          unlock: C:\ProgramData\MB3Install
                          unlock: C:\ProgramData\PuzzleMedia
                          unlock: C:\ProgramData\RobotDemo
                          unlock: C:\ProgramData\WavePad
                          C:\Program Files (x86)\IObit
                          C:\ProgramData\Norton
                          C:\ProgramData\Kaspersky Lab
                          C:\ProgramData\Kaspersky Lab Setup Files
                          C:\ProgramData\ESET
                          C:\ProgramData\Doctor Web
                          C:\ProgramData\AVAST Software
                          C:\ProgramData\360safe
                          C:\Program Files\SUPERAntiSpyware
                          C:\Program Files\SpyHunter
                          C:\Program Files\RogueKiller
                          C:\Program Files\Ravantivirus
                          C:\Program Files\Loaris Trojan Remover
                          C:\Program Files\Kaspersky Lab
                          C:\Program Files\HitmanPro
                          C:\Program Files\ESET
                          C:\Program Files\EnigmaSoft
                          C:\Program Files\Enigma Software Group
                          C:\Program Files\DrWeb
                          C:\Program Files\COMODO
                          C:\Program Files\Common Files\Doctor Web
                          C:\Program Files\Cezurity
                          C:\Program Files\ByteFence
                          C:\Program Files\Bitdefender Agent
                          C:\Program Files\AVG
                          C:\Program Files\AVAST Software
                          C:\Program Files (x86)\SpyHunter
                          C:\Program Files (x86)\Panda Security
                          C:\Program Files (x86)\Kaspersky Lab
                          C:\Program Files (x86)\GRIZZLY Antivirus
                          C:\Program Files (x86)\Cezurity
                          C:\Program Files (x86)\AVG
                          C:\Program Files (x86)\AVAST Software
                          C:\Program Files (x86)\360
                          C:\KVRT2020_Data
                          C:\KVRT_Data
                          C:\ProgramData\Avira
                          C:\WINDOWS\system32\drivers\etc\hosts
                          C:\WINDOWS\system32\drivers\etc\hosts.ics
                          Hosts:
                          CMD: del /f /s /q %windir%\prefetch\*.*
                          CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
                          CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
                          cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
                          cmd: del /s /q "%userprofile%\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data\*.*"
                          cmd: bitsadmin /list /allusers
                          CMD: "%WINDIR%\SYSTEM32\lodctr.exe /R"
                          CMD: "%WINDIR%\SysWOW64\lodctr.exe /R"
                          CMD: "C:\Windows\SYSTEM32\lodctr.exe /R"
                          CMD: "C:\Windows\SysWOW64\lodctr.exe /R"
                          CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
                          cmd: netsh advfirewall reset
                          cmd: netsh advfirewall set allprofiles state On
                          CMD: ipconfig /flushdns
                          C:\Windows\Temp\*.*
                          C:\WINDOWS\system32\*.tmp
                          C:\WINDOWS\syswow64\*.tmp
                          emptytemp:
                          Reboot:
                          End::

                          NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

                          Now please enter System Recovery Environment Command Prompt.

                          Run FRST/FRST64 and press the Fix button just once and wait.
                          The tool will generate a log on the flashdrive (Fixlog.txt) please post it in your reply.

                          Attached the fixlist as well to make things easier. You can move this to the flashdrive.

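The fixlist above is a hand-picked list of the entries FRST marked with ATTENTION. As an added example (not the forum's, the moderator's or FRST's own code), the Python below runs the same kind of checks over constructed FRST-style lines modelled on that fixlist: scheduled tasks filed under Microsoft\Windows that launch a binary from ProgramData, autostarts whose file is gone, a folder name that imitates RealtekHD with a capital I in place of a lowercase l, Group Policy restriction entries of the sort that kept the user's security tools from starting, and a TermService backed by a non-system DLL. The regexes, KNOWN_NAMES, SYSTEM_PREFIXES and the placeholder task GUIDs are assumptions made for this demo.

```python
"""Triage FRST-style log lines for the indicators seen in the fixlist above.

Constructed example: sample lines are modelled on the posted fixlist (placeholder
task GUIDs); KNOWN_NAMES and the regexes are assumptions made for this demo.
"""
import re
from pathlib import PureWindowsPath

# Vendor/system folder names a lookalike directory is likely to imitate.
KNOWN_NAMES = {"realtekhd", "microsoft", "windows"}
# Where the genuine Remote Desktop service DLL lives (assumes Windows on C:).
SYSTEM_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")

# "Task: {GUID} - <task path> => <action>" or "HKLM\...\Run: [name] => <action>",
# optionally followed by FRST's "<==== ATTENTION" marker.
AUTOSTART_RE = re.compile(
    r"^(?:Task: \{[0-9A-Fa-f-]+\} - (?P<task>.+?)|HKLM.*\\Run: \[[^\]]+\])"
    r" => (?P<action>.+?)(?: <==== ATTENTION.*)?$"
)
# "S2 <service>; <binary> [size date] (signer) <==== ATTENTION (no ServiceDLL)"
SERVICE_RE = re.compile(r"^S\d (?P<name>[^;]+); (?P<path>.+?)(?: <==== ATTENTION.*)?$")
POLICY_RE = re.compile(r"^(?:GroupPolicy|Policies): .*Restriction")


def action_path(action: str) -> str:
    """Strip FRST annotations ([size date], (No File), resolved path) from an action."""
    quoted = re.match(r'"([^"]+)"', action)
    if quoted:
        return quoted.group(1)
    return re.split(r" \[| \(No File\)| →", action)[0].strip()


def lookalike_parts(path: str) -> list:
    """Path components that equal a known name only after swapping capital I for l."""
    hits = []
    for part in PureWindowsPath(path).parts:
        if part.lower() in KNOWN_NAMES:
            continue
        if "I" in part and part.replace("I", "l").lower() in KNOWN_NAMES:
            hits.append(part)
    return hits


def triage(line: str) -> list:
    """Return the reasons one log line deserves attention (empty = nothing found)."""
    reasons = []
    line = line.strip()
    if POLICY_RE.match(line):
        reasons.append("policy restriction in place (a common way to stop security tools from launching)")
    m = AUTOSTART_RE.match(line)
    if m:
        target = action_path(m.group("action"))
        task = (m.group("task") or "").lower()
        if task.startswith("system32\\tasks\\microsoft\\windows\\") and target.lower().startswith("c:\\programdata\\"):
            reasons.append(f"task filed under Microsoft\\Windows but runs from ProgramData: {target}")
        if "(No File)" in m.group("action"):
            reasons.append(f"autostart points at a missing file: {target}")
        for part in lookalike_parts(target):
            reasons.append(f"folder '{part}' imitates a known name (capital I in place of lowercase l)")
    s = SERVICE_RE.match(line)
    if s and s.group("name").strip() == "TermService":
        if not s.group("path").strip('"').lower().startswith(SYSTEM_PREFIXES):
            reasons.append(f"TermService (Remote Desktop) backed by a non-system binary: {s.group('path')}")
    return reasons


def triage_lines(lines) -> dict:
    """Map each flagged line to its reasons; clean lines are left out."""
    return {line: reasons for line in lines if (reasons := triage(line))}


SAMPLE_LINES = [  # constructed, modelled on the fixlist in this thread
    r"HKLM\...\Run: [Realtek HD Audio] => C:\ProgramData\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION",
    r"GroupPolicy: Restriction ? <==== ATTENTION",
    r"Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION",
    r"Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\Microsoft\Windows\CheckGlobalO\RecoveryTask => C:\Programdata\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION",
    r'Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\Microsoft\Windows\Wininet\winser => "C:\ProgramData\Windows Tasks Service\winserv.exe" <==== ATTENTION',
    r"Task: {00000000-0000-0000-0000-000000000003} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)",
    r"S2 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2023-08-07] (Stas'M Corp.) <==== ATTENTION (no ServiceDLL)",
    r'S3 Rockstar Service; "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe"',
]
```

Running `triage_lines(SAMPLE_LINES)` flags seven of the eight constructed lines; only the Rockstar service line comes back clean.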

                          • Malnutrition
                            PCHF Moderator
                            • Jul 2016
                            • 7045

                            #14
                            After this fix, I need you to run AVBR in safe mode with networking. Then run FRST in normal mode and post both logs for me.


                            • RordonGamsey
                              PCHF Member
                              • Apr 2020
                              • 79

                              #15
                              Here's the fix log, but sadly, when I tried running AVBR in safe mode with networking, the same error reappeared. A Windows update was scheduled and ran as soon as I turned to safe mode, which maybe could have done something? Besides that, I think the virus removed AVBR altogether, because after returning to normal mode, the path to AVBR on the desktop was deleted, or "doesn't exist". I tried running AutoLogger too, but the same error still appeared. I'm thinking maybe running AVBR the same way I ran FRST, through a USB stick? Will that help in any way?
