
Solved System (32 bit), otherwise called winserv.exe, is potentially eating my Laptop


RordonGamsey

PCHF Member
Apr 5, 2020
So today, around 3 hours ago, I attempted to casually boot up a game or two (as I do regularly), and noticed that something was all of a sudden off.
When I launched my game, I noticed some kind of new lag appear, and I thought that the graphics settings were at fault. Thinking that was the problem, I played it, it crashed, then I booted up another game.
When I hopped into a match, I noticed that this game was lagging too, and so did the other one I booted up.
This would all be explainable by simply saying "my PC is wearing out", but it doesn't explain how my games could run perfectly one day ago, and then all of a sudden, all of them run like garbage.

This seemed suspicious to me, so I decided to do some digging and found that System (32 bit) with a gray Windows logo was running in Task Manager. I found online that it's a trojan virus (the removal of which I was not new to), and thought this was going to be a piece of cake to remove and be done with. Oh how wrong was I.

The malware doesn't allow you to go to its file location (it crashes File Explorer when you do try). I tried running Windows Security, full scan (which got stuck at about 75% of the scan and didn't finish) and an offline scan (which finished, but to no avail). Then I tried installing Malwarebytes and AdwCleaner, and both of them get closed upon opening them (the Malwarebytes installer and AdwCleaner itself). I tried using Security Task Manager, which gets closed as well. And to piss me off even more, now Task Manager closes itself from time to time, sometimes even leaving it unopenable.

After all this, I tried running Windows in Safe Mode. There, I uninstalled all suspicious applications (which I really think weren't so) and ran Security Task Manager, which didn't find anything suspicious. I tried running the Malwarebytes installer, but I simply couldn't connect to the internet for it to install. AdwCleaner ran, "quarantined" 8 items, but the problem still remained.

Now I'm sitting here, my PC fans blowing like crazy from simply doing nothing, and writing for help or tips or something, because I am deeply lost and confused and don't know what to do.

Update:

I managed to quarantine the malware by turning off my firewall and lowering administrative privileges, because APPARENTLY this virus managed to change my permissions, so I couldn't install a single anti-malware application. Once I quarantined it using Security Task Manager, I noticed that I still can't access any of my privileges, which led to me being unable to uninstall Malwarebytes; it always shows me this error when I try to open it, and a similar "Loss of permission" message when trying to uninstall it.

Besides getting rid of Malwarebytes and restoring my administrative permissions, how do I completely remove the virus, so I can happily live on, knowing it is gone and not just quarantined?

@RordonGamsey

Please download the FRST 32-bit or FRST 64-bit version to suit your operating system. It is important that FRST is downloaded to your desktop.

If you are unsure if your operating system is 32 or 64 Bit please go HERE.
Once downloaded, right click the FRST desktop icon and select "Run as administrator" from the menu.
If you receive any security warnings, or the User Account Control warning opens at any time whilst using FRST you can safely allow FRST to proceed.
FRST will open with two dialogue boxes, accept the disclaimer.

  1. Accept the default whitelist options,
  2. If the additions.txt options box is not checked please select it.
  3. Then select Scan
FRST will take a few minutes to scan your computer, and when finished will produce two log files on your desktop, FRST.txt and Addition.txt. They will display immediately on the desktop, but can be reopened later as a Notepad file.


Please Attach the contents of these logs in your next post for review by our Security Team
 
Right off the bat, when I tried running the app, this message popped up. The same goes for any anti-malware (so far as I saw, anti-malware applications) I try to install (besides Security Task Manager, which runs without the message popping up.


1691594109362.png
 
Sooooo I tried lowering my permission again, turning off firewall and still, to no avail. Even tried running it on safe mode - didn't work. and I noticed aswell, that this message started popping up whenever I restart my computer.
1691594651453.png
 
@RordonGamsey

looks like you have a Bitcoin miner.

Download AV block remover.
Unzip to your desktop, right click, run as admin and follow the instructions. If it does not start, rename the AVbr.exe file to, for example, AV_br.exe
Click yes to reset hosts file.
After the machine reboots then there will be a logfile in the new folder created, post that please.

If it fails to start....


Right click AVBR.exe and rename it to Svchost.exe, (or any other name just make sure the .exe remains) then right click on SVchost.exe and run as administrator.
If this fails, then we will skip it.



Download Autologger to your desktop.
Disable your Antivirus/Defender prior to running.

  • Unzip it there. -- If you are unsure how to unzip a program, then use ---- http://www.7-zip.org/ ----
  • Right click Autologger and run as admin. (Xp user double click)
  • AVZ4 will open and scan your machine, allow this to complete.
  • Upload Collectionlog.zip to your next reply.
 
This is the error I get when trying to run bot programs. I had to change AV blocker name to all the solutions you gave, to which this message showed every time. Same goes for the other program, but the other program I had to run in safe mode, because the virus kept closing it.

It seems so far, that the virus has corrupted all of my pc permissions for installations and file managing. At the same time, manipulating every attempt at removing it.

The only place it actually doesn't have control and can't manipulate anything is in safe mode, but there, it can still deny file management, stating that I don't have the permission to change/create/install files.
Can you run AVBR in safe mode?
Or any version of Rkill that I have uploaded in normal mode, then try and run FRST if you are able to get Rkill to run, but do not reboot after running Rkill.

The password for Rkill.zip is clean



Also, follow instructions here to reset group policy.

Attachments

  • rkill.zip (821.5 KB)
  • rkillversions.zip (3.2 MB)
So I ran Rkill and it seemed to finish without any problems, but I still couldn't run FRST, AVBR or AutoLogger. It kept showing the same error "Access Denied" or "Insufficient Permissions". I'll post the Rkill log file (Notepad file) below, maybe it will be of help.

Besides that, I tried resetting group policy and got this message when I tried doing it through settings, but the same message of "Access Denied, or it was removed" appeared. So much so, that now when I wanted to PrintScreen the message, the search for gpedit.msc doesn't even exist anymore. I tried doing it through the command block, but it showed this message.

To sum up, it all circles back to me not having permissions to change, install or access any anti-malware applications.

Attachments

  • Rkill.txt (5.1 KB)
@RordonGamsey

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.


Item(s) required:


  • USB Flash Drive (size depend on if you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)



Preparing the USB Flash Drive


  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive



Boot in the Recovery Environment


  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press on Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.



Once in the command prompt


  • In the command prompt, type notepad and press on Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Scan button and wait for the scan to complete
  • A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply
 
Open notepad. Please copy the contents of the quote box below. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

start::
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
HKLM\...\Run: [Realtek HD Audio] => C:\ProgramData\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {0A771D93-5210-425C-AD56-7BD185C877A8} - \Lenovo\ImController\TimeBasedEvents\71862736-6a82-4d16-8632-df00e363b34f -> No File <==== ATTENTION
Task: {20C9FE37-7402-419D-B07C-8844A4A2AA06} - \Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask -> No File <==== ATTENTION
Task: {5259042B-C2B5-474A-848B-900D12343C31} - \Lenovo\ImController\TimeBasedEvents\9d3e09dd-9dc6-415e-8ee4-1e9f6136de70 -> No File <==== ATTENTION
Task: {85ED35E9-8B88-4A52-A6A4-6C5B566E974F} - \Lenovo\ImController\TimeBasedEvents\268b5929-059f-437c-a684-cdb91cc1a5e9 -> No File <==== ATTENTION
Task: {AAAD73E8-6F45-44D3-8384-3B095A498196} - \Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance -> No File <==== ATTENTION
Task: {AED13305-5582-4332-8250-8944B9A78975} - \Lenovo\ImController\TimeBasedEvents\0a3dae0f-68d7-48a6-bc39-5ff7f03ba3d2 -> No File <==== ATTENTION
Task: {BE58A208-F860-464A-9641-7FC0B0328CB4} - \Lenovo\ImController\Lenovo iM Controller Monitor -> No File <==== ATTENTION
Task: {8C7A385E-7873-41AA-ABEB-8AC0D15699B2} - System32\Tasks\Microsoft\Windows\CheckGlobalO\RecoveryHosts => C:\Programdata\Microsoft\vbffa\script.bat [2803 2023-08-07] () <==== ATTENTION
Task: {81FC32FD-4C94-40F4-9871-175131373EC9} - System32\Tasks\Microsoft\Windows\CheckGlobalO\RecoveryTask => C:\Programdata\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
Task: {8BE92F4B-C497-48A5-AC00-C4831B1FAC20} - System32\Tasks\Microsoft\Windows\CheckGlobalO\vbffa => C:\Programdata\ReaItekHD\taskhost.exe (No File) <==== ATTENTION
Task: {5E4B0D29-F0B3-4ABE-86FC-DA037B7E423B} - System32\Tasks\Microsoft\Windows\WindowsBackup\CashClean => C:\Programdata\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
Task: {BBE1A9A0-4CAC-4C95-9B94-DB26F14E0792} - System32\Tasks\Microsoft\Windows\WindowsBackup\MicrosoftCheck => C:\Programdata\ReaItekHD\taskhost.exe (No File) <==== ATTENTION
Task: {4EFF07A2-7953-4259-8C6B-3742E5B32299} - System32\Tasks\Microsoft\Windows\WindowsBackup\OnlogonCheck => C:\Programdata\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
Task: {C6CD48BD-6466-4353-8887-FC6B8DC93300} - System32\Tasks\Microsoft\Windows\WindowsBackup\WinlogonCheck => C:\Programdata\ReaItekHD\taskhost.exe (No File) <==== ATTENTION
Task: {44EA01D7-38AA-4A4A-B2A2-1D3ADE8EEDD7} - System32\Tasks\Microsoft\Windows\Wininet\1Hour => C:\Programdata\Microsoft\vbffa\Game.exe [51460942 2023-06-28] () <==== ATTENTION
Task: {D49A0EC0-F413-4951-8C9D-8248807D9394} - System32\Tasks\Microsoft\Windows\Wininet\winser => "C:\ProgramData\Windows Tasks Service\winserv.exe" -> Task Service\winserv.exe <==== ATTENTION
Task: {AC9BCBB9-F434-4856-8F2F-7861733EBFD3} - System32\Tasks\Microsoft\Windows\Wininet\winsers => "C:\ProgramData\Windows Tasks Service\winserv.exe" -> Task Service\winserv.exe <==== ATTENTION
S2 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2023-08-07] (Stas'M Corp.) <==== ATTENTION (no ServiceDLL)
HKLM-x32\...\Run: [TeamsMachineUninstallerLocalAppData] => %LOCALAPPDATA%\Microsoft\Teams\Update.exe --uninstall --msiUninstall --source=default (No File)
HKLM-x32\...\Run: [TeamsMachineUninstallerProgramData] => %ProgramData%\Microsoft\Teams\Update.exe --uninstall --msiUninstall --source=default (No File)
Task: {40D588D5-F551-47CE-8DEE-DD2F9502B744} - System32\Tasks\McAfeeTsk\OOBEUpgrader => C:\Program Files\McAfee\MSC\OOBE_Upgrader.exe /Run (No File)
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
C:\Programdata\ReaItekHD
C:\Programdata\Microsoft\vbffa
S2 ImControllerService; %SystemRoot%\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [X]
S3 Rockstar Service; "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" [X]
unlock: C:\KVRT2020_Data
unlock: C:\KVRT_Data
unlock: C:\Program Files\Bitdefender Agent
unlock: C:\Program Files\DrWeb
unlock: C:\Program Files\ESET
unlock: C:\Program Files\Kaspersky Lab
unlock: C:\Program Files\Process Lasso
unlock: C:\Program Files\Ravantivirus
unlock: C:\Program Files (x86)\Kaspersky Lab
unlock: C:\Program Files (x86)\Microsoft JDX
unlock: C:\Windows\speechstracing
unlock: C:\Program Files\Common Files\AV
unlock: C:\Program Files\Common Files\Doctor Web
unlock: C:\ProgramData\BookManager
unlock: C:\ProgramData\ESET
unlock: C:\ProgramData\Evernote
unlock: C:\ProgramData\FingerPrint
unlock: C:\ProgramData\Kaspersky Lab
unlock: C:\ProgramData\Kaspersky Lab Setup Files
unlock: C:\ProgramData\MB3Install
unlock: C:\ProgramData\PuzzleMedia
unlock: C:\ProgramData\RobotDemo
unlock: C:\ProgramData\WavePad
C:\Program Files (x86)\IObit
C:\ProgramData\Norton
C:\ProgramData\Kaspersky Lab
C:\ProgramData\Kaspersky Lab Setup Files
C:\ProgramData\ESET
C:\ProgramData\Doctor Web
C:\ProgramData\AVAST Software
C:\ProgramData\360safe
C:\Program Files\SUPERAntiSpyware
C:\Program Files\SpyHunter
C:\Program Files\RogueKiller
C:\Program Files\Ravantivirus
C:\Program Files\Loaris Trojan Remover
C:\Program Files\Kaspersky Lab
C:\Program Files\HitmanPro
C:\Program Files\ESET
C:\Program Files\EnigmaSoft
C:\Program Files\Enigma Software Group
C:\Program Files\DrWeb
C:\Program Files\COMODO
C:\Program Files\Common Files\Doctor Web
C:\Program Files\Cezurity
C:\Program Files\ByteFence
C:\Program Files\Bitdefender Agent
C:\Program Files\AVG
C:\Program Files\AVAST Software
C:\Program Files (x86)\SpyHunter
C:\Program Files (x86)\Panda Security
C:\Program Files (x86)\Kaspersky Lab
C:\Program Files (x86)\GRIZZLY Antivirus
C:\Program Files (x86)\Cezurity
C:\Program Files (x86)\AVG
C:\Program Files (x86)\AVAST Software
C:\Program Files (x86)\360
C:\KVRT2020_Data
C:\KVRT_Data
C:\ProgramData\Avira
C:\WINDOWS\system32\drivers\etc\hosts
C:\WINDOWS\system32\drivers\etc\hosts.ics
Hosts:
CMD: del /f /s /q %windir%\prefetch\*.*
CMD: del /s /q C:\Windows\SoftwareDistribution\download\*.*
CMD: del /s /q "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Cache\*.*"
cmd: del /s /q "%userprofile%\AppData\Local\Opera Software\Opera Stable\Cache\Cache_Data\*.*"
cmd: bitsadmin /list /allusers
CMD: "%WINDIR%\SYSTEM32\lodctr.exe /R"
CMD: "%WINDIR%\SysWOW64\lodctr.exe /R"
CMD: "C:\Windows\SYSTEM32\lodctr.exe /R"
CMD: "C:\Windows\SysWOW64\lodctr.exe /R"
CMD: del /s /q "%userprofile%\AppData\Local\temp\*.*"
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state On
CMD: ipconfig /flushdns
C:\Windows\Temp\*.*
C:\WINDOWS\system32\*.tmp
C:\WINDOWS\syswow64\*.tmp
emptytemp:
Reboot:
End::

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Now please enter System Recovery Environment Command Prompt.

Run FRST/FRST64 and press the Fix button just once and wait.
The tool will generate a log on the flash drive (Fixlog.txt); please post it in your reply.

Attached the fixlist as well to make things easier. You can move this to the flashdrive.
 

Attachments

  • fixlist.txt (6.8 KB)
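A defender-side triage script for FRST-style entries such as the ones in the fixlist above (added example, not the forum's or FRST's code). The sample lines are copied from this thread; the vendor-folder list and the winserv.exe indicator are assumptions made for the example.

```python
"""Flag FRST "Run:", "Task:" and service entries with the traits the fixlist above removes:
persistence executing from C:\\ProgramData, a folder imitating a vendor with a lookalike
character (ReaItekHD: capital I for lowercase l), the winserv.exe name from this thread,
and a TermService whose DLL is not Windows' termsrv.dll."""
import re

# Constructed sample: four entries copied from the fixlist in this thread plus two benign ones.
SAMPLE_LINES = r"""
HKLM\...\Run: [Realtek HD Audio] => C:\ProgramData\ReaItekHD\taskhostw.exe (No File) <==== ATTENTION
Task: {8C7A385E-7873-41AA-ABEB-8AC0D15699B2} - System32\Tasks\Microsoft\Windows\CheckGlobalO\RecoveryHosts => C:\Programdata\Microsoft\vbffa\script.bat [2803 2023-08-07] ()
Task: {D49A0EC0-F413-4951-8C9D-8248807D9394} - System32\Tasks\Microsoft\Windows\Wininet\winser => "C:\ProgramData\Windows Tasks Service\winserv.exe"
S2 TermService; C:\Program Files\RDP Wrapper\rdpwrap.dll [116736 2023-08-07] (Stas'M Corp.)
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe (No File)
S2 TermService; C:\Windows\System32\termsrv.dll [1234567 2023-01-01] (Microsoft Corporation)
""".strip().splitlines()

KNOWN_VENDOR_FOLDERS = ("RealtekHD", "Microsoft", "Windows")  # assumed list, not from FRST
NAMED_IN_THREAD = {"winserv.exe"}                               # file name called out in this thread
# Characters commonly swapped to imitate a name: capital I or digit 1 for l, digit 0 for o.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def extract_target(line):
    """Return the executable/DLL path an FRST entry points at, or None."""
    m = re.search(r"(?:=>|;)\s+(.*)$", line)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"'):  # quoted path, may contain spaces
        end = rest.find('"', 1)
        return rest[1:end] if end > 1 else None
    # Unquoted: the path ends before FRST's " [size date]", " (company)",
    # " <==== ATTENTION" or " -> " annotations; " (x86)" is part of the path.
    return re.split(r"\s+(?:\[|\((?!x86\))|<====|->)", rest, maxsplit=1)[0].strip()


def is_lookalike(name, vendor):
    """True when name differs from vendor only by confusable characters (case ignored)."""
    fold = lambda s: s.translate(CONFUSABLES).lower()
    return name.lower() != vendor.lower() and fold(name) == fold(vendor)


def triage(lines):
    """Return (line_no, target, reasons) for every entry that trips a check."""
    findings = []
    for no, line in enumerate(lines, 1):
        target = extract_target(line)
        if not target:
            continue
        parts = target.split("\\")
        reasons = []
        if "\\programdata\\" in target.lower():
            reasons.append("executes from ProgramData")
        if parts[-1].lower() in NAMED_IN_THREAD:
            reasons.append(f"file name {parts[-1]} named in thread")
        for part in parts:
            for vendor in KNOWN_VENDOR_FOLDERS:
                if is_lookalike(part, vendor):
                    reasons.append(f"folder {part} imitates {vendor}")
        if re.match(r"[SR]\d\s+TermService;", line) and parts[-1].lower() != "termsrv.dll":
            reasons.append("TermService uses a non-default DLL")
        if reasons:
            findings.append((no, target, reasons))
    return findings


if __name__ == "__main__":
    for no, target, reasons in triage(SAMPLE_LINES):
        print(f"line {no}: {target}\n    " + "; ".join(reasons))
```

The two benign lines (a Windows-owned task and the default termsrv.dll) produce no finding, so the output is the four entries the fixlist actually targets.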
Here's the fix log, but sadly, when I tried running AVBR in safe mode with networking, the same error reappeared. A Windows update was scheduled and ran as soon as I turned to safe mode, which maybe could have done something? Besides that, I think the virus removed AVBR altogether, because after returning to normal mode, the path to AVBR on the desktop was deleted, or "doesn't exist". I tried running AutoLogger too, but the same error still appeared. I'm thinking maybe running AVBR the same way I ran FRST, through a USB stick? Will that help in any way?

Attachments

  • Fixlog.txt (1.1 MB)
Can you please run FRST again from the recovery console. Post the new log. I need to see a fresh log after the fix.

Also download a fresh copy of AVBR and try and run it in safe mode with networking while I look over the new log.