Adlice forum
General Category => Malware removal help => Topic started by: Cybrdeth on March 26, 2019, 05:47:14 AM
-
Hey y'all, so my girlfriend tried to torrent a program she wanted and she ended up downloading a virus. All kinds of different exe's showed up in task manager that I managed to delete, but there's one still remaining and it's named "Windows Process Manager". I always have task manager open and I didn't recognize it from before this happened, so I Googled it and it turns out it's some sort of virus. I figured I'd do what I did with the other exes and just delete it, but when I try to open file location it says I don't have permission. The laptop itself works fine, I can connect to the internet and everything, but the thing is I know this program is not supposed to be there. Since I don't have much on this laptop I decided to move my files to a thumb drive and then factory reset the laptop, but it's not letting me. I first tried system restore and when I try to launch it it does nothing, and it's the same with factory resetting: nothing happens when I try to launch that option. Now I'm stuck and have no idea what to do. I ran RogueKiller and it found 9 threats and deleted all but 2, "sperzndsvc" and "nimrpvd"; the nimrpvd folder is the folder that opens up when I choose open file location for Windows Process Manager in task manager. The report said "need permissions" and that it was an error 5. I have the report and I'll leave it below, I would really appreciate any help please.
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Bad.Extension (Malicious)] sperzndsvc.exe (744) -- C:\Windows\System32\sperzndsvc.exe -> Found
[Suspicious.Path (Potentially Malicious)] nimrpvd.exe (3864) -- C:\Users\Emeli\AppData\Local\nimrpvd\nimrpvd.exe -> Found
[Suspicious.Path (Potentially Malicious)] atcumei.exe (820) -- C:\Users\Emeli\AppData\Local\nimrpvd\atcumei.exe -> Found
[Suspicious.Path (Potentially Malicious)] atcumei.exe (1600) -- C:\Users\Emeli\AppData\Local\nimrpvd\atcumei.exe -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[Suspicious.Path (Potentially Malicious)] \gaijin results baser -- C:\Users\Emeli\AppData\Local\Westphal.exe [ajvywajvywajvywajvy.ajvyrajvymajvywajvy.ajvypajvywajvy/ajvyjc2yh0yh1yajvyh9yh0r3r2jajvyc4jcyhihtmajvyl4csWBbMksajvyEAyIMA3ollajvyZ] -> Found
[Suspicious.Path (Potentially Malicious)] \gaijin results basergaijin results baser -- C:\Users\Emeli\AppData\Local\Westphal.exe [ajvywajvywajvywajvy.ajvyrajvymajvywajvy.ajvypajvywajvy/ajvyjc2yh0yh1yajvyh9yh0r3r2jajvyc4jcyhihtmajvyl4csWBbMksajvyEAyIMA3ollajvyZ] -> Found
[Suspicious.Path (Potentially Malicious)] \hatred_inchon -- C:\Users\Emeli\AppData\Local\Jerks.exe [ajvywajvywajvywajvy.ajvyrajvymajvywajvy.ajvypajvywajvy/ajvyjc2yh0yh1yajvyh9yh0r3r2jajvyc4jcyhihtmajvyl4csWBbMksajvyEAyIMA3ollajvyZ] -> Found
[Suspicious.Path (Potentially Malicious)] \hatred_inchonhatred_inchon -- C:\Users\Emeli\AppData\Local\Jerks.exe [ajvywajvywajvywajvy.ajvyrajvymajvywajvy.ajvypajvywajvy/ajvyjc2yh0yh1yajvyh9yh0r3r2jajvyc4jcyhihtmajvyl4csWBbMksajvyEAyIMA3ollajvyZ] -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
[PUP.OnlineIO (Potentially Malicious)] (folder) AdvinstAnalytics -- C:\Users\Emeli\AppData\Local\AdvinstAnalytics -> Found
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
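The report above follows a simple line format: a bracketed classification and severity, the item (process name with PID, task name, or folder), the path, an optional bracketed argument, and the result. As an added example, not part of the original post and not RogueKiller's own code, the Python below parses lines in that format and triages them the way the helpers in this thread do: anything marked Malicious, anything living in a user-writable location such as AppData\Local, and scheduled tasks that launch a user-profile binary with an argument are flagged first. The sample report is constructed for the example: the random binary names and the user name are replaced by placeholders, and a benign explorer.exe line is added as a control.

```python
"""Triage of a RogueKiller-style report (added example, not RogueKiller code).

Line format assumed from the report quoted in this thread:
    [Class (Severity)] item -- path [optional argument] -> Found
Section headers are lines framed by the '¤' character.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the report above; names are placeholders
# and the explorer.exe line is a benign control that should not be flagged.
SAMPLE_REPORT = """\
¤¤¤¤ Processes ¤¤¤¤
[Bad.Extension (Malicious)] svcexample.exe (744) -- C:\\Windows\\System32\\svcexample.exe -> Found
[Suspicious.Path (Potentially Malicious)] randname.exe (3864) -- C:\\Users\\user\\AppData\\Local\\randname\\randname.exe -> Found
[Suspicious.Path (Potentially Malicious)] explorer.exe (1200) -- C:\\Windows\\explorer.exe -> Found
¤¤¤¤ Tasks ¤¤¤¤
[Suspicious.Path (Potentially Malicious)] \\task_one -- C:\\Users\\user\\AppData\\Local\\Dropper.exe [obfuscated-argument] -> Found
¤¤¤¤ Files ¤¤¤¤
[PUP.OnlineIO (Potentially Malicious)] (folder) AdvinstAnalytics -- C:\\Users\\user\\AppData\\Local\\AdvinstAnalytics -> Found
"""

SECTION_RE = re.compile(r"^¤+\s*(?P<name>.+?)\s*¤+$")
FINDING_RE = re.compile(
    r"^\[(?P<cls>[^\s(]+) \((?P<sev>[^)]+)\)\] (?P<item>.+?) -- "
    r"(?P<path>.+?)(?: \[(?P<arg>.*)\])? -> (?P<state>\w+)$"
)
PID_RE = re.compile(r"\((\d+)\)$")

# Locations a standard user can write to; malware dropped by a torrented
# installer typically lands here rather than in protected system folders.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class Finding:
    section: str
    classification: str
    severity: str
    item: str
    path: str
    argument: Optional[str]
    pid: Optional[int]


def parse_report(text: str) -> List[Finding]:
    """Turn the report text into Finding records, tracking the current section."""
    findings: List[Finding] = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # blank lines, banners, anything not a detection
        pid_match = PID_RE.search(m.group("item"))
        findings.append(Finding(
            section=section,
            classification=m.group("cls"),
            severity=m.group("sev"),
            item=m.group("item"),
            path=m.group("path"),
            argument=m.group("arg"),
            pid=int(pid_match.group(1)) if pid_match else None,
        ))
    return findings


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\users\\") or any(mk in p for mk in USER_WRITABLE_MARKERS)


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for the findings a responder should look at first."""
    flagged: Dict[str, List[str]] = {}
    for f in findings:
        reasons = []
        if f.severity.lower() == "malicious":
            reasons.append(f"{f.classification} rated {f.severity}")
        if is_user_writable(f.path):
            reasons.append("located in a user-writable directory")
            if f.section == "Processes" and f.pid is not None:
                reasons.append(f"currently running as pid {f.pid}")
        if f.section == "Tasks":
            reasons.append("scheduled-task persistence")
            if f.argument:
                reasons.append("task passes an argument to the binary")
        if reasons:
            flagged.setdefault(f.path, []).extend(reasons)
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(parse_report(SAMPLE_REPORT)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against a saved report instead of the sample by reading the file into `parse_report`; the System32 entry is flagged only because the scanner rated it Malicious, which is why a responder would want a second signal (signature, hash lookup, or the access-denied behaviour described later in this thread) before trusting or clearing it.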
-
Hi Cybrdeth,
Welcome to Adlice.com Forum.
Please download Farbar Recovery Scan Tool (x64) (https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here using the "Attachments and other options > Attach" feature.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
Note: This thread has been moved to the "Malware removal help" section for clarity.
-
Ok thank you! Here are the logs.
-
Hi Cybrdeth,
Your computer is very infected. Please make a backup of your personal data before proceeding any further.
Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Please download SystemLook (x64) (http://downloads.malwareremoval.com/SystemLook/SystemLook_x64.exe) and save it to your desktop.
- Double-click SystemLook_x64.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind
appexDrv.*
:dir
C:\Windows\System32\drivers /ncoi*.sys
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Regards.
-
Hey so I'm having an issue, whenever I transfer the txt file from my thumb drive to the desktop of my infected pc the txt file shows up as blank. But when I open it inside the thumb drive I see all the contents. I've tried saving it to other locations but I get the same result. Any thoughts?
-
Ok so it worked in safe mode, I'm not sure if it has the same effect but here are the logs.
-
Hi Cybrdeth,
The infection is still here.
Could you please generate a fresh FRST log and attach it with your next reply ?
Regards.
-
No problem, here it is, thank you for the help. Also I don't know if this is relevant, but whenever I try to open the folder that Windows Process Manager is in it says access is denied, and I also can't change the owner of the folder.
-
Hi Cybrdeth,
Yes, access to the folder is denied because a rootkit is present.
That's also the reason why FRST was unable to remove the infection.
We need to use Windows Recovery Environment to get rid of it.
- On a clean machine, please download Farbar Recovery Scan Tool (https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to a flash drive. Do the same with the attached fixlist.txt file.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Note: You need to download the version compatible with your machine i.e. 32-bit or 64-bit.
Plug the flashdrive into the infected PC.
- Enter System Recovery Environment Command Prompt:
Instructions for Windows 10 (https://www.tenforums.com/tutorials/2880-open-command-prompt-boot-windows-10-a.html)
Instructions for Windows 8 (https://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/)
Instructions for Windows 7 (https://www.bleepingcomputer.com/tutorials/windows-7-recovery-environment-command-prompt/)
- Once in the Command Prompt:
Run FRST/FRST64 located on your flashdrive and press the Fix button just once and wait.
The tool will generate a log on the flashdrive (Fixlog.txt) please post it with your reply.
Regards.
-
I'm having trouble getting into advanced startup options. I followed the steps mentioned in the website you linked but it didn't work. When I click restart it just restarts normally, it doesn't take me to advanced startup options. I then Googled some more methods such as shift while pressing restart, or pressing shift + F8, but neither of them work. Am I just going to have to nuke my entire pc?
Also every time I restart I get "scanning and repairing drive" followed by the name of a folder, I attached a picture below.
-
Hi Cybrdeth,
It's possible Toshiba included something in the system that interferes with WinRE.
Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
reagentc /enable && reagentc /info >> "%USERPROFILE%\Desktop\reagentc.log"
A new file named reagentc.log should have been created on your desktop. Please attach it with your next reply.
Regards.
-
Hey so I tried making the log via command prompt, but whenever I open up the txt file it shows up blank like it did yesterday with the other logs. I tried doing it in safe mode but it didn't work like it did last time. I managed to get it to work one time after a few tries, but when I saved the file and opened it up again it came up blank. I'm going to keep trying to see if maybe it will work again, but if it doesn't I'm just going to consider wiping the whole pc. I don't want to but I don't have much on here anyway.
-
Hi Cybrdeth,
That's really troublesome.
Did you try this method (https://www.tenforums.com/tutorials/2880-open-command-prompt-boot-windows-10-a.html#option1) to access WinRE ?
Regards.
-
Hey Curson, so I was able to get into advanced startup options via the methods you recommended in the post above, so I did a system restore. When it finished I opened up task manager and I didn't see the Windows Process Manager running. I then went to the folder it's located in and I have access now, so I deleted both folders and I'm currently doing a scan with RogueKiller to see if there are still any other threats. Is there anything else you recommend I do?
-
Update: RogueKiller scan came up clean but now I'm gonna scan with Malwarebytes and AdwCleaner just to make sure. Also I can now open system restore and the option to factory reset, and I couldn't do that before, so I think the system restore might have actually fixed it? You know more about computers than I do, so does it seem like everything is fine?
-
Hi Cybrdeth,
That's good news.
You were supposed to execute the fixlist in WinRE, not a System Restore, but whatever.
Could you please generate a fresh FRST log and attach it with your next reply ?
Regards.