Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Desperate-Dan on November 04, 2007, 06:58:27 AM

Title: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 06:58:27 AM
Hi, I have a virus I can't seem to remove. Every time I boot up, when I get to my desktop avast is flashing "virus",
so I do the recommended action and put it in the chest, but when I restart my computer it's there again.
This is what avast says: Malware name VBS:Malware-gen, type virus/warm, VPS version 071103-0 11/03/2007.
I have done a male scan with Spybot Search and Destroy and found and removed a lot of stuff.
I have WinXP.
Title: Re: Can't remove virus
Post by: oldman on November 04, 2007, 07:47:20 AM
Start with a boot time scan. Move anything found to the chest. You can schedule a boottime scan from the menu on the simple user interface. (right click the "a" icon, start avast, right click on the skin)

After the boot time scan is complete and you are up and running again, do the following and post the results of the boot time scan.

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point.

Remove old restore points

Disk Cleanup - Launch the Disk Cleanup tool and then select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
Title: Re: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 10:15:01 AM
Thanks for the prompt reply. I did the boot scan; after the scan avast showed the same virus.
I did what you said about System Restore, but it's still the same: when I boot up it's showing the same virus, I move it to the chest, restart, and it's there again. It doesn't seem to affect what I'm doing with the computer, but it is worrying that every time I boot up it's there.
Title: Re: Can't remove virus
Post by: FreewheelinFrank on November 04, 2007, 10:48:47 AM
Hi Desperate-Dan,

Here are some more free anti-malware scanners you can try:

Look for and remove rootkits (hidden malware):

Panda Antirootkit (http://www.softpedia.com/get/Antivirus/Panda-Anti-Rootkit.shtml)
Blacklight (http://www.f-secure.com/blacklight/)
AVG Anti-Rootkit (http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5)

Try a scan with DrWeb CureIT! (http://www.freedrweb.com/cureit/)

Try the usual free adware/spyware scanners.

AVG Anti-Spyware Free (http://www.ewido.net/en/product/) (Requires Win2k/XP)
Ad-Aware Free (http://www.download.com/3000-2144-10045910.html)
SUPERAntiSpyware Free (http://www.superantispyware.com/)
a-Squared Free (http://www.emsisoft.com/en/software/free/)

Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode (http://www.pchell.com/support/safemode.shtml) if possible.

Always select the option to quarantine any malware found rather than delete it; then you will be able to restore files or registry entries wrongly identified as malware, a rare but not unknown event for any malware scanner.

Try some online scans. (Disable avast! while scanning.)

F-Secure (http://support.f-secure.com/enu/home/ols.shtml)
BitDefender (http://www.bitdefender.com/scan8/ie.html)
Panda (http://www.pandasoftware.com/products/activescan.htm)
Trend Micro Housecall (http://housecall.trendmicro.com/)

When you have finished, scan for out-of-date and insecure software using Secunia Software Inspector (http://secunia.com/software_inspector/) and update any vulnerable software: this will help to prevent future infections.
Title: Re: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 12:40:15 PM
Brilliant, CureIt did the trick. I've updated everything on my computer.
Thanks again for your help and time, I'm one happy chappy ;D
Title: Re: Can't remove virus
Post by: Lisandro on November 04, 2007, 01:35:01 PM
Panda Antirootkit (http://www.softpedia.com/get/Antivirus/Panda-Anti-Rootkit.shtml)

Panda (http://www.pandasoftware.com/products/activescan.htm)
I do recommend Panda antirootkit for XP (does not work on Vista).
But I do NOT recommend its online scanning due to its leftovers.
Title: Re: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 01:50:06 PM
Thanks for that. I have WinRAR; I got it to open a RAR file, but now it seems to want to open all the files I download. I don't really understand what's going on. Is WinRAR OK?
Title: Re: Can't remove virus
Post by: Lisandro on November 04, 2007, 01:52:36 PM
Thanks for that. I have WinRAR; I got it to open a RAR file, but now it seems to want to open all the files I download. I don't really understand what's going on. Is WinRAR OK?
Are you saying that clicking a RAR file makes it open a lot of other files? ???
Title: Re: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 02:00:57 PM
No, it's just that since I've had WinRAR some of the files have the WinRAR icon now, a stack of three books.
I don't know a lot about computers, as you can tell.
Title: Re: Can't remove virus
Post by: Lisandro on November 04, 2007, 02:04:23 PM
No, it's just that since I've had WinRAR some of the files have the WinRAR icon now, a stack of three books.
This icon is legit; I mean, WinRAR will put this icon on every file (archive file) associated with it, i.e., each archive file WinRAR can open/manage. It's perfectly normal.
Title: Re: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 02:10:51 PM
Thanks for clarifying that. By the way, is that the Brazilian flag I see?
Title: Re: Can't remove virus
Post by: Lisandro on November 04, 2007, 02:13:02 PM
Thanks for clarifying that. By the way, is that the Brazilian flag I see?
Yes it is. You can add one for you too 8)
Just click on the link below and place your pin in the appropriate part of the map.
http://forum.avast.com/index.php?action=mm
Your flag will show in your profile after you have done this.
Title: Re: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 02:35:02 PM
I worked in Rio in the naval dockyard, working on a drill ship for 8 weeks at a time. I've been there two times and saw two carnivals. I love Brazil; we were all broken-hearted when we had to go home.
Title: Re: Can't remove virus
Post by: oldman on November 04, 2007, 06:28:52 PM
Glad you got it. Would you mind posting what the name of the trojan was?
Title: Re: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 06:41:40 PM
Hi, it's in my first post: VBS:Malware-gen type virus/warm VPS version 071103-0 11/03/20
That's all it had in avast.
Title: Re: Can't remove virus
Post by: Lisandro on November 04, 2007, 06:42:58 PM
Hi, it's in my first post: VBS:Malware-gen type virus/warm VPS version 071103-0 11/03/20
That's all it had in avast.
Are you clean now?
Title: Re: Can't remove virus
Post by: oldman on November 04, 2007, 06:46:54 PM
Hi, it's in my first post: VBS:Malware-gen type virus/warm VPS version 071103-0 11/03/20
That's all it had in avast.

Thanks, I've been reading so many of these lately, I got confuzzled.  ???
Title: Re: Can't remove virus
Post by: Desperate-Dan on November 04, 2007, 06:53:27 PM
Yes, everything is running great thanks to this forum ;D
Title: Re: Can't remove virus
Post by: snyholm on December 08, 2007, 01:16:31 AM
I have the same problem. I have followed all the advice in this thread but can't seem to get rid of the virus. It's the same one, I think. I have tried Dr Web CureIt and it doesn't find the virus at all. All the malware scanners don't seem to find anything too serious either. It's only Avast.

Any further advice??
Title: Re: Can't remove virus
Post by: DavidR on December 08, 2007, 01:34:48 AM
Can you be more detailed rather than "I have the same problem"?

What is the malware name, the infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

What Operating System are you using ?

Why can't avast remove it, what errors or messages are displayed ?
Title: Re: Can't remove virus
Post by: snyholm on December 08, 2007, 05:01:05 AM
Ok, I have a notebook running XP with avast, and I have installed SUPERAntiSpyware.

When my desktop loads up after turning on my PC I get the warning message that VBS:Malware-gen has been detected:
"Sign of "VBS:Malware-gen" has been found in "C:\DOCUME~1\Scott\LOCALS~1\Temp\1.reg" file.  "
Each time I get the warning I move it to the chest as per the suggested action.

I have followed the procedure outlined at the start of this thread.

There is another suggested fix at
http://roguemei.blogspot.com/2007/08/removing-vbsmalware-gen-virus-solution.html

which I have also followed, and still it seems to be there.

I have run AVG Anti-Rootkit, Dr Web CureIt, Trend Micro Housecall and CCleaner, which cleared a couple of trojans and unwanted cookies,
but each time I boot up I get the same warning.

I have removed cookies, deleted temporary internet files

Any thoughts?
Title: Re: Can't remove virus
Post by: Desperate-Dan on December 08, 2007, 10:25:46 AM
Hi, I had the same virus; Avast couldn't get rid of it. Register with this forum and they will show you how to remove it,
a great forum and very active: http://www.techguy.org/ When you join, click on General Security, tell them your problem and they will sort it for you. Good luck.
Title: Re: Can't remove virus
Post by: Lisandro on December 08, 2007, 12:22:14 PM
Each time I get the warning I move it to the chest as per the suggested action.
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files (again, as you've already done).
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use AVG Antispyware (http://www.ewido.net/en/); SUPERantispyware (http://www.superantispyware.com) and/or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
Title: Re: Can't remove virus
Post by: DavidR on December 08, 2007, 02:58:34 PM
<snip>
When my desktop loads up after turning on my PC I get the warning message that VBS:malware-gen has been detected
"Sign of "VBS:Malware-gen" has been found in "C:\DOCUME~1\Scott\LOCALS~1\Temp\1.reg" file.  "
Each time I get the warning I move it to the chest as per the suggested action.
<snip>

If this file keeps coming back, "C:\DOCUME~1\Scott\LOCALS~1\Temp\1.reg", something undetected is either restoring it or downloading it again. I doubt it is the downloading bit, as I would hope that the web shield would detect it on download and abort the connection, stopping it being downloaded.

So something has to be running at boot to be able to do this, so I would suggest running HJT to see what is running and posting the contents of the HJT log file here. Copy and paste the contents into a new post, or posts if it is a large log.

Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis (http://filehippo.com/download_hijackthis/) - HJT Information HiJackThis Tutorial 1 (http://www.bleepingcomputer.com/forums/tutorial42.html)

The 1.reg file seems a strange one to get a VBS (Visual Basic Script) malware alert on, as .reg files are files that can be used to modify the registry. However, the file type displayed doesn't have to be correct, but I would suggest confirmation at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and reporting the findings here.
Title: Re: Can't remove virus
Post by: snyholm on December 09, 2007, 04:49:54 AM
Ok DavidR thanks I have submitted it to virustotal and here is the report:

File 1.reg received on 11.17.2007 19:05:24 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/TCPParams.D.2
Authentium - - -
Avast - - VBS:Malware-gen
AVG - - -
BitDefender - - Trojan.TCPParams.D
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - REG/TCPParams.A
Ewido - - -
FileAdvisor - - -
Fortinet - - -
F-Prot - - -
F-Secure - - -
Ikarus - - Trojan.TCPParams.D
Kaspersky - - -
McAfee - - -
Microsoft - - -
NOD32v2 - - REG/TCPParams.D
Norman - - -
Panda - - -
Prevx1 - - -
Rising - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.TCPParams.D.2
 
Additional information
MD5: f708dcfd087b5b3763678cfb8d63735e


Also, I have run HJT and have the report from that. None of this means much to me and I am a bit reluctant to do too much more without advice. What should I do next?

Title: Re: Can't remove virus
Post by: Lisandro on December 09, 2007, 01:24:29 PM
A file called 1.reg is not welcome... I wouldn't be sure the file is innocuous from your VirusTotal report. I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use AVG Antispyware (http://www.ewido.net/en/); SUPERantispyware (http://www.superantispyware.com) and/or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
6. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or, better, submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).

Especially step 6, with RunScanner automatic analysis, could help us help you.
Title: Re: Can't remove virus
Post by: DavidR on December 09, 2007, 03:08:02 PM
File 1.reg received on 11.17.2007 19:05:24 (CET)
Antivirus Version Last Update Result
AntiVir - - TR/TCPParams.D.2
Avast - - VBS:Malware-gen
BitDefender - - Trojan.TCPParams.D
eTrust-Vet - - REG/TCPParams.A
Ikarus - - Trojan.TCPParams.D
NOD32v2 - - REG/TCPParams.D
Webwasher-Gateway - - Trojan.TCPParams.D.2

Also, I have run HJT and have the report from that. None of this means much to me and I am a bit reluctant to do too much more without advice. What should I do next?

From the VT hits and a Google search on the other malware names (commonly, TCPParams), it is possible that there may be other elements hidden/undetected; see below.

Post the contents (copy and paste) of the HJT log file here, it may need to be split over two or more posts, depending on how large it is.

Try these other anti-rootkit tools and report the findings.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip (http://research.pandasoftware.com/blogs/images/AntiRootkit.zip).
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight (http://www.f-secure.com/blacklight)
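The reasoning in the two posts above (one generic hit from avast versus several engines agreeing on the TCPParams family) can be automated for the text-style VirusTotal report that snyholm pasted. The following Python is an added example written for this thread, not code from the forum, avast or VirusTotal; it parses the "Antivirus Version Last Update Result" layout, counts detections, and looks for a family name shared across vendors, treating names that contain only generic tokens (such as "Malware-gen") as weaker evidence. The engine subset, the regex and the token lists are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample: a subset of the VT text report quoted in the thread,
# in the same one-engine-per-line layout ("-" means no detection).
SAMPLE_REPORT = """\
File 1.reg received on 11.17.2007 19:05:24 (CET)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/TCPParams.D.2
Avast - - VBS:Malware-gen
AVG - - -
BitDefender - - Trojan.TCPParams.D
DrWeb - - -
eTrust-Vet - - REG/TCPParams.A
Ikarus - - Trojan.TCPParams.D
NOD32v2 - - REG/TCPParams.D
Symantec - - -
Webwasher-Gateway - - Trojan.TCPParams.D.2
"""

# engine, version, last update, result (result may contain spaces)
ROW_RE = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<update>\S+)\s+(?P<result>.+?)\s*$")

# Tokens that carry no family information: generic verdicts and type/platform
# prefixes. Assumed list for the example; extend it for other vendors.
GENERIC_TOKENS = {"trojan", "malware", "generic", "gen", "heur", "suspicious"}
PREFIX_TOKENS = {"tr", "reg", "vbs", "js", "win32", "w32"}
NOISE = GENERIC_TOKENS | PREFIX_TOKENS


def parse_report(text):
    """Return [(engine, result)] with result=None where the engine reported nothing."""
    rows, seen_header = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not seen_header:            # skip everything up to the column header
            seen_header = line.startswith("Antivirus")
            continue
        m = ROW_RE.match(line)
        if m:
            result = m.group("result")
            rows.append((m.group("engine"), None if result == "-" else result))
    return rows


def family_tokens(name):
    """Split a vendor detection name into candidate family tokens, dropping noise."""
    parts = re.split(r"[^A-Za-z0-9]+", name)
    return [p for p in parts if len(p) > 2 and p.lower() not in NOISE]


def triage_report(text):
    """Summarise detection count, cross-vendor family consensus and generic-only hits."""
    rows = parse_report(text)
    hits = [(eng, r) for eng, r in rows if r]
    votes = Counter()
    generic_only = []
    for eng, name in hits:
        toks = set(family_tokens(name))
        if toks:
            votes.update(toks)         # one vote per engine per family token
        else:
            generic_only.append(eng)   # e.g. "VBS:Malware-gen": a heuristic verdict
    family, family_votes = (votes.most_common(1)[0] if votes else (None, 0))
    return {
        "hits": len(hits),
        "engines": len(rows),
        "family": family,
        "family_votes": family_votes,
        "generic_only": generic_only,
    }


if __name__ == "__main__":
    summary = triage_report(SAMPLE_REPORT)
    print(f"{summary['hits']}/{summary['engines']} engines flagged the file")
    print(f"family consensus: {summary['family']} ({summary['family_votes']} engines)")
    print(f"generic-only verdicts: {summary['generic_only']}")
```

On the sample this reports 7 of 11 engines, a six-vendor consensus on TCPParams, and avast as the one engine whose verdict is generic. That distinction is the point: a lone "Malware-gen" could be a false positive worth restoring from the chest, while several vendors naming the same family is a strong signal that the file is part of a real infection and that its source should be hunted down.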
Title: Re: Can't remove virus
Post by: snyholm on December 10, 2007, 07:43:31 AM
As requested

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:35:52, on 09/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\sysregi.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [Acer ePresentation HPD] C:\Acer\Empowering Technology\ePresentation\ePresentation.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [Boot] C:\Acer\Empowering Technology\ePower\Boot.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nod32 Runtime] sysregi.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Nod32 Runtime] sysregi.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Acer Empowering Technology.lnk = C:\Acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Title: Re: Can't remove virus
Post by: snyholm on December 10, 2007, 07:47:00 AM
continued 2/2

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {FDE14979-D821-4CD8-BE1C-9D6AF01D097F} (VMTOCCtrl Class) - http://ppd.swinburne.edu.au/stuinf/vm.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\Plugin Manager\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6066\SAService.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 11923 bytes


Thanks
Title: Re: Can't remove virus
Post by: DavidR on December 10, 2007, 05:20:31 PM
First, you don't appear to have an active firewall; what is your firewall?
If it is XP's firewall, it doesn't provide outbound protection. Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Unknown:
Did you install this, do you know what it is ?
- Upload to VirusTotal, send the sample to avast if multiple detections and FIX in HJT (see below)

C:\WINDOWS\system32\sysregi.exe
O4 - HKLM\..\Run: [Nod32 Runtime] sysregi.exe
O4 - HKLM\..\RunServices: [Nod32 Runtime] sysregi.exe
- There is only one hit in a Google search for the file name, and that one is suspect. If this really were a Nod32 file then there would be much more information about it. I take it you aren't using, and haven't got or had, Nod32 on your system?

O16 - DPF: {FDE14979-D821-4CD8-BE1C-9D6AF01D097F} (VMTOCCtrl Class) - http://ppd.swinburne.edu.au/stuinf/vm.cab
- Is this something that you require, is swinburne.edu.au familiar to you, etc. ?

FIX:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE - see http://www.bleepingcomputer.com/startups/ALCMTR.EXE-240.html (http://www.bleepingcomputer.com/startups/ALCMTR.EXE-240.html)

Other than the above I don't see anything obvious.

####
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here in the topic.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.
####
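DavidR's read of the HJT log above applies a handful of rules: registry entries that point at a missing file, an O4 entry registered under the Win9x-era RunServices key, autoruns given as a bare file name with no path (so the file's real location has to be recovered from the running-process list), and the same file name registered in more than one autorun location. The Python below is an added example for this thread, not HijackThis code or anything from the forum; it applies those rules to a constructed excerpt of the posted log. The regexes, severity labels and the excerpt itself are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: a short excerpt in HijackThis v2 log layout, built from
# the kinds of lines posted in the thread (not the full posted log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\sysregi.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Nod32 Runtime] sysregi.exe
O4 - HKLM\..\RunServices: [Nod32 Runtime] sysregi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O4 registry autoruns: "O4 - HKLM\..\Run: [label] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# O2/O3 entries whose target no longer exists
ORPHAN_RE = re.compile(r"^O[23] - .*\(no file\)\s*$")


def executable_of(cmd):
    """Pull the program out of an autorun command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def running_processes(text):
    """Map lower-cased file name -> full paths seen in the 'Running processes:' block."""
    procs = defaultdict(list)
    in_block = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            path = line.strip()
            procs[path.rsplit("\\", 1)[-1].lower()].append(path)
    return procs


def triage(text):
    """Return a list of findings; each is a dict with rule, severity, name, line, detail."""
    procs = running_processes(text)
    findings, by_name = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if ORPHAN_RE.match(line):
            findings.append({"rule": "orphan", "severity": "fix", "name": None, "line": line,
                             "detail": "entry points at a file that no longer exists"})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        name = exe.rsplit("\\", 1)[-1].lower()
        by_name[name].append(line)
        if m.group("key").lower() == "runservices":
            findings.append({"rule": "runservices", "severity": "high", "name": name, "line": line,
                             "detail": "RunServices is a Windows 9x/ME key that XP does not process; "
                                       "legitimate XP software has no reason to write it"})
        if "\\" not in exe:
            # No directory: the loader resolves it via the search path, so recover
            # where it is actually running from before deciding what it is.
            findings.append({"rule": "bare_name", "severity": "review", "name": name, "line": line,
                             "resolved": procs.get(name, []),
                             "detail": "no path given; check the resolved location and the vendor"})
    for name, lines in by_name.items():
        if len(lines) > 1:
            findings.append({"rule": "multi_location", "severity": "high", "name": name,
                             "line": " | ".join(lines),
                             "detail": "same file registered in several autorun locations"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']}: {f['line']}  ({f['detail']})")
```

On the excerpt the rules single out the orphaned BHO, the RunServices entry for sysregi.exe, and sysregi.exe as the only name registered twice; the bare-name rule also resolves sysregi.exe to C:\WINDOWS\system32\, which is where a file claiming to belong to a product the user never installed should raise the question DavidR asked. The Realtek entries (RTHDCPL, ALCMTR) are flagged for review only, which matches the thread: a bare name is a prompt to verify, not a verdict.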
Title: Re: Can't remove virus
Post by: snyholm on December 16, 2007, 03:04:24 AM

DavidR

I seem to be all better; sysregi.exe was the problem. Since I deleted it, Avast has not detected anything. And I never had Nod32 on my PC, ever.

I have loaded on Comodo firewall now too

Thanks for your help, Merry Christmas
Title: Re: Can't remove virus
Post by: DavidR on December 16, 2007, 03:32:28 AM
That is what I was saying: this was trying to hide as a Nod32 application when the file had no association with Nod32. But it was just confirmation that you hadn't had Nod32 at any time in the past.

You're welcome, and a Merry Christmas to you too.