Author Topic: Can't get rid of regsvr32.exe malware  (Read 6964 times)


REDACTED

  • Guest
Can't get rid of regsvr32.exe malware
« on: February 09, 2015, 06:43:53 PM »
Avast keeps telling me that regsvr32.exe is infected and sending out a request to a website. I've run Avast, MWAB, and SUPERantispyware but the warning keeps coming up. What further steps should I be doing to get rid of this?


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Can't get rid of regsvr32.exe malware
« Reply #1 on: February 09, 2015, 07:04:53 PM »
Could you let me know if this stops it?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
Quote
CreateRestorePoint:
HKU\S-1-5-21-1129031283-2916662017-2553396162-1000\...\Run: [Enztion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Dar\AppData\Local\ARworks\CNHI06A.dll
HKU\S-1-5-21-1129031283-2916662017-2553396162-1000\...\Winlogon: [Shell] C:\Windows\EXPLORER.EXE [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1129031283-2916662017-2553396162-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Enztion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Dar\AppData\Local\ARworks\CNHI06A.dll
HKU\S-1-5-21-1129031283-2916662017-2553396162-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Winlogon: [Shell] C:\Windows\EXPLORER.EXE [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
CHR StartupUrls: Default -> "hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT", "hxxp://www.google.com", "hxxp://www.google.com/", "hxxp://search.conduit.com/?ctid=CT3281675&SearchSource=48&CUI=UN19165416701119528&UM=2", "hxxp://www.trovi.com/?gd=&ctid=CT3324774&octid=EB_ORIGINAL_CTID&ISID=M1C12D4D9-7B7D-4179-B3D2-CD3E3AA5512F&SearchSource=55&CUI=&UM=5&UP=&SSPV="
2015-01-03 00:34 - 2015-01-03 00:34 - 0000000 _____ () C:\Users\Dar\AppData\Local\{D58BE85B-0B60-4613-81CA-30D4868C66D3}
Hosts:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

REDACTED

  • Guest
Re: Can't get rid of regsvr32.exe malware
« Reply #2 on: February 09, 2015, 07:44:39 PM »
Not sure if it stopped or not. The warning will just randomly pop up.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Can't get rid of regsvr32.exe malware
« Reply #3 on: February 09, 2015, 07:47:16 PM »
Could you monitor it for a while and let me know either way?

REDACTED

  • Guest
Re: Can't get rid of regsvr32.exe malware
« Reply #4 on: November 05, 2015, 05:34:30 PM »
Hi.
Yesterday I started getting this warning as well. I scanned with Avast, Malwarebytes and CCleaner and it still pops up. I even went so far as to buy the Internet Security subscription and re-ran the scans.

I know there is a real "syswow64 regsvr32.exe" file I need, but how can I tell whether this is legit (and create an exception) or the virus version?
Thanks for any ideas!

Offline Eddy

  • Avast Evangelist
Re: Can't get rid of regsvr32.exe malware
« Reply #5 on: November 05, 2015, 05:35:50 PM »
Beth, if you want help please start your own thread and provide the logs.

REDACTED

  • Guest
Re: Can't get rid of regsvr32.exe malware
« Reply #6 on: February 19, 2016, 12:16:54 AM »
I'm having this exact problem; it started this morning.

Offline Eddy