TechSpot

1.reg malware HELP ME!!!

By shivmister
Sep 21, 2007
  1. Well, every time I start up my computer I still get a message from Avast saying I have a virus, VBS:Malware [Gen]. When I try to move it to the chest in Avast, it comes back the next time I restart my computer. The location of the file is C:\DOCUME~1\SHIVAN~1.PC7\LOCALS~1\Temp\1.reg. I had no luck with the preliminary steps. I tried running all the different scans I have, but nothing seems to fix it. Here are my HijackThis log, AVG log and ComboFix log. Let me know if more is needed.
    Also, the AVG rootkit scan did not find anything; it said everything was fine.

    On another note, I have pop-ups saying that my Windows Explorer is not working properly. It asks me whether or not I want to send this message to Microsoft. It comes up every time I open a certain folder where I keep WRC race videos. After I say yes or no to sending the message, I then get a pop-up saying that a Dr. Watson something-or-other program has an error and asks me to send an error report to Microsoft. When I press send or don't send, it freezes my screen until I Ctrl+Alt+Delete the folder from my processes. Also, it seems that my internet has slowed down and sometimes does not load pages; it takes forever. This has never happened to me before. Can you tell me if I am suffering from the same problem or are there multiple problems? Also, please tell me the best course of action. I would prefer not to reformat the hard drive if possible, but will if absolutely necessary.
    As I said above, I have attached the latest HijackThis, AVG, and ComboFix logs.
    Thank you for your help!
    EDIT: Sorry, forgot to upload the logs. Here they are now.
     
  2. Habylab

    Habylab TS Rookie Posts: 263

    Re-do it with no programs running apart from HijackThis, OK?
    Also, you renamed hijackthis.exe to crusty.exe.exe (I think).
    It needs to be just Crusty.exe.
    Someone will then come along and sort it all out, OK?
     
  3. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    New reports

    I am posting here the latest HijackThis report and an Ewido report, if it will help. It removed some more stuff, so I thought it pertinent to share it with you. Also, I am attaching the SmitfraudFix rapport file.
    Thank you for helping!
     
  4. Habylab

    Habylab TS Rookie Posts: 263

    You're now running HijackThis in a temp folder. Install it anywhere except the desktop and temp folder, rename the .exe (not the shortcut), and call it crusty.exe.
     
  5. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    Hopefully this is right. I ran it from the Program Files folder and renamed the .exe to Crusty.exe. Tell me what you think.

    Please, someone help me. I need to know whether reformatting is my only course of action. Thank you
    -shivmister

    Someone please help me, my internet is now going haywire. It works for 5 minutes and then it dies out for 10 minutes. It is really annoying. Please help me, I feel the virus I have is mutating.
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there):

    Viewpoint
    Viewpoint Toolbar

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service
    MSUpdater

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there):

    System32i.exe
    ViewpointService.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there):

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll

    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll

    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    O4 - HKLM\..\Run: [MSUpdater] System32i.exe

    O4 - HKLM\..\RunServices: [MSUpdater] System32i.exe

    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler

    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.proxy.cc.uic.edu/lib/uic/support/plugins/ebraryRdr.cab

    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there):

    C:\WINDOWS\system32\System32i.exe
    C:\Program Files\Viewpoint (delete the entire folder)
    C:\Program Files\Common Files\Viewpoint (delete the entire folder)

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and Combofix logs.

    Regards Howard :)

    This thread is for the use of shivmister only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
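    The entries Howard singled out above share a pattern a log reviewer can check mechanically: a Run-key value whose command is a bare filename rather than an absolute path, a name that imitates the Windows system directory (System32i.exe), and use of the RunServices key. The following Python script applies those checks to HijackThis-style O4 and O23 lines. It is an added example for this thread, not HijackThis' own code and not something the posters ran; the sample log is constructed from the entries quoted in Howard's post (it is not a complete real log), and the heuristic names and thresholds are my own.

```python
"""Triage of HijackThis-style autostart entries (added example, not HJT code).

SAMPLE_LOG is constructed from the O2/O3/O4/O23 lines quoted in the thread;
it is not a complete log from the affected machine.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSUpdater] System32i.exe
O4 - HKLM\..\RunServices: [MSUpdater] System32i.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# O4 lines look like: O4 - HKLM\..\Run: [Value name] command line
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# O23 lines look like: O23 - Service: Display name - Company - path
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')

# Windows 9x-era autostart keys; legitimate software on XP almost never uses them.
LEGACY_KEYS = {"RunServices", "RunServicesOnce"}
# A basename that begins with the name of the Windows system directory.
LOOKALIKE_RE = re.compile(r'^system32', re.IGNORECASE)


@dataclass
class Finding:
    entry: str
    reasons: list


def executable_of(command: str) -> str:
    """Return the program part of a Run-key command line.

    A quoted path may contain spaces and ends at the closing quote; an
    unquoted one ends at the first space (anything after it is arguments).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Return the entries a reviewer should look at first, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            _hive, key, _name, command = m.groups()
            exe = executable_of(command)
            if key in LEGACY_KEYS:
                reasons.append(f"{key} is a Windows 9x-era autostart key")
            if not ABS_PATH_RE.match(exe):
                reasons.append("bare filename, no absolute path; resolved via the search path, so check where it really lives")
            if LOOKALIKE_RE.search(exe.rsplit("\\", 1)[-1]):
                reasons.append("filename imitates a Windows system name")
        m = O23_RE.match(line)
        if m and not ABS_PATH_RE.match(m.group(3).strip()):
            reasons.append("service binary has no absolute path")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.entry)
        for r in f.reasons:
            print("   ->", r)
```

    Run against the constructed sample, only the two MSUpdater/System32i.exe lines are flagged; the InstallShield and Viewpoint entries pass the path checks. That is the limit of the approach: Howard also removed the Viewpoint toolbar and service, which are correctly pathed and signed by a real company, because he recognised the vendor as adware. Path and key heuristics narrow the list; knowing what each vendor is still does the rest.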
     
  7. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    Thank you very much Howard, I will do this and post up a fresh HJT file.

    THANK YOU VERY MUCH :) !!!!!!!
    I did everything you said, and now when I rebooted my laptop there was no Avast pop-up. Just a few things: for some of the steps you listed, there was nothing in those places. Is that good or bad? Secondly, I attached a fresh HJT log; let me know if there is anything else I need to do. Also, would you suggest I reformat my computer anytime soon?
    Again, THANK YOU VERY MUCH!!!!! I was getting scared.
    -shivmister
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is now clean.

    However, I asked you to post a fresh Combofix log as well. Please do so in your next reply.

    Don't worry that you couldn't find all the items I asked you to delete. That's why I said (if there). This is perfectly normal.

    Regards Howard :)

     
  9. shivmister

    shivmister TS Rookie Topic Starter Posts: 33

    Sorry about that, I did not read the directions carefully. Well, here is the ComboFix log.
    On a side note though, my Avast found ComboFix to be malware, a Debora or something trojan. Is this because of its scripting, or is it malware? I tried redownloading it, but the same thing happened when I started it; I just told the computer to quarantine it. Am I okay?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Combofix is definitely not any kind of malware, so don't worry.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Locate and delete the following file (if there):

    C:\Program Files\wt3d.ini

    Reboot into normal mode and rehide your protected OS files.

    Other than the above your log file looks clean.

    Turn off System Restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  11. Mark Vincent

    Mark Vincent TS Rookie

    Thank you

    For all the informative help you have provided here, and for the fact that it worked like a charm (manual method only), I thank you. My systems had a similar problem, and although you provided help explicitly for shiv_, it worked on BOTH of my systems:

    AMD Socket 939 3500+ running Windows Server 2003
    AMD Socket AM2 4800+ running Windows XP SP2

    Simple help, thrilling outcome.
     
Topic Status:
Not open for further replies.
