Avast says I have 1.reg malware

Status
Not open for further replies.

radicalgel

Hey Guys,

I am running Windows XP Pro and every time I start up XP, Avast's On-access scanner says it has found a Vbs:Malware-gen in c:/docnsettings/userid/locals~/temp/1.reg. Even if I choose to delete it or move it I keep getting the same message on startup. I don't think my machine is infected but something is trying to deploy and execute this 1.reg file at every boot. Can someone please help me solve this issue? Do I need to post any logs? I am very new to software like HJK and Combofix so I hope you can guide me through this. Thanks so much!
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of radicalgel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I cannot run Combofix.exe for some strange reason. It keeps saying "This version has expired, please download the latest update" and then it uninstalls Combofix.exe. I tried several different versions from all over the net but no luck yet. Btw the Panda Antirootkit scan found nothing and said my computer is clean.

Thanks!
 
Delete all versions of Combofix, then skip the Combofix instructions for now.

Continue with the rest of the instructions and post the requested log files.

Regards Howard :)

 
Delete all files in AVG Antispyware quarantine.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Windows Updater

Close the services window.

Click on the Processes tab and end process for (if there):

WinUpdater.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Windows Updater] WinUpdater.exe

O4 - HKLM\..\RunServices: [Windows Updater] WinUpdater.exe

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or folders (if there):

C:\WINDOWS\system32\WinUpdater.exe

Reboot into normal mode and rehide your protected OS files.

Go and follow the instructions in step 12 of this thread for Combofix.

Post the Combofix log as well as a fresh HJT log.

Regards Howard :)

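The clean-up steps above boil down to two patterns a technician looks for in a HijackThis log: an O2 BHO whose CLSID is registered but whose DLL is gone ("(no file)"), and an O4 autorun that launches a bare executable name (no path, so it is resolved from the search path) and is registered under both Run and RunServices so it survives either key being cleaned. The following is an added example, not code from the thread or from HijackThis, that audits a constructed log containing the three entries Howard asked to have fixed plus two benign filler entries (made-up names and a placeholder CLSID), and returns the lines to tick in HJT:

```python
"""Audit HijackThis-style O2/O4 log lines for the two patterns fixed in the thread.

Added example: the regexes approximate the HJT log format and the sample log
is constructed; nothing here is HijackThis's own code.
"""
import re
from collections import defaultdict

# Constructed sample log: the three entries from the thread, plus two benign
# fillers with made-up names and a placeholder CLSID.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ExampleTray] C:\\Program Files\\Example\\tray.exe
O4 - HKLM\\..\\Run: [Windows Updater] WinUpdater.exe
O4 - HKLM\\..\\RunServices: [Windows Updater] WinUpdater.exe
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|vbs|dll))\b", re.IGNORECASE)


def _executable(cmd):
    """Return the program part of an autorun command, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path: take up to closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)                   # unquoted path, possibly with spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def audit_hjt_log(text):
    """Map each suspicious log line to the list of reasons it was flagged."""
    reasons = defaultdict(list)
    keys_per_entry = defaultdict(set)       # (name, exe) -> {"Run", "RunServices", ...}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    for line in lines:
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                reasons[line].append("BHO CLSID registered but its DLL is missing (no file)")
            continue
        m = O4_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            if "\\" not in exe and ":" not in exe:
                reasons[line].append(
                    "autorun launches a bare file name resolved from the search path"
                )
            keys_per_entry[(m.group("name"), exe.lower())].add(m.group("key"))

    # Second pass: the same [name] program registered under more than one Run key.
    for line in lines:
        m = O4_RE.match(line)
        if m:
            entry = (m.group("name"), _executable(m.group("cmd")).lower())
            if len(keys_per_entry[entry]) > 1:
                reasons[line].append("same entry registered under more than one Run key")
    return dict(reasons)


def fix_list(text):
    """Lines a technician would tick in HijackThis, in log order."""
    flagged = audit_hjt_log(text)
    return [ln.strip() for ln in text.splitlines() if ln.strip() in flagged]


if __name__ == "__main__":
    for line, why in audit_hjt_log(SAMPLE_LOG).items():
        print(line)
        for reason in why:
            print("    ->", reason)
```

The bare-file-name check is the useful generalisation: a legitimate autorun almost always carries a full path, while a dropped executable sitting in system32 (as C:\WINDOWS\system32\WinUpdater.exe did here) can be started by name alone, which is exactly what makes it easy to overlook in a log.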
 
I rebooted in safe mode but could not find Windows Updater in services.msc.

I then ran HJK and fixed the following:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [Windows Updater] WinUpdater.exe

O4 - HKLM\..\RunServices: [Windows Updater] WinUpdater.exe

I have attached the new HJK log but I am still unable to run combofix.exe as I still get the popup saying that this version of combofix.exe is outdated.

I also want to inform you that Avast no longer catches the 1.reg VBS:Malware-Gen when I boot, so I am assuming the problem has been fixed but I'm not sure. Thanks for all the help!

View attachment 25685
 
Your HJT log is now clean.

Combofix is having problems at the moment, so we can't use it.

Do the following instead.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

Close all other windows before proceeding.

This means TURN OFF ALL other security programmes.
Norton Anti-virus, AVG Anti-spyware or any other security programmes you're running.

Double-click on dss.exe and follow the prompts.
When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please attach main.txt and extra.txt in your next reply.

Re-enable your security programmes and reconnect to the net.

Regards Howard :)

 
Everything looks fine there.

Unless you're still having problems, you should be good to go.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Thanks a ton Howard! Really appreciate the time you've taken to help! Just one last question. Out of the 3 free firewalls mentioned here, which one would you recommend most?
 
Personally, I've always used the Zonealarm firewall. However, the Comodo firewall is supposed to be very good, if a little more complex.

Regards Howard :)

 
Hi Howard,

I just have another small question. The LED on my floppy disk drive keeps blinking intermittently even though there is no floppy in the drive. Is this normal behaviour?
 
No, that isn't normal.

Two things I think may be responsible are:

A faulty or wrongly connected floppy cable.

A faulty floppy drive.

Regards Howard :)

 
Popup?

I have attached a screenshot of a pop-up I occasionally get. Could you please have a look at it and let me know what it is and why it's happening. Thanks!

Screenshot: popup.JPG
 
Hi,

That popup seems highly fishy. I suggest you post a fresh HijackThis log in your next reply. If possible, a Combofix log too. Have you run your antivirus scans and anti-spyware scans to check?

Regards,
momok =)
 
Hi,

Sorry I haven't replied for so long. Have been out of town. I just ran HJK and have attached the new log. Still unable to run Combofix. I am pretty sure I have some sort of virus because every time I plug in a flash memory device like a pendrive or SD card, Avast immediately says that the drive is infected with a trojan that is present in a file called "MicrosoftPowerPoint.exe". I also ran a full system scan and the "MicrosoftPowerPoint.exe" infection was found in my temp folder, which I repaired using Avast, but I don't know if the problem is fully fixed. Could you please help me out. Thanks!!!

HJK new log: View attachment 27515
 
VBS:Malware-gen

"C:\DOCUME~1\name\LOCALS~1\Temp\1.reg"

This is an excellent tool for free and works 100%.
Download, install, give an email address, nothing to worry about.

superantispyware.com
 