Avast blocked a threat, but it won't go to the virus chest.

My computer started running slow recently, and Avast notified me last night that a threat had been blocked from SysWOW64\regsvr32.exe. I then elected to move the file to a virus chest and run a full scan. The scan came back clean last night, but even after sleeping and coming back, Avast hasn’t moved the file to a virus chest.

Any help with my issue would be greatly appreciated.

owenthewaller,

Welcome.

regsvr32.exe is a Windows system file and should not be moved to the virus chest. If you get another block from Avast about this file, please attach a screenshot.

See: https://forum.avast.com/index.php?topic=194892.0
Please download and run Malwarebytes and FRST and attach the resulting logs in your next reply.

This should be what’s needed.

My computer started running slow recently, and Avast notified me last night that a threat had been blocked from SysWOW64\regsvr32.exe
What does the message say? All info given by Avast, or a screenshot.

https://gyazo.com/7970539f57515b2578aa798c7a3a6fdd I don’t know if gyazo suffices as a screenshot, but here’s the info that I have. The computer running slower than usual may have been unrelated, I’m sorry if adding it made my first post confusing.

Hmmm … IDP.Generic. Guessing it is a false positive

Upload regsvr32.exe to www.virustotal.com and scan it
Post link to scan result here

https://www.virustotal.com/#/file/8d3289d0ca1f99f987b3dd37bbd220fa7aecaceaae4f74d9250278ce1b61fb90/detection

Looks like the file’s all good unless there’s something I’m not seeing. Thank you for your help!

Last analysis 2017-11-06 16:24:52 UTC
always click the rescan button for a fresh result when file has been scanned before

Analysis date 2018-03-22 18:11:39 UTC :wink:

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad

```
HKLM-x32\...\Run: [SaitekInstall] => "C:\WINDOWS\TEMP\Saitek\WebInstall\SD_Win9X_4_3_3_1727\Win9X\InstallWizard.exe" 1 <==== ATTENTION
VirusTotal: C:\WINDOWS\TEMP\Saitek\WebInstall\SD_Win9X_4_3_3_1727\Win9X\InstallWizard.exe
```

  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Hi owenthewaller,

The detection wasn’t an FP. The regsvr32 must run the DLL or it’s hijacked to do bad things.

The screenshot shows that the regsvr32 was probably hijacked by someone, so the VT checks are useless in this situation.

Please follow these steps https://support.avast.com/en-us/article/33/ and post the File ID here.

Thanks,
PDI