Can't get rid of regsvr32.exe malware

Avast keeps telling me that regsvr32.exe is infected and sending out a request to a website. I’ve run Avast, MWAB, and SUPERantispyware but the warning keeps coming up. What further steps should I be doing to get rid of this?

http://www.overclock.net/content/type/61/id/2348925/width/500/height/1000/flags/LL

Could you let me know if this stops it?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-1129031283-2916662017-2553396162-1000\...\Run: [Enztion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Dar\AppData\Local\ARworks\CNHI06A.dll
HKU\S-1-5-21-1129031283-2916662017-2553396162-1000\...\Winlogon: [Shell] C:\Windows\EXPLORER.EXE [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-21-1129031283-2916662017-2553396162-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Enztion] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Dar\AppData\Local\ARworks\CNHI06A.dll
HKU\S-1-5-21-1129031283-2916662017-2553396162-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Winlogon: [Shell] C:\Windows\EXPLORER.EXE [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION
CHR StartupUrls: Default -> "hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT", "hxxp://www.google.com", "hxxp://www.google.com/", "hxxp://search.conduit.com/?ctid=CT3281675&SearchSource=48&CUI=UN19165416701119528&UM=2", "hxxp://www.trovi.com/?gd=&ctid=CT3324774&octid=EB_ORIGINAL_CTID&ISID=M1C12D4D9-7B7D-4179-B3D2-CD3E3AA5512F&SearchSource=55&CUI=&UM=5&UP=&SSPV="
2015-01-03 00:34 - 2015-01-03 00:34 - 0000000 _____ () C:\Users\Dar\AppData\Local\{D58BE85B-0B60-4613-81CA-30D4868C66D3}
Hosts:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with OK.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
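
The Run entries in the fixlist above start the standard Windows tool C:\Windows\SysWOW64\regsvr32.exe and hand it a DLL under AppData\Local, so the item to examine is the DLL argument rather than regsvr32.exe itself. The following Python sketch is an added example, not part of the original posts and not FRST's own logic; it triages FRST-style Run lines on that basis. The user-writable locations, the C:\Windows install path and the second sample line are assumptions made for illustration.

```python
import ntpath  # Windows path rules regardless of the OS this runs on
import re

# FRST-style autorun line: <key>\Run: [<value name>] => <command>
ENTRY_RE = re.compile(r'^(?P<key>HK[^:]+\\Run(?:Once)?): \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$')
# Command that starts regsvr32, optionally quoted and with a full path
HOST_RE = re.compile(r'(?i)^"?(?P<host>(?:[^"]*?\\)?regsvr32(?:\.exe)?)"?\s+(?P<args>.+)$')
# regsvr32 switches (/s /u /n /i[:cmdline]) that may precede the DLL path
SWITCH_RE = re.compile(r'(?i)(?:^|\s)/(?:[sun]|i(?::\S*)?)(?=\s|$)')
# Assumption: locations a standard user can write to
USER_WRITABLE_RE = re.compile(r'(?i)^[a-z]:\\(?:users\\[^\\]+\\appdata\\|programdata\\|windows\\temp\\)')
# Assumption: Windows is installed in C:\Windows
SYSTEM_HOSTS = {r'c:\windows\system32\regsvr32.exe', r'c:\windows\syswow64\regsvr32.exe'}

SAMPLE = [
    # Run entry taken from the fixlist in this thread
    r'HKU\S-1-5-21-1129031283-2916662017-2553396162-1000\...\Run: [Enztion] => '
    r'C:\Windows\SysWOW64\regsvr32.exe C:\Users\Dar\AppData\Local\ARworks\CNHI06A.dll',
    # Constructed entry for contrast: DLL under Program Files
    r'HKLM\...\Run: [ExampleCodec] => C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Example\codec.dll"',
    # Winlogon line from the same fixlist: not a Run value, so it is skipped
    r'HKU\S-1-5-21-1129031283-2916662017-2553396162-1000\...\Winlogon: [Shell] '
    r'C:\Windows\EXPLORER.EXE [2871808 2011-02-25] (Microsoft Corporation) <==== ATTENTION',
]

def analyse(line):
    """Return a finding dict for a regsvr32 Run entry, else None."""
    entry = ENTRY_RE.match(line.strip())
    host = entry and HOST_RE.match(entry['cmd'])
    if not host:
        return None  # not a Run value, or it does not start regsvr32
    dll = ntpath.normpath(SWITCH_RE.sub(' ', host['args']).strip().strip('"'))
    return {
        'value': entry['name'],
        'dll': dll,
        'host_is_system_copy': ntpath.normpath(host['host']).lower() in SYSTEM_HOSTS,
        'dll_user_writable': bool(USER_WRITABLE_RE.match(dll)),
    }

def suspicious(finding):
    # regsvr32.exe is only the loader; the DLL it is handed decides the verdict.
    return finding['dll_user_writable'] or not finding['host_is_system_copy']

if __name__ == '__main__':
    for line in SAMPLE:
        finding = analyse(line)
        if finding:
            print('REVIEW' if suspicious(finding) else 'ok    ', finding['value'], '->', finding['dll'])
```
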

Not sure if it stopped or not. The warning will just randomly pop up.

Could you monitor it for a while and let me know either way?

Hi.
Yesterday I started getting this warning as well. I scanned with Avast, Malwarebytes and CCleaner and it still pops up. I even went so far as to buy the Internet Security subscription and re-ran the scans.

I know there is a real “syswow64 regsvr32.ex” file I need, but how can I tell whether this is legit (and create an exception) or the virus version?
Thanks for any ideas!

Beth, if you want help please start your own thread and provide the logs.

I’m having this exact problem, started this morning.

https://forum.avast.com/index.php?topic=53253.0