n?svc32.exe is infected by Win32:Trojan-gen. {VC}

Here’s the details:

  1. How was it detected? What was scanning, you yourself or the back-ground scanner? When did the message occur on a download, unzipping, opening a file, mail or mail-attachment, etc.?
    First detected when I ran initial scan after downloading avast.
    Detected again when I ran Boot Scan.
    Detected again when I was viewing the Windows\System32 folder.

  2. What was the source of the file, where did the file come from? E.g. address, URL, source.
    I have no earthly idea, but a curse upon the scum that created it and all those that make this crap.

  3. When was it downloaded or received?
    Again, I’m in the dark.

  4. What is the exact file name with extension.
    Well, avast finds it as “n?svc.exe”, but I cannot find a file with that name in the Windows\System32 folder.
    I do see a file named “nvsvc32.exe” (File C:\WINDOWS\SYSTEM32\n?svc32.exe is infected by Win32:Trojan-gen. {VC})

  5. What was the exact wording of the message that the AV program came up with? This is important for later.
    File C:\WINDOWS\SYSTEM32\n?svc32.exe is infected by Win32:Trojan-gen. {VC}: from the aswBoot.txt file

  6. Now go back and do nothing yet. Scan the particular file once again with your AV product.

    A. The message is in the same wording: maybe positive alert
      Same message. I tried to use the move/rename feature and got this message:
      The following error occurred during the file move/rename: The filename, directory name, or volume label syntax is incorrect.
    B. If the message is not in the same wording or the scan does not find anything this could be a false positive.
      Not applicable

  7. Check with an online scanner or update to jotti for a second opinion. Jotti resides at http://virusscan.jotti.org/
    Submitted the file named “nvsvc.exe” because do not see the target file “n?svc.exe”

 Last file scanned at least one scanner reported something about: Copy_of_poisonivy2-nme.exe, detected by:

| Scanner | Malware name |
|---|---|
| AntiVir | X |
| ArcaVir | Trojan.Agent.Rk |
| Avast | X |
| AVG Antivirus | X |
| BitDefender | X |
| ClamAV | X |
| Dr.Web | X |
| F-Prot Antivirus | W32/Agent.AGL |
| Fortinet | X |
| Kaspersky Anti-Virus | Backdoor.Win32.Agent.rk |
| NOD32 | Win32/Agent.NAK |
| Norman Virus Control | X |
| UNA | X |
| VBA32 | Backdoor.Win32.Agent.rk |

I just started using avast yesterday and am still getting familiar with it. It immediately detected 6 viruses and sent 5 to the chest, but this one it can’t touch.

Any help to understand and resolve this issue will be greatly appreciated. I hate badwarz but am too cheap ;D to pay for security apps when free ones do a decent job. Besides, I had Norton for a couple of years and was not too impressed.

Well, I hope you’re using an NVIDIA graphics card with ForceWare drivers.
Because I have system32\nvsvc32.exe on my system and I’m using an NVIDIA card, though avast! doesn’t detect anything.

Download and run HijackThis 1.99.1 from Meriji.org
HijackThis Download Page

Run HijackThis and post the text file to
HijackThis log file analysis
or
NetworkTechs log file analysis

This may help you to find out some more details

If the file is shown as n?svc32.exe, I guess the question mark is actually a special Unicode character, showing as v in Explorer. Some malware uses such a trick to “hide”. The boot-time scanner should be able to delete the file.
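
The naming trick described above, as an added example that is not part of the original thread: a Python check that shows why a non-Unicode log prints such a name as n?svc32.exe and flags look-alike names in a directory listing. The Greek nu (U+03BD), the `LOOKALIKES` map and the sample listing are constructed assumptions; the thread never identifies the actual character.

```python
import unicodedata

# Assumption: a tiny hand-picked subset of look-alike letters, not a full
# confusables table (Unicode TS #39 publishes one).
LOOKALIKES = {
    "\u03bd": "v",  # GREEK SMALL LETTER NU
    "\u0475": "v",  # CYRILLIC SMALL LETTER IZHITSA
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}

def ansi_view(name, codepage="cp1252"):
    """Render a name the way a non-Unicode log does: unmappable chars become '?'."""
    return name.encode(codepage, errors="replace").decode(codepage)

def skeleton(name):
    """Fold compatibility forms and known look-alikes down to plain letters."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(LOOKALIKES.get(ch, ch) for ch in folded).lower()

def find_masquerades(names):
    """Flag every non-ASCII name; note which ASCII name in the listing it imitates."""
    ascii_names = {n.lower() for n in names if n.isascii()}
    findings = []
    for name in names:
        if name.isascii():
            continue
        skel = skeleton(name)
        findings.append({
            "ansi_view": ansi_view(name),
            "imitates": skel if skel in ascii_names else None,
            "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
                          for c in name if not c.isascii()],
        })
    return findings

# Constructed sample listing; on a live system pass os.listdir() of the folder.
SAMPLE = ["notepad.exe", "nvsvc32.exe", "n\u03bdsvc32.exe"]

if __name__ == "__main__":
    for hit in find_masquerades(SAMPLE):
        print(hit)
```

A literal '?' is not a legal character in a Windows file name, so a tool that acts on the converted name rather than the real Unicode one gets a name-syntax error, which is consistent with the Move/Rename message quoted earlier in the thread.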

Hello spidyr2k,

Hi very impressed by the way you reported your virus find.
The info on this particular malware and removal instructions can be found here:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=74718

If Avast alerted you to it, it cannot do much harm, but do as igor suggests to
get it off your machine.

polonus

Polonus ;D

Thanx for the assistance and the compliment ;D I went to viruslist per your posted reply and did not see removal instructions or just did not recognize them :stuck_out_tongue:

I’m not terribly comfortable mucking around in the registry. BTW, my machine DOES have a NVidia card which supposedly uses the nvsvc.exe file for something.

Afraid I have to ask for more help from you, m8 ???

Whilst there are no direct removal instructions, knowing the registry keys allows for their deletion (always back up the registry before working in it) stopping it from running and would then allow for file deletion.

Once launched, the Trojan registers itself in the system registry, ensuring that the Trojan will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“” = “”

Try the wonderfully simple and free ERUNT program for backing up your registry :wink:

:slight_smile: :smiley: ;D :slight_smile: :wink: :smiley: ;D :slight_smile: :wink: :smiley: ;D
Thanx a bunch, guys!! Here’s what I did:

DavidR.'s comment “stopping it from running and would then allow for file deletion.” made me think about Safe Mode. After booting to safe mode, I ran a quick scan and avast once again pegged the n?svc.exe file in Windows\System32. I tried the Repair option and syntax blocked it. I tried the Chest option, same thing. Next tried the Move/Rename option, ditto. BUT…Delete allowed me to send it to the recycle bin.

Booted back up and ran scan on the Windows\System32 folder and voilà!..it’s GONE!!!

Now, do I really need the nvsvc.exe file? Dunno, but so far all systems appear to be functioning within normal operating parameters.

Once again, I really appreciate the fast response from you all. I did get the ERUNT prog…it’s really sweet and makes me feel safer already. And thanx for the jotti link.

YOU GUYS ROCK!! 8)

Glad we could help.

Scheduling a boot-time scan from within avast works even better than a safe mode scan as windows isn’t running to protect files in the system folder. If you had system restore enabled it is likely it will have been saved in a restore point waiting to bite you in the a*s when you do a system restore that includes that restore point. I suggest you disable system restore, reboot, run a full or boot-time scan, if clean enable system restore.

As Igor said, it is likely that this file had nothing to do with nvidia, just made to look like it and place it in one of the system folders to have windows protect it. If nvidia is working fine I wouldn’t touch anything.

Trojans generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.

The VRDB only protects certain files, .exe, dll and other system files, it doesn’t protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won’t be an option.
Only true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast’s VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.
However, for the most part so-called viruses, trojans (adware/spyware/malware, etc.) can’t be repaired because the complete content of the file is malicious.

Welcome to the forums.

Happy to be aboard, DavidR ;D

About the boot-time scan…I did run one after the initial run-time scan. Not sure if I asked it to delete the file when avast snagged it, though. I may have been a bit wary about deleting a file at that stage and slowwwly backed away. I will take your advice and run the full scan with sys restore disabled. Your (and everyone’s) advice has been great. There is so much that I have learned in just a few posts…I promise to use this great knowledge for the good of all mankind :wink:


Be sure to come back often, learn more, and use that knowledge for the good of all Avastkind! :wink: ;D