regsrv.exe process slowing down CPU

I have noticed that for the past week there have been problems with my PC, such as very slow speeds and a process called regsrv.exe using high CPU resources in my Task Manager. Anyway, it has been running past Avast Free Antivirus with no worries, but PC Tools ThreatFire has recently been removing processes like IEXPLORER.EXE and SERVICES.EXE, stating that they are tampering with other files on my PC. Every time I boot my computer the same reports come up from ThreatFire and I quarantine both objects. Avast has been quiet through all this mayhem, but I am starting to wonder if this regsrv.exe process is infected. Please help me :-\

I have located the regsrv.exe and have it zipped up in a compressed folder, but it is also still running on my PC.

from dingo44 :slight_smile:

Hi dingo44

IEXPLORER.EXE is something you don't want to have:

http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=IEXPLORER.EXE

regsrv.exe brought up this:

http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=regsrv.exe

http://www.threatexpert.com/reports.aspx?find=regsrv.exe

So please upload the file to http://www.virustotal.com and post the results here.

Greetz, Red.

Edit: On second thought, I will PM Essexboy about it so he can help you.

Hi, that is a legitimate file if it is in the right location.

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to the desktop.
[*] Double-click GMER.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan.
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don't miss this one)

http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg


[*] Then click the Scan button and wait for it to finish.
[*] Once done, click on the [Save...] button, and in the File name area type in "ark.txt".
[*] Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any "<-- ROOTKIT" entries.
Please copy and paste the report into your post.

THEN

Download OTL to your Desktop

[*] Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
[*] Under the Custom Scan box paste this in:


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90

[*] Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*] When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Post both logs.
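The two checks Essexboy's post relies on, "is the file in the right location" and "do the boot-class drivers and system DLLs in the /md5start list still hash to what they should", can be reproduced with built-in Windows cmdlets when a third-party tool will not download or run. The script below is an added example, not code from the thread or from the OTL/GMER authors. It assumes an elevated PowerShell 4.0 or later session (Get-CimInstance and Get-FileHash are not available on the XP-era Windows the original poster likely had); the process names come from the thread, and the driver/DLL list is copied from the /md5start block above.

```powershell
# Added example (not from the forum post): triage a suspicious process name and
# hash the system files the OTL script checks, using only built-in cmdlets.
# Assumptions: elevated PowerShell 4.0+; names below taken from the thread.

# Image names from the thread (Win32_Process.Name includes the .exe).
$suspectNames = @('regsrv.exe', 'iexplorer.exe')

function Get-SuspectProcessReport {
    param([string[]]$Names)
    foreach ($name in $Names) {
        # Win32_Process exposes the on-disk path, command line and parent PID,
        # which is what decides "right location" and who launched it.
        $procs = Get-CimInstance Win32_Process -Filter "Name = '$name'"
        foreach ($p in $procs) {
            $path = $p.ExecutablePath
            $report = [ordered]@{
                Name        = $p.Name
                PID         = $p.ProcessId
                ParentPID   = $p.ParentProcessId
                Path        = $path
                CommandLine = $p.CommandLine
            }
            if ($path -and (Test-Path -LiteralPath $path)) {
                $report.InSystem32 = $path -like "$env:SystemRoot\System32\*"
                $report.SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $report.Signature  = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                $report.Signer     = $sig.SignerCertificate.Subject
            } else {
                # No readable image on disk: deleted after launch, injected, or access denied.
                $report.Note = 'no on-disk image path; inspect from a clean boot'
            }
            [pscustomobject]$report
        }
    }
}

# The /md5start list from the OTL script: storage/boot drivers and logon DLLs
# that in-place patching rootkits of that era targeted, so hash + signature is cheap.
$driverNames = @('atapi.sys','iaStor.sys','iastorv.sys','nvstor.sys','nvstor32.sys',
                 'nvata.sys','nvatabus.sys','nvgts.sys','nvraid.sys','nvrd32.sys',
                 'AGP440.sys','IdeChnDr.sys','viasraid.sys','viamraid.sys','vaxscsi.sys',
                 'ViPrt.sys','ahcix86.sys','ahcix86s.sys','KR10N.sys','symmpi.sys',
                 'adp3132.sys','mv61xx.sys')
$dllNames = @('eventlog.dll','scecli.dll','netlogon.dll','cngaudit.dll','sceclt.dll',
              'ntelogon.dll','logevent.dll','eNetHook.dll')

function Get-SystemFileIntegrityReport {
    param([string[]]$Files)
    foreach ($f in $Files) {
        # Look in the same two places OTL does; a hit outside them is itself notable.
        $candidates = @("$env:SystemRoot\System32\$f", "$env:SystemRoot\System32\drivers\$f")
        foreach ($c in $candidates) {
            if (-not (Test-Path -LiteralPath $c)) { continue }
            $sig = Get-AuthenticodeSignature -LiteralPath $c
            [pscustomobject]@{
                File      = $c
                MD5       = (Get-FileHash -LiteralPath $c -Algorithm MD5).Hash     # what OTL prints
                SHA256    = (Get-FileHash -LiteralPath $c -Algorithm SHA256).Hash  # what VirusTotal keys on
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Modified  = (Get-Item -LiteralPath $c).LastWriteTime
            }
        }
    }
}

Get-SuspectProcessReport -Names $suspectNames | Format-List
Get-SystemFileIntegrityReport -Files ($driverNames + $dllNames) | Format-Table -AutoSize
```

Read the output the way the post reads the OTL log: a regsrv.exe whose Path is not under the Windows directory, whose parent is a browser or an unsigned binary in a user profile, or whose Signature is HashMismatch is the thing to upload to VirusTotal. A Status of NotSigned on a Microsoft driver is weaker evidence on its own, since many of them are catalog-signed rather than embedded-signed on older Windows; compare the hash against a known-good copy of the same file version instead of acting on the signature field alone.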

This is the VirusTotal report: http://www.virustotal.com/analisis/70f135e95c6484bbd5b910ef51ff4dde577cace8e7e2eae0565f2cff13ea69cd-1271478755

This came up as my ThreatExpert report: http://www.threatexpert.com/report.aspx?md5=6c4661d4d840f5903381c5dc66382aef

And the GMER rootkit scanner refuses to download or run.

I have a zipped version of the regsrv file on hand for investigation.

from dingo44 :slight_smile:

Could you run the OTL scan then, please?

I am sorry, but I have attempted to download the OTL scan several times and something keeps cutting out the download. This also happened when I attempted to download the BlackLight rootkit scanner, HijackThis, Sophos, and the Panda rootkit scanner, plus several other virus scanners.

from dingo44 :cry:

Well, download those from a clean computer and put them on a USB stick/CD or whatever. If they don't run even after that, rename them to something like 5476834.EXE, or even .COM.

I have uploaded a zipped copy here http://cid-32d8666f4048075b.skydrive.live.com/self.aspx/Malware%20files/OTL.zip?lc=2057

Dingo44,

We understand your problem. You don't have to download all those BlackLight scanners, Sophos scanners, etc. Essexboy is a trained malware expert. He will help you remove the infection. Just do as he says and make sure you obey him... at least until the infections are removed. ;D

nmb

No more need to worry. I took the file to PC Tools, they added it to the ThreatFire blacklist, and I have had no more problems.

from dingo44 :slight_smile: