Win32:Regrun-M[trj], is it gone perhaps?

Hiya, today I turned on my computer and got a message saying:
C:\Windows\Sys32\Config\Services.exe
This unit, search path or file could not be reached. You might not have permission to access this object. (English is not my native tongue, so I had to translate it; the actual message might use different vocabulary.)

Okay, so I opened Avast! and during the memory test it said I was infected with Win32:Regrun-M.
After asking on this forum earlier today, I was told this is indeed a virus and not a false alarm.

After moving it to the chest, I opened Avast! once again. This time it recommended that I reboot and start their scanner.
It found 1 infected file which I moved to the chest. (By the way, should I let them stay in the chest or delete them?)

Here are the infected files in the chest:
A0069008.ex, taken from C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP and so on
Size of file: 20992 (kb?)
File ID: 7

__
Services.exe, taken from c:\windows\system32\config
Size of file: 20992
File ID: 6


I then turned off System Restore and booted up in Safe Mode.
Avast! didn't find anything, and neither did AVG Anti-Rootkit, Ad-Aware or NoLop.
However, when I boot up in normal mode, the message which I mentioned at the top still appears.

I've tried googling the name, but I have yet to find the trojan horse's "mission"; does anyone know what it's trying to accomplish, by the way? :stuck_out_tongue:

I also have no idea what might have caused this; I am currently using ZoneAlarm and Avast!

I’ll post a HiJackThis log in a second…

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=SV_SE&c=64&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=SV_SE&c=64&bd=PAVILION&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=SV_SE&c=64&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\config\services.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skicka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Ski&cka till OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Hjälp med anslutning - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167315191497
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 9935 bytes

Hi elH0hel,

Nothing much there in the HJT logfile; you can fix this:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

polonus

Thanks, but I'm a little worried about the message; if the virus is gone, shouldn't the message stop appearing?

Is this the correct full path (it also differs from the HijackThis log)?

Hiya, today I turned on my computer and got a message saying: C:\Windows\Sys32\Config\Services.exe

The sys32 folder would appear fake (it should be system32, I would have thought), and so would the config folder and services.exe. Services.exe on my XP Pro SP2 system is in the system32 folder.

So to me that would make this entry suspect:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\config\services.exe"

Do a search of your system for services.exe and report the locations where it is found.

Upload this file to VirusTotal: C:\WINDOWS\system32\config\services.exe

This path is the one mentioned in the little window I get every time I boot up Windows; I have no idea why it differs from the HijackThis log. :expressionless:

After doing a search, it seems my services.exe is indeed in system32.
I can’t find any “sys32” folder in the windows folder either, and there’s no services.exe in the Config folder.

Anyway, I uploaded the Services.exe which is located in System32 and got this:
http://www.virustotal.com/sv/analisis/84cf39c2d862c2299be3a52f2e7bae7d

Hi elOHel,

That is clean; to get rid of the empty remnants, do the following:

  1. Temporarily disable System Restore (Windows Me/XP).
    You must have Administrator privileges to be able to disable System Restore on Windows XP.

a. On the Desktop, right-click on My Computer
b. Select the System Restore tab
c. Check "Turn Off System Restore" to disable it and uncheck it to enable
d. Click Apply at the bottom of the dialog box to save the settings.
e. A message "This deletes all existing restore points" will appear; click Yes to disable.
f. Click OK.

  2. Download DrWebCureIT from here: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

  3. After downloading, browse to where the file was saved and double-click launch.exe to install it.

  4. Reboot your computer in Safe Mode.
    Starting the computer in Safe Mode is useful when troubleshooting computer problems, because it limits the resources it loads.

a. During the boot-up process, press F8 continuously until the selection menu appears
b. Use the Up/Down arrow keys to select Safe Mode on the selection menu.
c. Hit Enter to proceed.

  5. Run DrWebCureIT and do a full scan of your computer. Delete all infected files.

  6. In order to make sure that the threat is completely eliminated from your computer,
    carry out a full scan of your computer using antispyware software like Malwarebytes:
    http://www.malwarebytes.org/mbam/database/mbam-rules.exe

polonus

That little window/message is an indication that the HJT entry I posted is setting, or trying to set, explorer.exe to services.exe in the folder location system32\config\services.exe, which, being a non-standard location, I feel is suspect.

The sys32\config\services.exe is likely to be hidden; see the image and ensure that your settings in Explorer, Tools, Folder Options are the same as those opposite the red line. But before you attempt to do that, you should fix this entry first:
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\config\services.exe"

That is the legit location for services.exe, so I would expect it to be clean; our problem is with another location.

Now, I don't know if this file no longer exists and it is just the entry in the HJT log; because that is still active, it is trying to run the file, hence the message about the missing file/location.

I now see you have two topics on the go for this same issue, http://forum.avast.com/index.php?topic=36002.0, this just causes duplication and confusion of effort for those helping (certainly me).

If avast has already alerted on this and you have sent it to the chest/deletion or whatever action you chose, then:

  1. it should be gone from that location, and
  2. that is probably what placed it into the System Volume Information folder as a restore point.

F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\config\services.exe"

So all you should need to do is clean up the above entry in HijackThis.
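The mechanism DavidR describes is what a practitioner would want to check for in any such log: the Winlogon Shell value (shown by HijackThis as the F2 - REG:system.ini: Shell= line) is a list of programs Windows starts as the shell, and anything beyond Explorer.exe is a persistence entry. When the extra program has been removed but the registry value is left behind, Windows still tries to launch it at every logon, which produces exactly the "file could not be reached" message from the first post. Below is an added example, not code from this thread, from HijackThis or from avast, that triages HijackThis-style lines offline. It goes beyond the single F2 line: it flags any extra shell token, any core Windows binary name (services.exe, lsass.exe and so on) referenced from a directory other than system32, and orphaned entries marked "(no file)" or "(file missing)". The sample lines are constructed from the log above; the rule names, the CORE_BINARIES set and the hard-coded C:\WINDOWS location are this example's own assumptions.

```python
"""Offline triage of HijackThis-style log lines.

Added example, not tooling from the thread. The sample log is constructed
from entries posted in the thread; rule names and thresholds are assumptions.
"""
import re
from dataclasses import dataclass

# Assumption: Windows is installed in C:\WINDOWS, as on the poster's machine.
# Core system binaries live here; the same file name anywhere else is suspect.
SYSTEM_DIR = r"c:\windows\system32"
CORE_BINARIES = {"services.exe", "lsass.exe", "smss.exe", "csrss.exe",
                 "winlogon.exe", "svchost.exe", "explorer.exe"}
# The default Winlogon Shell value on XP is exactly one token.
DEFAULT_SHELL = "explorer.exe"

# Constructed sample, modeled on lines from the log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe "C:\WINDOWS\system32\config\services.exe"
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


@dataclass
class Finding:
    kind: str          # which rule fired
    line: str          # the offending log line
    detail: str = ""   # e.g. the suspect path


# A drive-letter path ending in an executable extension, optionally quoted.
_PATH_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:exe|dll|sys))"?', re.IGNORECASE)


def _norm(token: str) -> str:
    """Strip quotes and lower-case so paths compare case-insensitively."""
    return token.strip().strip('"').lower()


def check_shell(line: str) -> list[Finding]:
    """F2 Shell= line: every token other than Explorer.exe is a shell hijack."""
    m = re.search(r"Shell=(.*)$", line, re.IGNORECASE)
    if not m:
        return []
    tokens = re.findall(r'"[^"]*"|\S+', m.group(1))   # split outside quotes
    extra = [_norm(t) for t in tokens if _norm(t) != DEFAULT_SHELL]
    return [Finding("shell-hijack", line, t) for t in extra]


def check_core_binary_location(line: str) -> list[Finding]:
    """Any entry type: a core binary name referenced outside system32."""
    out = []
    for m in _PATH_RE.finditer(line):
        path = _norm(m.group(1))
        directory, _, name = path.rpartition("\\")
        if name in CORE_BINARIES and directory != SYSTEM_DIR:
            out.append(Finding("core-binary-outside-system32", line, path))
    return out


def check_orphan(line: str) -> list[Finding]:
    """Registry entries whose target file is gone: leftovers, safe to fix."""
    if "(no file)" in line or "(file missing)" in line:
        return [Finding("orphan-entry", line)]
    return []


def triage(log: str) -> list[Finding]:
    """Run every rule over every non-empty line and collect the findings."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        for rule in (check_shell, check_core_binary_location, check_orphan):
            findings.extend(rule(line))
    return findings


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")


if __name__ == "__main__":
    main()
```

On the sample the F2 line fires twice, once as a shell hijack and once because services.exe is referenced from system32\config rather than system32, which is the combination DavidR is pointing at; the BHO and the Symantec service fire only as orphans. The location rule is deliberately independent of the entry type, so a rogue services.exe hiding behind an O4 Run key or an O23 service would be caught the same way.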

Hello again. I've run DrWebCureIt and it found 3 suspected files in PcHealth and HP\bin. I'm not sure if they really were viruses, but they're moved/deleted now.
I have also deleted/repaired the HijackThis object DavidR told me to. The message which appears when I boot up is now gone.

Sorry about the two threads. The first thread was just about if it was a false alarm or the real deal while this one was created because I wanted to get rid of it properly. :smiley:

Hopefully it will be all good now. I was going to scan with Panda's online scan, but my Avast! stopped me, so hopefully I didn't get a new virus already! :stuck_out_tongue:
Just to be as sure as I can, I will scan with Trend's free scan, F-Secure Anti-Rootkit, AVG Anti-Rootkit, Search and Destroy, Ad-Aware and the Avast! virus scanner.

While F-Secure's Anti-Rootkit can't find any rootkit, my AVG finds one. It's been in my system for a very long time, and I once decided to delete it. After deleting it, it was still there, but with a different name. I don't think it's dangerous, no?
If anyone’s curious: C:\Windows\System32\Drives\ampja9q7.SYS
Rootkit type: Hidden driver file

EDIT: Is there any difference between a normal Avast! scan and the Avast! reboot scanner?
Is it worth using the normal Avast! scan instead of the reboot scan, you know? I've noticed that the normal Avast! scan takes A LOT of time, while the reboot scan goes a lot faster.