  #1  
Old 05-27-2006
Bronze Member
 
Join Date: Dec 2005
Posts: 9
phil0446
Default [Resolved] Problems with a reported trojan

Hello

I am experiencing the following trojan being reported by my Norton weekly sweep, both entries (same trojan repeated) cannot be quarantined or deleted by Norton:-

regtr32.exe

I have spy sweeper as well running on my machine performing nightly sweeps, it does not pick the above up and reports my PC as clean.

I have performed the prework and attached the following reports:-

Hijack this log

Only problem being is when I save the ewido report (which was clean, honestly) on my desktop in safe mode, post restarting again I cannot find the file.....

Any help would be great

Thanks

Phil
Attached Files
File Type: log hijackthis.log (13.7 KB, 3 views)


  #2  
Old 05-27-2006
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
joe5
Default

Hya Phil.


Download Pocket Killbox:
http://www.atribune.org/downloads/KillBox.exe


Then boot your PC in safe mode (hit F8 when booting up) and then fix these entries with HJT:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {F06D8D0B-61B7-146A-E97C-6AF39C2314E1} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk

After that start Killbox and place a tick next to [x]delete on reboot.
And press the "all files" button. (just above the yellow triangle)

Copy this list into the windows clipboard:
(highlight the text , and select "copy")


C:\WINDOWS\regtr32.exe
C:\WINDOWS\Downloaded Installations\{825384D4-9CB9-44EA-86A2-E4025F3949AB}
C:\WINDOWS\Downloaded Installations\{5A715517-76F5-4865-AE58-B5FD61516D36}


Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt, then click OK.

Exit Killbox and restart your PC. See if Norton still detects anything, and post a new hjt log please.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
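
An added example, not part of the original thread and not HijackThis's own code: a small Python parser for the entry lines quoted in the post above, splitting each into its section code (R0/R1 registry values, O2 Browser Helper Object, O4 autorun, O14 IERESET.INF) and fields. The review notes it attaches are heuristics assumed for this example, not the poster's criteria.

```python
import re

# Sample input: the five entries quoted in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {F06D8D0B-61B7-146A-E97C-6AF39C2314E1} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")            # "O4 - <body>"
REG = re.compile(r"^(.*?),(.*?) =\s?(.*)$")               # key,value = data
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN = re.compile(r"^(\S+): \[(.*?)\] (.*)$")              # hive: [name] command


def parse_entries(text):
    """Return one dict per entry line: section code, parsed fields, review notes."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # log header, process list, blank lines
        section, body = m.groups()
        rec = {"section": section, "body": body, "notes": []}
        if section in ("R0", "R1") and (r := REG.match(body)):
            rec.update(key=r[1], value=r[2], data=r[3])
            if not r[3]:
                rec["notes"].append("empty registry data")
        elif section == "O2" and (b := BHO.match(body)):
            rec.update(name=b[1], clsid=b[2], file=b[3])
            if b[3] == "(no file)":
                rec["notes"].append("BHO registered but its file is missing")
        elif section == "O4" and (a := RUN.match(body)):
            rec.update(hive=a[1], name=a[2], command=a[3])
            if "\\" not in a[3]:
                rec["notes"].append("autorun command has no full path")
        entries.append(rec)  # other sections (e.g. O14) keep only the raw body
    return entries


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["section"], "|", e["body"], "|", "; ".join(e["notes"]) or "-")
```
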

  #3  
Old 05-28-2006
Bronze Member
 
Join Date: Dec 2005
Posts: 9
phil0446
Default

Jo

Ran through your instructions, ran Norton again, problem remains!

Latest HJT file attached

Any ideas please?

Thanks

Phil
Attached Files
File Type: txt HJT Phil0446.txt (13.1 KB, 3 views)


  #4  
Old 05-28-2006
Elite Member
 
Join Date: Jul 2005
Location: Bay Area California
Posts: 4,643
ladygreenwitch
Default

Hey Guys,

@Phill, did you also turn off Norton's Go Back before doing the fixes Joe suggested?

It may be that you need to disable System Restore, and Norton Go Back, and remove all files from the Norton Recycle Bin. That should remove any traces of the file that Norton is picking up. It will also make sure that you are not reinfected.

If prompted, you will want to remove all previous restore points; at this moment, they are all infected anyway.

Your log checks out clean. However, you do have Windows Messenger enabled which leaves you open to popup attacks. Please download Shoot the Messenger from my signature, as well as RegSupremePro.

After disabling System Restore and Norton Go Back, and deleting the protected recycled files, reboot your computer. Then run Shoot the Messenger, it is very self-explanatory.

Next run RegSupremePro.
It will want to create a backup of your cache, let it. Click on the Registry Cleaning tab, choose, Aggressive. When it has finished, click on Select, choose All. Click on Fix, and let it fix everything that it finds. Reboot your computer.

Now see if Norton's still locating traces of that file.

Look forward to your reply,

TTFN

LGW


  #5  
Old 05-28-2006
Bronze Member
 
Join Date: Dec 2005
Posts: 9
phil0446
Default

Hi

Ran shoot the messenger (it was already disabled, but re-enabled and then disabled to be on the safe side)

Norton Goback is (prior to your response) disabled as I am about to do some disk partitioning with partitionmagic in order to install SUSE, gulp

Ran regsupreme pro, it picked up around 700 items, fixed or deleted by the programme as it deemed necessary.

Deleted out from Norton by Antivirus/reports = cleaned out reports and logs etc

Run a scan

Same as before issue remains

what next, is it a genuine issue or a quirk?

Thanks again

Phil


  #6  
Old 05-28-2006
Elite Member
 
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
joe5
Default

I'm pretty sure it is a Win32.VB trojan, try this special removal tool:



Disinfection Utility

F-Secure Corporation provides the special disinfection utility to clean VB.bi infection from a computer. This disinfection utility is called F-Force and it can be downloaded from our web and ftp sites:

ftp://ftp.f-secure.com/anti-virus/tools/f-force.zip
http://www.f-secure.com/tools/f-force.zip

The utility is distributed only in a ZIP archive that contains the following files:
  • f-force.exe - the main executable file
  • eult.rtf - End User License Terms document
  • readme.rtf - Readme file in RTF format
  • readme.txt - Readme file in ASCII format
To unpack the archive please use the WinZip or similar archiver.

IMPORTANT! Please make sure that you read the End User License Terms document (Eult.rtf) and the Readme file (either Readme.txt or Readme.rtf) before using the F-Force utility!

The F-Force utility needs the archive with the latest updates in order to function properly. The archive's name is LATEST.ZIP and it should be downloaded and put into the same folder where the F-Force utility is located. This archive with the latest updates can be downloaded from one of these locations:

http://download.f-secure.com/latest/latest.zip
ftp://ftp.f-secure.com/anti-virus/updates/latest/latest.zip

Please note that the F-Force utility can disinfect only certain malicious programs. Besides the utility does not scan inside archives. So after cleaning a computer with the F-Force utility it is recommended to scan all hard drives with F-Secure Anti-Virus and the latest updates to make sure that no infected files remain there.




If that doesn't work then upload the regtr32.exe file to this site:

http://www.virustotal.com/en/indexf.html

And report back the scan result, that should tell for sure what it is.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

