Free Reg cleaner for XP? An AV program that works?

Bjorn Simonsen

REM said:
I tried this one, AntiVir, as Bjorn suggested and it found and removed
my contamination.

Good to hear.

REM said:
The darned thing was back when I rebooted though.
This is the third clean reinstall of XP Pro. It appears that some of
my media is infected, but I still have not found the culprit disk yet.

Suggest next time you write down the name of the infection. This since
some of the major AV companies (and others) will often offer detailed
descriptions of how the particular infection works and spreads. This
can of course be helpful when trying to pinpoint how you got infected
in the first place, and what to do to prevent it from happening again.

Notice that different AV companies may use different names for the same
infection (and some list the other names (alias/also known as)), so do
a Google on the name you've got from your av-client and learn more
about how it spreads.
If you cannot find any web site with info, try searching some of the Usenet
AV/V groups via <http://groups.google.com/>. Enter advanced search,
choosing search term (virus name) and what language you want,
then type
*virus*
(with the asterisk character before/after) in the *newsgroup field*
....should give you hits from all groups with "virus" as part of their
name. (if you don't have a name for it, but a name of infected file,
try search same way on that)

If you continue to struggle with this one, I suggest asking for help
in any of the dedicated AV/V groups (search them first), say such as
<alt.comp.anti-virus> or <alt.comp.virus.> :)

All the best,
Bjorn Simonsen
 
Mister Charlie

REM said:
Same here. I was using AVG and Kerio 2.1.5 on XP Pro when I got it.
I see the OP here was using XP also. I'm trying to figure out exactly
how I got the bug. What is common here? Are you using XP?

Yes. I should have mentioned that.
 
Karen

REM said:
"As AV-client I prefer <www.free-av.com> which offers resident
protection, good on trojan/worms also in my experience (found stuff
AVG didn't)"

I tried this one, AntiVir, as Bjorn suggested and it found and removed
my contamination. The darned thing was back when I rebooted though.
This is the third clean reinstall of XP Pro. It appears that some of
my media is infected, but I still have not found the culprit disk yet.

It looks like my initial infection emanated from:

C:\Docume~1\Jimmy\Locals~1\Temp\v3h43ba00796

It then manifested in the protected restore directory.

I ended up running AntiVir, which found and removed the virus from
both locations and then I took my ME boot disk and rebooted to DOS.
I used the deltree command on C:\Docume~1\Jimmy\Locals~1\Temp
and I think I finally got the thing. I've shown clean with AntiVir,
Bit Defender, AVG, A2 and Ewido since.

I was locked down pretty tight and I still don't see how I was
infected in the first place. I hope that you have better luck than I
had in removing the virus.
===============
This is an extremely interesting post.
We can't locate anything on this PC after scanning it repeatedly with 4
different anti-virus programs plus more than a few Anti-spy-scumware
programs. We removed everything we found and the problem persists. We will
definitely try the one you just recommended. We're desperate enough to try
ANYTHING rather than another reformat & reinstall of the OS.

Karen...
 
Karen

JRC said:
Oooops, should have been a little clearer. The cleaning tool is from
Avast anti-virus. I've tried installing Avast AV, and the first scan I do,
it reports a lot of false positives, figured a cleaning tool from them would
do an excellent job. AVG anti-virus is from Grisoft. They offer a pro and a
free version. http://www.grisoft.com/us/us_index.php As many different
scans that you've run, doesn't sound like you have a virus. :)
==================================
At this point after NUMEROUS scans both online and in safe-mode there is
NOTHING on this PC. If there is it's invisible to all AV software we tried
and all anti-ad/scumware. This must be some kind of incompatibility or
conflict somewhere. We have no idea how to fix this or what could be
causing the problem. We're about to give up looking for worms and viruses
but will try the one recommended above. We used so many already we may have
already tried it.

Karen...
 
Karen

Mister Charlie said:
I just went thru a few days of grief trying to get rid of a low level
trojan. Don't know where it came from, but AVG (which I trust
implicitly...nothing is perfect) let it thru, then I ran the AV program,
it said it 'healed' it, yet it kept reappearing.

I read in googled articles that perhaps windows media player was
responsible and I deleted wmplayer.exe. Finally I was able to get rid
of the damned thing.

I would google for that specific virus and get as much info as possible.
If you haven't already done so...
========================
If your reply is for me - we haven't found anything after numerous scans.
PestPatrol found some chintzy Adware and we removed it - the problem
remains.

Karen...
 
Karen

JRC said:
The way I've been doing it, is just select all and make sure it has a check
mark beside make a backup before deleting, then I delete everything. So far
no problems.

** If you have no clue where the backup is going, as in my case, you
wouldn't do that. :) There is no information as to WHERE the backup goes.
A back-up is useless if it can't be found.

Karen......
 
Karen

REM said:
We were talking about Regseeker awhile back and there was someone
running Norton that had some problems with Regseeker. I think he was
running Norton Suite, where she is running Norton AV and possibly the
big suite or utilities thing.
========================
I'm running Norton System Works 2002. I like the trouble shooting features
and the fact that it scans all incoming and outgoing email. Stops scripts
etc.

Karen....
 
GoodTime Barnie

** If you have no clue where the backup is going, as in my case, you
wouldn't do that. :) There is no information as to WHERE the backup goes.
A back-up is useless if it can't be found.

Karen......

The backup file goes to the Reg Cleaner folder by default. You click backup
and choose the file you need to use and its done, very simple. It's a good
program, have used it for a long time with no problems.
GoodTime Barnie
 
Mister Charlie

Karen said:
========================
If your reply is for me - we haven't found anything after numerous scans.
PestPatrol found some chintzy Adware and we removed it - the problem
remains.

Yeah. Sorry I was pretty much no help on this one. I know how horridly
time intensive a format is but if 4 programs see nothing one can only
imagine that might be the only way to resolve this.
 
Karen

omega said:
Looks pretty suspicious. I'd shoot it on sight.
=====================================
What do you recommend I do? Delete it, rename it or drag it to another
folder and see if it's necessary for something "legitimate" to run?

Karen
 
Karen

omega said:
Looks pretty suspicious. I'd shoot it on sight.
========================
It appears to be some kind of "Oberon" plug-in from what I found Googling
it.... System Tools and Gadgets??? How the hell did it get on my PC?
Thanks for bringing this to my attention.

Karen.
 
Karen

omega said:
Looks pretty suspicious. I'd shoot it on sight.
====================================
It looks like THAT was the problem - I dragged it to the desktop and renamed
it. Rebooted and Start/Run/msconfig and regedit now works as does Task
Manager!!!!! How did you single this thing out???? How can I keep
CRAPWARE like this from invading my PC in the future????

Thank you! Thank you! :)))))

Karen
 
omega

Karen said:
========================
It appears to be some kind of "Oberon" plug-in from what I found Googling
it.... System Tools and Gadgets??? How the hell did it get on my PC?
Thanks for bringing this to my attention.

I see your Google web hits for Oberon. I doubt very much it's something you
have. http://www.bodley.ox.ac.uk/erl/wattcp/install.txt

| Installation of PC-Spirs for Waterloo Packet Driver TCP
|
|
| ERLCLNT.CFG
| INSTALL.EXE
| SYSTEM1.EXE
| SYSTEM2.EXE
| PING.EXE
| TCPINFO.EXE
| WATTCP.CFG
|
| You will be prompted for a directory in which the search software
| should be installed - the default is C:\SPIRS and this would normally
| be acceptable.

Not only is it more or less obscure, this packet driver stack, but mainly
this: Note how the legit set of files go into their own directory.

You probably won't find many of those other filenames mentioned as part of
that group on your system (minus ping and install). Also, right-click on
System2.exe and I see that the properties (file headers) probably won't say
Oberon or Spirs.

It is the habit of trojans and malware to try to hide in your system
directory, and use names they think you'd be less likely to notice, such
as system.com, windows.exe, etc.

Instead of the Google web search, try a Google groups search. There are
only a few threads that get hits on that filename. But notice that in those
threads, it is the same symptoms you have described earlier in this thread.

It sounds like it is a simple trojan, and not a virus. Not a virus would
explain the failure of your AV sw.
 
omega

Karen said:
====================================
It looks like THAT was the problem - I dragged it to the desktop and renamed
it. Rebooted and Start/Run/msconfig and regedit now works as does Task
Manager!!!!! How did you single this thing out???? How can I keep
CRAPWARE like this from invading my PC in the future????

Thank you! Thank you! :)))))

Great news!! You might want to make sure all is clean. That it was gone
after reboot is good. I'd thought over the situation that it could have
put an extra copy in XP system restore folder, but your results sound
like you don't have that complication. You'll want to run a start-up
utility to clean out its autoload entry.

If you have time to spend, you might see about doing a full search to see if
you have any file that is exactly that same size (in case it is hiding
somewhere under a different name, waiting to copy itself over again as
system2.exe). Or instead, for that, and definitely for future, get some
anti-trojan software. It's often needed to supplement anti-virus software.

I'm not the best one to provide the specific best anti-trojan recommendation.
Hopefully one of the connoisseurs might jump in for that. Else, a Google
search on this group would turn some choices.
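
The same-size search suggested in the post above, as an added example that is not part of the original thread: it walks a directory tree for files the same size as a quarantined sample, then uses SHA-256 to separate byte-identical copies from coincidental size matches. The function names and the demo files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(sample, root):
    """Return (identical, same_size_only) lists of paths under root.

    Size is the cheap first filter the post suggests; the hash then
    separates byte-for-byte copies from coincidental size matches.
    """
    sample = os.path.realpath(sample)
    size = os.path.getsize(sample)
    digest = sha256_of(sample)
    identical, same_size_only = [], []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.realpath(path) == sample:
                    continue  # skip links and the sample itself
                if os.path.getsize(path) != size:
                    continue
                (identical if sha256_of(path) == digest
                 else same_size_only).append(path)
            except OSError:
                continue  # locked or unreadable file: skip, keep scanning
    return sorted(identical), sorted(same_size_only)


if __name__ == "__main__":
    # Constructed demo tree; file names and contents are made up.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Temp"))
        files = {"quarantine.bin": b"A" * 64, "Temp/winhelp.exe": b"A" * 64,
                 "notes.txt": b"B" * 64, "small.txt": b"A" * 8}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        same, size_only = find_copies(os.path.join(root, "quarantine.bin"), root)
        print("identical copies:", same)
        print("same size, different content:", size_only)
```

Files in the second list share only the size and are usually unrelated; files in the first list are exact copies of the sample under another name.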
 
Karen

omega said:
Great news!! You might want to make sure all is clean. That it was gone
after reboot is good. I'd thought over the situation that it could have
put an extra copy in XP system restore folder, but your results sound
like you don't have that complication. You'll want to run a start-up
utility to clean out its autoload entry.

## I'm not familiar with "startup" utilities. I'll have to read up on
them.

If you have time to spend, you might see about doing a full search to see if
you have any file that is exactly that same size (in case it is hiding
somewhere under a different name, waiting to copy itself over again as
system2.exe). Or instead, for that, and definitely for future, get some
anti-trojan software. It's often needed to supplement anti-virus software.
I'm not the best one to provide the specific best anti-trojan recommendation.
Hopefully one of the connoisseurs might jump in for that. Else, a Google
search on this group would turn some choices.

## I'll see if I can turn something up......

Karen....
 
omega

Karen said:
"omega" <[email protected]> wrote in message
You'll want to run a start-up utility to clean out its autoload entry.

## I'm not familiar with "startup" utilities. I'll have to read up on
them.

I was a little vague. It's where you can check into what gets put in your
startup. Sort of as msconfig, only msconfig is only meant to toggle things
off temporarily. With a startup utility you can learn if new programs,
including malware, have decided to load whenever you boot up. And you
use that utility to remove unwanted, and suspicious, entries.

Three startup utilities made it to Pricelessware 2004. Two of these will also
hang out and monitor things for you. The third you launch just to look things
over yourself. You should install at least one of these. Winpatrol sounds
like it would offer you the most protection; and I notice Bjorn S. advocates
its use fairly regularly. The other two are small, so you might consider
going ahead and downloading all three, to take a look.


I'll go ahead and quote the whole entries in full...

http://www.pricelessware.org/PL2004SYSTEMUTILITIES.htm#ProcessMonitor:Start-Up

..........................................................................

WinPatrol

Description: WinPatrol with Scotty the Windows Watch Dog will sniff out
Worms, Adware, Spyware, Cookies, Trojan horses and other virus type,
malicious, nasty programs that may attack your computer. WinPatrol puts you
back in control of your computer with no need for constant updates.
WinPatrol's goal is to help you better understand what programs are running
on your computer, and alert you to any new programs added without your
permission. Scotty lets you confirm any new programs set up to run on your
computer.

Home Page:
http://www.winpatrol.com/
download page (English) v 7.0.0.5 (2004-03-22) (wpsetup.exe) (779 KB)
http://www.winpatrol.com/winpatrol.html

..........................................................................

Start-Up Monitor

Description: StartupMonitor is a small utility that runs transparently (it
doesn't even use a tray icon) and notifies you when any program registers
itself to run at system startup. It prevents those utterly useless tray
applications from registering themselves behind your back, and it acts as a
security tool against trojans like BackOrifice or Netbus.

Author: Mike Lin Company: --
Home Page:
http://www.mlin.net/StartupMonitor.shtml
download v 1.02 (StartupMonitor.zip) (60 KB)
http://www.mlin.net/files/StartupMonitor.zip

..........................................................................

Startup Control Panel

Description: Startup Control Panel is a nifty control panel applet that
allows you to easily configure which programs run when your computer starts.
It's simple to use and, like all my programs, is very small and won't burden
your system. A valuable tool for system administrators!

Author: Mike Lin Company: --
Home Page:
http://www.mlin.net/StartupCPL.shtml
download v 2.8 (StartupCPL.zip) (59 KB)
http://www.mlin.net/files/StartupCPL.zip
download v 2.8 (StartupCPL_EXE.zip) (34kb)
http://www.mlin.net/files/StartupCPL_EXE.zip
..........................................................................
 
Alastair Smeaton

========================
I'm running Norton System Works 2002. I like the trouble shooting features
and the fact that it scans all incoming and outgoing email. Stops scripts
etc.

Karen....

sorry - may have missed this - but have you tried a repair install ?
You don't need to reinstall programmes and drivers etc, but it should
put all key windows components back where they should be - things may
work then ?
 
dszady

Karen said:
"omega" <[email protected]> wrote in message
[...]
.........................................................................
[Excessive snip so I won't get bitched at] :)

More Security measures: A new hosts file. (WinXP comes with a one-liner -
sheesh!) Easy to do. Instructions on the site.
http://www.mvps.org/winhelp2002/hosts.htm

You already have an Anti-virus for your system... So to check again,
probably the most thorough online scan in the world (I'm not joking!)
Kaspersky Labs SuperLite on demand antivirus scanner using KAV scan engine
http://home.epix.net/~artnpeg/
It won't clean or disinfect your files for you. But if there is a nasty
in there *will* find it.

You might want to think twice about this one. On my wife's XP blue smoke
comes out of the back of the computer. Just kidding! :)
A lot of people recommend it and I use it when I'm in Win98. You would
probably need a couple more opinions. But it's for those start-up blues
and nasties and only runs when it is needed: SpywareBlaster (Donationware)
OS: Windows 98/ME/NT/2000/XP
Languages: English
http://www.pricelessware.org/2004/PL2004SECURITY.htm

[OT]
Now for immediate eradication if Superlite finds a Trojan:
http://tds.diamondcs.com.au/index.php?page=download
TDS-3 "the most advanced anti-trojan system in the world" 30 days
There is not a good free Trojan detector out there. And this will run in
the background or on-demand.

Dammit, Responded to the wrong post. Sorry Omega :(
 
