
Tech Support Team


  #1 (permalink)   Top
Old 13th August 2008, 06:32 PM
TST Expert
 
Join Date: Aug 2008, 776 posts.
Reputation: Gunner is on a distinguished road
AVG 8 FREE Question

AVG 8 FREE works great. Even better now that the activex entries from
Spybot immunize feature has been eliminated.
Anyway, I do have an item of interest...
Any manual scan always turns up an adware.virusburst warning in the
WZCSVC folder of windows xp registry. That HKLM hive ends with ControlFlags.
I know that folder controls wzcsvc.dll for my wireless network so I can't just remove it.
When I vault this item, it always rewrites back into my reg.
No other malware online or off-line scans show this particular item.
I am not having any symptoms of being infected with adware.virusburst at all.
My HJT log is clean as a whistle.
I believe it to be a false positive hit.
Can anyone confirm or add to this?
Thanks.
  #2 (permalink)   Top
Old 13th August 2008, 06:33 PM
TST Oracle
 
Join Date: Jul 2008, 8,171 posts.
Location: UK Norfolk .....
Reputation: Blackmirror is on a distinguished road
Have you reported it Gunner to Avg ??

VirusBurst is considered to be a rogue antispyware. It displays fake warnings and tricks computer users into purchasing all available software to remove infections.
__________________
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
  #3 (permalink)   Top
Old 13th August 2008, 07:01 PM
TST Expert
 
Join Date: Aug 2008, 776 posts.
Reputation: Gunner is on a distinguished road
No I haven't reported it mainly because I'm too lazy to google an address.
I have googled the symptoms you describe but, as I said, I have no indications
at all other than the avg scan warning.
Eset or Malwarebytes, SAS or any others do not show this as a warning or threat at all.
I will try and find an AVG trouble report link.
Thanks.
  #4 (permalink)   Top
Old 13th August 2008, 07:04 PM
TST Oracle
 
Join Date: Jul 2008, 8,171 posts.
Location: UK Norfolk .....
Reputation: Blackmirror is on a distinguished road
It is just a warning then I would ignore it
__________________
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
  #5 (permalink)   Top
Old 14th August 2008, 12:33 AM
TST Master
 
Join Date: Dec 2007, 2,107 posts.
Location: England
Reputation: Rik will become famous soon enough
Please visit one of the following:
(Multiple sites are given in case one is not working)

(If more than one file needs scanned they must be done separately) Copy the file path to the suspect file into notepad.

At the upload site, click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path in the window.
  • Next click Send File/Submit/Upload (depending on the site)
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Please wait for all of the scanning engines to complete.
see if you get the same warning or not.
__________________
"If at first you do not succeed, sit down, have a coffee, have a smoke, and think for a bit. If that still doesn't work, post it on TST".
  #6 (permalink)   Top
Old 14th August 2008, 12:59 AM
TST Expert
 
Join Date: Aug 2008, 776 posts.
Reputation: Gunner is on a distinguished road
Rik, it's not a file that's getting this warning but a registry entry...
HKLM\software\microsoft\WZCSVC\parameters\interfaces\{bunch of numbers and letters}\controlflags
I tried several times to send this string to AVG Virus Lab but it won't go...failed.
No other malware scanner errors on this entry. Has to be an AVG prob...I think.
But, then again, that's why I'm asking.
Thanks.
  #7 (permalink)   Top
Old 14th August 2008, 08:14 AM
TST Oracle
 
Join Date: Dec 2007, 8,001 posts.
Location: Market Haemorrhoids, Middle England
Reputation: Albert Lionheart is on a distinguished road
I should ignore it and treat it as a false positive.
__________________
Confuse and Prosper.
  #8 (permalink)   Top
Old 14th August 2008, 08:29 AM
TST Oracle
 
Join Date: Jul 2008, 8,171 posts.
Location: UK Norfolk .....
Reputation: Blackmirror is on a distinguished road
If it was flagged as a warning yes ignore

If it was flagged as a threat that's different and it would have been quarantined
__________________
Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, chocolate in one hand, wine in the other, body thoroughly used up, totally worn out and screaming...
Damn, What a ride!!
  #9 (permalink)   Top
Old 14th August 2008, 08:33 AM
TST Oracle
 
Join Date: Dec 2007, 8,001 posts.
Location: Market Haemorrhoids, Middle England
Reputation: Albert Lionheart is on a distinguished road
Sounds like AVG has got it wrong here and is hitting a perfectly innocent registry entry as sinister.
__________________
Confuse and Prosper.
  #10 (permalink)   Top
Old 14th August 2008, 09:08 AM
TST Master
 
Join Date: Dec 2007, 2,107 posts.
Location: England
Reputation: Rik will become famous soon enough
Are you comfortable with using regedit? If so, make a backup of your registry with the export button then delete the entry manually.

If you see no problems after that then all is well. If you do see any problems then use import to restore the registry.

A reboot will be required after each regedit use.


If you wish to give my suggestion a try but are not too sure about regedit then let me know and I will do you some detailed instructions.
__________________
"If at first you do not succeed, sit down, have a coffee, have a smoke, and think for a bit. If that still doesn't work, post it on TST".
  #11 (permalink)   Top
Old 14th August 2008, 01:22 PM
TST Member
 
Join Date: Jan 2008, 139 posts.
Reputation: AYTRIX Technologies is on a distinguished road
I think, Gunner, that it is a false positive because if nothing else is picking it up then I would ignore it.
__________________
James aka Nesbitt -> the only welsh irishman
  #12 (permalink)   Top
Old 14th August 2008, 03:27 PM
TST Expert
 
Join Date: Aug 2008, 776 posts.
Reputation: Gunner is on a distinguished road
Quote:
Originally Posted by Rik View Post
Are you comfortable with using regedit? If so, make a backup of your registry with the export button then delete the entry manually.
If you see no problems after that then all is well. If you do see any problems then use import to restore the registry.
A reboot will be required after each regedit use.
If you wish to give my suggestion a try but are not too sure about regedit then let me know and i will do you some detailed instructions.
Yes, I'm very comfortable in the reg.
I already exported the string and then deleted the reg entry but it recreates
after a reboot. I'm pretty sure windows\system32\wzcsvc.dll is doing the restore
and I can't remove/rename that dll without killing my wireless network.
But, just to reiterate, removing that string (and do not reboot), AVG will not hit
on any warning or threat.
I can vault the warnings but it's restored anyway so useless.
I appreciate all the advice and suggestions. I don't feel it's a real threat for I have
no indications of any problems at all.
Misery loves company so mainly trying to see if this happened to anyone else.
When avg 8 first came out it hit on warnings if running spywareblaster but
found out it was really hitting on spybot immunize items falsely. AVG corrected
that.
I have this posted in an avg forum and will update this thread if I find anything
of interest.
Thanks again.
  #13 (permalink)   Top
Old 14th August 2008, 03:52 PM
TST Oracle
 
Join Date: Dec 2007, 8,001 posts.
Location: Market Haemorrhoids, Middle England
Reputation: Albert Lionheart is on a distinguished road
Gunner - have you tried scanning with hijackthis to see if it finds anything? If it scans clear then I would consider the case closed!
__________________
Confuse and Prosper.
  #14 (permalink)   Top
Old 14th August 2008, 06:34 PM
TST Expert
 
Join Date: Aug 2008, 776 posts.
Reputation: Gunner is on a distinguished road
Quote:
Originally Posted by Albert Lionheart View Post
Gunner - have you tried scanning with hijackthis to see if it finds anything? If it scans clear then I would consider the case closed!
Yes, HJT is clean.
I'll leave this post open for a while in case later info becomes available.
Thanks again, ALL!! (That includes you too, Al. A little levity.)
  #15 (permalink)   Top
Old 14th August 2008, 06:57 PM
TST Member
 
Join Date: Jan 2008, 165 posts.
Location: Tampa FL
Reputation: Blind Dragon is on a distinguished road
What was the value of that key? did you check it?

Under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC\Parameters\Interfaces

There are GUIDs (bunch of letters and numbers) for each of the installed adapters. For each adapter entry, there is a registry value called 'ControlFlags'.

If bit 0x8000 of the ControlFlags value is set, then Wzc is enabled for that adapter; if it's cleared, then Wzc is disabled for that adapter. <- That is the 4th bit of the hex code for the value on that key

I believe all it is doing is telling your system to purge any previous wireless
cached connection credentials to force you to re-authenticate
__________________
Tech-101

Last edited by Blind Dragon; 14th August 2008 at 06:59 PM.
  #16 (permalink)   Top
Old 14th August 2008, 08:09 PM
TST Expert
 
Join Date: Aug 2008, 776 posts.
Reputation: Gunner is on a distinguished road
There are 3 GUID entries.
2 read the same controlflags values...reg_dword 0x03918002
1 (with the threat warning) has a value of...........0x03818002
I don't know enough about it to see the diff between 1 bit in 2 hex numbers.
59867138 vs 58818562
I'll search.
Thanks.

P.S.
Windows XP Embedded SP2 Feature Pack 2007
Primitive: Wzcsvc
The Primitive: Wzcsvc component provides support for Wired Equivalency Privacy
(WEP). WEP provides data encryption for wireless networks.
Even though I use WAP and not WEP, I can not delete wzcsvc.dll.
Reply With Quote
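
Added example, not part of any post in the thread: one way to triage a flagged registry value like this is to parse the `reg query /s` output for the key named in post #6 and diff the flagged ControlFlags DWORD against its siblings bit by bit. The GUIDs below are constructed placeholders, the three values are the ones quoted in post #16, and the meaning of bit 0x8000 is taken from post #15 as an assumption.

```python
import re

# Constructed sample in `reg query /s` format; GUIDs are placeholders,
# the ControlFlags values are the three quoted in post #16.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{00000000-0000-0000-0000-00000000000A}
    ControlFlags    REG_DWORD    0x3918002

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{00000000-0000-0000-0000-00000000000B}
    ControlFlags    REG_DWORD    0x3918002

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{00000000-0000-0000-0000-00000000000C}
    ControlFlags    REG_DWORD    0x3818002
"""

WZC_ENABLED = 0x8000  # assumption: meaning as stated in post #15

def parse_control_flags(text):
    """Map each interface GUID to its ControlFlags DWORD."""
    flags, guid = {}, None
    for line in text.splitlines():
        key = re.match(r"HKEY_.*\\Interfaces\\(\{[0-9A-Fa-f-]+\})\s*$", line)
        val = re.match(r"\s+ControlFlags\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)\s*$", line, re.I)
        if key:
            guid = key.group(1)
        elif val and guid:
            flags[guid] = int(val.group(1), 16)
    return flags

def differing_bits(a, b):
    """Bit positions (0 = least significant) where two DWORDs differ."""
    x = (a ^ b) & 0xFFFFFFFF
    return [i for i in range(32) if x >> i & 1]

def compare_to_majority(flags):
    """Compare every value with the most common one (the baseline)."""
    values = list(flags.values())
    baseline = max(set(values), key=values.count)
    return baseline, {
        guid: {"value": v,
               "wzc_enabled": bool(v & WZC_ENABLED),
               "differs_at": differing_bits(v, baseline)}
        for guid, v in flags.items()
    }

if __name__ == "__main__":
    baseline, report = compare_to_majority(parse_control_flags(SAMPLE))
    for guid, r in report.items():
        print(guid, hex(r["value"]), r["wzc_enabled"], r["differs_at"])
```

On these values the flagged entry differs from the other two only at bit 20 (mask 0x00100000), and bit 0x8000 is set in all three.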
  #17 (permalink)   Top
Old 9th April 2009, 06:59 PM
TST Expert
 
Join Date: Aug 2008, 776 posts.
Reputation: Gunner is on a distinguished road
AVG resolved this problem long ago but I failed to update this thread.
AVG 8 Free Edition does not show any false positives. Actually 7.5 had been fixed also.
It's great!!! (No comments, Albert.)
  #18 (permalink)   Top
Old 9th April 2009, 08:19 PM
TST Oracle
 
Join Date: Dec 2007, 8,001 posts.
Location: Market Haemorrhoids, Middle England
Reputation: Albert Lionheart is on a distinguished road
AVG must be getting cross with me because I had an email from them this week offering a free copy to try and prove me wrong. I turned it down!
__________________
Confuse and Prosper.
  #19 (permalink)   Top
Old 9th April 2009, 09:10 PM
TST Expert
 
Join Date: Aug 2008, 776 posts.
Reputation: Gunner is on a distinguished road
Quote:
Originally Posted by Albert Lionheart View Post
AVG must be getting cross with me because I had
an email from them this week offering a free copy to try and prove me wrong.
I turned it down!
A free copy of a paid version? And you turned it down WHY?
I really can't see AVG paid version being too much better than the FREE one.
I'm sure it does something extra but too lazy to search....too content also.
  #20 (permalink)   Top
Old 10th April 2009, 03:44 PM
Community Moderator
 
Join Date: Dec 2007, 4,345 posts.
Location: Oxford, UK
Reputation: Daveskater will become famous soon enough
Quote:
Originally Posted by Gunner2 View Post
you turned it down WHY?
I really can't see AVG paid version being too much better than the FREE one.
You answered your own question mate.
__________________
Numberwang!

A little air on the earth.