Avast WEBforum

Other => Viruses and worms => Topic started by: MeDIeVaL on October 22, 2007, 07:59:09 AM

Title: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 22, 2007, 07:59:09 AM

Got this autoregistry.exe in D:\Windows folder that's run at every startup. Scanned it with avast!, SAS, Windows Defender and running ComboFix but found nuthin'. Running HijackThis and upload the result found that file is suspicious. Then upload to VirusTotal hits 14 out of 32. So I've put it into Chest and do some fixed with HijackThis. Now the suspicious file won't running at startup a'more(hopefully it will stay that way) but the file still lies in my D:\Windows folder. I've take all your good advices, don't simply delete it but what should I do next? I don't want to let it stay there forever if the file could be positive.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: oldman on October 22, 2007, 08:07:29 AM

The file in the chest, even if infected, can't do ant harm.

What was the file detected as? If it still is in the D:\Windows folder after you moved it to the chest, something must have replaced it.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 22, 2007, 08:21:42 AM

avast!, SAS and Windows Defender can't pick it up but the result from VirusTotal give 14 hits. The file detected as what you can see below (don't know the specific trojan/virus name as from 14 providers give different definition name)...

File autoregistry.exe received on 10.22.2007 08:13:49 (CET)Antivirus Version Last Update Result
AhnLab-V3 2007.10.22.0 2007.10.22 -
AntiVir 7.6.0.27 2007.10.21 TR/Autoregistry.A
Authentium 4.93.8 2007.10.22 -
Avast 4.7.1051.0 2007.10.21 -
AVG 7.5.0.488 2007.10.21 Small.GL
BitDefender 7.2 2007.10.22 -
CAT-QuickHeal 9.00 2007.10.20 -
ClamAV 0.91.2 2007.10.22 -
DrWeb 4.44.0.09170 2007.10.21 -
eSafe 7.0.15.0 2007.10.21 Virus.Win32.AutoRun.
eTrust-Vet 31.2.5225 2007.10.20 -
Ewido 4.0 2007.10.21 -
FileAdvisor 1 2007.10.22 High threat detected
Fortinet 3.11.0.0 2007.10.19 W32/Malicious.70EF!tr
F-Prot 4.3.2.48 2007.10.22 -
F-Secure 6.70.13030.0 2007.10.22 Virus.Win32.AutoRun.ir
Ikarus T3.1.1.12 2007.10.22 Virus.Win32.AutoRun.ir
Kaspersky 7.0.0.125 2007.10.22 Virus.Win32.AutoRun.ir
McAfee 5145 2007.10.19 -
Microsoft 1.2908 2007.10.22 -
NOD32v2 2605 2007.10.22 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.10.19 -
Panda 9.0.0.4 2007.10.21 Trj/Agent.GJJ
Prevx1 V2 2007.10.22 -
Rising 19.46.00.00 2007.10.22 -
Sophos 4.22.0 2007.10.22 Mal/Generic-A
Sunbelt 2.2.907.0 2007.10.20 -
Symantec 10 2007.10.22 -
TheHacker 6.2.9.104 2007.10.22 Trojan/Dropper.IR
VBA32 3.12.2.4 2007.10.19 Virus.Win32.AutoRun.ir
VirusBuster 4.3.26:9 2007.10.21 -
Webwasher-Gateway 6.6.1 2007.10.21 Trojan.Autoregistry.A

Additional information
File size: 24576 bytes
MD5: 1034405198173d12f7c840486e1a77cf
SHA1: 0438e3374aadae6fc0d7fd214f05546d5430538f
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=1034405198173d12f7c840486e1a77cf

P/S: Looking for it elsewhere but found none. It just stay in D:\Windows folder.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 22, 2007, 08:26:45 AM

As I can remember, it's come from my friend usb drive when he used my pc yesterday. Scan from avast! found this...

10/21/2007   10:34:53 AM   1192934093   MeDIeVaL   292   Sign of "Win32:VB-DHJ [Wrm]" has been found in "F:\MySexy.exe" file.
10/21/2007   10:35:10 AM   1192934110   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\New Folder.exe" file.
10/21/2007   10:35:13 AM   1192934113   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\scvhosts.exe" file.
10/21/2007   10:35:15 AM   1192934115   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\panggil\New Folder.exe" file.
10/21/2007   10:35:16 AM   1192934116   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\panggil\panggil.exe" file.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 22, 2007, 08:28:14 AM

Latest HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:54 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\HiJackThis.exe

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 22, 2007, 08:30:13 AM

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Implements TweakBHO - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - D:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: RocketDock.lnk = D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49985499-46A1-4238-9F07-1D380A377CCF}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{49985499-46A1-4238-9F07-1D380A377CCF}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8691 bytes

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: oldman on October 22, 2007, 08:44:43 AM

Hmm..all I could find was that autoregistry.exe was malicious. Maybe try googling some of the detected names would help.

I think essexboy was working on something like this. I'll try to find it.

I can't see anything in the log either, unless it was what you fixed. There are others here that may be able to see what we overlooked.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: oldman on October 22, 2007, 09:21:08 AM

Quote from: oldman on October 22, 2007, 08:44:43 AM

I think essexboy was working on something like this. I'll try to find it.

It was auto run that he was working on

http://forum.avast.com/index.php?topic=31007.0

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 22, 2007, 09:48:55 AM

Quote from: MeDIeVaL on October 22, 2007, 07:59:09 AM

Then upload to VirusTotal hits 14 out of 32. So I've put it into Chest and do some fixed with HijackThis.

It was there before I fixed with HijackThis. I thought the prob will go away after I've fixed it with HJT and put it into Chest but seem I can't used that step on this thing. It remain inside my Windows folder. I've googling and found that file is malicious but I don't whether to del it or not. Put it into Chest won't work this time or maybe I've put it wrong way. Maybe I should wait for essexboy but can I del that file?

This is what I've found in PrevX web...

Quote

1. COVERT ANALYSIS OF: AUTOREGISTRY.EXE
File Names Used: 2
Paths Used: 3
Common File Name: AUTOREGISTRY.EXE
Common Path: ?:\
Vendor Information: No Vendor details specified
Version Information: 1.00
AUTOREGISTRY.EXE may use 2 or more path and file names, these are the most common:
File Name Structure: Normal
File and Path Structure: Normal
2. RELATIONSHIP ANALYSIS OF: AUTOREGISTRY.EXE
Malicious Objects Created: 1 objects
Malicious Creators: 1
Malware Run Keys: None
Self Persists:
Antivirus Detection: No third party antivirus detection observed
Anti-Spyware Detection: No third party anti-spyware detection observed
3. ACTIVITY ANALYSIS OF: AUTOREGISTRY.EXE
The following behaviors have been observed for this object:
Installs programs.
Deletes programs.
Creates Run Keys.
Creates known malware.
Creates copies of itself.
4. PROPAGATION ANALYSIS OF: AUTOREGISTRY.EXE
Object Propagation Rate: Very Low (minimal spread)
Copyright Prevx Limited 2005, 2006

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: oldman on October 22, 2007, 09:59:23 AM

For now why don't you try moving it to the chest like this?

1. In the Virus Chest, switch to user file category.
2. In main menu, select File ® Add.
3.Browse the folders and select the file you want to add.
4.Choose Open

It will be safe there.

Yes, essexboy will be able to advise you better.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 22, 2007, 10:14:54 AM

Quote from: oldman on October 22, 2007, 09:59:23 AM

For now why don't you try moving it to the chest like this?

1. In the Virus Chest, switch to user file category.
2. In main menu, select File ® Add.
3.Browse the folders and select the file you want to add.
4.Choose Open

It will be safe there.

Yes, essexboy will be able to advise you better.

So I've put it into Chest the right way but seem the it won't dissappear from my Windows folder (I've done it twice). Scanned with PrevX CSI and still it can't be detected.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: oldman on October 22, 2007, 10:28:55 AM

Well, I don't know what to say. ???

You can visibly see the file in the chest, yet it remains in the windows folder?

That is strange, to say the least.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: DavidR on October 22, 2007, 02:52:13 PM

Quote from: MeDIeVaL on October 22, 2007, 10:14:54 AM

So I've put it into Chest the right way but seem the it won't dissappear from my Windows folder (I've done it twice). Scanned with PrevX CSI and still it can't be detected.

Because you are putting it in the chest manually because avast hasn't detected it, avast 'doesn't' remove the copy from the original location, you have to do that manually too. Make sure you send the sample to avast.

Look for autorun.inf files in the root of your hard drive partitions, e.g. c:\autorun.inf as this is more likely to be what is running it considering you got it from your 'friends' USB stick. It is just a text file use notepad to open it and you will see a command to run autoregistry.exe, there may be other commands in there. Post the contents of the autorun.inf file here.

There is a habit of setting the autorun.inf as a system file so it remains hidden ensure you show system files in Explorer, Tools, Folder Options, View. There should be no reason to have autorun.inf in a fixed hard drive, it is used in removable media, typically CD/DVD and USB sticks, etc. you should rename it autorun-inf.old or move it to the user files section of the chest and delete the original.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 22, 2007, 05:51:03 PM

Quote from: DavidR on October 22, 2007, 02:52:13 PM

Because you are putting it in the chest manually because avast hasn't detected it, avast 'doesn't' remove the copy from the original location, you have to do that manually too. Make sure you send the sample to avast.

As what I u'stand here, I need to del that file manually? Already done and let see whether it will come back later. Seaching for autorun.*** in both drive (C:, D:) but no result. Already send to virus@avast.com.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: DavidR on October 22, 2007, 06:08:58 PM

Did you ensure system and hidden files and folders are displayed ?

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: oldman on October 22, 2007, 08:22:40 PM

Quote from: DavidR on October 22, 2007, 02:52:13 PM

Quote from: MeDIeVaL on October 22, 2007, 10:14:54 AM
So I've put it into Chest the right way but seem the it won't dissappear from my Windows folder (I've done it twice). Scanned with PrevX CSI and still it can't be detected.

Because you are putting it in the chest manually because avast hasn't detected it, avast 'doesn't' remove the copy from the original location, you have to do that manually too. Make sure you send the sample to avast.

.

Thanks DavidR. I misunderstood the first time he "moved it to the chest". Should have known better on the user move though. :(

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: essexboy on October 23, 2007, 12:13:39 AM

Quote

10/21/2007 10:34:53 AM 1192934093 MeDIeVaL 292 Sign of "Win32:VB-DHJ [Wrm]" has been found in "F:\MySexy.exe" file.
10/21/2007 10:35:10 AM 1192934110 MeDIeVaL 292 Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\New Folder.exe" file.
10/21/2007 10:35:13 AM 1192934113 MeDIeVaL 292 Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\scvhosts.exe" file.
10/21/2007 10:35:15 AM 1192934115 MeDIeVaL 292 Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\panggil\New Folder.exe" file.
10/21/2007 10:35:16 AM 1192934116 MeDIeVaL 292 Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\panggil\panggil.exe" file.

Whoops just seen this I was working on something similar to this a while ago it originated in Malaya if I remember right.

Download ComboFix from Here (http://"http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe") or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

It will take several posts and several analysis runs to kill it. I will set this thread to notify so I do not miss your replies

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 07:29:13 AM

Quote from: DavidR on October 22, 2007, 06:08:58 PM

Did you ensure system and hidden files and folders are displayed ?

100% sure I've displayed the system and hidden files and folders. New symptom, svchost.exe keep asking permission to connect to 192.168.1.1 Port 7644 which I've never had this before.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 07:49:27 AM

My HJT log but seem nothing suspicious here...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:13 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Download Manager\IDMan.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\Program Files\HiJackThis.exe

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 07:49:53 AM

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 07:59:54 AM

ComboFix 07-10-23.1 - MeDIeVaL 2007-10-23 13:55:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.516 [GMT 8:00]
Running from: D:\Documents and Settings\MeDIeVaL\My Documents\Downloads\Programs\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 13:55   51,200   --a------   D:\WINDOWS\NirCmd.exe
2007-10-22 23:19   6,002   --a------   D:\WINDOWS\autoregistry.zip
2007-10-22 13:42   <DIR>   d--------   D:\Program Files\backups
2007-10-19 16:02   <DIR>   d--------   D:\Documents and Settings\vizier\Application Data\ATI
2007-10-16 12:13   2,463,976   --a------   D:\WINDOWS\system32\NPSWF32.dll
2007-10-16 12:13   190,696   --a------   D:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-16 11:34   <DIR>   d--------   D:\Program Files\Common Files\Java
2007-10-12 11:51   0   --a------   D:\WINDOWS\ativpsrm.bin
2007-10-12 11:47   593,920   ---------   D:\WINDOWS\system32\ati2sgag.exe
2007-10-12 11:46   <DIR>   d---s----   D:\Program Files\ATI Technologies
2007-10-11 16:28   <DIR>   d--------   D:\Documents and Settings\MeDIeVaL\Application Data\InstallShield Installation Information
2007-10-04 17:59   5,555   --a------   D:\WINDOWS\BricoPackFoldersDelete.cmd
2007-10-04 17:58   <DIR>   d--------   D:\WINDOWS\Vista Inspirat 2
2007-10-04 16:16   12,608   --a------   D:\WINDOWS\system32\drivers\TfKbMon.sys
2007-09-29 11:21   9,854,976   --a------   D:\WINDOWS\system32\atioglx2.dll
2007-09-29 11:07   356,352   --a------   D:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 10:58   143,360   --a------   D:\WINDOWS\system32\atipdlxx.dll
2007-09-29 10:58   122,880   --a------   D:\WINDOWS\system32\Oemdspif.dll
2007-09-29 10:58   43,520   --a------   D:\WINDOWS\system32\ati2edxx.dll
2007-09-29 10:58   26,112   --a------   D:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 10:57   122,880   --a------   D:\WINDOWS\system32\ati2evxx.dll
2007-09-29 10:56   483,328   --a------   D:\WINDOWS\system32\ati2evxx.exe
2007-09-29 10:55   53,248   --a------   D:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 10:49   307,200   --a------   D:\WINDOWS\system32\atiiiexx.dll
2007-09-29 10:47   172,032   --a------   D:\WINDOWS\system32\atiok3x2.dll
2007-09-29 10:36   3,107,788   --a------   D:\WINDOWS\system32\ativvaxx.dat
2007-09-29 10:36   3,107,788   --a------   D:\WINDOWS\system32\ativva5x.dat
2007-09-29 10:36   972,072   --a------   D:\WINDOWS\system32\ativva6x.dat
2007-09-29 10:23   5,435,392   --a------   D:\WINDOWS\system32\atioglxx.dll
2007-09-29 10:22   376,832   --a------   D:\WINDOWS\system32\atikvmag.dll
2007-09-29 10:20   17,408   --a------   D:\WINDOWS\system32\atitvo32.dll
2007-09-29 10:19   49,152   --a------   D:\WINDOWS\system32\drivers\ati2erec.dll
2007-09-28 19:06   8,192   --a------   D:\ntuser.dat
2007-09-28 18:45   3,807,264   --ahs----   D:\WINDOWS\system32\drivers\fidbox.dat
2007-09-28 18:43   75,248   --a------   D:\WINDOWS\zllsputility.exe
2007-09-24 21:35   <DIR>   d---s----   D:\Program Files\CodeStuff

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 05:54   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\DMCache
2007-10-23 05:46   8,870   ----a-w   D:\Program Files\hijackthis.log
2007-10-23 05:38   47,060   --sha-w   D:\WINDOWS\system32\drivers\fidbox.idx
2007-10-22 08:19   ---------   d-----r   D:\Program Files\AVG Anti-Rootkit Free
2007-10-21 02:36   ---------   d-s---w   D:\Program Files\SUPERAntiSpyware
2007-10-16 07:56   ---------   d-s---w   D:\Program Files\Java
2007-10-11 07:56   ---------   d--h--w   D:\Program Files\Windows Live Safety Center
2007-10-11 05:27   ---------   d--h--w   D:\Program Files\InstallShield Installation Information
2007-10-04 10:43   115   --sh--w   D:\Program Files\Common Files\Desktop.ini
2007-10-04 10:13   ---------   d-s---w   D:\Program Files\Yahoo!
2007-10-04 10:02   65,108   ----a-w   D:\WINDOWS\BricoPackUninst.cmd
2007-10-04 09:04   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\Apple Computer
2007-10-04 08:50   ---------   d--h--r   D:\Documents and Settings\MeDIeVaL\Application Data\yahoo!
2007-10-04 08:47   ---------   d-s---w   D:\Program Files\C-Media 3D Audio
2007-09-29 08:23   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\ATI
2007-09-29 05:46   47,376   ----a-w   D:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:06   268,800   ----a-w   D:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05   2,456,064   ----a-w   D:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:47   3,130,720   ----a-w   D:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:36   1,593,600   ----a-w   D:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:14   499,712   ----a-w   D:\WINDOWS\system32\ati2cqag.dll
2007-09-14 15:28   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\Nokia Multimedia Player
2007-09-14 14:21   ---------   d-s---w   D:\Program Files\Easy CD-DA Extractor 10
2007-09-12 12:37   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\Command & Conquer 3 Tiberium Wars
2007-09-11 00:35   98,304   ----a-w   D:\WINDOWS\system32CmdLineExt.dll
2007-09-11 00:35   ---------   d--h--r   D:\Documents and Settings\MeDIeVaL\Application Data\SecuROM
2007-09-08 01:52   ---------   d-s---w   D:\Program Files\TweakMASTER
2007-09-06 10:09   801,144   ----a-w   D:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05   94,416   ----a-w   D:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05   92,848   ----a-w   D:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03   23,152   ----a-w   D:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02   42,912   ----a-w   D:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00   95,608   ----a-w   D:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00   26,624   ----a-w   D:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-06 08:14   1,086,952   ----a-w   D:\WINDOWS\system32\zpeng24.dll
2007-09-02 03:10   ---------   d-s---w   D:\Program Files\Microsoft ActiveSync
2007-09-02 02:39   ---------   d--h--w   D:\Program Files\Microsoft.NET
2007-08-30 15:14   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\IDM
2007-08-30 14:43   ---------   d-s---w   D:\Program Files\Internet Download Manager
2007-08-30 14:21   ---------   d-sh--w   D:\Program Files\Intel
2007-08-30 11:57   ---------   d-s---w   D:\Program Files\MSXML 4.0
2007-08-30 11:20   218,624   ----a-w   D:\WINDOWS\system32\uxtheme.dll
2007-08-30 10:08   ---------   d-----r   D:\Program Files\Windows Media Connect 2
2007-08-30 10:08   ---------   d-----r   D:\Program Files\Windows Live Toolbar
2007-08-30 10:06   ---------   d-----r   D:\Program Files\Windows Defender
2007-08-30 10:04   ---------   d-----r   D:\Program Files\Riva FLV Encoder 2.0
2007-08-30 10:04   ---------   d-----r   D:\Program Files\QuickTime
2007-08-30 10:03   ---------   d-----r   D:\Program Files\Process Explorer
2007-08-30 10:01   ---------   d-----r   D:\Program Files\Nokia
2007-08-30 09:58   ---------   d-----r   D:\Program Files\Nero
2007-08-30 09:58   ---------   d-----r   D:\Program Files\MTV Networks
2007-08-30 09:56   ---------   d-----r   D:\Program Files\MSN Messenger
2007-08-30 09:49   ---------   d-----r   D:\Program Files\Executive Software
2007-08-30 09:48   ---------   d-----r   D:\Program Files\DIFX
2007-08-30 09:43   ---------   d-----r   D:\Program Files\Apple Software Update
2007-08-30 09:43   ---------   d-----r   D:\Program Files\Alwil Software
2007-08-30 05:35   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\Ahead
2007-08-30 05:25   ---------   d-----w   D:\Program Files\Common Files\PCSuite
2007-08-30 05:25   ---------   d-----w   D:\Program Files\Common Files\Nokia
2007-08-30 05:25   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\PC Suite
2007-08-28 21:39   ---------   d-----w   D:\Program Files\Common Files\Ahead
2007-08-28 12:18   ---------   d-----w   D:\Program Files\Common Files\Adobe
2007-08-28 11:33   ---------   d--h--w   D:\Program Files\Windows Live Favorites
2007-08-28 09:36   401,720   ----a-w   D:\Program Files\HiJackThis.exe
2007-08-28 08:33   ---------   d-----w   D:\Program Files\Common Files\Apple
2007-08-28 08:29   ---------   d-----w   D:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 08:29   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\SUPERAntiSpyware.com
2007-08-28 08:28   ---------   d-----w   D:\Program Files\Common Files\SWF Studio
2007-08-28 01:47   ---------   d--h--w   D:\Program Files\My Company Name
2007-08-28 01:41   ---------   d-----w   D:\Program Files\Common Files\InstallShield
2007-08-28 01:16   ---------   d--h--w   D:\Program Files\microsoft frontpage
2007-08-21 06:15   683,520   ----a-w   D:\WINDOWS\system32\inetcomm.dll
2007-07-30 11:19   92,504   ----a-w   D:\WINDOWS\system32\cdm.dll
2007-07-30 11:19   68,440   ----a-w   D:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:19   549,720   ----a-w   D:\WINDOWS\system32\wuapi.dll
2007-07-30 11:19   43,352   ----a-w   D:\WINDOWS\system32\wups2.dll
2007-07-30 11:19   325,976   ----a-w   D:\WINDOWS\system32\wucltui.dll
2007-07-30 11:19   271,224   ----a-w   D:\WINDOWS\system32\mucltui.dll
2007-07-30 11:19   207,736   ----a-w   D:\WINDOWS\system32\muweb.dll
2007-07-30 11:19   203,096   ----a-w   D:\WINDOWS\system32\wuweb.dll
2007-07-30 11:19   1,712,984   ----a-w   D:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:18   33,624   ----a-w   D:\WINDOWS\system32\wups.dll
2007-07-23 08:39   202,160   ----a-w   D:\WINDOWS\system32\idmmbc.dll
.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 08:00:56 AM

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"avast!"="D:\Program Files\Alwil Software\Avast4\ashDisp.exe" [2007-09-06 18:06]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"DiskeeperSystray"="D:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-04-25 04:49]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

D:\Documents and Settings\MeDIeVaL\Start Menu\Programs\Startup\
RocketDock.lnk - D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 06:05:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

S0 TfFsMon;TfFsMon;D:\WINDOWS\system32\drivers\TfFsMon.sys
S0 TfSysMon;TfSysMon;D:\WINDOWS\system32\drivers\TfSysMon.sys
S3 EnumChip;EnumChip;\??\E:\GART\EnumChip.sys
S3 TfNetMon;TfNetMon;\??\D:\WINDOWS\system32\drivers\TfNetMon.sys
S4 ThreatFire;ThreatFire;D:\Program Files\ThreatFire\TFService.exe service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]
AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Bha.dll.vbs

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 05:48:04 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-23 05:35:01 D:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-23 05:42:50 D:\WINDOWS\Tasks\MP Scheduled Scan.job"
- D:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-22 05:19:23 D:\WINDOWS\Tasks\User_Feed_Synchronization-{130143A0-4688-41D8-B5F4-B5A2807DA8DA}.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 13:57:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 13:58:40
.
--- E O F ---

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 08:05:54 AM

Screenshot of ZA pop up asking permission to grant access to couple of IPs. The pop up come out right after I start my pc and I'll have difficulties connecting to the net if I've click on Deny button.

http://www.geocities.com/solutem/za1.JPG
http://www.geocities.com/solutem/za2.JPG

After googling for 239.255.255.250 Port 1900 I've found this:

http://help.lockergnome.com/.../239-255-255-250-Port-1900-ftopict18953.html

which I understand have s'thing to do with D-Link and uPNP but I don't have it both. ???

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: DavidR on October 23, 2007, 03:08:52 PM

Quote from: MeDIeVaL on October 23, 2007, 07:29:13 AM

Quote from: DavidR on October 22, 2007, 06:08:58 PM
Did you ensure system and hidden files and folders are displayed ?

100% sure I've displayed the system and hidden files and folders. New symptom, svchost.exe keep asking permission to connect to 192.168.1.1 Port 7644 which I've never had this before.

This is a local network address and probably your router, http://compnetworking.about.com/od/routers/g/192_168_1_1_def.htm (http://compnetworking.about.com/od/routers/g/192_168_1_1_def.htm)

Quote

Definition: The IP address 192.168.1.1 is the default for Linksys brand home broadband routers. This address is set by the manufacturer at the factory, but you can change it at any time using the network router's administrative console.

You may or may not have a linksys router but this is a common address for a router.

Re your last post, by all accounts, you do have uPNP if you have a network router, whilst the particular topic link you give is about D-Link it could possibly relevant to other brands.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 04:22:14 PM

I don't really know about router thing. As what I know, from my pc I've direct connect to modem and from modem to telephone jack. No other hardware between that so can anyone tell me what's router really means? 1 more thing, the port varies e'time, is that normal (but I don't think it's normal as it keep came out e'time I've open new IE windows)? How 'bout 239.255.255.250 Port 1900 IP, googling here and there found it was suspicious IP.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 04:23:48 PM

Should I or should I not repair this one...

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]
AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Bha.dll.vbs

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: DavidR on October 23, 2007, 05:31:18 PM

Quote from: MeDIeVaL on October 23, 2007, 04:22:14 PM

I don't really know about router thing. As what I know, from my pc I've direct connect to modem and from modem to telephone jack. No other hardware between that so can anyone tell me what's router really means? 1 more thing, the port varies e'time, is that normal (but I don't think it's normal as it keep came out e'time I've open new IE windows)? How 'bout 239.255.255.250 Port 1900 IP, googling here and there found it was suspicious IP.

Do you have a broadband or dial-up connection ?
What is the hardware between your computer and the telephoe jack called ?

If you have broadband then the piece of hardware is likely to be a combined modem and router. If you use broadband and modem/router then these are less likely to be an issue and even so the IP addresses are local addresses and not connecting to the internet.

I would also suggest you upload the file named at the end of the registry AutoRun\command, ShellExec_RunDLL wscript.exe Bha.dll.vbs to VT for checking (and send to avast if multiple detections).

Yes repair the entry if the VT scan shows infected, I don't know if this can be done in ComboFix as I have very little experience of this tool or if you would have to do it manually in the registry, but export the key before you edit/repair is so it can always be reversed if required (which I doubt as it does look suspect).

You are also running hijackthis.exe from a strange place, rather than a folder of its own (I would suggest HJT) all the files would seem to be in the Program Files folder and you are running it from there. It is also advisable to change the hijackthis.exe file name to say HJT-MeDi.exe as there are a number of malware items that can detect and hide from hijackthis.exe.

Does this domain 'tm.net.my' belong to your ISP ?

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: MeDIeVaL on October 23, 2007, 06:01:11 PM

Quote from: DavidR on October 23, 2007, 05:31:18 PM

Do you have a broadband or dial-up connection ?
What is the hardware between your computer and the telephoe jack called ?

If you have broadband then the piece of hardware is likely to be a combined modem and router. If you use broadband and modem/router then these are less likely to be an issue and even so the IP addresses are local addresses and not connecting to the internet.

I've broadband connection and between my pc and telephone jack I got ADSL Modem.

Quote

I would also suggest you upload the file named at the end of the registry AutoRun\command, ShellExec_RunDLL wscript.exe Bha.dll.vbs to VT for checking (and send to avast if multiple detections).

Yes repair the entry if the VT scan shows infected, I don't know if this can be done in ComboFix as I have very little experience of this tool or if you would have to do it manually in the registry, but export the key before you edit/repair is so it can always be reversed if required (which I doubt as it does look suspect).

Looking for Bha.dll.vbs in that folder but I found nothing so I'll fix that registry key later.

Quote

Does this domain 'tm.net.my' belong to your ISP ?

Yup, it's belong to my ISP.

P/S: Just finish scanning with Windows One Care and still nothing detected so I assume my pc clean now but I'll monitor for a couple of days more and I'll let you know if there's unusual activity going on.

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: essexboy on October 23, 2007, 08:28:17 PM

You are correct as this is VBS Solow

We will delete the mount point which will stop it loading and if you can then do a manual search for the file Bha.dll.vbs

REGISTRY FIX

Quote

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]

Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop (http://img127.imageshack.us/img127/433/regtg8.jpg)

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

You will also need to delete this file D:\WINDOWS\autoregistry.zip

Title: Re: autoregistry.exe trojan, how to get rid of it?
Post by: polonus on October 23, 2007, 11:14:45 PM

Hi MeDIeVaL,

The network thing to port 1900 is just your computer telling this special reserved multicast address it is ready for upnp-multicast traffic. Normally your firewall should deny access for the incoming traffic of this protocol. But is nothing out of the ordinary. You can disable it through the program from here: http://www.grc.com/files/unpnp.exe

polonus