Author Topic: autoregistry.exe trojan, how to get rid of it?  (Read 20168 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #15 on: October 22, 2007, 08:22:40 PM »
So I've put it into the Chest the right way but it seems it won't disappear from my Windows folder (I've done it twice). Scanned with Prevx CSI and still it can't be detected.

Because you are putting it in the chest manually (avast hasn't detected it), avast 'doesn't' remove the copy from the original location; you have to do that manually too. Make sure you send the sample to avast.


Thanks DavidR. I misunderstood the first time he "moved it to the chest". Should have known better on the user move though.  :(

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #16 on: October 23, 2007, 12:13:39 AM »
Quote
10/21/2007   10:34:53 AM   1192934093   MeDIeVaL   292   Sign of "Win32:VB-DHJ [Wrm]" has been found in "F:\MySexy.exe" file. 
10/21/2007   10:35:10 AM   1192934110   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\New Folder.exe" file. 
10/21/2007   10:35:13 AM   1192934113   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\scvhosts.exe" file. 
10/21/2007   10:35:15 AM   1192934115   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\panggil\New Folder.exe" file. 
10/21/2007   10:35:16 AM   1192934116   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\panggil\panggil.exe" file. 
Whoops, just seen this. I was working on something similar a while ago; it originated in Malaya if I remember right.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

It will take several posts and several analysis runs to kill it.  I will set this thread to notify so I do not miss your replies

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #17 on: October 23, 2007, 07:29:13 AM »
Did you ensure system and hidden files and folders are displayed ?

100% sure I've displayed the system and hidden files and folders. New symptom: svchost.exe keeps asking permission to connect to 192.168.1.1 port 7644, which I've never had before.

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #18 on: October 23, 2007, 07:49:27 AM »
My HJT log, but it seems there's nothing suspicious here...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:13 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Download Manager\IDMan.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\Program Files\HiJackThis.exe

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #19 on: October 23, 2007, 07:49:53 AM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Implements TweakBHO - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - D:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: RocketDock.lnk = D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49985499-46A1-4238-9F07-1D380A377CCF}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{49985499-46A1-4238-9F07-1D380A377CCF}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8869 bytes

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #20 on: October 23, 2007, 07:59:54 AM »
ComboFix 07-10-23.1 - MeDIeVaL 2007-10-23 13:55:54.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.516 [GMT 8:00]
Running from: D:\Documents and Settings\MeDIeVaL\My Documents\Downloads\Programs\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2007-09-23 to 2007-10-23  )))))))))))))))))))))))))))))))
.

2007-10-23 13:55   51,200   --a------   D:\WINDOWS\NirCmd.exe
2007-10-22 23:19   6,002   --a------   D:\WINDOWS\autoregistry.zip
2007-10-22 13:42   <DIR>   d--------   D:\Program Files\backups
2007-10-19 16:02   <DIR>   d--------   D:\Documents and Settings\vizier\Application Data\ATI
2007-10-16 12:13   2,463,976   --a------   D:\WINDOWS\system32\NPSWF32.dll
2007-10-16 12:13   190,696   --a------   D:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-16 11:34   <DIR>   d--------   D:\Program Files\Common Files\Java
2007-10-12 11:51   0   --a------   D:\WINDOWS\ativpsrm.bin
2007-10-12 11:47   593,920   ---------   D:\WINDOWS\system32\ati2sgag.exe
2007-10-12 11:46   <DIR>   d---s----   D:\Program Files\ATI Technologies
2007-10-11 16:28   <DIR>   d--------   D:\Documents and Settings\MeDIeVaL\Application Data\InstallShield Installation Information
2007-10-04 17:59   5,555   --a------   D:\WINDOWS\BricoPackFoldersDelete.cmd
2007-10-04 17:58   <DIR>   d--------   D:\WINDOWS\Vista Inspirat 2
2007-10-04 16:16   12,608   --a------   D:\WINDOWS\system32\drivers\TfKbMon.sys
2007-09-29 11:21   9,854,976   --a------   D:\WINDOWS\system32\atioglx2.dll
2007-09-29 11:07   356,352   --a------   D:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 10:58   143,360   --a------   D:\WINDOWS\system32\atipdlxx.dll
2007-09-29 10:58   122,880   --a------   D:\WINDOWS\system32\Oemdspif.dll
2007-09-29 10:58   43,520   --a------   D:\WINDOWS\system32\ati2edxx.dll
2007-09-29 10:58   26,112   --a------   D:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 10:57   122,880   --a------   D:\WINDOWS\system32\ati2evxx.dll
2007-09-29 10:56   483,328   --a------   D:\WINDOWS\system32\ati2evxx.exe
2007-09-29 10:55   53,248   --a------   D:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 10:49   307,200   --a------   D:\WINDOWS\system32\atiiiexx.dll
2007-09-29 10:47   172,032   --a------   D:\WINDOWS\system32\atiok3x2.dll
2007-09-29 10:36   3,107,788   --a------   D:\WINDOWS\system32\ativvaxx.dat
2007-09-29 10:36   3,107,788   --a------   D:\WINDOWS\system32\ativva5x.dat
2007-09-29 10:36   972,072   --a------   D:\WINDOWS\system32\ativva6x.dat
2007-09-29 10:23   5,435,392   --a------   D:\WINDOWS\system32\atioglxx.dll
2007-09-29 10:22   376,832   --a------   D:\WINDOWS\system32\atikvmag.dll
2007-09-29 10:20   17,408   --a------   D:\WINDOWS\system32\atitvo32.dll
2007-09-29 10:19   49,152   --a------   D:\WINDOWS\system32\drivers\ati2erec.dll
2007-09-28 19:06   8,192   --a------   D:\ntuser.dat
2007-09-28 18:45   3,807,264   --ahs----   D:\WINDOWS\system32\drivers\fidbox.dat
2007-09-28 18:43   75,248   --a------   D:\WINDOWS\zllsputility.exe
2007-09-24 21:35   <DIR>   d---s----   D:\Program Files\CodeStuff

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 05:54   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\DMCache
2007-10-23 05:46   8,870   ----a-w   D:\Program Files\hijackthis.log
2007-10-23 05:38   47,060   --sha-w   D:\WINDOWS\system32\drivers\fidbox.idx
2007-10-22 08:19   ---------   d-----r   D:\Program Files\AVG Anti-Rootkit Free
2007-10-21 02:36   ---------   d-s---w   D:\Program Files\SUPERAntiSpyware
2007-10-16 07:56   ---------   d-s---w   D:\Program Files\Java
2007-10-11 07:56   ---------   d--h--w   D:\Program Files\Windows Live Safety Center
2007-10-11 05:27   ---------   d--h--w   D:\Program Files\InstallShield Installation Information
2007-10-04 10:43   115   --sh--w   D:\Program Files\Common Files\Desktop.ini
2007-10-04 10:13   ---------   d-s---w   D:\Program Files\Yahoo!
2007-10-04 10:02   65,108   ----a-w   D:\WINDOWS\BricoPackUninst.cmd
2007-10-04 09:04   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\Apple Computer
2007-10-04 08:50   ---------   d--h--r   D:\Documents and Settings\MeDIeVaL\Application Data\yahoo!
2007-10-04 08:47   ---------   d-s---w   D:\Program Files\C-Media 3D Audio
2007-09-29 08:23   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\ATI
2007-09-29 05:46   47,376   ----a-w   D:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:06   268,800   ----a-w   D:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05   2,456,064   ----a-w   D:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:47   3,130,720   ----a-w   D:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:36   1,593,600   ----a-w   D:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:14   499,712   ----a-w   D:\WINDOWS\system32\ati2cqag.dll
2007-09-14 15:28   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\Nokia Multimedia Player
2007-09-14 14:21   ---------   d-s---w   D:\Program Files\Easy CD-DA Extractor 10
2007-09-12 12:37   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\Command & Conquer 3 Tiberium Wars
2007-09-11 00:35   98,304   ----a-w   D:\WINDOWS\system32CmdLineExt.dll
2007-09-11 00:35   ---------   d--h--r   D:\Documents and Settings\MeDIeVaL\Application Data\SecuROM
2007-09-08 01:52   ---------   d-s---w   D:\Program Files\TweakMASTER
2007-09-06 10:09   801,144   ----a-w   D:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05   94,416   ----a-w   D:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05   92,848   ----a-w   D:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03   23,152   ----a-w   D:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02   42,912   ----a-w   D:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00   95,608   ----a-w   D:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00   26,624   ----a-w   D:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-06 08:14   1,086,952   ----a-w   D:\WINDOWS\system32\zpeng24.dll
2007-09-02 03:10   ---------   d-s---w   D:\Program Files\Microsoft ActiveSync
2007-09-02 02:39   ---------   d--h--w   D:\Program Files\Microsoft.NET
2007-08-30 15:14   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\IDM
2007-08-30 14:43   ---------   d-s---w   D:\Program Files\Internet Download Manager
2007-08-30 14:21   ---------   d-sh--w   D:\Program Files\Intel
2007-08-30 11:57   ---------   d-s---w   D:\Program Files\MSXML 4.0
2007-08-30 11:20   218,624   ----a-w   D:\WINDOWS\system32\uxtheme.dll
2007-08-30 10:08   ---------   d-----r   D:\Program Files\Windows Media Connect 2
2007-08-30 10:08   ---------   d-----r   D:\Program Files\Windows Live Toolbar
2007-08-30 10:06   ---------   d-----r   D:\Program Files\Windows Defender
2007-08-30 10:04   ---------   d-----r   D:\Program Files\Riva FLV Encoder 2.0
2007-08-30 10:04   ---------   d-----r   D:\Program Files\QuickTime
2007-08-30 10:03   ---------   d-----r   D:\Program Files\Process Explorer
2007-08-30 10:01   ---------   d-----r   D:\Program Files\Nokia
2007-08-30 09:58   ---------   d-----r   D:\Program Files\Nero
2007-08-30 09:58   ---------   d-----r   D:\Program Files\MTV Networks
2007-08-30 09:56   ---------   d-----r   D:\Program Files\MSN Messenger
2007-08-30 09:49   ---------   d-----r   D:\Program Files\Executive Software
2007-08-30 09:48   ---------   d-----r   D:\Program Files\DIFX
2007-08-30 09:43   ---------   d-----r   D:\Program Files\Apple Software Update
2007-08-30 09:43   ---------   d-----r   D:\Program Files\Alwil Software
2007-08-30 05:35   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\Ahead
2007-08-30 05:25   ---------   d-----w   D:\Program Files\Common Files\PCSuite
2007-08-30 05:25   ---------   d-----w   D:\Program Files\Common Files\Nokia
2007-08-30 05:25   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\PC Suite
2007-08-28 21:39   ---------   d-----w   D:\Program Files\Common Files\Ahead
2007-08-28 12:18   ---------   d-----w   D:\Program Files\Common Files\Adobe
2007-08-28 11:33   ---------   d--h--w   D:\Program Files\Windows Live Favorites
2007-08-28 09:36   401,720   ----a-w   D:\Program Files\HiJackThis.exe
2007-08-28 08:33   ---------   d-----w   D:\Program Files\Common Files\Apple
2007-08-28 08:29   ---------   d-----w   D:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 08:29   ---------   d-----w   D:\Documents and Settings\MeDIeVaL\Application Data\SUPERAntiSpyware.com
2007-08-28 08:28   ---------   d-----w   D:\Program Files\Common Files\SWF Studio
2007-08-28 01:47   ---------   d--h--w   D:\Program Files\My Company Name
2007-08-28 01:41   ---------   d-----w   D:\Program Files\Common Files\InstallShield
2007-08-28 01:16   ---------   d--h--w   D:\Program Files\microsoft frontpage
2007-08-21 06:15   683,520   ----a-w   D:\WINDOWS\system32\inetcomm.dll
2007-07-30 11:19   92,504   ----a-w   D:\WINDOWS\system32\cdm.dll
2007-07-30 11:19   68,440   ----a-w   D:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:19   549,720   ----a-w   D:\WINDOWS\system32\wuapi.dll
2007-07-30 11:19   43,352   ----a-w   D:\WINDOWS\system32\wups2.dll
2007-07-30 11:19   325,976   ----a-w   D:\WINDOWS\system32\wucltui.dll
2007-07-30 11:19   271,224   ----a-w   D:\WINDOWS\system32\mucltui.dll
2007-07-30 11:19   207,736   ----a-w   D:\WINDOWS\system32\muweb.dll
2007-07-30 11:19   203,096   ----a-w   D:\WINDOWS\system32\wuweb.dll
2007-07-30 11:19   1,712,984   ----a-w   D:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:18   33,624   ----a-w   D:\WINDOWS\system32\wups.dll
2007-07-23 08:39   202,160   ----a-w   D:\WINDOWS\system32\idmmbc.dll
.

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #21 on: October 23, 2007, 08:00:56 AM »
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"avast!"="D:\Program Files\Alwil Software\Avast4\ashDisp.exe" [2007-09-06 18:06]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"DiskeeperSystray"="D:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-04-25 04:49]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

D:\Documents and Settings\MeDIeVaL\Start Menu\Programs\Startup\
RocketDock.lnk - D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 06:05:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe  /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

S0 TfFsMon;TfFsMon;D:\WINDOWS\system32\drivers\TfFsMon.sys
S0 TfSysMon;TfSysMon;D:\WINDOWS\system32\drivers\TfSysMon.sys
S3 EnumChip;EnumChip;\??\E:\GART\EnumChip.sys
S3 TfNetMon;TfNetMon;\??\D:\WINDOWS\system32\drivers\TfNetMon.sys
S4 ThreatFire;ThreatFire;D:\Program Files\ThreatFire\TFService.exe service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]
AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Bha.dll.vbs

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 05:48:04 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-23 05:35:01 D:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-23 05:42:50 D:\WINDOWS\Tasks\MP Scheduled Scan.job"
- D:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-22 05:19:23 D:\WINDOWS\Tasks\User_Feed_Synchronization-{130143A0-4688-41D8-B5F4-B5A2807DA8DA}.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 13:57:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-23 13:58:40
.
   --- E O F ---

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #22 on: October 23, 2007, 08:05:54 AM »
Screenshot of the ZA pop-up asking permission to grant access to a couple of IPs. The pop-up comes out right after I start my PC and I'll have difficulties connecting to the net if I click on the Deny button.

http://www.geocities.com/solutem/za1.JPG
http://www.geocities.com/solutem/za2.JPG

After googling for 239.255.255.250 Port 1900 I've found this:

http://help.lockergnome.com/.../239-255-255-250-Port-1900-ftopict18953.html

which I understand has something to do with D-Link and UPnP, but I don't have either.  ???
« Last Edit: October 23, 2007, 08:29:49 AM by MeDIeVaL »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #23 on: October 23, 2007, 03:08:52 PM »
Did you ensure system and hidden files and folders are displayed ?

100% sure I've displayed the system and hidden files and folders. New symptom: svchost.exe keeps asking permission to connect to 192.168.1.1 port 7644, which I've never had before.

This is a local network address and probably your router, http://compnetworking.about.com/od/routers/g/192_168_1_1_def.htm
Quote
Definition: The IP address 192.168.1.1 is the default for Linksys brand home broadband routers. This address is set by the manufacturer at the factory, but you can change it at any time using the network router's administrative console.

You may or may not have a linksys router but this is a common address for a router.

Re your last post: by all accounts, you do have UPnP if you have a network router. Whilst the particular topic link you give is about D-Link, it could possibly be relevant to other brands.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #24 on: October 23, 2007, 04:22:14 PM »
I don't really know about the router thing. As far as I know, my PC connects directly to the modem and the modem to the telephone jack. No other hardware between them, so can anyone tell me what a router really means? One more thing: the port varies every time; is that normal (I don't think it's normal, as it keeps coming up every time I open a new IE window)? How about the 239.255.255.250 port 1900 IP? Googling here and there, I found it was a suspicious IP.

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #25 on: October 23, 2007, 04:23:48 PM »
Should I or should I not repair this one...

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]
AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Bha.dll.vbs

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #26 on: October 23, 2007, 05:31:18 PM »
I don't really know about the router thing. As far as I know, my PC connects directly to the modem and the modem to the telephone jack. No other hardware between them, so can anyone tell me what a router really means? One more thing: the port varies every time; is that normal (I don't think it's normal, as it keeps coming up every time I open a new IE window)? How about the 239.255.255.250 port 1900 IP? Googling here and there, I found it was a suspicious IP.

Do you have a broadband or dial-up connection ?
What is the hardware between your computer and the telephone jack called ?

If you have broadband then the piece of hardware is likely to be a combined modem and router. If you use broadband and a modem/router then these are less likely to be an issue, and even so the IP addresses are local addresses, not connections to the internet.

I would also suggest you upload the file named at the end of the registry AutoRun\command, ShellExec_RunDLL wscript.exe Bha.dll.vbs to VT for checking (and send to avast if multiple detections).

Yes, repair the entry if the VT scan shows it infected. I don't know if this can be done in ComboFix, as I have very little experience of this tool, or if you would have to do it manually in the registry, but export the key before you edit/repair it so it can always be reversed if required (which I doubt, as it does look suspect).

You are also running hijackthis.exe from a strange place, rather than a folder of its own (I would suggest HJT): all the files would seem to be in the Program Files folder and you are running it from there. It is also advisable to change the hijackthis.exe file name to, say, HJT-MeDi.exe, as there are a number of malware items that can detect and hide from hijackthis.exe.


Does this domain 'tm.net.my' belong to your ISP ?

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #27 on: October 23, 2007, 06:01:11 PM »

Do you have a broadband or dial-up connection ?
What is the hardware between your computer and the telephone jack called ?

If you have broadband then the piece of hardware is likely to be a combined modem and router. If you use broadband and a modem/router then these are less likely to be an issue, and even so the IP addresses are local addresses, not connections to the internet.


I've a broadband connection, and between my PC and the telephone jack I've got an ADSL modem.


Quote
I would also suggest you upload the file named at the end of the registry AutoRun\command, ShellExec_RunDLL wscript.exe Bha.dll.vbs to VT for checking (and send to avast if multiple detections).

Yes, repair the entry if the VT scan shows it infected. I don't know if this can be done in ComboFix, as I have very little experience of this tool, or if you would have to do it manually in the registry, but export the key before you edit/repair it so it can always be reversed if required (which I doubt, as it does look suspect).


I looked for Bha.dll.vbs in that folder but found nothing, so I'll fix that registry key later.


Quote

Does this domain 'tm.net.my' belong to your ISP ?


Yup, it belongs to my ISP.

P/S: Just finished scanning with Windows OneCare and still nothing detected, so I assume my PC is clean now, but I'll monitor for a couple more days and let you know if there's unusual activity going on.
« Last Edit: October 23, 2007, 06:04:50 PM by MeDIeVaL »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #28 on: October 23, 2007, 08:28:17 PM »
You are correct, as this is VBS Solow.

We will delete the mount point, which will stop it loading, and if you can then do a manual search for the file Bha.dll.vbs.

REGISTRY FIX
Quote
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]



Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg.
This will create a fix.reg file on your desktop.

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

You will also need to delete this file D:\WINDOWS\autoregistry.zip
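The procedure above (back up the MountPoints2 key, delete it, then hunt for the script the AutoRun command names) can be scripted so the export-before-delete step is not skipped. The following is an added example and not code from this thread or from any of the tools it mentions; it assumes Windows PowerShell 5.1 or later running as the affected user, and uses the usual MountPoints2 layout of {GUID}\Shell\AutoRun\command (ComboFix abbreviates this to AutoRun\command). The pattern list and the file names searched for are constructed for illustration.

```powershell
# Added example, not from the thread: audit the current user's MountPoints2 hive for
# AutoRun commands that launch a script host, back the key up with reg.exe, then remove it.
# Assumes Windows PowerShell 5.1 or later, run as the affected user (MountPoints2 is per-user).
# Key layout used: MountPoints2\{GUID}\Shell\AutoRun\command, default value = command line.

$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$backupDir = Join-Path $env:USERPROFILE 'Desktop\mp2-backup'

# Constructed pattern list: script hosts, script extensions, a double extension such as
# Bha.dll.vbs, and the rundll32 ShellExec_RunDLL trick seen in the entry from the log.
$suspicious = 'wscript\.exe|cscript\.exe|\.vbs\b|\.js\b|\.bat\b|\.cmd\b|ShellExec_RunDLL|\.dll\.vbs'

function Get-SuspiciousAutoRun {
    Get-ChildItem -LiteralPath $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "$($_.PSPath)\Shell\AutoRun\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            if ($cmd -match $suspicious) {
                [pscustomobject]@{ Guid = $_.PSChildName; Command = $cmd }
            }
        }
    }
}

function Backup-AndRemoveMountPoint {
    param([Parameter(Mandatory)][string]$Guid)
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $regPath = "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\$Guid"
    $backup  = Join-Path $backupDir ($Guid.Trim('{}') + '.reg')
    # Export first so the deletion can be reversed later by merging the backup.
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $regPath; key left in place" }
    Remove-Item -LiteralPath (Join-Path $mp2 $Guid) -Recurse -Force
    "removed $Guid (backup: $backup)"
}

function Find-AutoRunPayload {
    # Look in every drive root for autorun.inf and the script named in the command.
    # -Force also lists hidden/system files, which these worms set on their droppers.
    param([string[]]$Names = @('autorun.inf', 'Bha.dll.vbs'))
    foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root }) {
        foreach ($name in $Names) {
            Get-Item -LiteralPath (Join-Path $drive.Root $name) -Force -ErrorAction SilentlyContinue
        }
    }
}

$hits = @(Get-SuspiciousAutoRun)
if ($hits.Count -eq 0) { 'no suspicious AutoRun commands under MountPoints2' }
$hits | Format-Table -AutoSize
Find-AutoRunPayload | Select-Object FullName, Attributes, LastWriteTime

# After reviewing the output, remove each flagged key (backup is written first):
# $hits | ForEach-Object { Backup-AndRemoveMountPoint -Guid $_.Guid }
```

The removal call is left commented out on purpose: review the listed commands first, since MountPoints2 also holds legitimate entries for every drive the user has ever mounted, and only the ones whose command runs a script host belong to the worm. The .reg backup the function writes is the equivalent of the "export the key before you edit" advice earlier in the thread.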

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #29 on: October 23, 2007, 11:14:45 PM »
Hi MeDIeVaL,

The network thing to port 1900 is just your computer telling this special reserved multicast address it is ready for UPnP multicast traffic. Normally your firewall should deny access for the incoming traffic of this protocol. But it is nothing out of the ordinary. You can disable it through the program from here: http://www.grc.com/files/unpnp.exe

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
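The two network questions in this thread (which service inside svchost.exe is opening connections to the router on changing ports, and whether the 239.255.255.250:1900 traffic is SSDP) can be answered from the machine itself rather than by guessing from a firewall pop-up. The script below is an added example, not code from this thread or from any tool it mentions. It assumes Windows 8 / Server 2012 or later, where the NetTCPIP cmdlets exist; on an XP machine like the one in the thread the same attribution is done by hand with netstat -ano and tasklist /svc. The service names SSDPSRV and upnphost are the real names of the two UPnP services.

```powershell
# Added example, not from the thread: map every TCP/UDP endpoint owned by an svchost.exe
# instance to the Windows service(s) hosted in that process, flag SSDP, and show the
# UPnP service state. Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection,
# Get-NetUDPEndpoint); run in an elevated prompt to see endpoints of all processes.

$ssdpMulticast = '239.255.255.250'   # SSDP multicast group; SSDP uses UDP port 1900

function Get-ServiceByPid {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Win32_Service carries the PID of the hosting process, so several shared
    # services can resolve to the same svchost instance.
    (Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object -ExpandProperty Name) -join ','
}

function Get-SsdpNote {
    param([string]$Remote, [int]$LocalPort)
    if ($Remote -eq $ssdpMulticast -or $LocalPort -eq 1900) { 'SSDP/UPnP discovery' } else { '' }
}

function Get-SvchostEndpoints {
    $svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object Id)
    $tcp = Get-NetTCPConnection | Where-Object { $_.OwningProcess -in $svchostPids } |
        ForEach-Object {
            [pscustomobject]@{
                Proto    = 'TCP'
                Local    = "$($_.LocalAddress):$($_.LocalPort)"
                Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
                State    = $_.State
                PID      = $_.OwningProcess
                Services = Get-ServiceByPid -ProcessId $_.OwningProcess
                Note     = Get-SsdpNote -Remote $_.RemoteAddress -LocalPort $_.LocalPort
            }
        }
    $udp = Get-NetUDPEndpoint | Where-Object { $_.OwningProcess -in $svchostPids } |
        ForEach-Object {
            [pscustomobject]@{
                Proto    = 'UDP'
                Local    = "$($_.LocalAddress):$($_.LocalPort)"
                Remote   = '-'
                State    = '-'
                PID      = $_.OwningProcess
                Services = Get-ServiceByPid -ProcessId $_.OwningProcess
                Note     = Get-SsdpNote -Remote '' -LocalPort $_.LocalPort
            }
        }
    @($tcp) + @($udp)
}

Get-SvchostEndpoints | Sort-Object Proto, Services | Format-Table -AutoSize

# The UPnP pair: SSDPSRV listens on UDP 1900 and sends to 239.255.255.250;
# upnphost is the device host. Both can be stopped and disabled if nothing on the LAN
# relies on UPnP (the same effect as the GRC unpnp tool mentioned above).
Get-Service -Name SSDPSRV, upnphost | Select-Object Name, Status, StartType
# To disable:
# Stop-Service -Name SSDPSRV, upnphost
# Set-Service -Name SSDPSRV -StartupType Disabled
# Set-Service -Name upnphost -StartupType Disabled
```

A varying local port on connections to the router's address is the normal ephemeral-port behaviour of any outbound connection, so the Services column is the useful part: a connection owned by a process that hosts only an expected service (for instance the DNS client or BITS) is benign, whereas an svchost instance that hosts no service at all, or a service name that is not a known Windows service, is what warrants a closer look.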