Author Topic: autoregistry.exe trojan, how to get rid of it?  (Read 20243 times)


MeDIeVaL

  • Guest
autoregistry.exe trojan, how to get rid of it?
« on: October 22, 2007, 07:59:09 AM »
Got this autoregistry.exe in the D:\Windows folder that's run at every startup. Scanned it with avast!, SAS, Windows Defender and ran ComboFix but found nothing. Ran HijackThis and uploaded the result; it found that file suspicious. Then uploaded it to VirusTotal, which hit 14 out of 32. So I've put it into Chest and did some fixes with HijackThis. Now the suspicious file won't run at startup anymore (hopefully it will stay that way) but the file still lies in my D:\Windows folder. I've taken all your good advice, don't simply delete it, but what should I do next? I don't want to let it stay there forever if the file could be positive.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #1 on: October 22, 2007, 08:07:29 AM »
The file in the chest, even if infected, can't do any harm.

What was the file detected as? If it still is in the D:\Windows folder after you moved it to the chest, something must have replaced it.

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #2 on: October 22, 2007, 08:21:42 AM »
avast!, SAS and Windows Defender can't pick it up but the result from VirusTotal gives 14 hits. The file is detected as what you can see below (I don't know the specific trojan/virus name, as the 14 providers give different definition names)...

File autoregistry.exe received on 10.22.2007 08:13:49 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.22.0 2007.10.22 -
AntiVir 7.6.0.27 2007.10.21 TR/Autoregistry.A
Authentium 4.93.8 2007.10.22 -
Avast 4.7.1051.0 2007.10.21 -
AVG 7.5.0.488 2007.10.21 Small.GL
BitDefender 7.2 2007.10.22 -
CAT-QuickHeal 9.00 2007.10.20 -
ClamAV 0.91.2 2007.10.22 -
DrWeb 4.44.0.09170 2007.10.21 -
eSafe 7.0.15.0 2007.10.21 Virus.Win32.AutoRun.
eTrust-Vet 31.2.5225 2007.10.20 -
Ewido 4.0 2007.10.21 -
FileAdvisor 1 2007.10.22 High threat detected
Fortinet 3.11.0.0 2007.10.19 W32/Malicious.70EF!tr
F-Prot 4.3.2.48 2007.10.22 -
F-Secure 6.70.13030.0 2007.10.22 Virus.Win32.AutoRun.ir
Ikarus T3.1.1.12 2007.10.22 Virus.Win32.AutoRun.ir
Kaspersky 7.0.0.125 2007.10.22 Virus.Win32.AutoRun.ir
McAfee 5145 2007.10.19 -
Microsoft 1.2908 2007.10.22 -
NOD32v2 2605 2007.10.22 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.10.19 -
Panda 9.0.0.4 2007.10.21 Trj/Agent.GJJ
Prevx1 V2 2007.10.22 -
Rising 19.46.00.00 2007.10.22 -
Sophos 4.22.0 2007.10.22 Mal/Generic-A
Sunbelt 2.2.907.0 2007.10.20 -
Symantec 10 2007.10.22 -
TheHacker 6.2.9.104 2007.10.22 Trojan/Dropper.IR
VBA32 3.12.2.4 2007.10.19 Virus.Win32.AutoRun.ir
VirusBuster 4.3.26:9 2007.10.21 -
Webwasher-Gateway 6.6.1 2007.10.21 Trojan.Autoregistry.A
 
Additional information
File size: 24576 bytes
MD5: 1034405198173d12f7c840486e1a77cf
SHA1: 0438e3374aadae6fc0d7fd214f05546d5430538f
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=1034405198173d12f7c840486e1a77cf

P/S: Looked for it elsewhere but found none. It just stays in the D:\Windows folder.

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #3 on: October 22, 2007, 08:26:45 AM »
As far as I can remember, it came from my friend's USB drive when he used my PC yesterday. A scan from avast! found this...

10/21/2007   10:34:53 AM   1192934093   MeDIeVaL   292   Sign of "Win32:VB-DHJ [Wrm]" has been found in "F:\MySexy.exe" file. 
10/21/2007   10:35:10 AM   1192934110   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\New Folder.exe" file. 
10/21/2007   10:35:13 AM   1192934113   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\scvhosts.exe" file. 
10/21/2007   10:35:15 AM   1192934115   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\panggil\New Folder.exe" file. 
10/21/2007   10:35:16 AM   1192934116   MeDIeVaL   292   Sign of "Win32:AutoIt-Q [Wrm]" has been found in "F:\panggil\panggil.exe" file. 

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #4 on: October 22, 2007, 08:28:14 AM »
Latest HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:54 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Executive Software\Diskeeper\DkService.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\HiJackThis.exe

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #5 on: October 22, 2007, 08:30:13 AM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Implements TweakBHO - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - D:\PROGRA~1\TweakMASTER\TweakBHO.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - D:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast!] "D:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: RocketDock.lnk = D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe
O8 - Extra context menu item: &Windows Live Search - res://D:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download All Links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase2895.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49985499-46A1-4238-9F07-1D380A377CCF}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{49985499-46A1-4238-9F07-1D380A377CCF}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8691 bytes

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #6 on: October 22, 2007, 08:44:43 AM »
Hmm... all I could find was that autoregistry.exe was malicious. Maybe trying to google some of the detected names would help.

I think essexboy was working on something like this. I'll try to find it.

I can't see anything in the log either, unless it was what you fixed. There are others here that may be able to see what we overlooked.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #7 on: October 22, 2007, 09:21:08 AM »
Quote
I think essexboy was working on something like this. I'll try to find it.

It was autorun that he was working on

http://forum.avast.com/index.php?topic=31007.0

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #8 on: October 22, 2007, 09:48:55 AM »
Quote
Then uploaded it to VirusTotal, which hit 14 out of 32. So I've put it into Chest and did some fixes with HijackThis.

It was there before I fixed it with HijackThis. I thought the problem would go away after I fixed it with HJT and put it into Chest, but it seems I can't use that step on this thing. It remains inside my Windows folder. I've been googling and found that the file is malicious, but I don't know whether to delete it or not. Putting it into Chest won't work this time, or maybe I've done it the wrong way. Maybe I should wait for essexboy, but can I delete that file?

This is what I've found on the PrevX website...

Quote
1. COVERT ANALYSIS OF: AUTOREGISTRY.EXE
File Names Used: 2
Paths Used: 3
Common File Name: AUTOREGISTRY.EXE
Common Path: ?:\
Vendor Information: No Vendor details specified
Version Information: 1.00
AUTOREGISTRY.EXE may use 2 or more path and file names, these are the most common:
File Name Structure: Normal
File and Path Structure: Normal
2. RELATIONSHIP ANALYSIS OF: AUTOREGISTRY.EXE
Malicious Objects Created: 1 objects
Malicious Creators: 1
Malware Run Keys: None
Self Persists:
Antivirus Detection: No third party antivirus detection observed
Anti-Spyware Detection: No third party anti-spyware detection observed
3. ACTIVITY ANALYSIS OF: AUTOREGISTRY.EXE
The following behaviors have been observed for this object:
Installs programs.
Deletes programs.
Creates Run Keys.
Creates known malware.
Creates copies of itself.
4. PROPAGATION ANALYSIS OF: AUTOREGISTRY.EXE
Object Propagation Rate: Very Low (minimal spread)
Copyright Prevx Limited 2005, 2006
« Last Edit: October 22, 2007, 09:50:47 AM by MeDIeVaL »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #9 on: October 22, 2007, 09:59:23 AM »
For now, why don't you try moving it to the chest like this?

1. In the Virus Chest, switch to the user file category.
2. In the main menu, select File → Add.
3. Browse the folders and select the file you want to add.
4. Choose Open.

It will be safe there.

Yes, essexboy will be able to advise you better.

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #10 on: October 22, 2007, 10:14:54 AM »
Quote
For now, why don't you try moving it to the chest like this?

1. In the Virus Chest, switch to the user file category.
2. In the main menu, select File → Add.
3. Browse the folders and select the file you want to add.
4. Choose Open.

It will be safe there.

Yes, essexboy will be able to advise you better.

So I've put it into Chest the right way, but it seems it won't disappear from my Windows folder (I've done it twice). Scanned with PrevX CSI and it still can't be detected.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #11 on: October 22, 2007, 10:28:55 AM »
Well, I don't know what to say.  ???

You can visibly see the file in the chest, yet it remains in the Windows folder?

That is strange, to say the least.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89159
  • No support PMs thanks
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #12 on: October 22, 2007, 02:52:13 PM »
Quote
So I've put it into Chest the right way, but it seems it won't disappear from my Windows folder (I've done it twice). Scanned with PrevX CSI and it still can't be detected.

Because you are putting it in the chest manually (because avast hasn't detected it), avast 'doesn't' remove the copy from the original location; you have to do that manually too. Make sure you send the sample to avast.

Look for autorun.inf files in the root of your hard drive partitions, e.g. c:\autorun.inf, as this is more likely to be what is running it, considering you got it from your 'friend's' USB stick. It is just a text file; use Notepad to open it and you will see a command to run autoregistry.exe, and there may be other commands in there. Post the contents of the autorun.inf file here.

There is a habit of setting the autorun.inf as a system file so it remains hidden; ensure you show system files in Explorer, Tools, Folder Options, View. There should be no reason to have autorun.inf on a fixed hard drive; it is used on removable media, typically CD/DVD and USB sticks, etc. You should rename it autorun-inf.old or move it to the user files section of the chest and delete the original.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
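The check DavidR describes above (look in the root of every fixed partition for an autorun.inf, including one flagged hidden/system, read the commands in it, then rename it to autorun-inf.old) can be done in one pass from PowerShell. The script below is an added example written for this thread, not DavidR's or avast's own code; the script name and the -Rename switch are assumptions. It only prints what it finds unless -Rename is given, and even then honours -WhatIf so the rename can be previewed first.

```powershell
# Check-AutorunInf.ps1 (assumed name) -- added example, not from the thread.
# Lists autorun.inf in the root of every fixed drive, including files that
# carry the Hidden and/or System attributes, and shows the launch commands
# inside them. Nothing is changed unless -Rename is passed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Rename   # rename each autorun.inf found to autorun-inf.old
)

# DriveType 3 = local fixed disk. Removable media (USB sticks, CD/DVD) are
# the legitimate home of autorun.inf, so they are deliberately skipped here.
$fixedRoots = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

foreach ($root in $fixedRoots) {
    $path = Join-Path -Path $root -ChildPath 'autorun.inf'

    # -Force is what makes Get-Item return hidden and system files at all.
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $file) {
        Write-Output "$root : no autorun.inf"
        continue
    }

    Write-Output "$root : autorun.inf present, attributes = $($file.Attributes), size = $($file.Length) bytes"

    # Minimal INI walk: only key=value pairs under the [autorun] section matter.
    $inAutorun = $false
    foreach ($line in Get-Content -LiteralPath $path -ErrorAction SilentlyContinue) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $inAutorun = ($Matches[1] -ieq 'autorun')
            continue
        }
        if (-not $inAutorun -or $trimmed -eq '' -or $trimmed.StartsWith(';')) { continue }
        if ($trimmed -match '^([^=]+)=(.*)$') {
            $key   = $Matches[1].Trim()
            $value = $Matches[2].Trim()
            # open= and shellexecute= make Explorer start a program; shell\<verb>\command=
            # hooks the drive's context-menu verbs (e.g. a fake "Open") to a program.
            if ($key -imatch '^(open|shellexecute|shell\\.*\\command)$') {
                Write-Output "    LAUNCH: $key = $value"
            } else {
                Write-Output "    $key = $value"
            }
        }
    }

    if ($Rename) {
        $newName = 'autorun-inf.old'
        # ShouldProcess gives -WhatIf / -Confirm support for free.
        if ($PSCmdlet.ShouldProcess($path, "Rename to $newName")) {
            # -Force is needed because the file is usually hidden/system/read-only.
            Rename-Item -LiteralPath $path -NewName $newName -Force
        }
    }
}
```

Run it once without arguments to see which partitions carry an autorun.inf and what the open= or shellexecute= line points at; that output is what DavidR asks to have posted. `.\Check-AutorunInf.ps1 -Rename -WhatIf` then previews the rename, and dropping -WhatIf performs it. The executable the file references still has to be dealt with separately (chest and delete, as described above); renaming autorun.inf only removes the trigger.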

MeDIeVaL

  • Guest
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #13 on: October 22, 2007, 05:51:03 PM »
Quote
Because you are putting it in the chest manually (because avast hasn't detected it), avast 'doesn't' remove the copy from the original location; you have to do that manually too. Make sure you send the sample to avast.

As I understand it, I need to delete that file manually? Already done; let's see whether it will come back later. Searched for autorun.*** on both drives (C:, D:) but no result. Already sent it to virus@avast.com.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89159
  • No support PMs thanks
Re: autoregistry.exe trojan, how to get rid of it?
« Reply #14 on: October 22, 2007, 06:08:58 PM »
Did you ensure system and hidden files and folders are displayed?
« Last Edit: October 22, 2007, 06:16:42 PM by DavidR »