autoregistry.exe trojan, how to get rid of it?

ComboFix 07-10-23.1 - MeDIeVaL 2007-10-23 13:55:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.516 [GMT 8:00]
Running from: D:\Documents and Settings\MeDIeVaL\My Documents\Downloads\Programs\ComboFix.exe

* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-23 to 2007-10-23 )))))))))))))))))))))))))))))))
.

2007-10-23 13:55 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-10-22 23:19 6,002 --a------ D:\WINDOWS\autoregistry.zip
2007-10-22 13:42 d-------- D:\Program Files\backups
2007-10-19 16:02 d-------- D:\Documents and Settings\vizier\Application Data\ATI
2007-10-16 12:13 2,463,976 --a------ D:\WINDOWS\system32\NPSWF32.dll
2007-10-16 12:13 190,696 --a------ D:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-16 11:34 d-------- D:\Program Files\Common Files\Java
2007-10-12 11:51 0 --a------ D:\WINDOWS\ativpsrm.bin
2007-10-12 11:47 593,920 --------- D:\WINDOWS\system32\ati2sgag.exe
2007-10-12 11:46 d---s---- D:\Program Files\ATI Technologies
2007-10-11 16:28 d-------- D:\Documents and Settings\MeDIeVaL\Application Data\InstallShield Installation Information
2007-10-04 17:59 5,555 --a------ D:\WINDOWS\BricoPackFoldersDelete.cmd
2007-10-04 17:58 d-------- D:\WINDOWS\Vista Inspirat 2
2007-10-04 16:16 12,608 --a------ D:\WINDOWS\system32\drivers\TfKbMon.sys
2007-09-29 11:21 9,854,976 --a------ D:\WINDOWS\system32\atioglx2.dll
2007-09-29 11:07 356,352 --a------ D:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 10:58 143,360 --a------ D:\WINDOWS\system32\atipdlxx.dll
2007-09-29 10:58 122,880 --a------ D:\WINDOWS\system32\Oemdspif.dll
2007-09-29 10:58 43,520 --a------ D:\WINDOWS\system32\ati2edxx.dll
2007-09-29 10:58 26,112 --a------ D:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 10:57 122,880 --a------ D:\WINDOWS\system32\ati2evxx.dll
2007-09-29 10:56 483,328 --a------ D:\WINDOWS\system32\ati2evxx.exe
2007-09-29 10:55 53,248 --a------ D:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 10:49 307,200 --a------ D:\WINDOWS\system32\atiiiexx.dll
2007-09-29 10:47 172,032 --a------ D:\WINDOWS\system32\atiok3x2.dll
2007-09-29 10:36 3,107,788 --a------ D:\WINDOWS\system32\ativvaxx.dat
2007-09-29 10:36 3,107,788 --a------ D:\WINDOWS\system32\ativva5x.dat
2007-09-29 10:36 972,072 --a------ D:\WINDOWS\system32\ativva6x.dat
2007-09-29 10:23 5,435,392 --a------ D:\WINDOWS\system32\atioglxx.dll
2007-09-29 10:22 376,832 --a------ D:\WINDOWS\system32\atikvmag.dll
2007-09-29 10:20 17,408 --a------ D:\WINDOWS\system32\atitvo32.dll
2007-09-29 10:19 49,152 --a------ D:\WINDOWS\system32\drivers\ati2erec.dll
2007-09-28 19:06 8,192 --a------ D:\ntuser.dat
2007-09-28 18:45 3,807,264 --ahs---- D:\WINDOWS\system32\drivers\fidbox.dat
2007-09-28 18:43 75,248 --a------ D:\WINDOWS\zllsputility.exe
2007-09-24 21:35 d---s---- D:\Program Files\CodeStuff

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 05:54 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\DMCache
2007-10-23 05:46 8,870 ----a-w D:\Program Files\hijackthis.log
2007-10-23 05:38 47,060 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2007-10-22 08:19 --------- d-----r D:\Program Files\AVG Anti-Rootkit Free
2007-10-21 02:36 --------- d-s---w D:\Program Files\SUPERAntiSpyware
2007-10-16 07:56 --------- d-s---w D:\Program Files\Java
2007-10-11 07:56 --------- d--h--w D:\Program Files\Windows Live Safety Center
2007-10-11 05:27 --------- d--h--w D:\Program Files\InstallShield Installation Information
2007-10-04 10:43 115 --sh--w D:\Program Files\Common Files\Desktop.ini
2007-10-04 10:13 --------- d-s---w D:\Program Files\Yahoo!
2007-10-04 10:02 65,108 ----a-w D:\WINDOWS\BricoPackUninst.cmd
2007-10-04 09:04 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\Apple Computer
2007-10-04 08:50 --------- d--h--r D:\Documents and Settings\MeDIeVaL\Application Data\yahoo!
2007-10-04 08:47 --------- d-s---w D:\Program Files\C-Media 3D Audio
2007-09-29 08:23 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\ATI
2007-09-29 05:46 47,376 ----a-w D:\WINDOWS\system32\drivers\ativvpxx.vp
2007-09-29 03:06 268,800 ----a-w D:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:05 2,456,064 ----a-w D:\WINDOWS\system32\drivers\ati2mtag.sys
2007-09-29 02:47 3,130,720 ----a-w D:\WINDOWS\system32\ati3duag.dll
2007-09-29 02:36 1,593,600 ----a-w D:\WINDOWS\system32\ativvaxx.dll
2007-09-29 02:14 499,712 ----a-w D:\WINDOWS\system32\ati2cqag.dll
2007-09-14 15:28 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\Nokia Multimedia Player
2007-09-14 14:21 --------- d-s---w D:\Program Files\Easy CD-DA Extractor 10
2007-09-12 12:37 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\Command & Conquer 3 Tiberium Wars
2007-09-11 00:35 98,304 ----a-w D:\WINDOWS\system32\CmdLineExt.dll
2007-09-11 00:35 --------- d--h--r D:\Documents and Settings\MeDIeVaL\Application Data\SecuROM
2007-09-08 01:52 --------- d-s---w D:\Program Files\TweakMASTER
2007-09-06 10:09 801,144 ----a-w D:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w D:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w D:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w D:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w D:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w D:\WINDOWS\system32\AvastSS.scr
2007-09-06 10:00 26,624 ----a-w D:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-06 08:14 1,086,952 ----a-w D:\WINDOWS\system32\zpeng24.dll
2007-09-02 03:10 --------- d-s---w D:\Program Files\Microsoft ActiveSync
2007-09-02 02:39 --------- d--h--w D:\Program Files\Microsoft.NET
2007-08-30 15:14 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\IDM
2007-08-30 14:43 --------- d-s---w D:\Program Files\Internet Download Manager
2007-08-30 14:21 --------- d-sh--w D:\Program Files\Intel
2007-08-30 11:57 --------- d-s---w D:\Program Files\MSXML 4.0
2007-08-30 11:20 218,624 ----a-w D:\WINDOWS\system32\uxtheme.dll
2007-08-30 10:08 --------- d-----r D:\Program Files\Windows Media Connect 2
2007-08-30 10:08 --------- d-----r D:\Program Files\Windows Live Toolbar
2007-08-30 10:06 --------- d-----r D:\Program Files\Windows Defender
2007-08-30 10:04 --------- d-----r D:\Program Files\Riva FLV Encoder 2.0
2007-08-30 10:04 --------- d-----r D:\Program Files\QuickTime
2007-08-30 10:03 --------- d-----r D:\Program Files\Process Explorer
2007-08-30 10:01 --------- d-----r D:\Program Files\Nokia
2007-08-30 09:58 --------- d-----r D:\Program Files\Nero
2007-08-30 09:58 --------- d-----r D:\Program Files\MTV Networks
2007-08-30 09:56 --------- d-----r D:\Program Files\MSN Messenger
2007-08-30 09:49 --------- d-----r D:\Program Files\Executive Software
2007-08-30 09:48 --------- d-----r D:\Program Files\DIFX
2007-08-30 09:43 --------- d-----r D:\Program Files\Apple Software Update
2007-08-30 09:43 --------- d-----r D:\Program Files\Alwil Software
2007-08-30 05:35 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\Ahead
2007-08-30 05:25 --------- d-----w D:\Program Files\Common Files\PCSuite
2007-08-30 05:25 --------- d-----w D:\Program Files\Common Files\Nokia
2007-08-30 05:25 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\PC Suite
2007-08-28 21:39 --------- d-----w D:\Program Files\Common Files\Ahead
2007-08-28 12:18 --------- d-----w D:\Program Files\Common Files\Adobe
2007-08-28 11:33 --------- d--h--w D:\Program Files\Windows Live Favorites
2007-08-28 09:36 401,720 ----a-w D:\Program Files\HiJackThis.exe
2007-08-28 08:33 --------- d-----w D:\Program Files\Common Files\Apple
2007-08-28 08:29 --------- d-----w D:\Program Files\Common Files\Wise Installation Wizard
2007-08-28 08:29 --------- d-----w D:\Documents and Settings\MeDIeVaL\Application Data\SUPERAntiSpyware.com
2007-08-28 08:28 --------- d-----w D:\Program Files\Common Files\SWF Studio
2007-08-28 01:47 --------- d--h--w D:\Program Files\My Company Name
2007-08-28 01:41 --------- d-----w D:\Program Files\Common Files\InstallShield
2007-08-28 01:16 --------- d--h--w D:\Program Files\microsoft frontpage
2007-08-21 06:15 683,520 ----a-w D:\WINDOWS\system32\inetcomm.dll
2007-07-30 11:19 92,504 ----a-w D:\WINDOWS\system32\cdm.dll
2007-07-30 11:19 68,440 ----a-w D:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:19 549,720 ----a-w D:\WINDOWS\system32\wuapi.dll
2007-07-30 11:19 43,352 ----a-w D:\WINDOWS\system32\wups2.dll
2007-07-30 11:19 325,976 ----a-w D:\WINDOWS\system32\wucltui.dll
2007-07-30 11:19 271,224 ----a-w D:\WINDOWS\system32\mucltui.dll
2007-07-30 11:19 207,736 ----a-w D:\WINDOWS\system32\muweb.dll
2007-07-30 11:19 203,096 ----a-w D:\WINDOWS\system32\wuweb.dll
2007-07-30 11:19 1,712,984 ----a-w D:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:18 33,624 ----a-w D:\WINDOWS\system32\wups.dll
2007-07-23 08:39 202,160 ----a-w D:\WINDOWS\system32\idmmbc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl"
"avast!"="D:\Program Files\Alwil Software\Avast4\ashDisp.exe" [2007-09-06 18:06]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"DiskeeperSystray"="D:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-04-25 04:49]
"ZoneAlarm Client"="D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
"StartCCC"="D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

D:\Documents and Settings\MeDIeVaL\Start Menu\Programs\Startup
RocketDock.lnk - D:\WINDOWS\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 06:05:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

S0 TfFsMon;TfFsMon;D:\WINDOWS\system32\drivers\TfFsMon.sys
S0 TfSysMon;TfSysMon;D:\WINDOWS\system32\drivers\TfSysMon.sys
S3 EnumChip;EnumChip;??\E:\GART\EnumChip.sys
S3 TfNetMon;TfNetMon;??\D:\WINDOWS\system32\drivers\TfNetMon.sys
S4 ThreatFire;ThreatFire;D:\Program Files\ThreatFire\TFService.exe service

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]
AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Bha.dll.vbs

Newly Created Service - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 05:48:04 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-23 05:35:01 D:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
"2007-10-23 05:42:50 D:\WINDOWS\Tasks\MP Scheduled Scan.job"
- D:\Program Files\Windows Defender\MpCmdRun.exe
"2007-10-22 05:19:23 D:\WINDOWS\Tasks\User_Feed_Synchronization-{130143A0-4688-41D8-B5F4-B5A2807DA8DA}.job"
.

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-23 13:57:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2007-10-23 13:58:40
.
— E O F —

Screenshot of the ZA pop-up asking permission to grant access to a couple of IPs. The pop-up comes out right after I start my PC, and I have difficulties connecting to the net if I click the Deny button.

http://www.geocities.com/solutem/za1.JPG
http://www.geocities.com/solutem/za2.JPG

After googling for 239.255.255.250 Port 1900 I found this:

http://help.lockergnome.com/.../239-255-255-250-Port-1900-ftopict18953.html

which I understand has something to do with D-Link and UPnP, but I don't have either of them. ???

This is a local network address and probably your router, http://compnetworking.about.com/od/routers/g/192_168_1_1_def.htm

[b]Definition:[/b] The IP address 192.168.1.1 is the default for Linksys brand home broadband routers. This address is set by the manufacturer at the factory, but you can change it at any time using the network router's administrative console.

You may or may not have a Linksys router, but this is a common address for a router.

Re your last post: by all accounts you do have UPnP if you have a network router, and whilst the particular topic link you give is about D-Link, it could possibly be relevant to other brands.

I don't really know about the router thing. As far as I know, from my PC I've a direct connection to the modem, and from the modem to the telephone jack. There is no other hardware between them, so can anyone tell me what a router really means? One more thing: the port varies every time, is that normal (but I don't think it's normal, as it keeps coming out every time I open a new IE window)? How about the 239.255.255.250 Port 1900 IP? Googling here and there, I found it was a suspicious IP.

Should I or should I not repair this one…

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]
AutoRun\command - D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe Bha.dll.vbs

Do you have a broadband or dial-up connection?
What is the hardware between your computer and the telephone jack called?

If you have broadband then the piece of hardware is likely to be a combined modem and router. If you use broadband and a modem/router then these are less likely to be an issue, and even so the IP addresses are local addresses and are not connecting to the internet.

I would also suggest you upload the file named at the end of the registry AutoRun\command, ShellExec_RunDLL wscript.exe Bha.dll.vbs to VT for checking (and send to avast if multiple detections).

Yes, repair the entry if the VT scan shows it infected. I don't know if this can be done in ComboFix, as I have very little experience of this tool, or if you would have to do it manually in the registry, but export the key before you edit/repair it so it can always be reversed if required (which I doubt, as it does look suspect).

You are also running hijackthis.exe from a strange place, rather than a folder of its own (I would suggest HJT); all the files would seem to be in the Program Files folder and you are running it from there. It is also advisable to change the hijackthis.exe file name to, say, HJT-MeDi.exe, as there are a number of malware items that can detect and hide from hijackthis.exe.

Does this domain 'tm.net.my' belong to your ISP?

I've a broadband connection, and between my PC and the telephone jack I've got an ADSL modem.

I would also suggest you upload the file named at the end of the registry AutoRun\command, ShellExec_RunDLL wscript.exe [b]Bha.dll.vbs[/b] to VT for checking (and send to avast if multiple detections).

Yes, repair the entry if the VT scan shows it infected. I don't know if this can be done in ComboFix, as I have very little experience of this tool, or if you would have to do it manually in the registry, but export the key before you edit/repair it so it can always be reversed if required (which I doubt, as it does look suspect).

I looked for Bha.dll.vbs in that folder but found nothing, so I'll fix that registry key later.

Does this domain 'tm.net.my' belong to your ISP?

Yup, it belongs to my ISP.

P/S: Just finished scanning with Windows One Care and still nothing detected, so I assume my PC is clean now, but I'll monitor for a couple of days more and I'll let you know if there's unusual activity going on.

You are correct, as this is VBS Solow.

We will delete the mount point, which will stop it loading, and if you can then do a manual search for the file Bha.dll.vbs.

REGISTRY FIX

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{05b0ef97-760d-11dc-8240-0019661a759a}]

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg.
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right-click the icon and select Merge; accept the warning if it appears and you are done.

You will also need to delete this file D:\WINDOWS\autoregistry.zip
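A defender-side check for the MountPoints2 autorun persistence handled in this thread, added here as an example and not code from the thread or from the helper's REGEDIT4 fix: it lists every Shell\<verb>\command value under the current user's MountPoints2 key, flags entries that launch wscript/cscript or a .vbs (the shape of the entry ComboFix reported), and exports the key before removing a flagged volume entry. Assumes PowerShell 2.0 or later; the match pattern and the backup path are my choices.

```powershell
# Added example, not code from the thread. Lists the per-volume autorun commands
# stored under the current user's MountPoints2 key (what ComboFix showed as
# "mountpoints2\{guid}\AutoRun\command") and flags script-host launchers.
# Assumes PowerShell 2.0 or later; the pattern and backup path are assumptions.
$MountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
# Heuristic tuned to the entry in this thread (RunDLL32 ... ShellExec_RunDLL wscript.exe x.vbs).
$ScriptLauncher = 'wscript|cscript|\.vbs|shellexec_rundll'

function Get-MountPointCommand {
    if (-not (Test-Path $MountPoints)) { return }
    foreach ($volume in @(Get-ChildItem $MountPoints -ErrorAction SilentlyContinue)) {
        $shell = $volume.PSPath + '\Shell'
        if (-not (Test-Path $shell)) { continue }
        # Each verb (AutoRun, open, explore, ...) may carry a "command" subkey whose
        # default value is the command line Explorer runs for that verb.
        foreach ($verb in @(Get-ChildItem $shell)) {
            $cmdKey = $verb.PSPath + '\command'
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty $cmdKey).'(default)'
            New-Object PSObject -Property @{
                Volume     = $volume.PSChildName   # e.g. {05b0ef97-...}
                Verb       = $verb.PSChildName
                Command    = $cmd
                Suspicious = [bool]($cmd -match $ScriptLauncher)
            }
        }
    }
}

# Export the whole key first (the thread's advice), then delete only the volume
# entries whose command matched, as the REGEDIT4 fix above does for one GUID.
function Repair-MountPointCommand {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $env:USERPROFILE "Desktop\MountPoints2-$stamp.reg"
    reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' $backup | Out-Null
    Write-Host "Backup written to $backup"
    Get-MountPointCommand | Where-Object { $_.Suspicious } | ForEach-Object {
        Write-Host ("Removing {0} ({1}): {2}" -f $_.Volume, $_.Verb, $_.Command)
        Remove-Item ($MountPoints + '\' + $_.Volume) -Recurse -Force
    }
}

# Review the listing first; run Repair-MountPointCommand only once it looks right.
Get-MountPointCommand | Format-Table Volume, Verb, Suspicious, Command -AutoSize
```

Removing the volume key only stops the autorun from loading; the script file it names still has to be found and submitted or deleted separately, as the thread says.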

Hi MeDIeVaL,

The network thing to port 1900 is just your computer telling this special reserved multicast address that it is ready for UPnP multicast traffic. Normally your firewall should deny access for the incoming traffic of this protocol, but it is nothing out of the ordinary. You can disable it through the program from here: http://www.grc.com/files/unpnp.exe

polonus