Possible IRC bot infection?

[chimpy]

Hi I was going through my "all programs and found this reg entry called reg1.reg under "files" I did a little googling and came up with it not looking so good, Though my AVG 8.5, spybot, MBAM ect pick up nothing.

I also ran Kasperskys online scanner too and that was clean.

In the googling I found it said it was a IRC bot, I do use IRC everyday but still not sure how I would have got this if this is really an infection

When I searched in the reg for it I found these entrys and took a screen shot

Is it as bad as I think?

As per instructions here is my MBAM log and hijackthis log

Malwarebytes' Anti-Malware 1.41

Database version: 3139

Windows 6.0.6002 Service Pack 2

10/11/2009 15:34:09

mbam-log-2009-11-10 (15-34-09).txt

Scan type: Quick Scan

Objects scanned: 99689

Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:39:42, on 10/11/2009

Platform: Windows Vista SP2 (WinNT 6.00.1906)

MSIE: Internet Explorer v8.00 (8.00.6001.18828)

Boot mode: Normal

Running processes:

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\RtHDVCpl.exe

C:\Windows\WindowsMobile\wmdc.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

C:\Windows\vsnp2uvc.exe

C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Sandboxie\SbieCtrl.exe

C:\Windows\system32\taskeng.exe

C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

C:\Program Files\Sandboxie\SandboxieRpcSs.exe

C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [snp2uvc] C:\Windows\vsnp2uvc.exe

O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-21-2069415660-1087055719-4139926696-1001\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'panda')

O4 - HKUS\S-1-5-21-2069415660-1087055719-4139926696-1001\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" (User 'panda')

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)

O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll

O13 - Gopher Prefix:

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/...can8/oscan8.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Windows\system32\AERTSrv.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe

O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--

End of file - 7190 bytes

I have no noticable signs of an infection, I just happened upon this file which when you "edit" it to look inside is huge about 278.761.472 bytes and seems to contain all my computers info including the installed games backgrounds and blocked list and much much more!

Thanks.

[miekiemoes]

Hi,

Rightclick the reg1.reg and select to edit. It shall open in notepad.

Copy and paste the contents of it in your next reply.

This regfile can be anything, can also be legit.

[chimpy]

Can I send you it in a pm? just incase it contains personal info that I should not reveal?

Also the first line of the file says "Windows Registry Editor Version 5.00" When I googled this it seems it might not apply for vista which is the version I use http://support.microsoft.com/kb/310516

[miekiemoes]

Also the first line of the file says "Windows Registry Editor Version 5.00" When I googled this it seems it might not apply for vista which is the version I use http://support.microsoft.com/kb/310516

The header "Windows Registry Editor Version 5.00" applies for Vista and Windows7 as well.

Yes, PM me the contents.

[chimpy]

Sorry about this, I cannot seem to be able to pm you the file as its so huge when I cut and paste it is crashes the browser after a few mins.

What can I do?

[miekiemoes]

Hi,

Zip the file and upload it here: http://www.bleepingcomputer.com/submit-malware.php?channel=8

That's my "personal' upload folder.

But since that file is huge, I rather think it's a registry backup you made once.

You get these when you open the registry, and rightclick a key and select export. Some tweak programs may create these regbackups as well.

[chimpy]

I zipped it and RAR'd it and tried to submit it twice and both times it took 10+ mins and came up with a error "There was a problem with your submission. Please Contact Us and let us know the name of the file, the size of the file, and the error code given below."

There was no code but the name of the file was reg1 if thats of any help.

compressing it only took the file down by half the size I could not seem to get it smaller.

EDIT

I think this might be because it is a reg file, Is there a way to take the info in the file and copy it then zip it from there and upload?

[miekiemoes]

Hi,

This has nothing to do with the file extension. It's just that it is so big in size.

As I already said, the fact that it is so big, means it's most probably just a backup of your registry. In either way, you don't have to worry at all here, it's not malware related, that I am for sure. It doesn't matter how the file is called, it matters what the contents are.

What you can do, if you really want me to have a look at it (even though I already know it's just a backup of your registry), is to create a Windows skydrive account. http://skydrive.live.com/

If you already have a Windows Live account, you have skydrive already. There you can upload files till 25GB for free and then share it with others (if you give the link).

So upload it there and send me the link to it via PM.

[chimpy]

Ok done that thanks!

sent you a message!

[miekiemoes]

Hi,

That file is 256MB original and is indeed a full HKLM backup of your registry as I suspected

[chimpy]

Thanks for that, I can not remember making it though thats the strange thing, I have Erunt but it has never worked so it cannot be that that made it.

Also the "propertys says its 265MB should I worry about the 10 missing from your copy?

So its something that I need and nothing malicious at all then?

[miekiemoes]

Hi,

There's nothing to worry at all here.

You can keep that backup, or delete it - the choice is yours.

[miekiemoes]

By the way, even better would be to delete it from your drive and keep it in your skydrive account, so you have the backup always there.

But please set that skydrive folder to "private", so it's only you who has access to it. If you want to share something else in public, then you can create a new folder and set that one to public.

[chimpy]

Thanks for all your help, I just panicked when I googled the name and the only hit for it for reg1.reg was for a really bad infection and I thought it was strange to find a reg entry when searching for things beinging with "ms" in the start menu icon. I still do not understand why it is there!

I think I better keep it, Will it just over ride it if I made a new back up as I know people say you should do it a few times a year but as I do not ever remember trying to make one from vistas own I think I should start.

[miekiemoes]

and I thought it was strange to find a reg entry when searching for things beinging with "ms" in the start menu icon

It has a LOT of ms references in that file, because as I said, it's a backup of the HKLM branch of your registry.

[chimpy]

Ah thats how it searches, I just presumed it searched by title alone.

Once again thank you for your help Miekiemoes.

[miekiemoes]

You're most welcome

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.