Mark17

Trojan.Agent Registry Value


I'm posting here because I found another post that sounded much like my situation:

http://forums.malwar...howtopic=111144

I originally had three infected files detected by Malwarebytes (note: I have been using the latest, updated version). After trying to "Remove Selected" a few times and restarting the computer, they remained. I then ran TDSSKiller and ComboFix, and I'm still left with one item that shows up on the Malwarebytes Quick Scan:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|29032

The post cited above mentioned this might be a false positive and to

update Malwarebytes to rerun the scan. I have updated and it remains.

Is this something I need to worry about?

Thanks,

Mark


When I type that in the Run box I get "Windows cannot find 'mbam.exe/developer'. Make sure you typed the name correctly, and then try again."


Hello, you need to insert a <space> before the '/'.

Like so ...

mbam.exe<space>/developer


Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|29032 (Trojan.Agent) -> Data: C:\PROGRA~3\LOCALS~1\Temp\msvyocia.com

This does not appear to be a false positive.

Please zip/attach the file 'C:\PROGRA~3\LOCALS~1\Temp\msvyocia.com' to your next reply.


Are the ~'s abbreviating the full path? I'm not sure where to find that file. When I search for "msvyocia.com" under Start, I only get the MBAM and ComboFix logs.


Yes, those ~ are referred to as Short File Names. Please copy and paste this into Explorer's address bar:

C:\PROGRA~3\LOCALS~1\Temp\

And it should take you to the folder in question.


That comes up empty (please see attached screenshot).

This means the file no longer exists. It could have been removed by an earlier run of MBAM or even by your resident antivirus program. The entry which we're still detecting ...

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|29032

... refers to a loading point in your registry, which was previously used to automatically load the malware.

To manually verify if this entry exists:

* Go to Start → Run → type REGEDIT

* Browse to the key → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

* See if there exists a value named 29032

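The same check done from PowerShell, as an added example that is not part of the thread: it lists every value under the Policies\Explorer\Run key discussed above and reports whether the file each value points to still exists on disk. The key path and the value name 29032 come from the thread; the function names and the Temp-folder heuristic are my own.

```powershell
# Added example, not code from the forum thread. Enumerates the
# Policies\Explorer\Run autorun key and flags orphaned or suspicious
# entries. Read-only: nothing is deleted or modified.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Get-PolicyRunEntry {
    param([string]$Path = $RunKey)
    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not present: $Path"
        return
    }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        # Separate the executable from any arguments. A quoted path may
        # contain spaces; an unquoted one ends at the first space.
        if ($data -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($data -split '\s+')[0] }
        # Windows resolves 8.3 short names (PROGRA~3, LOCALS~1) itself,
        # so the short form can be tested directly.
        $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
        [pscustomobject]@{
            ValueName  = $name
            Data       = $data
            FileExists = $exists
            # Loader gone but autorun entry still present, as in the thread
            Orphaned   = -not $exists
            # An autorun pointing into a Temp folder is a common red flag
            InTempDir  = [bool]($exe -match '\\Temp\\')
        }
    }
}

function Test-PolicyRunValue {
    param([string]$Name = '29032', [string]$Path = $RunKey)
    # True when a value with exactly this name exists under the key
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    return [bool]($key.GetValueNames() -contains $Name)
}

Get-PolicyRunEntry | Format-Table -AutoSize
"Value 29032 present: $(Test-PolicyRunValue)"
```

Run it from an elevated PowerShell prompt; an entry reported as Orphaned is exactly the situation the thread describes, a loading point left behind after the file it launched was removed.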

So this shows it isn't a false positive. MBAM does see and detect the entry, as it exists. IMHO, after each time MBAM removes it, something else (most likely another security program) is restoring it.

To manually delete the entry using Regedit, right-click on '29032' and select 'Delete'.

Then wait 5 seconds and press F5 on your keyboard to refresh Regedit. See if it comes back.

Let me know how it went.


At the risk of posting out of order here... to give a bit more history, earlier this afternoon I had three infected files showing up in the MBAM scan. I tried to eradicate them all with MBAM three or so times but was unable. Here was the screenshot:



Svchost.exe is a legitimate Microsoft file but it resides in C:\Windows\System32 and not C:\Windows.

It is often a malware strategy to rename itself svchost.exe but reside elsewhere.

I right-clicked on 29032 only.

What type of security programs do you have installed? Please disable them before re-attempting the delete.

If that doesn't work, then you need to delete it from Safe Mode, where your security programs wouldn't be running.


TrendMicro Client/Server Security Agent. I have now disabled it but still cannot delete 29032. I'll try in Safe Mode.


Sounds like a registry permissions issue. Do this:

Right-click on 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' & select "Permissions..."

  1. Ensure 'Administrators' has Full Control & click the 'Apply' button
  2. Click on the 'Advanced' button
  3. In the Permissions tab, tick "Replace permission entries on all child objects with entries shown here that apply to child objects"
  4. Click OK & agree to the ensuing prompt
  5. Click OK again to exit the permissions page
  6. Right click on the entry & select 'Delete'

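A read-only way to see what the permissions dialog above is showing, as an added example that is not part of the thread: it dumps the ACL on the Run key and reports whether inheritance from the parent key is enabled and whether Administrators hold Full Control, the two things the steps above depend on. The key path is from the thread; the function name is mine.

```powershell
# Added example, not code from the forum thread. Reports the ACL on the
# Policies\Explorer\Run key so a permissions problem (no Administrators
# entry, inheritance cut off) can be seen before anything is changed.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'

function Get-RunKeyAclReport {
    param([string]$Path = $RunKey)
    $acl   = Get-Acl -Path $Path
    $full  = [System.Security.AccessControl.RegistryRights]::FullControl
    # Explicit and inherited rules, identities rendered as DOMAIN\Name
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    $adminsFull = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    })

    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        # False means "Include inheritable permissions from this object's
        # parent" is unticked, which is what the thread ended up fixing
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        AdminsFullControl  = $adminsFull
        Rules              = foreach ($r in $rules) {
            [pscustomobject]@{
                Identity  = $r.IdentityReference.Value
                Rights    = $r.RegistryRights
                Type      = $r.AccessControlType
                Inherited = $r.IsInherited
            }
        }
    }
}

$report = Get-RunKeyAclReport
$report | Select-Object Path, Owner, InheritanceEnabled, AdminsFullControl | Format-List
$report.Rules | Format-Table -AutoSize
```

A key whose only Allow entry is for Everyone with no Administrators entry, as the poster saw, will show InheritanceEnabled as False and AdminsFullControl as False.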

Before I proceed, the only thing showing up under "Group or user names" is "Everyone" (not Administrator). Can I assign Full Control to "Everyone?"


Select this option instead: "Include inheritable permissions from this object's parent".


Good to hear. Please reboot the machine once and recheck to see if it comes back.


It did not come back.

Should I restore perms on Run to just "Everyone" and change "Full Control" to "Read?"
