Jump to content

Recommended Posts

I'm posting here because I found another post that sounded much like my situation:

http://forums.malwar...howtopic=111144

I originally had three infected files detected by Malwarebytes (note: I have

been using the latest, updated version). After trying to "Remove Selected" a

few times and restarting the computer, they remained. I then ran TDDSKiller

and ComboFix--I'm still left with one item that shows up on the Malwarebytes

Quick Scan:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|29032

The post cited above mentioned this might be a false positive and to

update Malwarebytes to rerun the scan. I have updated and it remains.

Is this something I need to worry about?

Thanks,

Mark

Link to post
Share on other sites

Registry Values Detected: 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|29032 (Trojan.Agent) -> Data: C:\PROGRA~3\LOCALS~1\Temp\msvyocia.com

This does not appear to be a false positive.

Please zip/attach the file 'C:\PROGRA~3\LOCALS~1\Temp\msvyocia.com' to your next reply.

Link to post
Share on other sites

That comes up empty (please see attached screenshot).

This means the file no longer exists. It could have got removed by an earlier run of mbam or even your resident antivirus program. The entry which we're still detecting ...

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|29032

... refers to a loading point in your registry, which was previously used to automatically load the malware.

To manually verify if this entry exist ..

* Go to Start → Run → type REGEDIT

* Browse to the key → HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

* See if there exist a value named 29032

Link to post
Share on other sites

So this shows it isn't a false positive. Mbam does see and detects the entry as it exist. Imho, after each time mbam removes it, something else (most likely another security program) is restoring it.

To manually delete the entry using Regedit, right click on '29032' and select 'Delete'

Then wait 5 seconds and press F5 on your keyboard to refresh Regedit. See if it comes back

Let me know how it went

Link to post
Share on other sites

At the risk of posting out of order here... to give a bit more history, earlier this afternoon I had three infected files showing up in the MBAM scan. I tried to eradicate them all with MBAM three or so times but was unable. Here was the screenshot:

post-115900-0-43529700-1343963201.jpg

Link to post
Share on other sites

Svchost.exe is a legitimate Microsoft file but it resides in C:\Windows\System32 and not C:\Windows.

Often a malware strategy to rename themselves as svchost.exe but situated elsewhere.

I right clicked on 29032 only.

What type of security programs do you have installed. Please disable them before re-attempting the delete.

If that doesn't work, then you need to delete from Safe Mode where your security programs wouldnt be running.

Link to post
Share on other sites

Sounds like a registry permissions issue. Do this ..

Right click on 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' & select "Permissions...."

  1. Ensure 'Administrators' has Full Control & click the 'Apply' button
  2. Click on the 'Advanced' button
  3. In the Permissions tab, tick "Replace permission entries on all child objects with entries shown here that apply to child objects"
  4. Click OK & agree to the ensuing prompt
  5. Click OK again to exit the permissions page
  6. Right click on the entry & select 'Delete'

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.