
Registry Values Infected


Recommended Posts

I work for a decent size company in the IT department. I am currently working on a laptop that cannot open IE. When I ran Malwarebytes the only hit I received is listed below. Everything else came back clean.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\1 (Trojan.Agent) -> Quarantined and deleted successfully.

This particular infection will not go away; I have seen it on many computers with performance issues. I will run Malwarebytes, this will show up, and it cannot remove (or quarantine) it.

My colleagues dismiss this one hit and say it is probably due to some security settings; I disagree. The only time I have seen this on a computer, the customer is complaining of various performance issues.

Is there a way to delete, replace or regenerate this registry value?

Any help you could provide would be appreciated.

MBAM_LOG_7.13.10.txt


  • Staff

Hi,

This is only a registry leftover. Do you have any programs running in the background that watch registry changes? For example Ad-Aware Ad-Watch, Spybot S&D TeaTimer or Windows Defender? If these are active, they see the deletion of that value (by Malwarebytes) as a malicious attempt and restore it again.

Either way, it would be a good idea to post a HijackThis log.


No programs running in the background. Here is my HijackThis log:

HiJack_Log.txt


  • Staff

Hi,

These are the files attached for it:

O4 - HKLM\..\Policies\Explorer\Run: [1] \\wernerds.net\NETLOGON\Scripts\Logon\Werner Drive Mapping.vbe

O4 - HKLM\..\Policies\Explorer\Run: [2] \\wernerds.net\NETLOGON\Scripts\Logon\Werner Logon Logger.vbe

O4 - HKLM\..\Policies\Explorer\Run: [3] \\wernerds.net\NETLOGON\Scripts\Logon\Werner TS Redirection.vbe

These look like custom startup entries pointing to some scripts. They do not appear to be created by malware, so you can ignore that one in Malwarebytes (add it to the ignore list).

I will modify detection for this one, so it won't be detected anymore in your case.

The following entries need to get checked in HijackThis as they are malware related leftovers:

O4 - HKUS\S-1-5-19\..\Run: [fowobeforu] Rundll32.exe "legidonu.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [fowobeforu] Rundll32.exe "legidonu.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: sedutodo.dll,C:\WINDOWS\system32\cryptdll32.dll

O20 - Winlogon Notify: e0cc770b922 - C:\WINDOWS\system32\cryptdll32.dll (file missing)

After you have checked them, click the "Fix checked" button below.

Can you tell me what this is?

O4 - Global Startup: Shortcut to Bginfo.exe.lnk = C:\Bginfo.exe

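The original poster asked how to inspect or delete the flagged value, and the staff reply above sorts the HijackThis O4/O20 lines into policy-created logon scripts versus malware leftovers. The script below is an added example, not code from this thread, from Malwarebytes or from HijackThis. It enumerates the same autostart locations the log lists (the Policies\Explorer\Run key, the Run keys of the LOCAL SERVICE and NETWORK SERVICE hives, AppInit_DLLs and Winlogon Notify), resolves what each entry actually launches, and flags entries whose target is missing on disk or lives on a UNC share. The Policies\Explorer\Run key with values named 1, 2, 3 is exactly what the Group Policy setting "Run these programs at user logon" writes, and Group Policy reapplies such a value at the next refresh, so deleting it by hand does not stick; the removal helper is therefore guarded with -WhatIf. Function and variable names are this example's own, chosen for illustration; the registry paths are the real ones.

```powershell
# Added example (not from the original thread): enumerate the autostart
# locations that appeared in the HijackThis log, resolve what each entry
# launches, and flag entries whose target cannot be found on disk.
# Run from an elevated PowerShell prompt on the affected machine.
# Function and variable names are this example's own, not any tool's API.

$RunKeys = @(
    # Written by the Group Policy setting "Run these programs at user logon";
    # values are numbered 1, 2, 3 ... exactly as in the log above.
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # Service-account hives seen in the log: S-1-5-19 = LOCAL SERVICE,
    # S-1-5-20 = NETWORK SERVICE. A Run value under these is unusual.
    'Registry::HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run'
)
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$NotifyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Resolve-AutorunTarget {
    # Best effort: the whole value may itself be an unquoted path containing
    # spaces (as with the NETLOGON .vbe scripts); otherwise take the first token.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c -and (Test-Path -LiteralPath $c)) { return $c }
    $first = if ($c -match '^"([^"]+)"') { $Matches[1] } else { ($c -split '\s+')[0] }
    if (-not $first) { return $null }
    if (Test-Path -LiteralPath $first) { return $first }
    $app = Get-Command $first -ErrorAction SilentlyContinue
    if ($app -and $app.Source) { return $app.Source }
    return $first
}

function Resolve-DllPath {
    # A bare DLL name (e.g. legidonu.dll) is located via the loader search
    # order; System32 and the Windows directory are the usual places.
    param([string]$Name)
    if (-not $Name) { return $null }
    if (Test-Path -LiteralPath $Name) { return $Name }
    foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
        $p = Join-Path $dir $Name
        if (Test-Path -LiteralPath $p) { return $p }
    }
    return $null
}

function Get-AutorunReport {
    $rows = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $cmd    = [string]$p.Value
            $target = Resolve-AutorunTarget $cmd
            # rundll32 entries: the DLL argument is what actually runs
            if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+)"?\s*,') {
                $target = Resolve-DllPath $Matches[2]
            }
            $rows += [pscustomobject]@{
                Location = $key; Name = $p.Name; Command = $cmd; Target = $target
                Exists   = [bool]($target -and (Test-Path -LiteralPath $target))
                IsUNC    = $cmd -like '\\*'
            }
        }
    }
    # AppInit_DLLs: every DLL listed is loaded into every process that loads user32.dll
    $appinit = (Get-ItemProperty -Path $AppInitKey -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ($appinit -split '[,\s]+' | Where-Object { $_ })) {
        $path = Resolve-DllPath $dll
        $rows += [pscustomobject]@{ Location = "$AppInitKey\AppInit_DLLs"; Name = $dll
                                    Command = $dll; Target = $path; Exists = [bool]$path; IsUNC = $false }
    }
    # Winlogon Notify packages: each subkey's DllName is loaded by winlogon.exe
    foreach ($sub in (Get-ChildItem -Path $NotifyKey -ErrorAction SilentlyContinue)) {
        $dll  = (Get-ItemProperty -Path $sub.PSPath).DllName
        $path = Resolve-DllPath $dll
        $rows += [pscustomobject]@{ Location = $sub.PSPath; Name = $sub.PSChildName
                                    Command = $dll; Target = $path; Exists = [bool]$path; IsUNC = $false }
    }
    return $rows
}

function Remove-AutorunValue {
    # Removes one Run value; with -WhatIf it only prints what it would do.
    # A value written by domain Group Policy returns at the next policy refresh.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key, [string]$Name)
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Remove registry value')) {
        Remove-ItemProperty -Path $Key -Name $Name
    }
}

Get-AutorunReport | Format-Table Location, Name, Target, Exists, IsUNC -AutoSize
# Example (dry run): Remove-AutorunValue -Key $RunKeys[0] -Name '1' -WhatIf
```

Reading the report against the log above: the three Policies\Explorer\Run values come out with IsUNC set and a target on the domain's NETLOGON share, while the rundll32 entries under S-1-5-19/S-1-5-20 and the cryptdll32.dll Winlogon Notify package resolve to files that are missing, which is the pattern the staff reply calls a leftover. On a domain-joined machine, compare the numbered Policies\Explorer\Run values with the output of gpresult /v before deleting anything; a value that a policy writes will be recreated, and the right fix is in the GPO, not on the client.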


Thanks for your help Miekiemoes,

BGInfo is a quick reference for the build specs of each computer.

I will check those other items in HiJackThis and get back to you.


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

