rezervd Posted March 7, 2011 ID:397359 Share Posted March 7, 2011 We have a client machine running the latest EP, fully enforced, etc. The user machine appeared to be fine but we were asked to run a malwarebytes scan on it (long story). Anyway, it came back with the following below. The registry data item is from our GPO so Im not worried about that at all. If its referencing "recycler" so my first question is this something that could have been removed at some point prior? The latter being is it possible the .exe was the initial drop package and dormant, the contents already being caught and wiped? Thanks guysMalwarebytes' Anti-Malware 1.50.1.1100www.malwarebytes.orgDatabase version: 5954Windows 5.1.2600 Service Pack 3Internet Explorer 8.0.6001.187023/4/2011 5:26:58 PMmbam-log-2011-03-04 (17-26-58).txtScan type: Quick scanObjects scanned: 216882Time elapsed: 6 minute(s), 49 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 4Registry Data Items Infected: 1Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Recycler ( -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\Recycler (Trojan.Agent) -> Value: Recycler -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load\Recycler (Trojan.Agent) -> Value: Recycler -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\Recycler (Trojan.Agent) -> Value: Recycler -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:c:\documents and settings\james.hedgepeth\local settings\Temp\0.6213781838315039.exe (Trojan.Dropper) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Mainard Posted March 7, 2011 ID:397388 Share Posted March 7, 2011 Hello reservd,Based on your description from this topic, your current inquiry should be handled by Malwarebytes Link to post Share on other sites More sharing options...
Recommended Posts