Jump to content

C:\Windows\System32\regedit.exe (Trojan.Agent)


srobot

Recommended Posts

mbam-log-2009-02-03 (19-39-17)

Malwarebytes' Anti-Malware 1.33

Database version: 1723

Windows 6.0.6001 Service Pack 1

2/3/2009 7:39:24 PM

mbam-log-2009-02-03 (19-39-17).txt

Scan type: Quick Scan

Objects scanned: 54468

Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken.

McAfee reports nothing, I'll update both tomorrow and try again...

BTW - I'm on x64 Vista, and as far as I know box should not have anything on it this was just a normal scan.

Link to post
Share on other sites

Same box:

Malwarebytes' Anti-Malware 1.33

Database version: 1724

Windows 6.0.6001 Service Pack 1

2/3/2009 8:20:51 PM

mbam-log-2009-02-03 (20-20-48).txt

Scan type: Quick Scan

Objects scanned: 54517

Time elapsed: 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken.

Link to post
Share on other sites

Here is a scan from a few days ago.

Malwarebytes' Anti-Malware 1.33

Database version: 1714

Windows 6.0.6001 Service Pack 1

2/1/2009 9:24:12 PM

mbam-log-2009-02-01 (21-24-12).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|H:\|)

Objects scanned: 356255

Time elapsed: 1 hour(s), 36 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Not fixed for me too :D

Malwarebytes' Anti-Malware 1.33Database version: 1724Windows 6.0.6001 Service Pack 1
2/4/2009 5:00:12 AMmbam-log-2009-02-04 (05-00-08).txt
Scan type: Quick ScanObjects scanned: 39209Time elapsed: 28 second(s)
Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1
Memory Processes Infected:(No malicious items detected)
Memory Modules Infected:(No malicious items detected)
Registry Keys Infected:(No malicious items detected)
Registry Values Infected:(No malicious items detected)
Registry Data Items Infected:(No malicious items detected)
Folders Infected:(No malicious items detected)
Files Infected:C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276156747969808884618490848570782019618370727069748515708970]

full explanation:

http://www.malwarebytes.org/forums/index.p...ost&p=53221

Link to post
Share on other sites

Hello Dustin,

I'm now getting this too on 64bit Vista.

Malwarebytes' Anti-Malware 1.33

Database version: 1724

Windows 6.0.6001 Service Pack 1

2/3/2009 10:23:40 PM

mbam-log-2009-02-03 (22-23-34).txt

Scan type: Quick Scan

Objects scanned: 46181

Time elapsed: 1 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken. [3857535134305383807566791534727079851301362761567479698088846184908485707820196

18370727069748515708970]

Link to post
Share on other sites

im getting

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

and it is still there after. and my quarentine i can not go into im going to try and reinstall oh and i had antivirus 2008 on my computer. would like help or update that works to solve problem

Link to post
Share on other sites

Looks like it is now fixed.

Malwarebytes' Anti-Malware 1.33

Database version: 1728

Windows 6.0.6001 Service Pack 1

2/4/2009 1:48:04 PM

mbam-log-2009-02-04 (13-48-04).txt

Scan type: Quick Scan

Objects scanned: 54607

Time elapsed: 1 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

I justed checked Vista x64 SP1 and XP Pro SP2, and I'm not finding regedit.exe in System32. Can I ask you guys why you believe the file is legit? Does it's MD5 match the real regedit.exe in the Windows folder?

No point in giving you guys the MD5's of mine, because both installs of Windows are unpatched.

Link to post
Share on other sites

http://blogs.msdn.com/davbr/archive/2006/1...r-profiler.aspx

Let's say you spawn cmd.exe from Start.Run. That gives you a 64 bit command prompt, from the real %windir%\system32\cmd.exe (unless you do some wacky things to your path). That will give you the real 64 bit environment and paths. So if you type regedit.exe from that command prompt, you'll get the real 64 bit %windir%\system32\regedit.exe. That guy will show you the whole registry.
Link to post
Share on other sites

Vista x64 SP1:

Location of 64 bit regedit.exe: C:\Windows

Location of 32 bit regedit.exe: C:\Windows\SysWOW64

No regedit in System32

It's true about the command prompt as it does show System32 as the path, however if you use Task Manager to open file location of regedit.exe (the one opened from the System32 command prompt), it comes up as the regedit in C:\Windows

Link to post
Share on other sites

There is no such file, and that blog entry lists the wrong path. exile360 listed the only valid paths for regedit.exe on a 64-bit edition of Vista.

That's correct there is no regedit.exe in System32 folder but there is an Regedt32.exe and this is what MBAM was hitting on.

This MS link will describe more here.

Hardhead, this topic is about the following file:

C:\WINDOWS\system32\regedit.exe

I see that path and filename in every log in this topic, including yours.

Regedt32.exe is a different application, and a different filename, but you are correct that it is supposed to be in System32.

My question still stands. What is this C:\WINDOWS\system32\regedit.exe and why do you believe it is a false positive? I suggest you guys start checking MD5 checksums to make sure it really is regedit.

Note trying to be an ass here guys, because we do trust you, but this is not a normal system file by any means. We really should know what this is and why it's there before putting this to rest.

Link to post
Share on other sites

DaChew, it took a little while, but what you were trying to tell me did sink in. I was in the middle of talking to Bruce about this when I realized that you were trying to tell me this:

When a 32-bit application (such as MBAM) looks for the System32 directory on a 64-bit edition of Windows, WoW64 actually shows it the contents of the SysWOW64 directory. Since there is a copy of regedit.exe in the SysWOW64 directory, MBAM thought it was in the System32 directory, and thus we have a false positive.

OK, so I've got my explanation, and I'm happy. :D

Thanks for pointing that one out.

Link to post
Share on other sites

DaChew, it took a little while, but what you were trying to tell me did sink in. I was in the middle of talking to Bruce about this when I realized that you were trying to tell me this:

When a 32-bit application (such as MBAM) looks for the System32 directory on a 64-bit edition of Windows, WoW64 actually shows it the contents of the SysWOW64 directory. Since there is a copy of regedit.exe in the SysWOW64 directory, MBAM thought it was in the System32 directory, and thus we have a false positive.

OK, so I've got my explanation, and I'm happy. :D

Thanks for pointing that one out.

Good deal. :D

Link to post
Share on other sites

If that's the case, then I should've come across this FP already on my system (I run Vista x64) and I never have. Although Windows does virtualize calls to system files/folders/registry for 32 bit apps, I haven't seen this FP, or any others, related to how Windows does it.

Probably just a change in defs to detect a malicious file pretending to be regedit in System32, and they forgot about the way WoW64 works. I don't think anyone on the research team uses 64-bit editions of Windows (which is why the product page currently reads x86 only).

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.