C:\Windows\System32\regedit.exe (Trojan.Agent)


19 replies to this topic

#1 srobot (New Member, Members, 6 posts)

Posted 03 February 2009 - 08:49 PM

mbam-log-2009-02-03 (19-39-17)

Malwarebytes' Anti-Malware 1.33
Database version: 1723
Windows 6.0.6001 Service Pack 1

2/3/2009 7:39:24 PM
mbam-log-2009-02-03 (19-39-17).txt

Scan type: Quick Scan
Objects scanned: 54468
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken.

McAfee reports nothing, I'll update both tomorrow and try again...

BTW - I'm on x64 Vista, and as far as I know the box should not have anything on it; this was just a normal scan.

#2 srobot (New Member, Members, 6 posts)

Posted 03 February 2009 - 09:21 PM

Same box:

Malwarebytes' Anti-Malware 1.33
Database version: 1724
Windows 6.0.6001 Service Pack 1

2/3/2009 8:20:51 PM
mbam-log-2009-02-03 (20-20-48).txt

Scan type: Quick Scan
Objects scanned: 54517
Time elapsed: 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken.

#3 srobot (New Member, Members, 6 posts)

Posted 03 February 2009 - 09:27 PM

Here is a scan from a few days ago.

Malwarebytes' Anti-Malware 1.33
Database version: 1714
Windows 6.0.6001 Service Pack 1

2/1/2009 9:24:12 PM
mbam-log-2009-02-01 (21-24-12).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|H:\|)
Objects scanned: 356255
Time elapsed: 1 hour(s), 36 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 B-boy/StyLe/ (FFreestyleRR, Experts, 1,141 posts, Male, Bulgaria)

Posted 03 February 2009 - 10:07 PM

Not fixed for me either :D

Malwarebytes' Anti-Malware 1.33
Database version: 1724
Windows 6.0.6001 Service Pack 1

2/4/2009 5:00:12 AM
mbam-log-2009-02-04 (05-00-08).txt

Scan type: Quick Scan
Objects scanned: 39209
Time elapsed: 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276156747969808884618490848570782019618370727069748515708970]

full explanation:

http://www.malwareby...p...ost&p=53221

#5 Hardhead (Elite Member, Experts, 815 posts, Blue Ridge, Va.)

Posted 03 February 2009 - 10:24 PM

Hello Dustin,

I'm now getting this too on 64bit Vista.

Malwarebytes' Anti-Malware 1.33
Database version: 1724
Windows 6.0.6001 Service Pack 1

2/3/2009 10:23:40 PM
mbam-log-2009-02-03 (22-23-34).txt

Scan type: Quick Scan
Objects scanned: 46181
Time elapsed: 1 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken. [385753513430538380756679153472707985130136276156747969808884618490848570782019618370727069748515708970]

Member Since 2004


#6 tyler (New Member, Members, 17 posts)

Posted 04 February 2009 - 05:07 AM

I'm getting

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

and it is still there afterwards. And I cannot go into my quarantine. I'm going to try and reinstall. Oh, and I had Antivirus 2008 on my computer. I would like help, or an update that works to solve the problem.

#7 Caos (New Member, Members, 3 posts)

Posted 04 February 2009 - 12:45 PM

Same problem. Windows Server 2003 R2 Enterprise x64 Edition.

Malwarebytes' Anti-Malware 1.33
Database version: 1725
Windows 5.2.3790 Service Pack 2

04/02/2009 16:39:56
mbam-log-2009-02-04 (16-39-53).txt

Scan type: Quick Scan
Objects scanned: 53680
Time elapsed: 1 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\regedit.exe (Trojan.Agent) -> No action taken.

#8 srobot (New Member, Members, 6 posts)

Posted 04 February 2009 - 02:50 PM

Looks like it is now fixed.

Malwarebytes' Anti-Malware 1.33
Database version: 1728
Windows 6.0.6001 Service Pack 1

2/4/2009 1:48:04 PM
mbam-log-2009-02-04 (13-48-04).txt

Scan type: Quick Scan
Objects scanned: 54607
Time elapsed: 1 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 Hardhead (Elite Member, Experts, 815 posts, Blue Ridge, Va.)

Posted 04 February 2009 - 07:22 PM

Thanks Dustin
All fixed now. :D



#10 GT500 (Mostly Cantankerous, Trusted Advisors, 6,250 posts, Male, Fortville, IN)

Posted 05 February 2009 - 12:57 AM

I just checked Vista x64 SP1 and XP Pro SP2, and I'm not finding regedit.exe in System32. Can I ask you guys why you believe the file is legit? Does its MD5 match the real regedit.exe in the Windows folder?

No point in giving you guys the MD5's of mine, because both installs of Windows are unpatched.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...


#11 DaChew (Elite Member, Experts, 591 posts)

Posted 05 February 2009 - 01:34 AM

http://blogs.msdn.co...r-profiler.aspx

Let's say you spawn cmd.exe from Start.Run. That gives you a 64 bit command prompt, from the real %windir%\system32\cmd.exe (unless you do some wacky things to your path). That will give you the real 64 bit environment and paths. So if you type regedit.exe from that command prompt, you'll get the real 64 bit %windir%\system32\regedit.exe. That guy will show you the whole registry.


Regards
Chewy the wild wookie

#12 exile360 (exile, Administrators, 16,017 posts, Male)

Posted 05 February 2009 - 01:46 AM

Vista x64 SP1:
Location of 64 bit regedit.exe: C:\Windows
Location of 32 bit regedit.exe: C:\Windows\SysWOW64
No regedit in System32

It's true about the command prompt as it does show System32 as the path, however if you use Task Manager to open file location of regedit.exe (the one opened from the System32 command prompt), it comes up as the regedit in C:\Windows

Samuel E Lindsey, Product Manager

#13 Hardhead (Elite Member, Experts, 815 posts, Blue Ridge, Va.)

Posted 05 February 2009 - 01:21 PM

That's correct, there is no regedit.exe in the System32 folder, but there is a Regedt32.exe, and this is what MBAM was hitting on.

This MS link will describe more here.

Regedt32.exe
In Windows XP and Windows Server 2003, Regedt32.exe is a small program that just runs Regedit.exe.




#14 GT500 (Mostly Cantankerous, Trusted Advisors, 6,250 posts, Male, Fortville, IN)

Posted 07 February 2009 - 06:33 PM

> http://blogs.msdn.co...r-profiler.aspx


There is no such file, and that blog entry lists the wrong path. exile360 listed the only valid paths for regedit.exe on a 64-bit edition of Vista.

> That's correct there is no regedit.exe in System32 folder but there is an Regedt32.exe and this is what MBAM was hitting on.
>
> This MS link will describe more here.


Hardhead, this topic is about the following file:
C:\WINDOWS\system32\regedit.exe

I see that path and filename in every log in this topic, including yours.

Regedt32.exe is a different application, and a different filename, but you are correct that it is supposed to be in System32.



My question still stands. What is this C:\WINDOWS\system32\regedit.exe and why do you believe it is a false positive? I suggest you guys start checking MD5 checksums to make sure it really is regedit.

Not trying to be an ass here guys, because we do trust you, but this is not a normal system file by any means. We really should know what this is and why it's there before putting this to rest.



#15 GT500 (Mostly Cantankerous, Trusted Advisors, 6,250 posts, Male, Fortville, IN)

Posted 07 February 2009 - 07:07 PM

DaChew, it took a little while, but what you were trying to tell me did sink in. I was in the middle of talking to Bruce about this when I realized that you were trying to tell me this:

When a 32-bit application (such as MBAM) looks for the System32 directory on a 64-bit edition of Windows, WoW64 actually shows it the contents of the SysWOW64 directory. Since there is a copy of regedit.exe in the SysWOW64 directory, MBAM thought it was in the System32 directory, and thus we have a false positive.

OK, so I've got my explanation, and I'm happy. :D

Thanks for pointing that one out.

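GT500's request in #10 and #14 (compare the file's hash against the real regedit.exe), exile360's listing in #12 (where regedit.exe actually lives on Vista x64) and the WoW64 explanation in #15 can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the posts or from Malwarebytes. native_path() translates a path as a 32-bit process reports it into the location a 64-bit process would open, following the rules in Microsoft's File System Redirector documentation (System32 to SysWOW64, the Sysnative alias, %windir%\regedit.exe itself, and the exempt subdirectories; driverstore handling differs between Windows versions, so that entry is an approximation), and hash_candidates() hashes every plausible copy on a Windows host so the MD5/SHA-256 values can be compared. WINDIR and the sample path are assumptions; the path mapping runs on any platform, the hashing only on Windows.

```python
"""Reconcile a 32-bit scanner's reported path with the file it really
touched on 64-bit Windows, then hash the candidates for comparison.

Added example for this thread; not Malwarebytes code. The redirection
rules follow Microsoft's File System Redirector documentation, not a
live query of the running OS.
"""
import hashlib
import ntpath
import os
import sys
from typing import Dict, Optional

WINDIR = r"C:\Windows"  # assumption: default install root

# Subdirectories under System32 that WoW64 leaves unredirected.
# (driverstore handling differs between Windows versions; approximate.)
REDIRECT_EXEMPT = (
    r"system32\catroot",
    r"system32\catroot2",
    r"system32\driverstore",
    r"system32\drivers\etc",
    r"system32\logfiles",
    r"system32\spool",
)


def native_path(reported: str, windir: str = WINDIR) -> str:
    """Translate a path as seen by a 32-bit process into the path a
    64-bit process (and the volume itself) actually holds.

    Input case is preserved; comparisons are case-insensitive as on NTFS.
    """
    norm = ntpath.normpath(reported)
    win = ntpath.normpath(windir).rstrip("\\")
    root, rest = norm[:len(win)], norm[len(win):]
    if root.lower() != win.lower() or not rest.startswith("\\"):
        return norm  # outside %windir%: nothing is redirected
    rel = rest[1:]
    rel_low = rel.lower()

    # Sysnative is the alias a 32-bit process uses to reach the real System32.
    if rel_low == "sysnative" or rel_low.startswith("sysnative\\"):
        return ntpath.join(root, "System32" + rel[len("sysnative"):])
    # %windir%\regedit.exe is itself redirected for 32-bit callers.
    if rel_low == "regedit.exe":
        return ntpath.join(root, "SysWOW64", "regedit.exe")
    # Exempt subdirectories keep their real System32 location.
    for exempt in REDIRECT_EXEMPT:
        if rel_low == exempt or rel_low.startswith(exempt + "\\"):
            return norm
    # Everything else under System32 is served from SysWOW64.
    if rel_low == "system32" or rel_low.startswith("system32\\"):
        return ntpath.join(root, "SysWOW64" + rel[len("system32"):])
    return norm


def file_hashes(path: str) -> Optional[Dict[str, str]]:
    """MD5 (what the thread asked for) and SHA-256 of a file, or None if unreadable."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_candidates(reported: str, windir: str = WINDIR) -> Dict[str, Optional[Dict[str, str]]]:
    """Hash the reported path, its native equivalent and the 64-bit regedit
    in %windir%, so the three can be compared side by side.

    If this script itself runs as a 32-bit process, open() is subject to the
    same redirection the scanner experienced; use a 64-bit interpreter
    (sys.maxsize > 2**32) for an unredirected view.
    """
    candidates = {
        "reported": reported,
        "native": native_path(reported, windir),
        "windir_regedit": ntpath.join(windir, "regedit.exe"),
    }
    return {label: file_hashes(p) for label, p in candidates.items()}


if __name__ == "__main__":
    sample = r"C:\Windows\System32\regedit.exe"  # the path from the MBAM logs above
    print("32-bit view: ", sample)
    print("native path: ", native_path(sample))
    if os.name == "nt":
        print("64-bit interpreter:", sys.maxsize > 2**32)
        for label, digest in hash_candidates(sample).items():
            print(f"{label:15} {digest}")
```

If the "reported" and "native" hashes match and both equal the hash of %windir%\SysWOW64\regedit.exe, the scanner was looking at the 32-bit copy through WoW64 redirection; a "reported" hash that matches nothing in %windir% or SysWOW64 would mean a genuinely separate file and deserve a closer look.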


#16 Hardhead (Elite Member, Experts, 815 posts, Blue Ridge, Va.)

Posted 07 February 2009 - 08:53 PM

> DaChew, it took a little while, but what you were trying to tell me did sink in. I was in the middle of talking to Bruce about this when I realized that you were trying to tell me this:
>
> When a 32-bit application (such as MBAM) looks for the System32 directory on a 64-bit edition of Windows, WoW64 actually shows it the contents of the SysWOW64 directory. Since there is a copy of regedit.exe in the SysWOW64 directory, MBAM thought it was in the System32 directory, and thus we have a false positive.
>
> OK, so I've got my explanation, and I'm happy. :D
>
> Thanks for pointing that one out.

Good deal. :D



#17 exile360 (exile, Administrators, 16,017 posts, Male)

Posted 08 February 2009 - 12:46 AM

If that's the case, then I should've come across this FP already on my system (I run Vista x64) and I never have. Although Windows does virtualize calls to system files/folders/registry for 32 bit apps, I haven't seen this FP, or any others, related to how Windows does it.

#18 GT500 (Mostly Cantankerous, Trusted Advisors, 6,250 posts, Male, Fortville, IN)

Posted 08 February 2009 - 03:21 AM

> If that's the case, then I should've come across this FP already on my system (I run Vista x64) and I never have. Although Windows does virtualize calls to system files/folders/registry for 32 bit apps, I haven't seen this FP, or any others, related to how Windows does it.


Probably just a change in defs to detect a malicious file pretending to be regedit in System32, and they forgot about the way WoW64 works. I don't think anyone on the research team uses 64-bit editions of Windows (which is why the product page currently reads x86 only).



#19 exile360 (exile, Administrators, 16,017 posts, Male)

Posted 08 February 2009 - 03:36 AM

If I could get ahold of one of the defs.ref versions that was detecting this I could test it when I get home. Anybody got it?

#20 Hardhead (Elite Member, Experts, 815 posts, Blue Ridge, Va.)

Posted 08 February 2009 - 07:09 PM

> If I could get ahold of one of the defs.ref versions that was detecting this I could test it when I get home. Anybody got it?

It's in database versions 1723 and 1724, if you can find a copy.
