Guest DanH
Posted November 23, 2008

I've had a couple of malicious software infections. Specifically, Windows malicious software removal tool reported finding and removing Horst.v, then ClamAV reported finding and removing Trojan.Agent-54500. Afterwards, I've noticed that some of the registry manipulations listed at <http://www.threatexpert.com/report.aspx?md5=9ff130ceea045a43416c50a739510b6a> have happened. At the moment, I'm particularly concerned that:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools

were set to 1. I can set them back to 0 with a third-party tool (chntpw), but as soon as any particular user logs in, they get set to 1 again for that user. Any ideas how to proceed, please?

Thanks,
DanH

Guest David H. Lipman
Posted November 23, 2008

From: "DanH" <DanH@discussions.microsoft.com>

| I've had a couple of malicious software infections. Specifically, Windows
| malicious software removal tool reported finding and removing Horst.v, then
| ClamAV reported finding and removing Trojan.Agent-54500. Afterwards, I've
| noticed that some of the registry manipulations listed at
| <http://www.threatexpert.com/report.aspx?md5=9ff130ceea045a43416c50a739510b6a> have
| happened. At the moment, I'm particularly concerned that:
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\
| DisableTaskMgr
| and
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\
| DisableRegistryTools
| were set to 1. I can set them back to 0 with a third-party tool (chntpw),
| but as soon as any particular user logs in, they get set to 1 again for that
| user. Any ideas how to proceed, please?
| Thanks,
| DanH

You are still infected!

Download, install, update and scan with Malwarebytes Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest DanH
Posted November 25, 2008

"David H. Lipman" wrote:

> From: "DanH" <DanH@discussions.microsoft.com>
>
> You are still infected!

Thank you. Of course, you must be right - otherwise there wouldn't still be unauthorized fiddlings with my registry taking place. But I've been through the filesystems super-thoroughly, using a scanner I trust, with bang-up-to-date virus definitions, and found no intrinsically malicious executables.

So I guess what I'm still infected with is a malicious config option, presumably in a registry key I haven't looked at. I was hoping someone could suggest names of registry keys that might be relevant.

Thanks again,
DanH

Guest David H. Lipman
Posted November 25, 2008

From: "DanH" <DanH@discussions.microsoft.com>

| Thank you. Of course, you must be right - otherwise there wouldn't still be
| unauthorized fiddlings with my registry taking place. But I've been through
| the filesystems super-thoroughly, using a scanner I trust, with
| bang-up-to-date virus definitions, and found no intrinsically malicious
| executables.
| So I guess what I'm still infected with is a malicious config option,
| presumably in a registry key I haven't looked at. I was hoping someone could
| suggest names of registry keys that might be relevant.
| Thanks again,
| DanH

Without real information one cannot suggest where to look and the malware you may have may not be identified by your un-named anti virus application.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
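
A read-only audit of the two policy values discussed in this thread, as an added example that is not part of any post above. It reports `DisableTaskMgr` and `DisableRegistryTools` for every user hive currently loaded under `HKEY_USERS`, then lists that user's `Run` key entries for review. The function names are hypothetical, and checking the per-user `Run` key is an assumption: the thread does not identify what resets the values at logon.

```powershell
# Added example: read-only audit, changes nothing in the registry.
$policySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\system'
# Assumption: the per-user Run key is one standard logon autostart location.
$runSubKey    = 'Software\Microsoft\Windows\CurrentVersion\Run'
$valueNames   = 'DisableTaskMgr', 'DisableRegistryTools'

function Get-PolicyLockout {
    # Only hives of users who are logged on (or otherwise loaded) appear here.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |  # user SIDs, skips *_Classes
        ForEach-Object {
            $sid   = $_.PSChildName
            $props = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$policySubKey" `
                                      -ErrorAction SilentlyContinue
            foreach ($name in $valueNames) {
                # A missing key or value is reported as $null, not as 0.
                $data = $null
                if ($props -and $props.PSObject.Properties[$name]) { $data = $props.$name }
                [pscustomobject]@{
                    Sid    = $sid
                    Value  = $name
                    Data   = $data
                    Locked = ($data -eq 1)
                }
            }
        }
}

function Get-UserRunEntries {
    param([Parameter(Mandatory)][string]$Sid)
    $key = Get-Item -Path "Registry::HKEY_USERS\$Sid\$runSubKey" -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Sid = $Sid; Name = $name; Command = $key.GetValue($name) }
    }
}

$findings = Get-PolicyLockout
$findings | Format-Table -AutoSize

# For each user with a lockout value set to 1, show what starts at logon.
$findings | Where-Object { $_.Locked } |
    Select-Object -ExpandProperty Sid -Unique |
    ForEach-Object { Get-UserRunEntries -Sid $_ } |
    Format-Table -AutoSize -Wrap
```

Running it before and after a user logs on shows whether the values changed during that logon.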