-
May 11th, 2004 10:29 PM
#1
Identifying a Registry Alteration
I just recently downloaded and ran Registry Editor for the first time, and this message popped up:
An important entry has been ADDED to the registry!
HKEY=HKEY_CLASSES_ROOT
PATH=vbsfile\shell\open\command
NAME=
DATA=%SystemRoot%\System32\WScript.exe "%1"%*
How do I know if this is malicious or something legitimate? Since it was in the System32 directory and evidently affecting an executable for user-run scripts, I didn't want to make any assumptions.
-
May 11th, 2004 10:49 PM
#2
That looks like the MS Windows scripting host.
In XP it should be (typically) in C:\Windows\system32\
If you google for processes you are not sure of you will come across a few sites that list standard processes, and references to virus/malware alerts from AV and security sites.
Be careful that you get the name EXACTLY right, that the file is in the correct folder, and that you only have one of them. Duplicates and "sounds like" should be regarded as highly suspicious!
Cheers
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
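An added example (not part of the thread and not any poster's code): the checks from the reply above, exact file name and correct folder, applied to the DATA field of the alert quoted in the first post. The function names, the `C:\Windows` default for `%SystemRoot%`, the argument check and the look-alike inputs used to exercise it are assumptions made here.

```python
import ntpath
import re

# Assumption: the stock handler is the value shown in the alert above.
EXPECTED_EXE = r"%SystemRoot%\System32\WScript.exe"
EXPECTED_ARGS = {'"%1"', "%*"}

def parse_alert(text):
    """Turn the monitor's KEY=VALUE lines into a dict (split on first '=')."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def split_command(data):
    """Split a shell\\open\\command string into (executable, arguments)."""
    data = data.strip()
    if data.startswith('"'):              # quoted executable path
        exe, _, rest = data[1:].partition('"')
    else:                                 # unquoted: ends at the first space
        exe, _, rest = data.partition(" ")
    # Arguments are quoted strings or bare tokens, so "%1"%* gives two.
    return exe, re.findall(r'"[^"]*"|[^\s"]+', rest)

def normalise(path, system_root):
    """Expand %SystemRoot%, collapse '..', fold case like Windows does."""
    expanded = re.sub("%systemroot%", lambda m: system_root, path, flags=re.I)
    return ntpath.normcase(ntpath.normpath(expanded))

def check_handler(data, system_root=r"C:\Windows"):
    """Return findings for a handler command; empty list = stock value."""
    exe, args = split_command(data)
    actual = normalise(exe, system_root)
    expected = normalise(EXPECTED_EXE, system_root)
    findings = []
    if ntpath.basename(actual) != ntpath.basename(expected):
        findings.append("name is not exactly WScript.exe")
    elif actual != expected:
        findings.append("WScript.exe is not in System32")
    if any(arg not in EXPECTED_ARGS for arg in args):
        findings.append("unexpected arguments")
    return findings

# The alert quoted in the first post.
ALERT = r'''HKEY=HKEY_CLASSES_ROOT
PATH=vbsfile\shell\open\command
NAME=
DATA=%SystemRoot%\System32\WScript.exe "%1"%*'''

if __name__ == "__main__":
    print(check_handler(parse_alert(ALERT)["DATA"]))
```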
-
May 11th, 2004 10:49 PM
#3
It's not necessarily bad, but I've seen a few HijackThis logs that used it to run malware.
So I guess it all depends on what script it starts running.
If you run HijackThis, you should see such an entry, and most likely a file name of the script that is going to get run.
-
May 11th, 2004 11:08 PM
#4
Yeah, SDG is right, it IS a valid MS program but it could be used to run a malicious VB script or whatever.
http://keir.net
I hope the link still works; you are looking for Script Trap. It intercepts stuff that shouldn't run unless you want it to. It is a bit like a firewall in its use: you accept or reject programs when it prompts you, then it remembers your answer for next time.
A neat feature is it will interface to your antivirus, which is OK if you keep it up to date, and it recognises the malware. The real question should be "did I ask for a script to run right now?"
Good luck
EDIT: Yes, the link works
-
May 12th, 2004 01:05 AM
#5
That's the problem with reg edit apps. Unless you really know what you are about, they suck. If you do know what you're doing, though, they are a good tool.
In this case I would hazard a guess that, as you had just installed the app, it picked up on the fact and showed you the changes.
Just a guess, mind you.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry