Identifying a Registry Alteration

  1. #1

    Identifying a Registry Alteration

    I just recently downloaded and ran Registry Editor for the first time, and this message popped up:

    An important entry has been ADDED to the registry!
    HKEY=HKEY_CLASSES_ROOT
    PATH=vbsfile\shell\open\command
    NAME=
    DATA=%SystemRoot%\System32\WScript.exe "%1"%*

    How do I know if this is malicious or something legitimate? Since it was in the System32 directory and evidently affecting an executable for user-run scripts, I didn't want to make any assumptions.

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    That looks like the MS Windows scripting host.

    In XP it should be (typically) in C:\Windows\system32\

    If you google for processes you are not sure of you will come across a few sites that list standard processes, and references to virus/malware alerts from AV and security sites.

    Be careful that you get the name EXACTLY right, that the file is in the correct folder, and that you only have one of them. Duplicates and "sounds like" should be regarded as highly suspicious!

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    It's not necessarily bad, but I've seen a few HijackThis logs that used it to run malware.

    So I guess it all depends on what script it starts running.

    If you run HijackThis, you should see such an entry, and most likely a file name of the script that is going to get run.
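
The checks nihil lists (exact file name, correct folder, no duplicates) and SDG's point that the handler key alone does not tell you which script will run can both be automated. The script below is an added example, not something posted in the thread or shipped with any of the tools mentioned. It assumes a stock Windows layout: the handler should resolve to WScript.exe under %SystemRoot%\System32, and on 64-bit Windows additional legitimate copies live under SysWOW64 and the WinSxS component store. The look-alike regex and the list of autostart keys it scans are the author's own choices, not anything the thread specifies.

```powershell
# Added example (not from the thread): audit the .vbs file handler and the
# executable it points at. Run in an elevated PowerShell on Windows.
$ok = $true

# 1. Read the default value of HKCR\vbsfile\shell\open\command.
$key = 'Registry::HKEY_CLASSES_ROOT\vbsfile\shell\open\command'
$raw = (Get-ItemProperty -Path $key).'(default)'
"Raw handler command : $raw"

# Expand %SystemRoot% etc. so the real path can be resolved.
$expanded = [Environment]::ExpandEnvironmentVariables($raw)
"Expanded command    : $expanded"

# 2. Pull the executable out of the command line. It may be quoted
#    ("C:\...\WScript.exe" "%1" %*) or unquoted (...\WScript.exe "%1"%*).
if ($expanded -match '^\s*"([^"]+)"' -or $expanded -match '^\s*(\S+)') {
    $exe = $Matches[1]
} else {
    throw "Could not parse an executable from: $expanded"
}

$expectedDir = Join-Path $env:SystemRoot 'System32'

# 2a. Exact file name (PowerShell string comparison is case-insensitive).
if ((Split-Path $exe -Leaf) -ne 'WScript.exe') {
    Write-Warning "Handler executable is not WScript.exe: $exe"
    $ok = $false
}
# 2b. It lives in %SystemRoot%\System32, not somewhere that merely sounds like it.
if ((Split-Path $exe -Parent).TrimEnd('\') -ne $expectedDir) {
    Write-Warning "Handler executable is not in $expectedDir : $exe"
    $ok = $false
}
# 2c. The file exists and carries a valid Microsoft Authenticode signature.
#     Caveat: system binaries are often catalog-signed; older PowerShell versions
#     report those as NotSigned, so compare a hash against a known-good copy there.
if (-not (Test-Path $exe)) {
    Write-Warning "Handler executable does not exist: $exe"
    $ok = $false
} else {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "Signature check failed for $exe : $($sig.Status)"
        $ok = $false
    }
}

# 3. Look for duplicate or look-alike copies anywhere on the system drive.
#    Assumption: only these directories legitimately hold wscript.exe.
$expectedRoots = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),   # 32-bit copy on 64-bit Windows
    (Join-Path $env:SystemRoot 'WinSxS')      # component store
)
# Heuristic regex (author's choice): catches wscript.exe, script.exe, wscr1pt.exe, ...
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^w?scr[i1l]pt\.exe$' }
foreach ($c in $copies) {
    $inExpected = $expectedRoots | Where-Object { $c.DirectoryName -like "$_*" }
    if ($c.Name -ne 'wscript.exe' -or -not $inExpected) {
        Write-Warning "Unexpected script host copy: $($c.FullName)"
        $ok = $false
    }
}

# 4. The handler alone does not say which script will run. Check the autostart
#    keys HijackThis reports for entries that launch .vbs files or the script host.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own PSPath/PSParentPath/... properties.
        if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match '\.vbs\b|wscript|cscript') {
            Write-Warning "Autostart entry runs a script: [$rk] $($p.Name) = $($p.Value)"
            $ok = $false
        }
    }
}

if ($ok) { 'vbsfile handler looks like the stock Windows Script Host.' }
else     { 'Review the warnings above before trusting this handler.' }
```

Step 3 walks the whole system drive and can take several minutes; narrow the search to %SystemRoot% and user profile directories if you only want a quick look. A legitimate handler with no warnings still says nothing about the safety of any particular .vbs file you double-click, which is the point the thread keeps returning to.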

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Yeah, SDG is right: it IS a valid MS program, but it could be used to run a malicious VB script or whatever.

    http://keir.net

    I hope the link still works; you are looking for Script Trap. It intercepts stuff that shouldn't run unless you want it to. It is a bit like a firewall in its use: you accept or reject programs when it prompts you, then it remembers your answer for next time.

    A neat feature is that it will interface to your antivirus, which is OK if you keep it up to date and it recognises the malware. The real question should be "did I ask for a script to run right now?"

    Good luck

    EDIT: Yes, the link works

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    That's the problem with reg edit apps. Unless you really know what you are about, they suck. If you do know what you're doing, though, they are a good tool.

    In this case I would hazard a guess that, as you had just installed the app, it picked up on the fact and showed you the changes.

    Just a guess mind you.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
