Printable View
I just recently downloaded and ran Registry Editor for the first time, and this message popped up:
An important entry has been ADDED to the registry!
HKEY=HKEY_CLASSES_ROOT
PATH=vbsfile\shell\open\command
NAME=
DATA=%SystemRoot%\System32\WScript.exe "%1"%*
How do I know if this is malicious or something legitimate? Since it was in the System32 directory and evidently affecting an executable for user-run scripts, I didn't want to make any assumptions.
That looks like the MS Windows scripting host.
In XP it should be (typically) in C:\Windows\system32\
If you google for processes you are not sure of you will come across a few sites that list standard processes, and references to virus/malware alerts from AV and security sites.
Be careful that you get the name EXACTLY right, that the file is in the correct folder, and that you only have one of them. Duplicates and "sounds like" should be regarded as highly suspicious!
Cheers
it's not necessarily bad but I've seen a few hijackthis logs that used it to run malware.
So I guess it all depends on what script it starts running..
if you run hijackthis.. you should see such an entry.. and most likely a file name of the script that is going to get run.
Yeah, SDG is right, it IS a valid MS program but it could be used to run a malicious VB script or whatever.
http://keir.net
I hope the link still works, you are looking for scrip trap. In interceps stuff that shouldn't run unless you want it to. It is a bit like a firewall in its use, you accept or reject programs when it prompts you, then it remembers your answer for next time.
A neat feature is it will interface to your antivirus, which is OK if you keep it up to date, and it recognises the malware. The real question should be "did I ask for a script to run right now"
Good luck
EDIT: Yes, the link works :D
That's the problem with reg edit apps. Unless you realy no what you are about they suck. If you do no what your doing though they are a good tool.
In this case i would hazard a guess that as you had just installed the app. It picked up on the fact and showed you the changes.
Just a guess mind you.