
DISABLE REGISTRY TOOLS repeatedly appears as an infection



Using Emsisoft I repeatedly get the same infection, and seemingly no matter how many times I send it to "Quarantine" it rears its ugly head within a couple of days or so.

 

Here is what today's report said:

 

Emsisoft Emergency Kit - Version 10.0
Last update: 10/2/2015 7:34:30 AM
User account: Lewis-PC\Lewis
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 10/4/2015 11:15:50 AM
Value: HKEY_USERS\S-1-5-21-1422163307-3788927115-2030255185-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
 
Scanned 73742
Found 1
 
Scan end: 10/4/2015 11:21:09 AM
Scan time: 0:05:19
 
Value: HKEY_USERS\S-1-5-21-1422163307-3788927115-2030255185-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
 
Quarantined 1
 
Correspondingly, whenever I run Rogue Killer it continually shows the same infections, which, as with Emsisoft, recur repeatedly despite being sent to quarantine.

Here is today's Rogue Killer Report:
 
RogueKiller V10.10.7.0 [sep 28 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Lewis [Administrator]
Started from : C:\Users\Lewis\Downloads\RogueKiller.exe
Mode : Delete -- Date : 10/04/2015 12:43:00
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2DB07389-E2D8-435C-8610-A2B4A482E18C} | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2DB07389-E2D8-435C-8610-A2B4A482E18C} | DhcpNameServer : 10.0.0.1 ([(Private Address) (XX)])  -> Replaced ()
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST9500325AS +++++
--- User ---
[MBR] afd3e18634a03cfc5f5cd4c7c7c1540f
[bSP] 2ec32c4dafc030881e2a9675b975a583 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 15000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 30926848 | Size: 461838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
How may I resolve this issue?
 
Thank you

 


Purrington,

The items showing in your RogueKiller log are not malicious. The IP address 10.0.0.1 is your internal network DNS.

There are many tools that set the Disable Registry Tools value in the Windows Registry. It is used to control access to the Windows Registry Editor. By default it is not present on Windows. If you can still use the Registry Editor, you can white list the detection.

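As an added illustration (not from this thread or from Emsisoft), here is a PowerShell audit of the DisableRegistryTools policy value Kevin describes, checked in the machine hive and in every loaded user hive under HKEY_USERS (the log above shows it under a specific SID). The registry path and the value meanings are the documented Windows "Prevent access to registry editing tools" policy; the function name is my own, and the script assumes it runs elevated so other users' hives are readable.

```powershell
# Added example: audit where DisableRegistryTools is set and what it means.
# Absent is the Windows default (regedit allowed), as noted in the reply above.
#   0 -> regedit explicitly allowed
#   1 -> regedit blocked, but "regedit /s file.reg" silent imports still run
#   2 -> regedit blocked, including silent mode
$valueName = 'DisableRegistryTools'
$subPath   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegistryToolsPolicy {
    # Machine policy first, then each loaded user hive (skip the *_Classes hives).
    $roots = @("HKLM:\$subPath")
    $roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
              Where-Object { $_.PSChildName -notlike '*_Classes' } |
              ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$subPath" }

    foreach ($root in $roots) {
        $value = $null
        if (Test-Path -Path $root) {
            # Missing value -> error suppressed -> $value stays $null
            $value = (Get-ItemProperty -Path $root -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }

        if ($null -eq $value)  { $meaning = 'absent: regedit allowed (default)' }
        elseif ($value -eq 0)  { $meaning = 'explicitly allowed' }
        elseif ($value -eq 1)  { $meaning = 'regedit blocked (silent /s still allowed)' }
        elseif ($value -eq 2)  { $meaning = 'regedit blocked, including silent mode' }
        else                   { $meaning = "unexpected value $value" }

        [pscustomobject]@{
            Hive    = $root
            Value   = if ($null -eq $value) { '(absent)' } else { $value }
            Meaning = $meaning
        }
    }
}

# Run it; a row showing 1 or 2 for your own SID is what the scanner is flagging.
Get-RegistryToolsPolicy | Format-Table -AutoSize -Wrap
```

Re-running this a few days after whitelisting tells you whether some tool or policy is re-creating the value, which is the recurrence the original poster is seeing.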

Kevin:

 

I appreciate your prompt and professional response.

 

Allow me to apologize in advance but I do not know what "white list the detection" means.

 

Could you kindly tell me in layman's terms what this means and the steps I should take in performing this action?

 

Thank you.


Hello,

Since Kevin is away I'll work with you in this topic until he gets back. To whitelist a detected object once the scan finishes right click on the object and select Add to Whitelist. This will ensure that the object will no longer be detected. To manage the whitelist, you can also click the Scan menu and click the Manage Whitelist button (if you want to do this after having run a scan, you first need to click the New Scan button to return to the scan selection screen).


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
