utalice   

Hi,

I have found Malware.Trace in my recent scans. I had it removed once, but now I see it again.  I am posting a copy of the log below.

When I open Regedit to see if I can figure out what it is from the registry, I cannot find the line to WINLOGON SHELL (because I cannot find the string listed between the "{   }'s" in the SAS log) in HKU\S-1-5-21-1025616775-32965946-2427245248-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

...but I can find WINLOGON SHELL under HKU\S-1-5-21-1025616775-32965946-2427245248-1008\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL. No other program I use (NIS, Malwarebytes, CCleaner) is picking this up. Could this be a false positive?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/16/2014 at 11:56 AM

Application Version : 6.0.1158
Database Version : 11560

Scan type       : Complete Scan
Total Scan Time : 01:32:15

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned      : 632
Memory threats detected   : 0
Registry items scanned    : 89028
Registry threats detected : 1
File items scanned        : 92999
File threats detected     : 9

Malware.Trace
	(x86) HKU\S-1-5-21-1025616775-32965946-2427245248-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Adware.Tracking Cookie
	.doubleclick.net [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
	.liveperson.net [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
	.liveperson.net [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
	.advertising.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
	.advertising.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
	.serving-sys.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
	.serving-sys.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
	.ru4.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
	secure-us.imrworldwide.com [ C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\CNP8W3UV ]

============
 End of Log 
============

geoff   

Hi utalice,

Do you find a Shell value if you go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ?

Thanks,

Geoff

The (x86) at the start of the registry path indicates that it is under an x86 registry path. 

Try looking in

HKEY_USERS\S-1-5-21-1025616775-32965946-2427245248-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

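As an added example (not code from the thread or from SUPERAntiSpyware), here is a PowerShell check that reads the Winlogon Shell value from every hive currently loaded under HKEY_USERS, at both the native path and the Wow6432Node path that the (x86) prefix in the log refers to. It assumes explorer.exe is the expected value and that the "#SHELL" suffix in the log names the Shell value, as Geoff's reply suggests.

```powershell
# Added example: enumerate per-user Winlogon "Shell" values under HKEY_USERS,
# checking both the native key and the Wow6432Node (x86) key.
# Assumption: the expected value on a stock Windows 7 system is "explorer.exe".
$relativePaths = @(
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$expected = 'explorer.exe'

# Only hives that are currently loaded appear under HKU; profiles of users who
# are logged off are not visible here, which is one reason a scanner and Regedit
# can disagree about what exists.
Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
    $hive = $_.PSChildName
    foreach ($rel in $relativePaths) {
        $keyPath = "Registry::HKEY_USERS\$hive\$rel"
        if (-not (Test-Path -Path $keyPath)) { continue }
        $shell = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).Shell
        # Key present but no per-user Shell override: nothing to report.
        if ($null -eq $shell) { continue }
        # Anything other than the bare expected value (extra commands appended,
        # a different executable) is worth reviewing by hand.
        $status = if ($shell.Trim() -ieq $expected) { 'OK' } else { 'REVIEW' }
        [PSCustomObject]@{
            Hive   = $hive
            Path   = $rel
            Shell  = $shell
            Status = $status
        }
    }
} | Format-Table -AutoSize

# The machine-wide default lives under HKLM; a per-user value, when present,
# is the one a scanner flags as a per-user override.
$machineShell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
"HKLM Shell: $machineShell"
```

Run it from an elevated PowerShell prompt so that hives of other local accounts are readable; rows marked REVIEW show the exact hive and path to open in Regedit.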
utalice   
The (x86) at the start of the registry path indicates that it is under an x86 registry path. 

Try looking in

HKEY_USERS\S-1-5-21-1025616775-32965946-2427245248-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Don,

As I stated in my first post, there is no {ED1FC765-E35E-4C3D-BF15-2C2B11260CE4} in a path under HKU. Here is what I see:

https://www.dropbox.com/s/ge7nwg6r12122qa/winshell%20don.jpg?dl=0

utalice   

Stumped?

Well, I noticed this morning that SAS wasn't running on my laptop when I opened it this morning, so I went to open it from the Start menu (Win7 64 bit) and when I clicked on SAS Professional, it gave me the error, "The item 'SUPERAntiSpyware.exe' that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly.

Do you want to delete this shortcut? 

Yes   No"

Wondering what has happened to my program?

This topic is now closed to further replies.