utalice
Posted October 19, 2014

Hi, I have found Malware.Trace in my recent scans. I had it removed once, but now I see it again. I am posting a copy of the log below.

When I open Regedit to see if I can figure out what it is from the registry, I cannot find the line to WINLOGON SHELL (because I cannot find the string listed between the "{ }"s in the SAS log) in

HKU\S-1-5-21-1025616775-32965946-2427245248-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

...but I can find WINLOGON SHELL under

HKU\S-1-5-21-1025616775-32965946-2427245248-1008\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

No other program I use (NIS, Malwarebytes, CCleaner) is picking this up. Could this be a false positive?

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 10/16/2014 at 11:56 AM

Application Version : 6.0.1158
Database Version : 11560

Scan type : Complete Scan
Total Scan Time : 01:32:15

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 632
Memory threats detected : 0
Registry items scanned : 89028
Registry threats detected : 1
File items scanned : 92999
File threats detected : 9

Malware.Trace
(x86) HKU\S-1-5-21-1025616775-32965946-2427245248-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Adware.Tracking Cookie
.doubleclick.net [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
.liveperson.net [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
.liveperson.net [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
.advertising.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
.serving-sys.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
.serving-sys.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
.ru4.com [ C:\USERS\DALA\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1FAGKFQX.DEFAULT-1411659007127\COOKIES.SQLITE ]
secure-us.imrworldwide.com [ C:\WINDOWS\SYSWOW64\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\CNP8W3UV ]

============ End of Log ============
geoff
Posted October 20, 2014

Hi utalice,

Do you find a Shell value if you go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ?

Thanks,
Geoff
nighthawkext
Posted October 20, 2014

The (x86) at the start of the registry path indicates that it is under an x86 registry path. Try looking in

HKEY_USERS\S-1-5-21-1025616775-32965946-2427245248-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL
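The registry check the two replies above describe, as an added PowerShell example (not code from the thread or from SUPERAntiSpyware): it reads the Winlogon Shell value from HKLM and from every loaded hive under HKEY_USERS, in both the native path and the Wow6432Node (x86) path, and flags any per-user override or any value other than the default explorer.exe. It assumes explorer.exe is the expected shell and is meant to be run from an elevated PowerShell on the machine being checked.

```powershell
# Added example, not from the thread or from SUPERAntiSpyware.
# Lists the Winlogon "Shell" value in the native and Wow6432Node (x86) views
# for HKLM and every loaded user hive under HKEY_USERS. The default shell is
# explorer.exe (assumed); a per-user Shell value is unusual on a normal install.
$expectedShell = 'explorer.exe'
$winlogon = @{
    native = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    x86    = 'SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
}

# Build the list of (hive, view, key path) combinations to inspect.
$targets = foreach ($view in $winlogon.Keys) {
    [pscustomobject]@{ Hive = 'HKLM'; View = $view
                       Path = "Registry::HKEY_LOCAL_MACHINE\$($winlogon[$view])" }
    foreach ($user in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Hive = $user.PSChildName; View = $view
                           Path = "Registry::HKEY_USERS\$($user.PSChildName)\$($winlogon[$view])" }
    }
}

$results = foreach ($t in $targets) {
    # Key absent in this view/hive: nothing to report.
    if (-not (Test-Path -LiteralPath $t.Path)) { continue }
    $value = (Get-ItemProperty -LiteralPath $t.Path -Name 'Shell' -ErrorAction SilentlyContinue).Shell
    # No Shell value set: the default shell applies.
    if ($null -eq $value) { continue }
    # Only the machine-wide value set to plain explorer.exe is expected; flag
    # everything else, including any per-user override, for manual review.
    $status = if ($t.Hive -eq 'HKLM' -and $value.Trim() -ieq $expectedShell) { 'OK' } else { 'REVIEW' }
    [pscustomobject]@{ Hive = $t.Hive; View = $t.View; Shell = $value; Status = $status }
}

$results | Format-Table -AutoSize
```

Only hives that are currently loaded appear under HKEY_USERS, so a profile that is not logged on will not be listed unless its NTUSER.DAT is loaded first.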
utalice
Posted October 22, 2014

> Hi utalice,
>
> Do you find a Shell value if you go to:
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ?
>
> Thanks,
> Geoff

Geoff,

No. Here is what I find: https://www.dropbox.com/s/wqgcz93tvut283l/winshell.jpg?dl=0
utalice
Posted October 22, 2014

> The (x86) at the start of the registry path indicates that it is under an x86 registry path. Try looking in
>
> HKEY_USERS\S-1-5-21-1025616775-32965946-2427245248-1008-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL

Don,

As I stated in my first post, there is no {ED1FC765-E35E-4C3D-BF15-2C2B11260CE4} in a path under HKU. Here is what I see: https://www.dropbox.com/s/ge7nwg6r12122qa/winshell%20don.jpg?dl=0
utalice
Posted October 25, 2014

Stumped?

Well, I noticed this morning that SAS wasn't running on my laptop when I opened it, so I went to open it from the Start menu (Win7 64 bit) and when I clicked on SAS Professional, it gave me the error:

"The item 'SUPERAntiSpyware.exe' that this shortcut refers to has been changed or moved, so this shortcut will no longer work properly. Do you want to delete this shortcut? Yes No"

Wondering what has happened to my program?