
RedDawn

Honorary Members
  • Posts

    24
  • Joined

  • Last visited

Everything posted by RedDawn

  1. Hi, Why is MBAM trying to phone home each time I scan a file with it from the context menu? And what info is it attempting to send? I have 'Anonymously report usage statistics' unchecked.
  2. Sure, many people have set up multiple sandboxes (Sandboxie Control > Sandbox > Create New Sandbox), each to be used for a different purpose (online banking, browsing, program testing etc.) and each one configured best for that purpose. For example, in my browser sandbox for everyday use I have Internet access restricted to IE, Firefox, Java and WMP (Sandboxie Control > Sandbox Settings > Restrictions > Internet Access). I have also blocked access to My Documents and the D: and E: drives (Sandboxie Control > Sandbox Settings > Resource Access > File Access > Block Access). To be even more secure, you could limit what can start/run in the sandbox; I'm toying with this at the moment. Some may find this setting a little too restrictive for normal use; it may be better suited to a sandbox used solely for online banking, for example. See this thread. There is also the Drop Rights feature. The links below will explain things better and go into more detail on the different Sandboxie settings: Sandbox Settings, Restrictions Settings, Resource Access Settings.
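The settings described in post 2 (Internet access limited to a few programs, My Documents and two drives blocked, an optional Start/Run whitelist, Drop Rights) are all stored by Sandboxie Control as lines in Sandboxie.ini. The fragment below is an added example and not RedDawn's own configuration or a Sandboxie-supplied file: the box name "Browser" and the program list are assumptions, and the key names are the Sandboxie.ini equivalents as documented for that era of Sandboxie, so check them against the "Sandboxie.ini" help for the version actually installed before relying on them.

```ini
; Added example, not from the original post: a hardened "Browser" sandbox in
; Sandboxie.ini that mirrors the Sandboxie Control settings described above.
; Box name and program list are assumptions; key names follow the Sandboxie.ini
; documentation of the time and should be confirmed for your installed version.

[Browser]
Enabled=y

; Drop Rights (Sandbox Settings > Restrictions > Drop Rights):
; programs in the box run without Administrator / Power User group rights,
; even when the logged-on user has them.
DropAdminRights=y

; Internet Access (Sandbox Settings > Restrictions > Internet Access):
; the leading "!" means "every program EXCEPT these". Only the listed
; programs may open network devices; everything else in the box is offline.
ClosedFilePath=!iexplore.exe,!firefox.exe,!java.exe,!javaw.exe,!wmplayer.exe,InternetAccessDevices

; File Access > Blocked Access (Sandbox Settings > Resource Access > File Access):
; My Documents and the D: and E: drives do not exist as far as sandboxed
; programs are concerned (reads and writes both fail).
ClosedFilePath=%Personal%
ClosedFilePath=D:\
ClosedFilePath=E:\

; Start/Run Access (Sandbox Settings > Restrictions > Start/Run Access):
; only members of the StartRunAccess group may be started inside the box.
; The IPC rule is what actually denies process creation to anything else,
; so a downloaded dropper cannot launch even if it lands on disk in the box.
ProcessGroup=<StartRunAccess>,iexplore.exe,firefox.exe
ClosedIpcPath=!<StartRunAccess>,*
```

Two practical notes. Sandboxie only re-reads the file when told to (Sandboxie Control > Configure > Reload Configuration), so edit the file, reload, then confirm in Sandbox Settings that each restriction shows the programs you expect. And the Start/Run list has to include every helper the browser spawns (plug-in container, updater, PDF viewer), which is exactly why post 2 calls it too restrictive for general browsing and better suited to a single-purpose box such as online banking.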
  3. I would guess Oneder tested the sample using the latest version of Sandboxie. It's good news though to hear the file was contained successfully in his testing. A restricted Sandbox would be one that has been hardened through the Sandbox settings, such as enabling the Drop Rights feature, restricting Internet access to certain programs, selecting what's allowed to Start/Run in the sandbox etc. All the best, RD.
  4. Thanks Tom, but no need, Oneder has kindly taken the time to test the file HERE. Thanks again.
  5. Hi TeMerc, Any chance you could elaborate a little on this? What variant of Virut, Sandboxie version etc.? Thanks.
  6. Updated through Internal Updater - No problems.

     Malwarebytes' Anti-Malware 1.31
     Database version: 1456
     Windows 6.0.6001 Service Pack 1

     04/12/2008 04:39:19
     mbam-log-2008-12-04 (04-39-19).txt

     Scan type: Quick Scan
     Objects scanned: 44623
     Time elapsed: 3 minute(s), 3 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
  7. Hi Alicez, Yes, Swiss Army is safe, it is part of MBAM, a driver if I'm not mistaken. To configure Windows Defender to ignore it: open Windows Defender, click Tools > Options, scroll down to Advanced Options and under "Do not scan these files or locations" click Add, navigate to mbamswissarmy and click OK. The path should be C:\Windows\system32\drivers\mbamswissarmy.sys. You should now stop seeing the warning from WD.
  8. Hardhead, Thank you very much for your help.
  9. Just updated to (Free) version 1.29. Uninstalled version 1.28 using Revo. Rebooted. Installed version 1.29. Rebooted. Everything is okay, except I now have the following entry in my startup list. Why is this here and can/should I delete it? Thanks, RD.
  10. Hi Guys, Sorry for the late post on the subject, but I've only come across this tonight. A couple of questions if I may. I've restored MBAM-dor.exe from McAfee's quarantine, should everything be okay now with MBAM, or would It be advised to reinstall it? Also slightly odd, McAfee's quarantine report for MBAM-dor.exe, Process: SuperAntiSpyware?? Any thoughts appreciated. Thanks.
  11. Smooth update, no problems. Just one thing I noticed on this [and the previous] version: after I initialize a scan, 7 seconds will elapse before scanning actually starts. Not really a problem, just reporting (I'm running Vista Prem.).

      Malwarebytes' Anti-Malware 1.27
      Database version: 1130
      Windows 6.0.6000

      09/09/2008 00:31:40
      mbam-log-2008-09-09 (00-31-40).txt

      Scan type: Quick Scan
      Objects scanned: 43249
      Time elapsed: 3 minute(s), 14 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
  12. Hi AdvancedSetup, No, everything is okay, I was just curious why the thread had disappeared. Thanks for the explanation. Take care.
  13. It was to do with MBAM flagging the file lvuvc.hs as a rootkit. The thread was finished, I just wondered as to why it has been deleted?
  14. A little curious as to why my recent thread "Anything to worry about?" on the HJT board has been removed?
  15. Hi Jean, Scan is clear now (see below), must have been a FP as I've never had any infections. Thanks so much for all your help. Take care.

      Malwarebytes' Anti-Malware 1.11
      Database version: 686

      Scan type: Quick Scan
      Objects scanned: 35179
      Time elapsed: 3 minute(s), 13 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
  16. Hi Jean, As requested, the updated MBAM log is below. I don't seem to be having any noticeable adverse symptoms. The Reg. file is definitely being marked as infected during the heuristics part of the scan. Thanks.

      MBAM Results:

      Malwarebytes' Anti-Malware 1.11
      Database version: 681

      Scan type: Full Scan (C:\|D:\|E:\|)
      Objects scanned: 139302
      Time elapsed: 47 minute(s), 30 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Tencent (Adware.Agent) -> No action taken.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
  17. Hi Jean, Below are the full Panda log results that I received. I have not had any contact or help to resolve my problem from anyone except yourself. Thanks.

      Panda ActiveScan 2.0 Results:
      ;*******************************************************************************
      ANALYSIS: 2008-04-18 14:42:56
      PROTECTIONS: 1
      MALWARE: 5
      SUSPECTS: 0
      ;*******************************************************************************
      PROTECTIONS
      Description  Version  Active  Updated
      ;===============================================================================
      McAfee VirusScan  No  Yes
      ;===============================================================================
      MALWARE
      Id  Description  Type  Active  Severity  Disinfectable  Disinfected  Location
      ;===============================================================================
      00139061  Cookie/Doubleclick  TrackingCookie  No  0  Yes  No  C:\Users\net#lomster11\AppData\Roaming\Microsoft\Windows\Cookies\Low\net#lomster11@net[6].txt
      00139064  Cookie/Atlas DMT  TrackingCookie  No  0  Yes  No  C:\Users\Gerry\AppData\Roaming\Microsoft\Windows\Cookies\Low\gerry@atdmt[1].txt
      00168090  Cookie/Serving-sys  TrackingCookie  No  0  Yes  No  C:\Users\Gerry\AppData\Roaming\Microsoft\Windows\Cookies\Low\gerry@serving-sys[1].txt
      00168093  Cookie/Serving-sys  TrackingCookie  No  0  Yes  No  C:\Users\Gerry\AppData\Roaming\Microsoft\Windows\Cookies\Low\gerry@bs.serving-sys[2].txt
      00180246  Cookie/XXXCounter  TrackingCookie  No  0  Yes  No  C:\Users\net#lomster11\AppData\Roaming\Microsoft\Windows\Cookies\Low\net#lomster11@net[10].txt
      ;===============================================================================
      SUSPECTS
      Sent  Location  -C 3
      ;===============================================================================
      ;===============================================================================
      VULNERABILITIES
      Id  Severity  Description  -C 3
      ;===============================================================================
      ;===============================================================================
  18. Hi Jean, If you look at the Panda log again, you'll see the 5 malwares listed as being 5 cookies. I just deleted the paths as the log wasn't rendering properly when posted. Thanks for any help.
  19. Hi Jean, I've posted the MBAM, Panda Activescan and HJT logs you requested. If it helps, the Reg key seems to have been marked as infected during the Heuristics part of the MBAM scan. I've also run a full scan with SAS and F-secure online scanner, all results clear. Thanks for any help.
  20. HJT Log:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 16:52:52, on 18/04/2008
      Platform: Windows Vista (WinNT 6.00.1904)
      MSIE: Internet Explorer v7.00 (7.00.6000.16643)
      Boot mode: Normal

      Running processes:
      C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Program Files\Windows Defender\MSASCui.exe
      C:\Windows\sttray.exe
      C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
      C:\Program Files\McAfee\MSK\mskagent.exe
      C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
      C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
      C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe
      C:\Program Files\Windows Sidebar\sidebar.exe
      C:\Windows\system32\taskeng.exe
      C:\Windows\ehome\ehtray.exe
      C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
      C:\Program Files\Logitech\SetPoint\SetPoint.exe
      C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
      C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
      C:\Program Files\Internet Explorer\ieuser.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Windows\System32\notepad.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\Windows\system32\SearchFilterHost.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ie/ig/dell?hl=en&cli...amp;ibd=6070412
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      O1 - Hosts: ::1 localhost
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O2 - BHO: SecureBrowsingBho Helper - {7632ABCA-B104-4fbc-9C70-419C4147061B} - C:\Program Files\Finjan Secure Browsing\bho.dll
      O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
      O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
      O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
      O3 - Toolbar: Finjan Secure Browsing - {B99F805C-F0B1-48EA-8C8B-753BFCBED913} - C:\Program Files\Finjan Secure Browsing\bho.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe
      O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
      O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
      O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
      O4 - HKLM\..\Run: [ECenter] c:\dell\E-Center\EULALauncher.exe
      O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
      O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
      O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
      O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-21-1984928037-2126404895-2216295374-1003\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'net#lomster11')
      O4 - HKUS\S-1-5-18\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P5 /q C:\Users\NET#LO~1\AppData\Local\Temp\Low\~DF7527.tmp C:\Users\NET#LO~1\AppData\Local\Temp\Low\~DF7518.tmp C:\Users\NET#LO~1\AppData\Local\Temp\Low\Low\HSPERF~1.SH! C:\Users\NET#LO~1\AppData\Local\Temp\Low\HSPERF~1.SH! C:\Users\NET#LO~1\AppData\Local\Temp\HSPERF~1.SH! C:\Users\Gerry\AppData\Local\Temp\HSPERF~1.SH! C:\Users\NET#LO~1\AppData\Local\Temp\TEMPOR~1\Content.SH! C:\Users\NET#LO~1\AppData\Local\Temp\TEMPOR~1.SH! C:\Users\NET#LO~1\AppData\Local\Temp\History\History.SH! C:\Users\NET#LO~1\AppData\Local\Temp\History.SH! C:\Users\NET#LO~1\AppData\Local\Temp\Cookies.SH! C:\Users\NET#LO~1\AppData\Local\Temp\History\History.IE5\MSHIST~1.SH! C:\Users\Gerry\AppData\Local\Temp\Low\HSPERF~1.SH! C:\$Recycle.Bin\S-6159~1\$RWCG2RO.SH! C:\$Recycle.Bin\S-6159~1\$RMMKGKP\HSPERF~1.SH! C:\$Recycle.Bin\S-6159~1\$RMMKGKP.SH! C:\Users\Gerry\AppData\Local\Temp\TEMPOR~1\Content.SH! C:\Users\Gerry\AppData\Local\Temp\TEMPOR~1.SH! C:\Users\Gerry\
      O4 - HKUS\.DEFAULT\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P5 /q C:\Users\NET#LO~1\AppData\Local\Temp\Low\~DF7527.tmp C:\Users\NET#LO~1\AppData\Local\Temp\Low\~DF7518.tmp C:\Users\NET#LO~1\AppData\Local\Temp\Low\Low\HSPERF~1.SH! C:\Users\NET#LO~1\AppData\Local\Temp\Low\HSPERF~1.SH! C:\Users\NET#LO~1\AppData\Local\Temp\HSPERF~1.SH! C:\Users\Gerry\AppData\Local\Temp\HSPERF~1.SH! C:\Users\NET#LO~1\AppData\Local\Temp\TEMPOR~1\Content.SH! C:\Users\NET#LO~1\AppData\Local\Temp\TEMPOR~1.SH! C:\Users\NET#LO~1\AppData\Local\Temp\History\History.SH! C:\Users\NET#LO~1\AppData\Local\Temp\History.SH! C:\Users\NET#LO~1\AppData\Local\Temp\Cookies.SH! C:\Users\NET#LO~1\AppData\Local\Temp\History\History.IE5\MSHIST~1.SH! C:\Users\Gerry\AppData\Local\Temp\Low\HSPERF~1.SH! C:\$Recycle.Bin\S-6159~1\$RWCG2RO.SH! C:\$Recycle.Bin\S-6159~1\$RMMKGKP\HSPERF~1.SH! C:\$Recycle.Bin\S-6159~1\$RMMKGKP.SH! C:\Users\Gerry\AppData\Local\Temp\TEMPOR~1\Content.SH! C:\Users\Gerry\AppData\Local\Temp\TEMPOR~1.SH! C:\Users\Gerry\
      O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
      O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
      O13 - Gopher Prefix:
      O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
      O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O23 - Service: McAfee Application Installer Cleanup (0098011208521330) (0098011208521330mcinstcleanup) - McAfee, Inc. - C:\Windows\TEMP\009801~1.EXE
      O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
      O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
      O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
      O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
      O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
      O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
      O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
      O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
      O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
      O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
      O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
      O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
      O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
      O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
      O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
      O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
      O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
      O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
      O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
      O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
      O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
      O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
      O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
      O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

      --
      End of file - 12146 bytes
  21. Panda ActiveScan 2.0 Results:
      ;*******************************************************************************
      ANALYSIS: 2008-04-18 14:42:56
      PROTECTIONS: 1
      MALWARE: 5
      SUSPECTS: 0
      ;*******************************************************************************
      PROTECTIONS
      Description  Version  Active  Updated
      ;===============================================================================
      McAfee VirusScan  No  Yes
      ;===============================================================================
      MALWARE
      Id  Description  Type  Active  Severity  Disinfectable  Disinfected  Location
      ;===============================================================================
      00139061  Cookie/Doubleclick  TrackingCookie  No  0  Yes  No  C:\U
      00139064  Cookie/Atlas DMT  TrackingCookie  No  0  Yes  No  C:\U
      00168090  Cookie/Serving-sys  TrackingCookie  No  0  Yes  No  C:\U
      00168093  Cookie/Serving-sys  TrackingCookie  No  0  Yes  No  C:\U
      00180246  Cookie/XXXCounter  TrackingCookie  No  0  Yes  No  C:\U
      ;===============================================================================
      SUSPECTS
      Sent  Location  -C 3
      ;===============================================================================
      ;===============================================================================
      VULNERABILITIES
      Id  Severity  Description  -C 3
      ;===============================================================================
      ;===============================================================================
  22. Hi, As requested, here are the MBAM results:

      Malwarebytes' Anti-Malware 1.11
      Database version: 642

      Scan type: Full Scan (C:\|D:\|E:\|)
      Objects scanned: 138532
      Time elapsed: 38 minute(s), 21 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Tencent (Adware.Agent) -> No action taken.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      Just to add, the Reg key seemed to be marked as infected during the Heuristics part of the scan. I've also run a full scan with SAS and F-secure online scanner, all results clear.
  23. Hi Jean, Thanks so much for your reply. I've read the instructions in the link you provided and will post a HJT log shortly. I will also supply the other scan results required, although I use Vista Prem, and I'm not sure Panda's Activescan is compatible. I usually use Eset or F-secure online scans if one of those will be ok. Please let me know if you have a preference. Thanks again.
  24. Hi, I'm not sure what to do as I've never had any sort of infection before. Last night I got a result during a quick scan and I'm not sure if it's a false positive or not. I would be very grateful if you could advise me on what to do next. Thanks so much for any help.

      Malwarebytes' Anti-Malware 1.11
      Database version: 636

      Scan type: Quick Scan
      Objects scanned: 33211
      Time elapsed: 2 minute(s), 2 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Tencent (Adware.Agent) -> No action taken.

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)