Malware.Trace infection

dorkpixie

New member
Local time
11:05 AM
Messages
34
Location
On Long Island in NY
Good Morning. I woke this morning to see that my normal nightly full system scan by SUPERAntiSpyware found a registry malware called Malware.Trace with this information:

HKUS\S-1-5-21-2418211180-2028737814-1402298196-1003\SOFTWARE\MICROSOFT\WINDOWS NT\Current Version\WinLogOn\ (SHELL -C:\Windows\eHome\McrMgr.exe)

Right now SAS has it quarantined, but I am concerned about rootkits and keyloggers, as I work from this computer from home and security is a must. I am looking for a way to find out whether, if I remove this file from my system via the SAS quarantine, I will be done with it.

Microsoft Security Essentials: did not find the infection
MBam: did not find the infection
AdAware: did not find the infection
Norton 360: did not find the infection

Here is my log file from SAS:
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 12/28/2010 at 06:30 AM

Application Version : 4.47.1000

Core Rules Database Version : 6081
Trace Rules Database Version: 3893

Scan type : Complete Scan
Total Scan Time : 00:30:40

Memory items scanned : 786
Memory threats detected : 0
Registry items scanned : 15154
Registry threats detected : 1
File items scanned : 53845
File threats detected : 12

Adware.Tracking Cookie
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\shannon@atwola[2].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][3].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\shannon@doubleclick[1].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\Low\shannon@atwola[2].txt
C:\Users\Shannon\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt

Malware.Trace
(x86) HKU\S-1-5-21-2418211180-2028737814-1402298196-1003\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON#SHELL


Any help would be greatly appreciated, also as soon as possible due to work issues, need clean machine to work.
Thank you in advance; let me know if you need more information.

Oh, running Windows 7 Professional.
 

My Computer

Computer Manufacturer/Model Number
Lenovo 9979A11
OS
Windows Pro 7 64-bit
CPU
Intel Core 2 Duo
Motherboard
Lenovo
Memory
8 GB DDR2
Graphics Card(s)
Onboard; Intel(R) Q35 chipset
Sound Card
onboard... High Def Audio
Monitor(s) Displays
Acer V173
Screen Resolution
1280 X 1024
Hard Drives
160 GB WD (XP)
320 GB Samsung (7)
500 GB Samsung (storage)
320 Iomega External (backup & storage)
PSU
N/A onboard vid; Intel Q35 Chipset
Case
Mini
Cooling
Native Intel Core 2 Duo fan & Heatsink; 2 case fans
Keyboard
general
Mouse
general
Internet Speed
Cable
Other Info
Windows 7 Pro 64-bit
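The value SAS flagged above lives in the per-user Winlogon key, and the Shell value there (together with Userinit) is one of the classic places malware puts itself to run at every logon. The following script is an added example written for this page, not something from the thread or from SUPERAntiSpyware: it walks HKLM and every loaded user hive under HKEY_USERS, reads Shell and Userinit, resolves the executable each one points at, checks its Authenticode signature, and translates the SID into an account name so you can see which user the value belongs to. It assumes the stock Windows 7 defaults ("explorer.exe" for Shell and "%SystemRoot%\system32\userinit.exe," for Userinit), and it also assumes, from the way Windows Media Center sets up its extender accounts (Mcx1-<host>, Mcx2-<host> and so on) with McrMgr.exe as their per-user shell, that a validly signed %SystemRoot%\eHome\McrMgr.exe under such an account is expected rather than persistence. Whether the SID ending in -1003 in the post is such an account is something only the poster can confirm, by translating the SID as the script does. Re-running it after deleting the quarantine entry is a direct way to see whether something puts the value back.

```powershell
# Added example (not from the thread): audit Winlogon Shell and Userinit in HKLM and in
# every loaded user hive under HKEY_USERS, and flag anything that is not the Windows default.
# Run from an elevated PowerShell prompt on Windows 7 or later.
# Assumptions: stock Windows 7 x64 defaults below; Media Center extender accounts
# (Mcx<n>-<host>) legitimately use McrMgr.exe as their per-user shell.

$Defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # trailing comma is the stock value
}

# Winlogon accepts a comma-separated list; take the first executable and make it absolute.
function Resolve-WinlogonExe {
    param([string]$Value)
    $first = ($Value -split ',')[0].Trim().Trim('"')
    if ($first -match '^(.*?\.exe)') { $first = $Matches[1] }
    $expanded = [Environment]::ExpandEnvironmentVariables($first)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    # An unqualified name such as "explorer.exe" is looked up in System32 and then %SystemRoot%
    # (assumption: this mirrors where Winlogon would find the stock shell).
    foreach ($dir in "$env:SystemRoot\System32", $env:SystemRoot) {
        $candidate = Join-Path -Path $dir -ChildPath $expanded
        if (Test-Path -Path $candidate) { return $candidate }
    }
    return $expanded
}

function Get-WinlogonAudit {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $subKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $keys = @("HKLM:\$subKey")
    # Only real account SIDs (S-1-5-21-...); this pattern also skips the *_Classes hives.
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $keys += "HKU:\$($_.PSChildName)\$subKey" }

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Shell', 'Userinit') {
            $value = $props.$name
            if ($null -eq $value) { continue }   # a per-user hive normally has neither value
            $exe = Resolve-WinlogonExe -Value $value
            $sig = if (Test-Path -Path $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }

            # Translate the SID so the account behind a per-user value is visible.
            $account = 'HKLM (all users)'
            if ($key -like 'HKU:\*') {
                $sid = ($key -split '\\')[1]
                try {
                    $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $account = $sid }   # profile of a deleted or domain account
            }

            $verdict = if ($key -notlike 'HKU:\*' -and $value -eq $Defaults[$name]) {
                'default'
            } elseif ($account -match '\\Mcx\d+-' -and $exe -eq "$env:SystemRoot\eHome\McrMgr.exe" -and $sig -eq 'Valid') {
                'Media Center extender account (expected)'
            } else {
                'REVIEW: non-default'
            }

            [pscustomobject]@{
                Account   = $account
                Value     = "$name = $value"
                Resolved  = $exe
                Signature = $sig
                Verdict   = $verdict
            }
        }
    }
}

Get-WinlogonAudit | Format-Table -AutoSize -Wrap
```

Only hives of users who are currently logged on (or whose profiles Windows has loaded) appear under HKEY_USERS, so on a shared machine run it while the account in question is logged on, or load that user's NTUSER.DAT with `reg load` first. A "REVIEW" row whose executable is unsigned, missing, or sitting outside %SystemRoot% is the case to chase; Autoruns shows the same values on its Winlogon tab and can submit the file to VirusTotal for a second opinion.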
It looks like you're running all the right software. If something is in quarantine, that's just to keep it there for either submission or in case you accidentally took out a file that is, in fact, needed.

Tracking cookies are becoming an all-too-common thing, unfortunately. Most of the time, though, they are easy enough to remove.

Just keep an eye on your system for strange behavior (system slowness, pop ups, etc).

MSE checks for rootkits, but if you would like another option, you can d/l Norton Power Eraser, which now has rootkit detection (you'll have to reboot for this option to run, as it checks the system before Windows initializes).

http://security.symantec.com/nbrt/npe.asp?lcid=1033

As with any program, be cautious using this as it can inadvertently hose your system.

If you have any doubts, Norton offers an online scan which will d/l an AV engine onto your system; it runs in a sandbox, then scans your entire drive.

http://security.symantec.com/sscv6/...lfid=21&pkj=WYBUMSZTGSJCYWXVJQJ&auth_status=0
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell Hell oh Well
OS
Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
CPU
Intel Core 2 Duo 2.93GHz
Memory
Not much with my ADHD
Graphics Card(s)
ATI Radeon HD 4350
Monitor(s) Displays
24" HDTV/Monitor
Screen Resolution
Blurry after a Scotch or 2
Hard Drives
1 HDD 250 GB, 1 HDD 1 TB, 3 - 1 TB Externals
Case
Don't get on my case...man :D
Cooling
I have an Air Conditioner & Diet Pepsi
Keyboard
Saitek Cyborg
Mouse
10 yr old MS optical mouse that still works
Internet Speed
Never fast enough
Antivirus
Various
Browser
Various
Hi Borg, thank you for the fast reply. One question: MSE? Are you referring to Microsoft Security Essentials?

The tracking cookies are not my concern; I get those every time I scan with pretty much all my scanners. It's the Malware.Trace at the bottom that I am super concerned with. So if the file is in quarantine it cannot affect my system?
 


Wasn't sure if you saw this part of the post as it was an edit.....
The tracking cookies are not my concern; I get those every time I scan with pretty much all my scanners. It's the Malware.Trace at the bottom that I am super concerned with. So if the file is in quarantine it cannot affect my system?
 

Nope...once it's in quarantine, it's been removed from the system use and placed in a safe folder.

Now, if you delete that from quarantine and it shows up again, that's an indication that there is something in the system & it keeps getting put back in.
 

Ok, thank you for your help; glad it was an easy one for you. :)
 

Well, it looks that way. Like I said, keep an eye on your system. Malware nowadays is pretty tricky, and even after apparent removal it's sometimes sitting in the background; it just changed its spots. Glad I could help, but keep doing regular scans, which is a good practice.
 

As far as tracking cookies go, you can avoid them by using Sandboxie and browsing in a sandboxed browser. This way, as soon as you delete the sandbox, everything that was saved on your disk while browsing will be gone. However, it has a con: the bookmarks you made in the sandboxed browser will also be gone. But at least it'll save you from any malicious downloads that don't require the user's consent.
 

My Computer

Computer Manufacturer/Model Number
HCL
OS
Windows 7 Ultimate x64 | Ubuntu 12.04 x64 LTS
CPU
Core 2 Duo e7400 @ 2.90GHz
Motherboard
Gigabyte G31M-ES2L
Memory
3GB DDR2
Graphics Card(s)
Asus Nvidia GTX 560Ti 1GB
Sound Card
On-board
Monitor(s) Displays
HCL eZeeBee 18.5" LCD
Screen Resolution
1366x768 @ 60Hz
Hard Drives
Western Digital 320GB
PSU
Corsair CX500 V2 500W
Cooling
Stock
Keyboard
Stock
Mouse
Stock
Internet Speed
15-25kBps D/L | 10kBps U/L | Hey Don't laugh
> Well, it looks that way. Like I said, keep an eye on your system. Malware nowadays is pretty tricky, and even after apparent removal it's sometimes sitting in the background; it just changed its spots. Glad I could help, but keep doing regular scans, which is a good practice.

This, and also keep an eye on your start-up items. SysInternals Autoruns is a great program for it.
Autoruns for Windows
 

dorkpixie, if you use Firefox, there are various plug-ins that disallow cookies, such as CookieSafe, or you can set it to allow cookies for the session only.

If you use IE, you can set it to allow cookies only for the session and disallow 3rd-party cookies.

Also, you can set both to delete all cookies upon exit.
 

> Microsoft Security Essentials: did not find the infection
> MBam: did not find the infection
> AdAware: did not find the infection
> Norton 360: did not find the infection

This is rather interesting, as I had exactly the same registry key infected on my desktop a couple of weeks ago, but the infection was called "TASKMAN".

As with yourself, it was detected by SAS but went undetected by Avast & MBAM :confused:
 

My Computer

Computer Manufacturer/Model Number
Hewlett Packard Compaq Presario CQ60-305au
OS
Windows Seven Home Premium 32bit SP1
CPU
AMD Athlon QI46 2.1Ghz
Motherboard
Wistron 303c
Memory
2048 Mb DDR2 SD RAM
Graphics Card(s)
NVIDIA GeForce 8200M G / 256 MB dedicated graphics memory
Sound Card
MCP78S NVIDIA High Definition
Monitor(s) Displays
15.6" High definition Brightview Widescreen
Screen Resolution
1336x768
Hard Drives
Toshiba MK2555GSX ATA
> Nope...once it's in quarantine, it's been removed from the system use and placed in a safe folder.
>
> Now, if you delete that from quarantine and it shows up again, that's an indication that there is something in the system & it keeps getting put back in.


I will look into that too. Thank you!!
 

> dorkpixie, if you use Firefox, there are various plug-ins that disallow cookies, such as CookieSafe, or you can set it to allow cookies for the session only.
>
> If you use IE, you can set it to allow cookies only for the session and disallow 3rd-party cookies.
>
> Also, you can set both to delete all cookies upon exit.

Yes, I use these. The cookies were not my concern. They are always the same cookies, and I usually have very few. It's the malware I was most concerned with, and thank you for the ideas and help.
 

> Well, it looks that way. Like I said, keep an eye on your system. Malware nowadays is pretty tricky, and even after apparent removal it's sometimes sitting in the background; it just changed its spots. Glad I could help, but keep doing regular scans, which is a good practice.
>
> This, and also keep an eye on your start-up items. SysInternals Autoruns is a great program for it.
> Autoruns for Windows

I made a link to the program. Thank you very much!!
 

> Nope...once it's in quarantine, it's been removed from the system use and placed in a safe folder.
>
> Now, if you delete that from quarantine and it shows up again, that's an indication that there is something in the system & it keeps getting put back in.

As Borg 386 said, so long as it is in quarantine it is safe. But it would pay to create a new System Restore point or image in case it is needed, as restore points prior to quarantine may be infected.

If those restore points are infected the infection is contained within the restore point as if it were in quarantine so long as you don't restore to that point.

It would pay to keep them at the moment until you are sure your OS is stable as it is better to have an infected restore point you can revert to than none at all.

EDIT: I was reading one of your other threads, you may find this of interest for future security;

http://www.sevenforums.com/security...every-eight-attacks-came-via-usb-devices.html

Hope it is of some help, something that is often overlooked
 
Last edited:

> Nope...once it's in quarantine, it's been removed from the system use and placed in a safe folder.
>
> Now, if you delete that from quarantine and it shows up again, that's an indication that there is something in the system & it keeps getting put back in.
>
> As Borg 386 said, so long as it is in quarantine it is safe. But it would pay to create a new System Restore point or image in case it is needed, as restore points prior to quarantine may be infected.
>
> If those restore points are infected the infection is contained within the restore point as if it were in quarantine so long as you don't restore to that point.
>
> It would pay to keep them at the moment until you are sure your OS is stable as it is better to have an infected restore point you can revert to than none at all.
>
> EDIT: I was reading one of your other threads, you may find this of interest for future security;
>
> http://www.sevenforums.com/security...every-eight-attacks-came-via-usb-devices.html
>
> Hope it is of some help, something that is often overlooked

Thank you for this; I never auto run anything for obvious reasons.
 
