
Another request to analyze scan results, and "SDcleaner.exe"



Laugesen
2013-06-07, 20:34
(Apologies if this is redundant to other posts, several of which I have read)
1. Using the current Spybot download I noted the log indicated several entries "Unable to store downloaded update information". Should I be concerned?

2. In any case, I ran a quick scan and then for thoroughness a deep scan. As other threads relate, my scan also found numerous "unknown ADS" and "no admin In ACL", most of which I suspect are harmless. But how to really know? Here is the log of the deep scan (evidently, since another log is labeled "quick scan" and detected no hidden files):

info: Rootkit removal help file
// copyright: (c) 2008-2013 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Windows\PLA\System\System Diagnostics.xml: 0v1ieca3Feahez0jAwxjjk5uRh:$DATA"
File:"Unknown ADS","C:\Users\Laugesen\Documents\Scanned Documents\Image.jpg: 3or4kl4x13tuuug3Byamue2s4b:$DATA"
File:"Unknown ADS","C:\Users\Laugesen\Documents\Scanned Documents\Welcome Scan.jpg: 3or4kl4x13tuuug3Byamue2s4b:$DATA"
File:"Unknown ADS","C:\Users\Laugesen\Documents\My Kindle Content\Aesops-Fables.azw:uidStream:$DATA"
File:"Unknown ADS","C:\Users\Laugesen\Documents\My Kindle Content\Pride-and-Prejudice.azw:uidStream:$DATA"
File:"Unknown ADS","C:\Users\Laugesen\Documents\My Kindle Content\Treasure-Island.azw:uidStream:$DATA"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Roaming\Dance"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DF237539BAD05437B9.TMP"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DF2CF089CEA0B3166D.TMP"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DF3AB340086BA708BD.TMP"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DF685A3CA25757A081.TMP"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DF8C1326D0DF88C477.TMP"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DF94FD956426C2A55C.TMP"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DFA36E38CF1EB038AA.TMP"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DFDE4169BBFFA5B407.TMP"
File:"No admin in ACL","C:\Users\Laugesen\AppData\Local\Temp\~DFF96E531FA9BE4898.TMP"
File:"No admin in ACL","C:\ProgramData\Desktop Pictures"
File:"No admin in ACL","C:\ProgramData\DirectoryService"
File:"No admin in ACL","C:\ProgramData\PKP_DLdw.DAT"
File:"No admin in ACL","C:\ProgramData\Ultima_T15\reg_configee.stn"
File:"No admin in ACL","C:\ProgramData\Microsoft\OFFICE\DATA"
File:"No admin in ACL","C:\ProgramData\EnterNHelp\hxeu.xxb"
File:"No admin in ACL","C:\ProgramData\Cisco Systems\Cisco Connect\Log\logfile.CiscoConnect_exe.txt"
File:"No admin in ACL","C:\ProgramData\Cisco Systems\Cisco Connect\Log\logfile.CiscoConnect_exe_1.txt"
File:"No admin in ACL","C:\ProgramData\Cisco Systems\Cisco Connect\Log\logfile.CiscoConnect_exe_2.txt"
File:"No admin in ACL","C:\ProgramData\Cisco Systems\Cisco Connect\Log\logfile.CiscoConnect_exe_4.txt"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\4cf6fa99f6fa828e.dat:66953f6e-68cb-4364-bfab-2a3f7467e05d:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\c8e09fd9e09fcbd6.dat:94c81a2a-1946-416f-9c6d-b32d0ad6720a:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\c8e09fd9e09fcbd6.dat:f0293248-5c94-4931-9ab6-7f2d2dfcf723:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\dc6ac3fd6ac3d306.dat:8592fc7d-2134-4176-840d-2811329c0124:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\fa2001c02001853b.dat:014f0012-4404-494e-a6bc-f224d933fa3f:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\fa8667cd866788c9.dat:502cb465-6cd0-4243-99af-861307014b44:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\fa8667cd866788c9.dat:f835ac59-0910-4040-9912-6f3fb1d58a79:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\fc5e74c55e747a6a.dat:032f3233-5bbf-410b-bc41-ef499bb60c4d:$DATA"
File:"Unknown ADS","C:\ProgramData\AVG2013\chjw\fc5e74c55e747a6a.dat:121f9e6c-949d-4c04-bd17-bd1606806b5c:$DATA"
File:"Unknown ADS","C:\PerfLogs\System\Diagnostics\LAUGESENLAPTOP_20111122-000001\report.xml: Qgrg2rf1Znaluncm1kfl1xla5h:$DATA"


3. Here's another log, in part, concluding "fixing failed"--that can't be good?

Report generated: 2013-06-01 11:37 ---

7FaSSt: [SBI $A356ED68] Interface (Registry key, fixing failed)
HKEY_CLASSES_ROOT\Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}

7FaSSt: [SBI $A356ED68] Interface (Registry key, fixing failed)
HKEY_CLASSES_ROOT\Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}

7FaSSt: [SBI $4898F94D] Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}

7FaSSt: [SBI $4898F94D] Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}

7FaSSt: [SBI $B5EF44C2] IE toolbar (Registry value, fixing failed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{669695BC-A811-4A9D-8CDF-BA8C795F261C}

4. I downloaded the latest Spybot and ran the scans because it seems prudent to do, but primarily because I downloaded a browser backup program which installed a nuisance search toolbar, "Snap.do", which I cannot seem to block or remove, despite using Control Center to uninstall. Searching Spybot forums, I did see a relevant post by "Sandra" of "Team Spybot" on 4/19/13, wherein she instructed to "open the SDCleaner.exe". Where exactly is that file?

THANK YOU!

spybotsandra
2013-06-12, 15:34
Hello,

1. Which log do you mean exactly that is reporting this?
"Unable to store downloaded update information"
So you got an error message at updating?
Please report in a little more detail.

2. The RootAlyzer log looks OK.
Just some jpeg, kindle, cisco, avg and temp files.

Malware sometimes uses rootkit technology to hide itself at system level.
This makes it undetectable by standard tools. Our plugins help Spybot – Search & Destroy to detect this form of malware.
Our Rootkit Scanner tool shows anything that uses certain rootkit technologies. But items with rootkit properties detected here are not necessarily malware. Sometimes, legit software uses rootkit technologies to hide registration data or other things it does not want the user to see in any case. So please keep in mind that the Rootkit Scanner only flags suspicious stuff; it does not identify just bad stuff.

If you get ‘No admin in ACL’, these threads in our forum should help explain:
Unknown ADS and no Admin in ACL what is good and what is bad??? (http://forums.spybot.info/showthread.php?t=27446) and Unknown ADS (http://forums.spybot.info/showthread.php?t=68086).

The deletion is final and cannot be recovered through the Quarantine.
If you still want to remove the found items it is strongly recommended to create a system restore point (http://windows.microsoft.com/en-US/windows-vista/System-Restore-frequently-asked-questions) before doing that.

3. Did you open Spybot with a right click and choose "run as administrator" (http://www.safer-networking.org/faq/how-can-i-get-administrator-rights-under-windows-vista7/)?

Best regards
Sandra
Team Spybot
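Sandra's answer explains that RootAlyzer flags two conditions without judging them: a file carrying an NTFS alternate data stream other than its main content ("Unknown ADS") and an object whose ACL contains no entry for the built-in Administrators group ("No admin in ACL"). The PowerShell script below is an added triage helper, not code from the thread, from Spybot or from RootAlyzer: it takes paths of the kind the log lists, shows the owner and principals on each object's ACL, enumerates the alternate streams on files and prints a short preview of each stream so an ordinary Kindle `uidStream` or AVG GUID stream is recognisable at a glance. The function name `Get-RootAlyzerTriage` and the three sample paths are assumptions; it only reads and reports, it removes nothing, so it fits in before the restore point and deletion Sandra describes. Requires Windows PowerShell 3.0 or later.

```powershell
# Added triage helper for RootAlyzer "Unknown ADS" / "No admin in ACL" entries.
# Not Spybot or RootAlyzer code; it reads and reports only and changes nothing.
# Needs Windows PowerShell 3.0+ (Get-Item/Get-Content -Stream). The sample
# paths at the bottom are assumptions modelled on the log above; replace them
# with entries from your own RootAlyzer output.

function Get-RootAlyzerTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    process {
        if (-not (Test-Path -LiteralPath $Path)) {
            Write-Warning "Not found: $Path"
            return
        }
        $isDir = Test-Path -LiteralPath $Path -PathType Container
        $kind  = if ($isDir) { 'Directory' } else { 'File' }

        # ACL part: "No admin in ACL" means BUILTIN\Administrators has no access
        # control entry on the object. Listing the owner and every principal that
        # does hold an ACE shows whether that is just the user/SYSTEM (typical for
        # per-user temp files and ProgramData subfolders) or something unexpected.
        $acl      = Get-Acl -LiteralPath $Path
        $adminAce = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Administrators'
        }
        $principals = $acl.Access |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
        [pscustomobject]@{
            Path       = $Path
            Kind       = $kind
            Owner      = $acl.Owner
            AdminInAcl = [bool]$adminAce
            Principals = ($principals -join ', ')
        }

        # ADS part: enumerate NTFS streams on files. ':$DATA' is the ordinary
        # file content; every other stream is an alternate data stream, which is
        # what RootAlyzer reports as "Unknown ADS".
        if (-not $isDir) {
            Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Short preview so text payloads (GUIDs, ids, XML) are obvious;
                    # non-printable bytes are shown as dots.
                    $raw = Get-Content -LiteralPath $Path -Stream $_.Stream -Raw `
                        -ErrorAction SilentlyContinue
                    $preview = ''
                    if ($raw) {
                        $cut     = $raw.Substring(0, [Math]::Min(48, $raw.Length))
                        $preview = $cut -replace '[^\x20-\x7E]', '.'
                    }
                    [pscustomobject]@{
                        Path    = $Path
                        Stream  = $_.Stream
                        Bytes   = $_.Length
                        Preview = $preview
                    }
                }
        }
    }
}

# Assumed sample input: paths shaped like the RootAlyzer lines in the thread.
$samplePaths = @(
    "$env:USERPROFILE\Documents\Scanned Documents\Image.jpg",
    "$env:LOCALAPPDATA\Temp",
    "$env:ProgramData\Desktop Pictures"
)
$samplePaths | Get-RootAlyzerTriage | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so `Get-Acl` can read objects the current user does not own; the first table shows the ACL summary per path and the second lists any alternate streams with their size and preview. A stream whose preview is a single GUID or a vendor id under a known product folder matches the "jpeg, kindle, cisco, avg and temp files" Sandra describes, whereas an executable-sized stream on an unrelated file is the kind of entry worth looking into before deciding anything about removal.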