8 Replies Latest reply: Sep 3, 2013 10:26 AM by iceprincess

    WScript.exe reading index.dat

    iceprincess

      Sorry, this may be in the wrong section (I apologize if so) & I also apologize that this seems like a re-post, as someone had one here ==> https://community.mcafee.com/thread/20485

       

      However, it went unanswered for roughly 4 years and I've recently been experiencing it.

      I downloaded the Process Monitor as someone suggested from that thread, but I haven't installed it yet. Should I proceed?

        • 1. Re: WScript.exe reading index.dat
          Peacekeeper

          What product do you have? That link aims at an enterprise issue.

          • 2. Re: WScript.exe reading index.dat
            iceprincess

            My apologies, this is indeed the wrong section. When I tried creating a new thread (from that enterprise issue link), it seems to have directed me here in Endpoint Security...

             

            Can you please move this to the proper section?

            I have VSE 8.8, and this was meant to be posted in VSE/Discussions

            • 3. Re: WScript.exe reading index.dat
              Peacekeeper

              Done. Good luck

              • 4. Re: WScript.exe reading index.dat
                iceprincess

                Thank you very much Peacekeeper.

                 

                 

                I don't know if this helps, but I downloaded a bunch of programs and ran tests with McAfee disabled. (Malwarebytes, RogueKiller, AdwCleaner, Kaspersky Virus Tool, McShield 2)

                 

                I deleted logs for Malwarebytes' Anti-Malware, but I remember it cleaning something like pup.optional.opencandy., and then 2nd time was clean.

                I also deleted some AdwCleaner logs, but I've kept the most recent ones.

                And then the logs for RogueKiller (I deleted one before the date below, which had the most results)

                 

                McShield 2 (for USB just in case) and Kaspersky were clean results.

                 

                --------------------------------------------------------------------------------

                 

                # AdwCleaner v3.002 - Report created 01/09/2013 at 23:53:44

                # Updated 01/09/2013 by Xplode

                # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

                # Username : Name - MY-PC

                # Running from : I:\Programs\AdwCleaner.exe

                # Option : Scan

                 

                ***** [ Services ] *****

                 

                 

                ***** [ Files / Folders ] *****

                 

                 

                ***** [ Shortcuts ] *****

                 

                 

                ***** [ Registry ] *****

                 

                Key Found : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}

                Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

                Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}

                Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

                Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}

                Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

                Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

                 

                ***** [ Browsers ] *****

                 

                -\\ Internet Explorer v9.0.8112.16502

                 

                 

                -\\ Mozilla Firefox v24.0 (en-US)

                 

                [ File : C:\Users\Name\AppData\Roaming\Mozilla\Firefox\Profiles\hjzp1l4i.default\prefs.js ]

                 

                 

                -\\ Google Chrome v29.0.1547.62

                 

                [ File : C:\Users\Name\AppData\Local\Google\Chrome\User Data\Default\preferences ]

                 

                 

                *************************

                 

                AdwCleaner[R15].txt - [1435 octets] - [01/09/2013 23:53:44]

                 

                ########## EOF - C:\AdwCleaner\AdwCleaner[R15].txt - [1496 octets] ##########

                 

                 

                 

                ==================================================================

                 

                 

                 

                 

                RogueKiller V8.6.7 _x64_ [Aug 28 2013] by Tigzy

                mail : tigzyRK<at>gmail<dot>com

                Feedback : http://www.adlice.com/forum/

                Website : http://www.adlice.com/softwares/roguekiller/

                Blog : http://tigzyrk.blogspot.com/

                 

                Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

                Started in : Normal mode

                User : Name [Admin rights]

                Mode : Scan -- Date : 09/02/2013 00:03:17

                | ARK || FAK || MBR |

                 

                ¤¤¤ Bad processes : 0 ¤¤¤

                 

                ¤¤¤ Registry Entries : 12 ¤¤¤

                [SERVICE][ROGUE ST] HKLM\[...]\CCSet\[...]\Services : 81321771 (C:\Windows\system32\DRIVERS\81321771.sys [7]) -> FOUND

                [SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : 81321771 (C:\Windows\system32\DRIVERS\81321771.sys [7]) -> FOUND

                [SERVICE][ROGUE ST] HKLM\[...]\CS002\[...]\Services : 81321771 (C:\Windows\system32\DRIVERS\81321771.sys [7]) -> FOUND

                [PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (localhost:21320) -> FOUND

                [HJ POL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND

                [HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

                [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableTaskMgr (0) -> FOUND

                [HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> FOUND

                [HJ SMENU] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND

                [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

                [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

                [SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Windows\GPHOTO~1.SCR [7]) -> FOUND

                 

                ¤¤¤ Scheduled tasks : 0 ¤¤¤

                 

                ¤¤¤ Startup Entries : 1 ¤¤¤

                [Name][SUSP PATH] _uninst_81321771.lnk : C:\Users\Name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_81321771.lnk @C:\Users\Name\AppData\Local\Temp\_uninst_81321771.bat [-][x] -> FOUND

                 

                ¤¤¤ Web browsers : 0 ¤¤¤

                 

                ¤¤¤ Particular Files / Folders: ¤¤¤

                 

                ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

                 

                ¤¤¤ External Hives: ¤¤¤

                 

                ¤¤¤ Infection :  ¤¤¤

                 

                ¤¤¤ HOSTS File: ¤¤¤

                --> %SystemRoot%\System32\drivers\etc\hosts

                 

                 


                [...]

                 

                 

                ¤¤¤ MBR Check: ¤¤¤

                 

                +++++ PhysicalDrive0: TOSHIBA MK1059GSMP +++++

                --- User ---

                [MBR] d81af62b84f9232e26b3397e63b35666

                [BSP] 068733cfa271e4162a8c576d679718bc : Windows 7/8 MBR Code

                Partition table:

                0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 18432 Mo

                1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 37750784 | Size: 100 Mo

                2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 37955584 | Size: 935335 Mo

                User = LL1 ... OK!

                User = LL2 ... OK!

                 

                +++++ PhysicalDrive1: TOSHIBA MK1059GSMP +++++

                --- User ---

                [MBR] 55bfb0d64d58c600780bcb3ae3caef06

                [BSP] 5f18ed01b81868c390d22c4e87f96de6 : MBR Code unknown

                Partition table:

                0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 30543 Mo

                User = LL1 ... OK!

                Error reading LL2 ... OK!

                 

                Finished : << RKreport[0]_S_09022013_000317.txt >>

                 

                --------------------------------------------------------------------------------

                 

                RogueKiller V8.6.8 _x64_ [Sep  2 2013] by Tigzy

                mail : tigzyRK<at>gmail<dot>com

                Feedback : http://www.adlice.com/forum/

                Website : http://www.adlice.com/softwares/roguekiller/

                Blog : http://tigzyrk.blogspot.com/

                 

                Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

                Started in : Safe mode with network support

                User : Name [Admin rights]

                Mode : Scan -- Date : 09/02/2013 15:56:46

                | ARK || FAK || MBR |

                 

                ¤¤¤ Bad processes : 0 ¤¤¤

                 

                ¤¤¤ Registry Entries : 4 ¤¤¤

                [SERVICE][ROGUE ST] HKLM\[...]\CCSet\[...]\Services : 00447832 (C:\Windows\system32\DRIVERS\00447832.sys [7]) -> FOUND

                [SERVICE][ROGUE ST] HKLM\[...]\CS001\[...]\Services : 00447832 (C:\Windows\system32\DRIVERS\00447832.sys [7]) -> FOUND

                [SERVICE][ROGUE ST] HKLM\[...]\CS002\[...]\Services : 00447832 (C:\Windows\system32\DRIVERS\00447832.sys [7]) -> FOUND

                [SCREENSVR][SUSP PATH] HKCU\[...]\Desktop : SCRNSAVE.EXE (C:\Windows\GPHOTO~1.SCR [7]) -> FOUND

                 

                ¤¤¤ Scheduled tasks : 0 ¤¤¤

                 

                ¤¤¤ Startup Entries : 0 ¤¤¤

                 

                ¤¤¤ Web browsers : 0 ¤¤¤

                 

                ¤¤¤ Particular Files / Folders: ¤¤¤

                 

                ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

                 

                ¤¤¤ External Hives: ¤¤¤

                 

                ¤¤¤ Infection :  ¤¤¤

                 

                 

                The rest of the log is the same as 1st one, so, I cut it short.

                I hope this info helps.

                 

                Message was edited by: iceprincess on 9/2/13 6:51:49 PM CDT
                • 5. Re: WScript.exe reading index.dat
                  Peacekeeper

                  BTW we mods are consumer moderators; we do not know the enterprise products and only move posts there so enterprise users and McAfee staff can assist you. Good luck

                   

                  Oh, does or rather did your hosts file have all those sites in it? If so, maybe a default hosts file needs to be loaded.

                   

                  Message was edited by: Peacekeeper on 3/09/13 11:28:00 AM
                  • 6. Re: WScript.exe reading index.dat
                    iceprincess

                    Yup, those were added by Spybot S&D

                    • 7. Re: WScript.exe reading index.dat
                      Peacekeeper

                      Ah ok, thanks

                      • 8. Re: WScript.exe reading index.dat
                        iceprincess

                        Peacekeeper wrote:

                         

                        BTW we mods are consumer moderators; we do not know the enterprise products and only move posts there so enterprise users and McAfee staff can assist you. Good luck

                         

                        Okay, thanks. I'll wait and see if there's anyone that will help. Hopefully it won't end up like the previous thread, 4 years and no real answer.