Reoccuring Rogue

[Richard]

The following two files are always identified as spyware every time I run

SUPERantispyware (free edition), which is several times a week. The program

then quarantines them and them removes them. Are these serious enough to

warrant further action and why do they keep coming back?

Rogue.PC-Cleaner

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[ {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for whatever advise you can provide.G

 

[Malke]

Richard wrote:

<span style="color:blue">

> The following two files are always identified as spyware every time I run

> SUPERantispyware (free edition), which is several times a week. The

> program then quarantines them and them removes them. Are these serious

> enough to warrant further action and why do they keep coming back?

>

> Rogue.PC-Cleaner

></span>

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[<span style="color:blue">

> {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]

></span>

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt<span style="color:blue">

> [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for whatever

> advise you can provide.G</span>

You've got some sort of trojan. It is common for malware to respawn.

Obviously, your SuperAntispyware program isn't cleaning it. In all good

conscience, I can't recommend leaving a computer in an infected state.

You can run through my general malware removal steps but with the current

crop of malware there is a high probability that you'll need to get guided

help. I also should tell you that in many cases, you'll need to do a wipe

and clean-install of Windows to really get clean. So back up any important

data now.

http://www.elephantboycomputers.com/page2....emoving_Malware

When all else fails, get guided help. Choose one of the specialty forums

listed at the link above. Register and read its posting FAQ. You will

generally be asked to:

1. Download and execute HiJack This! (HJT) -

http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe; Format --> uncheck; "Word

wrap"

3. Download/run Deckard's System Scanner -

http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the

forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

Standard disclaimer: I can't see and test your computer myself, so these are

just suggestions based on many years of being a professional computer tech;

suggestions based on what you've written. You should not take my

suggestions as a definitive diagnosis. If you can't do the work yourself

(and there is no shame in admitting this isn't your cup of tea), take the

machine to a professional computer repair shop (not your local equivalent

of BigComputerStore/GeekSquad). Please be aware that not all local shops

are skilled at removing malware and even if they are, your computer may be

so infested that Windows will need to be clean-installed. If possible, have

all your data backed up before you take the machine into a shop.

Malke

--

MS-MVP

Elephant Boy Computers

www.elephantboycomputers.com

Don't Panic!

 

[David H. Lipman]

From: "Richard" <Richard@sailaway.com>

| The following two files are always identified as spyware every time I run

| SUPERantispyware (free edition), which is several times a week. The program

| then quarantines them and them removes them. Are these serious enough to

| warrant further action and why do they keep coming back?

|

| Rogue.PC-Cleaner

| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[

| {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]

| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [

| {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for whatever advise you can

| provide.G

What files ? You haven't identified any files.

What you ahve identified are two HKLM Registry loading points in ShellServiceObjectDelayLoad

(SSODL)

They keep coming back because SAS is not catching all aspects of the malware you are

infected with.

BVased upon what Malke provided you, post the contents of Main.txt and Extra.txt in a post

in one of the below expert forums...

{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner

Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:

http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:

http://www.bleepingcomputer.com/forums/forum22.html

http://castlecops.com/forum67.html

http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:

http://www.dslreports.com/forum/cleanup

http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

http://www.atribune.org/forums/index.php?showforum=9

http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html

http://gladiator-antivirus.com/forum/index.php?showforum=170

http://forum.networktechs.com/forumdisplay.php?f=130

http://forums.maddoktor2.com/index.php?showforum=17

http://www.spywarewarrior.com/viewforum.php?f=5

http://forums.spywareinfo.com/index.php?showforum=18

http://forums.techguy.org/f54-s.html

http://forums.tomcoyote.org/index.php?showforum=27

http://forums.subratam.org/index.php?showforum=7

http://www.5starsupport.com/ipboard/index.php?showforum=18

http://aumha.net/viewforum.php?f=30

http://makephpbb.com/phpbb/viewforum.php?f=2

http://forums.techguy.org/54-security/

http://forums.security-central.us/forumdisplay.php?f=13

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 

[Lon]

Is the second Reg value one of the various Netsky malware signatures?

Both are malware signatures, where googling for removal tools by name

brand vendors might work... but since the two malwares are

unrelated, it may be time to grab the media and format.

See if Spybot Search and Destroy can spot the file locations and remove,

then reboot and recheck. If they keep coming back, format keeps looking

better.

David H. Lipman wrote:<span style="color:blue">

> From: "Richard" <Richard@sailaway.com>

>

> | The following two files are always identified as spyware every time I run

> | SUPERantispyware (free edition), which is several times a week. The program

> | then quarantines them and them removes them. Are these serious enough to

> | warrant further action and why do they keep coming back?

> |

> | Rogue.PC-Cleaner

> | HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad#wdpoefan[

> | {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]

> | HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad#vadokmxt [

> | {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for whatever advise you can

> | provide.G

>

> What files ? You haven't identified any files.

> What you ahve identified are two HKLM Registry loading points in ShellServiceObjectDelayLoad

> (SSODL)

>

> They keep coming back because SAS is not catching all aspects of the malware you are

> infected with.

>

> BVased upon what Malke provided you, post the contents of Main.txt and Extra.txt in a post

> in one of the below expert forums...

>

>

> { Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

>

> Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner

> Logs.

>

> NOTE: Registration is REQUIRED in any of the below before posting a log

>

> Suggested primary:

> http://www.thespykiller.co.uk/index.php?board=3.0

>

> Suggested secondary:

> http://www.bleepingcomputer.com/forums/forum22.html

> http://castlecops.com/forum67.html

> http://www.malwarebytes.org/forums/index.php?showforum=7

>

> Suggested tertiary:

> http://www.dslreports.com/forum/cleanup

> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

> http://www.atribune.org/forums/index.php?showforum=9

> http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html

> http://gladiator-antivirus.com/forum/index.php?showforum=170

> http://forum.networktechs.com/forumdisplay.php?f=130

> http://forums.maddoktor2.com/index.php?showforum=17

> http://www.spywarewarrior.com/viewforum.php?f=5

> http://forums.spywareinfo.com/index.php?showforum=18

> http://forums.techguy.org/f54-s.html

> http://forums.tomcoyote.org/index.php?showforum=27

> http://forums.subratam.org/index.php?showforum=7

> http://www.5starsupport.com/ipboard/index.php?showforum=18

> http://aumha.net/viewforum.php?f=30

> http://makephpbb.com/phpbb/viewforum.php?f=2

> http://forums.techguy.org/54-security/

> http://forums.security-central.us/forumdisplay.php?f=13

> </span>

 

[jen]

"Richard" <Richard@sailaway.com> wrote in message

news:uXeBWepvIHA.1240@TK2MSFTNGP02.phx.gbl...<span style="color:blue">

> The following two files are always identified as spyware every time I

> run SUPERantispyware (free edition), which is several times a week.

> The program then quarantines them and them removes them. Are these

> serious enough to warrant further action and why do they keep coming

> back?

>

> Rogue.PC-Cleaner

> HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad#wdpoefan[

> {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]

> HKLMSoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad#vadokmxt

> [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for

> whatever advise you can provide.G

></span>

This is an undesirable program:

wdpoefan.dll

dentified as a variant of the Adware.Agent malware.

http://www.bleepingcomputer.com/startups/wdpoefan-22773.html

This is an undesirable program:

vadokmxt.dll

Identified as a variant of the Adware.Agent malware

http://www.bleepingcomputer.com/startups/vadokmxt-22772.html

-jen