Guest Richard
Posted May 25, 2008

The following two files are always identified as spyware every time I run SUPERantispyware (free edition), which is several times a week. The program then quarantines them and then removes them. Are these serious enough to warrant further action and why do they keep coming back?

Rogue.PC-Cleaner
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan [ {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]

Thanks very much for whatever advice you can provide.
G

Guest Malke
Posted May 25, 2008

Richard wrote:
> The following two files are always identified as spyware every time I run
> SUPERantispyware (free edition), which is several times a week. The
> program then quarantines them and then removes them. Are these serious
> enough to warrant further action and why do they keep coming back?
>
> Rogue.PC-Cleaner
> HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan [ {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
> HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]
>
> Thanks very much for whatever advice you can provide.
> G

You've got some sort of trojan. It is common for malware to respawn. Obviously, your SuperAntispyware program isn't cleaning it. In all good conscience, I can't recommend leaving a computer in an infected state. You can run through my general malware removal steps but with the current crop of malware there is a high probability that you'll need to get guided help. I also should tell you that in many cases, you'll need to do a wipe and clean-install of Windows to really get clean. So back up any important data now.

http://www.elephantboycomputers.com/page2....emoving_Malware

When all else fails, get guided help. Choose one of the specialty forums listed at the link above. Register and read its posting FAQ. You will generally be asked to:

1. Download and execute HiJack This! (HJT) - http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe
2. Disable Notepad's word wrap - In Notepad.exe; Format --> uncheck; "Word wrap"
3. Download/run Deckard's System Scanner - http://www.techsupportforum.com/sectools/Deckard/dss.exe
4. Save the scan results (Main.txt and Extra.txt)
5. And then post the contents of Main.txt and Extra.txt in your post at the forum you chose.

DO NOT POST LOGS IN THE MS NEWSGROUPS.

Standard disclaimer: I can't see and test your computer myself, so these are just suggestions based on many years of being a professional computer tech; suggestions based on what you've written. You should not take my suggestions as a definitive diagnosis. If you can't do the work yourself (and there is no shame in admitting this isn't your cup of tea), take the machine to a professional computer repair shop (not your local equivalent of BigComputerStore/GeekSquad). Please be aware that not all local shops are skilled at removing malware and even if they are, your computer may be so infested that Windows will need to be clean-installed. If possible, have all your data backed up before you take the machine into a shop.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

Guest David H. Lipman
Posted May 25, 2008

From: "Richard" <Richard@sailaway.com>

| The following two files are always identified as spyware every time I run
| SUPERantispyware (free edition), which is several times a week. The program
| then quarantines them and then removes them. Are these serious enough to
| warrant further action and why do they keep coming back?
|
| Rogue.PC-Cleaner
| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan [ {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]
|
| Thanks very much for whatever advice you can provide.
| G

What files ? You haven't identified any files.
What you have identified are two HKLM Registry loading points in ShellServiceObjectDelayLoad (SSODL).

They keep coming back because SAS is not catching all aspects of the malware you are infected with.

Based upon what Malke provided you, post the contents of Main.txt and Extra.txt in a post in one of the below expert forums...

{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Lon
Posted May 26, 2008

Is the second Reg value one of the various Netsky malware signatures?

Both are malware signatures, where googling for removal tools by name brand vendors might work... but since the two malwares are unrelated, it may be time to grab the media and format.

See if Spybot Search and Destroy can spot the file locations and remove, then reboot and recheck. If they keep coming back, format keeps looking better.

David H. Lipman wrote:
> From: "Richard" <Richard@sailaway.com>
>
> | The following two files are always identified as spyware every time I run
> | SUPERantispyware (free edition), which is several times a week. The program
> | then quarantines them and then removes them. Are these serious enough to
> | warrant further action and why do they keep coming back?
> |
> | Rogue.PC-Cleaner
> | HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan [ {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
> | HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]
> |
> | Thanks very much for whatever advice you can provide.
> | G
>
> What files ? You haven't identified any files.
> What you have identified are two HKLM Registry loading points in ShellServiceObjectDelayLoad
> (SSODL).
>
> They keep coming back because SAS is not catching all aspects of the malware you are
> infected with.
>
> Based upon what Malke provided you, post the contents of Main.txt and Extra.txt in a post
> in one of the below expert forums...
>
> { Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }
>
> Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
> Logs.
>
> NOTE: Registration is REQUIRED in any of the below before posting a log
>
> Suggested primary:
> http://www.thespykiller.co.uk/index.php?board=3.0
>
> Suggested secondary:
> http://www.bleepingcomputer.com/forums/forum22.html
> http://castlecops.com/forum67.html
> http://www.malwarebytes.org/forums/index.php?showforum=7
>
> Suggested tertiary:
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
> http://www.atribune.org/forums/index.php?showforum=9
> http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
> http://gladiator-antivirus.com/forum/index.php?showforum=170
> http://forum.networktechs.com/forumdisplay.php?f=130
> http://forums.maddoktor2.com/index.php?showforum=17
> http://www.spywarewarrior.com/viewforum.php?f=5
> http://forums.spywareinfo.com/index.php?showforum=18
> http://forums.techguy.org/f54-s.html
> http://forums.tomcoyote.org/index.php?showforum=27
> http://forums.subratam.org/index.php?showforum=7
> http://www.5starsupport.com/ipboard/index.php?showforum=18
> http://aumha.net/viewforum.php?f=30
> http://makephpbb.com/phpbb/viewforum.php?f=2
> http://forums.techguy.org/54-security/
> http://forums.security-central.us/forumdisplay.php?f=13

Guest jen
Posted May 26, 2008

"Richard" <Richard@sailaway.com> wrote in message news:uXeBWepvIHA.1240@TK2MSFTNGP02.phx.gbl...
> The following two files are always identified as spyware every time I
> run SUPERantispyware (free edition), which is several times a week.
> The program then quarantines them and then removes them. Are these
> serious enough to warrant further action and why do they keep coming
> back?
>
> Rogue.PC-Cleaner
> HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan [ {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
> HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]
>
> Thanks very much for whatever advice you can provide.
> G

This is an undesirable program: wdpoefan.dll
Identified as a variant of the Adware.Agent malware.
http://www.bleepingcomputer.com/startups/wdpoefan-22773.html

This is an undesirable program: vadokmxt.dll
Identified as a variant of the Adware.Agent malware
http://www.bleepingcomputer.com/startups/vadokmxt-22772.html

-jen

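Added example, not part of the original thread or any poster's code: the scanner hits above are SSODL registry values whose data is a CLSID, and the DLL the shell actually loads sits under that CLSID's InprocServer32 key, so this Python sketch resolves each non-stock SSODL value in a registry export to its DLL. The baseline name list, the DLL path and the sample export are assumptions constructed for illustration; only the two flagged value names and CLSIDs come from the thread.

```python
import re

SSODL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
# Assumption: SSODL value names present on a stock Windows XP install; adjust per build.
BASELINE = {"postbootreminder", "cdburn", "webcheck", "systray"}

# Constructed sample in regedit export format. The two flagged value names and
# CLSIDs are the ones quoted in the thread; the DLL path is illustrative and
# the SysTray line stands in for a stock entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"wdpoefan"="{DE8062CC-89CB-463E-AF01-DA85DA065FC5}"
"vadokmxt"="{6F25D4C7-E549-4E97-9B0C-5A3143E59960}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DE8062CC-89CB-463E-AF01-DA85DA065FC5}\InprocServer32]
@="C:\\WINDOWS\\system32\\wdpoefan.dll"
"ThreadingModel"="Apartment"
'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {KEY_PATH_UPPER: {value_name_lower: data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            # Undo .reg escaping (\\ -> \, \" -> ").
            current[name.lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def audit_ssodl(text):
    """Non-baseline SSODL values with the DLL their CLSID loads (None if unregistered)."""
    keys = parse_reg(text)
    findings = []
    for name, clsid in sorted(keys.get(SSODL.upper(), {}).items()):
        if name in BASELINE:
            continue
        inproc = f"{CLSID_ROOT}\\{clsid}\\InprocServer32".upper()
        findings.append((name, clsid, keys.get(inproc, {}).get("")))
    return findings

if __name__ == "__main__":
    for name, clsid, dll in audit_ssodl(SAMPLE_REG):
        print(f"{name:<10} {clsid} -> {dll or 'no InprocServer32 in export'}")
```

A real regedit export is usually UTF-16, so decode it before passing the text in. An entry that resolves to no DLL means the export did not include that CLSID key or the registration is already gone while the load point remains.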