Reoccuring Rogue

Home | NewsGroups | Search | About

microsoft.public.security.virus

get this group's latest topics as an RSS feed

add this group's latest topics to your My MSN content

add this group's latest topics to your My Yahoo content

Subject

Author

Date

Reoccuring Rogue

Richard

05-25-2008

Malke

David H. Lipman

Lon

jen

Posted by Richard on May 25, 2008, 2:46 pm

Please log in for more thread options

The following two files are always identified as spyware every time I run
SUPERantispyware (free edition), which is several times a week. The program
then quarantines them and them removes them. Are these serious enough to
warrant further action and why do they keep coming back?

Rogue.PC-Cleaner
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[
]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt
[ ]Thanks very much for whatever advise
you can provide.G

Posted by Malke on May 25, 2008, 3:32 pm

Please log in for more thread options

Richard wrote:

> The following two files are always identified as spyware every time I run

> SUPERantispyware (free edition), which is several times a week. The

> program then quarantines them and them removes them. Are these serious

> enough to warrant further action and why do they keep coming back?

> Rogue.PC-Cleaner

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[

> ]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt

> [ ]Thanks very much for whatever

> advise you can provide.G

You've got some sort of trojan. It is common for malware to respawn.
Obviously, your SuperAntispyware program isn't cleaning it. In all good
conscience, I can't recommend leaving a computer in an infected state.

You can run through my general malware removal steps but with the current
crop of malware there is a high probability that you'll need to get guided
help. I also should tell you that in many cases, you'll need to do a wipe
and clean-install of Windows to really get clean. So back up any important
data now.

http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, get guided help. Choose one of the specialty forums
listed at the link above. Register and read its posting FAQ. You will
generally be asked to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe; Format --> uncheck; "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

Standard disclaimer: I can't see and test your computer myself, so these are
just suggestions based on many years of being a professional computer tech;
suggestions based on what you've written. You should not take my
suggestions as a definitive diagnosis. If you can't do the work yourself
(and there is no shame in admitting this isn't your cup of tea), take the
machine to a professional computer repair shop (not your local equivalent
of BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may be
so infested that Windows will need to be clean-installed. If possible, have
all your data backed up before you take the machine into a shop.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

Posted by David H. Lipman on May 25, 2008, 5:37 pm

Please log in for more thread options

| The following two files are always identified as spyware every time I run
| SUPERantispyware (free edition), which is several times a week. The program
| then quarantines them and them removes them. Are these serious enough to
| warrant further action and why do they keep coming back?
|
| Rogue.PC-Cleaner
|
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[
| ]
|
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt
[
| ]Thanks very much for whatever advise
you can
| provide.G

What files ? You haven't identified any files.
What you ahve identified are two HKLM Registry loading points in
ShellServiceObjectDelayLoad
(SSODL)

They keep coming back because SAS is not catching all aspects of the malware you
are
infected with.

BVased upon what Malke provided you, post the contents of Main.txt and Extra.txt
in a post
in one of the below expert forums...

{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's
System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Posted by Lon on May 25, 2008, 8:31 pm

Please log in for more thread options

Is the second Reg value one of the various Netsky malware signatures?

Both are malware signatures, where googling for removal tools by name
brand vendors might work... but since the two malwares are
unrelated, it may be time to grab the media and format.

See if Spybot Search and Destroy can spot the file locations and remove,
then reboot and recheck. If they keep coming back, format keeps looking
better.

David H. Lipman wrote:

> | The following two files are always identified as spyware every time I run

> | SUPERantispyware (free edition), which is several times a week. The program

> | then quarantines them and them removes them. Are these serious enough to

> | warrant further action and why do they keep coming back?

> |

> | Rogue.PC-Cleaner

> |

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[

> | ]

> |

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt
[

> | ]Thanks very much for whatever advise

you can

> | provide.G

> What files ? You haven't identified any files.

> What you ahve identified are two HKLM Registry loading points in

ShellServiceObjectDelayLoad

> (SSODL)

> They keep coming back because SAS is not catching all aspects of the malware

you are

> infected with.

> BVased upon what Malke provided you, post the contents of Main.txt and

Extra.txt in a post

> in one of the below expert forums...

> { Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

> Forums where you can get expert advice for HiJack This! (HJT) and Deckard's

System Scanner

> Logs.

> NOTE: Registration is REQUIRED in any of the below before posting a log

> Suggested primary:

> http://www.thespykiller.co.uk/index.php?board=3.0

> Suggested secondary:

> http://www.bleepingcomputer.com/forums/forum22.html

> http://castlecops.com/forum67.html

> http://www.malwarebytes.org/forums/index.php?showforum=7

> Suggested tertiary:

> http://www.dslreports.com/forum/cleanup

> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

> http://www.atribune.org/forums/index.php?showforum=9

> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html

> http://gladiator-antivirus.com/forum/index.php?showforum=170

> http://forum.networktechs.com/forumdisplay.php?f=130

> http://forums.maddoktor2.com/index.php?showforum=17

> http://www.spywarewarrior.com/viewforum.php?f=5

> http://forums.spywareinfo.com/index.php?showforum=18

> http://forums.techguy.org/f54-s.html

> http://forums.tomcoyote.org/index.php?showforum=27

> http://forums.subratam.org/index.php?showforum=7

> http://www.5starsupport.com/ipboard/index.php?showforum=18

> http://aumha.net/viewforum.php?f=30

> http://makephpbb.com/phpbb/viewforum.php?f=2

> http://forums.techguy.org/54-security/

> http://forums.security-central.us/forumdisplay.php?f=13

Posted by jen on May 25, 2008, 9:13 pm

Please log in for more thread options

> The following two files are always identified as spyware every time I

> run SUPERantispyware (free edition), which is several times a week.

> The program then quarantines them and them removes them. Are these

> serious enough to warrant further action and why do they keep coming

> back?

> Rogue.PC-Cleaner

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[

> ]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt

> [ ]Thanks very much for

> whatever advise you can provide.G

This is an undesirable program:
wdpoefan.dll
dentified as a variant of the Adware.Agent malware.
http://www.bleepingcomputer.com/startups/wdpoefan-22773.html

This is an undesirable program:
vadokmxt.dll
Identified as a variant of the Adware.Agent malware
http://www.bleepingcomputer.com/startups/vadokmxt-22772.html

-jen

Similar Threads	Posted
New Zlob Rogue: VirusRay	October 23, 2007, 3:18 pm

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML Sitemap

XML Sitemap