Reoccuring Rogue

[Richard]

The following two files are always identified as spyware every time I run
SUPERantispyware (free edition), which is several times a week. The program
then quarantines them and them removes them. Are these serious enough to
warrant further action and why do they keep coming back?

Rogue.PC-Cleaner
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[ {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for whatever advise you can provide.G

 

[Malke]

Richard wrote:

> The following two files are always identified as spyware every time I run
> SUPERantispyware (free edition), which is several times a week. The
> program then quarantines them and them removes them. Are these serious
> enough to warrant further action and why do they keep coming back?
>
> Rogue.PC-Cleaner
>
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[
> {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
>
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt
> [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for whatever
> advise you can provide.G

You've got some sort of trojan. It is common for malware to respawn.
Obviously, your SuperAntispyware program isn't cleaning it. In all good
conscience, I can't recommend leaving a computer in an infected state.

You can run through my general malware removal steps but with the current
crop of malware there is a high probability that you'll need to get guided
help. I also should tell you that in many cases, you'll need to do a wipe
and clean-install of Windows to really get clean. So back up any important
data now.

http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, get guided help. Choose one of the specialty forums
listed at the link above. Register and read its posting FAQ. You will
generally be asked to:

1. Download and execute HiJack This! (HJT) -
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

2. Disable Notepad's word wrap - In Notepad.exe Format --> uncheck "Word
wrap"

3. Download/run Deckard's System Scanner -
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post at the
forum you chose. DO NOT POST LOGS IN THE MS NEWSGROUPS.

Standard disclaimer: I can't see and test your computer myself, so these are
just suggestions based on many years of being a professional computer tech
suggestions based on what you've written. You should not take my
suggestions as a definitive diagnosis. If you can't do the work yourself
(and there is no shame in admitting this isn't your cup of tea), take the
machine to a professional computer repair shop (not your local equivalent
of BigComputerStore/GeekSquad). Please be aware that not all local shops
are skilled at removing malware and even if they are, your computer may be
so infested that Windows will need to be clean-installed. If possible, have
all your data backed up before you take the machine into a shop.

Malke
--
MS-MVP
Elephant Boy Computers
www.elephantboycomputers.com
Don't Panic!

 

[David H. Lipman]

From: "Richard" <Richard@sailaway.com>

| The following two files are always identified as spyware every time I run
| SUPERantispyware (free edition), which is several times a week. The program
| then quarantines them and them removes them. Are these serious enough to
| warrant further action and why do they keep coming back?
|
| Rogue.PC-Cleaner
| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[
| {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [
| {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for whatever advise you can
| provide.G

What files ? You haven't identified any files.
What you ahve identified are two HKLM Registry loading points in ShellServiceObjectDelayLoad
(SSODL)

They keep coming back because SAS is not catching all aspects of the malware you are
infected with.

BVased upon what Malke provided you, post the contents of Main.txt and Extra.txt in a post
in one of the below expert forums...


{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 

[Lon]

Is the second Reg value one of the various Netsky malware signatures?

Both are malware signatures, where googling for removal tools by name
brand vendors might work... but since the two malwares are
unrelated, it may be time to grab the media and format.

See if Spybot Search and Destroy can spot the file locations and remove,
then reboot and recheck. If they keep coming back, format keeps looking
better.




David H. Lipman wrote:
> From: "Richard" <Richard@sailaway.com>
>
> | The following two files are always identified as spyware every time I run
> | SUPERantispyware (free edition), which is several times a week. The program
> | then quarantines them and them removes them. Are these serious enough to
> | warrant further action and why do they keep coming back?
> |
> | Rogue.PC-Cleaner
> | HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[
> | {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
> | HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt [
> | {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for whatever advise you can
> | provide.G
>
> What files ? You haven't identified any files.
> What you ahve identified are two HKLM Registry loading points in ShellServiceObjectDelayLoad
> (SSODL)
>
> They keep coming back because SAS is not catching all aspects of the malware you are
> infected with.
>
> BVased upon what Malke provided you, post the contents of Main.txt and Extra.txt in a post
> in one of the below expert forums...
>
>
> { Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }
>
> Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner
> Logs.
>
> NOTE: Registration is REQUIRED in any of the below before posting a log
>
> Suggested primary:
> http://www.thespykiller.co.uk/index.php?board=3.0
>
> Suggested secondary:
> http://www.bleepingcomputer.com/forums/forum22.html
> http://castlecops.com/forum67.html
> http://www.malwarebytes.org/forums/index.php?showforum=7
>
> Suggested tertiary:
> http://www.dslreports.com/forum/cleanup
> http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
> http://www.atribune.org/forums/index.php?showforum=9
> http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
> http://gladiator-antivirus.com/forum/index.php?showforum=170
> http://forum.networktechs.com/forumdisplay.php?f=130
> http://forums.maddoktor2.com/index.php?showforum=17
> http://www.spywarewarrior.com/viewforum.php?f=5
> http://forums.spywareinfo.com/index.php?showforum=18
> http://forums.techguy.org/f54-s.html
> http://forums.tomcoyote.org/index.php?showforum=27
> http://forums.subratam.org/index.php?showforum=7
> http://www.5starsupport.com/ipboard/index.php?showforum=18
> http://aumha.net/viewforum.php?f=30
> http://makephpbb.com/phpbb/viewforum.php?f=2
> http://forums.techguy.org/54-security/
> http://forums.security-central.us/forumdisplay.php?f=13
>

 

[jen]

"Richard" <Richard@sailaway.com> wrote in message
news:uXeBWepvIHA.1240@TK2MSFTNGP02.phx.gbl...
> The following two files are always identified as spyware every time I
> run SUPERantispyware (free edition), which is several times a week.
> The program then quarantines them and them removes them. Are these
> serious enough to warrant further action and why do they keep coming
> back?
>
> Rogue.PC-Cleaner
> HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#wdpoefan[
> {DE8062CC-89CB-463E-AF01-DA85DA065FC5} ]
> HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#vadokmxt
> [ {6F25D4C7-E549-4E97-9B0C-5A3143E59960} ]Thanks very much for
> whatever advise you can provide.G
>

This is an undesirable program:
wdpoefan.dll
dentified as a variant of the Adware.Agent malware.
http://www.bleepingcomputer.com/startups/wdpoefan-22773.html

This is an undesirable program:
vadokmxt.dll
Identified as a variant of the Adware.Agent malware
http://www.bleepingcomputer.com/startups/vadokmxt-22772.html

-jen