Thread: remove AdWare (page 1 of 2)
elly00 | 23.07.2007 10:46 | Post #1
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

Hi,

I have a PC where KIS detects an adware that I cannot remove..
OS: Windows XP, KIS 6.0.2.621
In the attached report you can see:

rilevato (means detected): adware not-a-virus:AdWare.Win32.LinkOptimizer.h File: C:\WINDOWS\qpbby1.dll//PE_Patch.Sue//PE-Crypt.Sue//PE_Patch.UPX//UPX
rilevato: malware Exploit.Win32.IMG-ANI.k URL: http://imxndm7rj.com/92b8d7b02bfcd6231869/fciaa/wliogxy.ani

Note that I cannot find this qpbby1.dll file even if I choose "go to file".

Also, on this PC explorer.exe sometimes crashes and something tries to start strange connections (see images).

Can you tell me the exact steps to clean it all?

Thanks
Elena
Attached File(s)
Attached File  report.txt ( 159,23K ) Number of downloads: 20
Attached File  dialer.zip ( 6,38K ) Number of downloads: 27
 
Lucian Bara | 23.07.2007 10:49 | Post #2
Are You Kidding? | Group: Gold beta testers | Posts: 56947 | Joined: 28.01.2006 | From: Timisoara, Romania

Hello,
try booting into safe mode and proceed with deleting the file from there.
It could also be good to do a scan with
an anti-rootkit tool like BlackLight: http://www.f-secure.com/blacklight/
and SUPERAntiSpyware: http://www.superantispyware.com/

This post has been edited by Lucian Bara: 23.07.2007 10:49
elly00 | 23.07.2007 10:51 | Post #3
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

QUOTE(Lucian Bara @ 23.07.2007 09:49)
Hello,
try booting into safe mode and proceed with deleting the file from there.
It could also be good to do a scan with
an anti-rootkit tool like BlackLight: http://www.f-secure.com/blacklight/
and SUPERAntiSpyware: http://www.superantispyware.com/

Hi,
thanks...
Do you think I can see the file in safe mode? When Windows starts "normally" the file is not visible..
Lucian Bara | 23.07.2007 10:54 | Post #4
Are You Kidding? | Group: Gold beta testers | Posts: 56947 | Joined: 28.01.2006 | From: Timisoara, Romania

Of course it's not visible, there's a rootkit involved. You might be able to see it in safe mode. If you can't, then perform the BlackLight scan in normal mode.
elly00 | 23.07.2007 10:57 | Post #5
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

QUOTE(Lucian Bara @ 23.07.2007 09:54)
Of course it's not visible, there's a rootkit involved. You might be able to see it in safe mode. If you can't, then perform the BlackLight scan in normal mode.

OK!!!
I'll do that and let you know the result....
I still don't know why, if I have KIS installed, this kind of adware can be passed on to the system?

Thanks

norwegian | 23.07.2007 12:04 | Post #6
Posting guru | Group: Members | Posts: 3790 | Joined: 8.05.2005 | From: Australia

Rootkits aren't a specific component of version 6 (but it still covers some); version 7 has more specifics for this.

As for the ANI exploit, it is a Microsoft exploit, not a KIS exploit. Is your system up to date?

ANI info - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1765

But for now concentrate on what Lucian is asking. If you find this file, maybe the date it was created will lead to what you were doing on the internet, or at least reflect on where.....


elly00 | 23.07.2007 12:09 | Post #7
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

QUOTE(norwegian @ 23.07.2007 11:04)
Rootkits aren't a specific component of version 6 (but it still covers some); version 7 has more specifics for this.

As for the ANI exploit, it is a Microsoft exploit, not a KIS exploit. Is your system up to date?

ANI info - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1765

But for now concentrate on what Lucian is asking. If you find this file, maybe the date it was created will lead to what you were doing on the internet, or at least reflect on where.....

Hi,

yes, sure, I'll do what he said and post the result..
and... yes, the system is correctly updated...

Thanks
Don Pelotas | 23.07.2007 13:35 | Post #8
Global Moderator | Group: Global moderators | Posts: 28886 | Joined: 7.04.2005

Elly............next time please post about virus-related issues in the ....................virus-related issues section, you have been here long enough to know this by now.


elly00 | 23.07.2007 14:01 | Post #9
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

QUOTE(Don Pelotas @ 23.07.2007 12:35)
Elly............next time please post about virus-related issues in the ....................virus-related issues section, you have been here long enough to know this by now.


yes sorry ;( just a second after having send the message I remind that the post was on wrong place..... sory sorry .....never do that again....
wink.gif
elly00 | 23.07.2007 16:08 | Post #10
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

Hi,

I restarted in safe mode but didn't find the file:
C:\WINDOWS\qpbby1.dll//PE_Patch.Sue//PE-Crypt.Sue//PE_Patch.UPX//UPX

Running Spybot, nothing is found...

What can I do now?

Thanks
shieber | 23.07.2007 16:19 | Post #11
Advanced Member II | Group: Members | Posts: 343 | Joined: 4.06.2007

Looks like it's embedded in an archive.


QUOTE(elly00 @ 23.07.2007 02:46)
[the first post, quoted in full]
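The "//" chain in that report line is worth reading correctly before anyone hunts for an archive. Kaspersky writes nested objects as path//inner//inner; for a packed executable the inner segments name the packer layers its engine peeled off (PE_Patch, PE-Crypt and UPX here), not archive members, so the object on disk is the first segment, C:\WINDOWS\qpbby1.dll, and that is the file to delete. The parser below is an example added for this page, not code from the forum or from Kaspersky. It pulls those fields out of the two lines from the first post (re-typed as constructed input, with the "h" and "File:" that ran together in the post separated by a space) and also handles the case where a "//" belongs to a URL's scheme rather than to nesting; the column layout it assumes is taken from those two lines only and is an assumption for any other report version.

```python
"""Parser for the Kaspersky 6.x report lines quoted in this thread.

Added example for this page; not Kaspersky code and not from the forum.
Assumed column layout (from the two sample lines only):
    <status>: <category> <detection name> <File|URL>: <object>
The Italian status word 'rilevato' means 'detected'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input, re-typed from the thread's first post.
SAMPLE_REPORT = (
    "rilevato: adware not-a-virus:AdWare.Win32.LinkOptimizer.h File: "
    "C:\\WINDOWS\\qpbby1.dll//PE_Patch.Sue//PE-Crypt.Sue//PE_Patch.UPX//UPX\n"
    "rilevato: malware Exploit.Win32.IMG-ANI.k URL: "
    "http://imxndm7rj.com/92b8d7b02bfcd6231869/fciaa/wliogxy.ani\n"
)

LINE_RE = re.compile(
    r"^(?P<status>\w+):\s+(?P<category>\w+)\s+(?P<name>\S+)\s+"
    r"(?P<kind>File|URL):\s+(?P<obj>.+?)\s*$"
)


@dataclass
class Detection:
    status: str            # report status word, e.g. 'rilevato' (detected)
    category: str          # Kaspersky class: 'adware', 'malware', ...
    name: str              # verdict name without the 'not-a-virus:' prefix
    not_a_virus: bool      # riskware/adware verdicts carry 'not-a-virus:'
    kind: str              # 'File' (object on disk) or 'URL' (web traffic)
    location: str          # path or URL the scanner actually touched
    layers: List[str]      # nested objects / packer layers peeled, outermost first


def split_nested(kind: str, obj: str) -> Tuple[str, List[str]]:
    """Separate the scanned location from Kaspersky's '//' nesting chain.

    A URL's own 'http://' also contains '//', so for URLs the scheme is cut
    off before splitting; otherwise the host would be mistaken for a layer.
    """
    if kind == "URL":
        scheme, sep, rest = obj.partition("://")
        if sep:
            parts = rest.split("//")
            return scheme + "://" + parts[0], parts[1:]
    parts = obj.split("//")
    return parts[0], parts[1:]


def parse_line(line: str) -> Optional[Detection]:
    """One report line -> Detection, or None if the line is not a detection."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    not_a_virus = name.startswith("not-a-virus:")
    if not_a_virus:
        name = name[len("not-a-virus:"):]
    location, layers = split_nested(m.group("kind"), m.group("obj"))
    return Detection(m.group("status"), m.group("category"), name,
                     not_a_virus, m.group("kind"), location, layers)


def parse_report(text: str) -> List[Detection]:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d]


def removal_targets(dets: List[Detection]) -> List[str]:
    """On-disk paths to delete: File detections only. A URL verdict is a
    blocked download (here the ANI exploit); there is nothing to remove."""
    return [d.location for d in dets if d.kind == "File"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for d in found:
        print(f"{d.kind:4} {d.name:30} at {d.location}  layers={d.layers}")
    print("delete:", removal_targets(found))
```

Run it on a saved KIS report and only the File entries' first segment should go on a deletion list; the URL entry records a blocked download from imxndm7rj.com, which is evidence of where the infection came from, not something to remove.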
elly00 | 23.07.2007 16:21 | Post #12
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

QUOTE(shieber @ 23.07.2007 15:19)
Looks like it's embedded in an archive.

Difficult to know... ;(
Any ideas?
elly00 | 23.07.2007 17:56 | Post #13
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

Do you have a removal tool?

Thanks
Elena
Don Pelotas | 23.07.2007 18:11 | Post #14
Global Moderator | Group: Global moderators | Posts: 28886 | Joined: 7.04.2005

QUOTE(elly00 @ 23.07.2007 15:56)
Do you have a removal tool?

Thanks
Elena

No.......elly, have you run a full scan with both Kaspersky and SUPERAntiSpyware with System Restore disabled? Also try this LinkOptimizer tool


Lucian Bara | 23.07.2007 19:04 | Post #15
Are You Kidding? | Group: Gold beta testers | Posts: 56947 | Joined: 28.01.2006 | From: Timisoara, Romania

Just delete the whole file. If you can't find it, let KAV delete it.
If that fails:
download Killbox: http://killbox.net/downloads/KillBox.exe
save it to your desktop, double-click it, select "delete on reboot"
and in the box "file path or folder path" input
C:\WINDOWS\qpbby1.dll

Press the red circle with a cross, confirm the reboot and see if it's gone.
elly00 | 25.07.2007 10:48 | Post #16
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

Hi all,

some news about the PC situation...
1) running http://killbox.net/downloads/KillBox.exe the error is:
PendingFileRenameOperations Registry data has been removed by external process!
2) SUPERAntiSpyware and F-Secure don't start
3) running the LinkOptimizer tool, it restarted the PC but then it gives "access denied"; after that I can run SUPERAntiSpyware..
Now I'm doing a full scan... I don't know if it could remove the rootkit

I'll inform you about the result

I have a service named "WinVhm" started as .\TGyPWUmr that I cannot stop or set to start manually.. now it is on automatic startup

Thanks
Elly

This post has been edited by elly00: 25.07.2007 10:50
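Killbox's "delete on reboot" in post #15 and the error in post #16 are two sides of one mechanism. The tool queues the deletion in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, the same place MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes; the session manager processes that list early at the next boot, before the DLL can be loaded and locked again, which is why it works on a file the running system will not let go of. The message "PendingFileRenameOperations registry data has been removed by external process" means the queued entry was gone again before the reboot, whatever removed it. The script below is an example added for this page, not Killbox's code and not anything from the thread: it builds and decodes that value offline and renders it as a .reg file for regedit /s. The format facts (pairs of strings, the NT \??\ prefix on paths, an empty destination meaning delete) come from Microsoft's documentation; the helper names and the sample path handling are this example's own, and nothing in it writes to a registry. It merges with an existing value rather than overwriting it, because a blind replace would drop whatever else (a half-finished Windows Update, for instance) is waiting for the same reboot.

```python
"""PendingFileRenameOperations: what a 'delete on reboot' actually writes.

Added example for this page; not Killbox's code and not from the thread.
Format facts assumed from the Windows documentation: REG_MULTI_SZ value,
flat list of (source, destination) string pairs, sources in NT '\\??\\' form,
empty destination = delete. Nothing here touches a registry.
"""
from typing import List, Optional, Sequence, Tuple

SESSION_MANAGER = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
)
VALUE_NAME = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"

Op = Tuple[str, Optional[str]]   # (source, destination); None = delete source


def nt_path(win_path: str) -> str:
    """C:\\dir\\f.dll -> \\??\\C:\\dir\\f.dll, the object-manager form smss expects."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def build_pending_ops(ops: Sequence[Op]) -> List[str]:
    """Flatten operations into the string list stored in the value."""
    strings: List[str] = []
    for src, dst in ops:
        strings.append(nt_path(src))
        strings.append("" if dst is None else nt_path(dst))
    return strings


def encode_multi_sz(strings: Sequence[str]) -> bytes:
    """REG_MULTI_SZ wire format: UTF-16LE, NUL after each string, NUL at the end.
    An empty string contributes only its own NUL; the session manager reads
    the list pairwise, so the apparent early terminator does not confuse it."""
    body = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    return body + b"\x00\x00"


def decode_pending_ops(data: bytes) -> List[Op]:
    """Read the value back the way the session manager does: pairwise, stopping
    at the first empty *source*. A generic MULTI_SZ split would lose delete
    entries, because their empty destination looks like the list terminator."""
    parts = data.decode("utf-16-le").split("\x00")
    ops: List[Op] = []
    i = 0
    while i < len(parts) and parts[i] != "":
        dst = parts[i + 1] if i + 1 < len(parts) else ""
        ops.append((parts[i], None if dst == "" else dst))
        i += 2
    return ops


def merge_pending_ops(existing: bytes, new_ops: Sequence[Op]) -> List[str]:
    """Append to what is already queued instead of replacing it."""
    return build_pending_ops(list(decode_pending_ops(existing)) + list(new_ops))


def to_reg_file(strings: Sequence[str], per_line: int = 20) -> str:
    """Render a regedit 5.00 .reg file. REG_MULTI_SZ appears as hex(7) with
    comma-separated bytes and backslash line continuation, as regedit exports."""
    raw = encode_multi_sz(strings)
    chunks = [raw[i:i + per_line] for i in range(0, len(raw), per_line)]
    hex_lines = [",".join(f"{b:02x}" for b in c) for c in chunks]
    hexdata = ",\\\r\n  ".join(hex_lines)
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{SESSION_MANAGER}]\r\n"
        f"\"{VALUE_NAME}\"=hex(7):{hexdata}\r\n"
    )


if __name__ == "__main__":
    # Constructed input: the path from this thread, queued for deletion.
    queued = build_pending_ops([(r"C:\WINDOWS\qpbby1.dll", None)])
    print(to_reg_file(queued))
    print(decode_pending_ops(encode_multi_sz(queued)))
```

The check that would have caught what Killbox reported is to read the value back immediately before rebooting, for example with reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations; if the entry has already disappeared, something on the box is watching that key and the reboot will not remove the file.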
elly00 | 26.07.2007 10:44 | Post #17
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

Hi,

running SUPERAntiSpyware, F-Secure.. at the end KIS has removed the C:\WINDOWS\qpbby1.dll//PE_Patch.Sue//PE-Crypt.Sue//PE_Patch.UPX//UPX
file...

Only the service "WinVhm" started as .\TGyPWUmr is still present on the PC...
(not started) but set to "automatic".

Do you think I can leave it or what?

Thanks

Lucian Bara | 26.07.2007 10:49 | Post #18
Are You Kidding? | Group: Gold beta testers | Posts: 56947 | Joined: 28.01.2006 | From: Timisoara, Romania

Can you post a screenshot of that?
elly00 | 26.07.2007 11:04 | Post #19
Advanced Member II | Group: Members | Posts: 321 | Joined: 13.07.2006 | From: ITALY

QUOTE(Lucian Bara @ 26.07.2007 09:49)
Can you post a screenshot of that?

Hi,

I don't have the option to send attachments anymore?!!? I don't know why...
But in the image you can see that this service is used for "saving DNS names in cache".

Thanks
Lucian Bara | 26.07.2007 12:07 | Post #20
Are You Kidding? | Group: Gold beta testers | Posts: 56947 | Joined: 28.01.2006 | From: Timisoara, Romania

Yes, attaching files isn't available here; you can try to host it on http://imageshack.us and post the link here.

Also, you can use the console command sc delete WinVhm to delete that service.