Thread: Ridding Myself of a Pesky Virus/Spyware/Whatever

  1. #1
    ¡Amo fútbol!
    Join Date
    Dec 2001

    Ridding Myself of a Pesky Virus/Spyware/Whatever

    I recently have been bothered a program known as Universa. The file seems to create exe's of the name win####.temp.exe which launch two popups known as ULWindowURL and ULWindowSeek. I've been trying everything to get rid of the stupid thing yet nothing has worked so far. I've run adaware, spy-bot, and hijack this. All are saying I'm clean, which unfortunately isn't the case. Google has only turned up others facing the same problems.

    What I Know:
    I opened up the offending programs from the temp folder with a hex editor. The program calls the standard window dlls and pretty much standard functions (such as GetProcAddress). The only two ones that seem to be different than just a standard windows app are the last two: OleCreate and SetTimer. What the two are being used for is pretty obvious from the description of its behavior.

    Here's my idea:
    I'd like to monitor the folder where these files are being installed (Windows\Temp) and record what file is creating the exe's found in this folder. Whether it be by a program that is already created or a custom job, I'd like to find out if this is possible. I know of FileSystemWatcher allows one to monitor a directory for changes. However, I have been unable to find a more powerful version which allows one to know which file/program/process made the change to the directory. Something like this, if practicle, would allow me to track down the source of my pesky problem and eliminate it. Any suggestions as to how I could go about doing this?

  2. #2
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    The edge of the known universe
    You should get a good idea of the persistent behaviour of whatever is running on your system.
    This can give detailed info on each process, like what handles it has. This can guide you in using the other two programs.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  3. #3
    ¡Amo fútbol!
    Join Date
    Dec 2001
    Thanks Salem. Helpful as always (I guess some things never change).

  4. #4
    Registered User kryptkat's Avatar
    Join Date
    Dec 2002
    Remove UniversalTB Manually
    Note: This manual removal process is difficult and you run the risk of destroying your computer. We recommend that you use the automatic removal process.

    Remove UniversalTB registry values:
    HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerMainStart Page=[site address]
    HKEY_LOCAL_MACHINE SOFTWAREMicrosoftInternet ExplorerMainSearch Bar=[site address]
    HKEY_LOCAL_MACHINE SOFTWAREMicrosoftInternet ExplorerSearchSearchAssistant=[site address]
    HKEY_CURRENT_USER SoftwareUniversal
    HKEY_CURRENT_USER SoftwareMicrosoftInternet ExplorerURLSearchHooks
    HKEY_LOCAL_MACHINE SOFTWAREClassesGoSrch.ContextItem.1
    HKEY_LOCAL_MACHINE SOFTWAREClassesCLSID{5F7AB1DB-A899-46c1-8345-B72B4567EE86}
    HKEY_LOCAL_MACHINE SOFTWAREClassesInterface{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
    HKEY_LOCAL_MACHINE SOFTWAREClassesInterface{EAF23CEF-21AF-4707-9FF3-4959FD505553}
    HKEY_LOCAL_MACHINE SOFTWAREClassesTypeLib{6D335DE7-E980-4400-AADE-9AC771AB77E3}
    HKEY_LOCAL_MACHINE SOFTWAREMicrosoftInternet ExplorerToolbar{5F7AB1DB-A899-46c1-8345-B72B4567EE86}
    HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindows CurrentVersionUninstallUniversalSearch Toolbar

  5. #5
    Fear the Reaper...
    Join Date
    Aug 2005
    Toronto, Ontario, Canada
    There's a site I often go to for problems of the sort :

    Maybe they can help you out.
    Teacher: "You connect with Internet Explorer, but what is your browser? You know, Yahoo, Webcrawler...?" It's great to see the educational system moving in the right direction

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Those pesky command lines...
    By SMurf in forum Windows Programming
    Replies: 1
    Last Post: 10-25-2003, 12:38 AM