
Ridding Myself of a Pesky Virus/Spyware/Whatever



golfinguy4
05-21-2006, 03:13 AM
I recently have been bothered by a program known as Universa. The file seems to create exes named win####.temp.exe, which launch two popups known as ULWindowURL and ULWindowSeek. I've been trying everything to get rid of the stupid thing, yet nothing has worked so far. I've run Ad-Aware, Spybot, and HijackThis. All are saying I'm clean, which unfortunately isn't the case. Google has only turned up others facing the same problems.

What I Know:
I opened up the offending programs from the temp folder with a hex editor. The program calls the standard Windows DLLs and pretty much standard functions (such as GetProcAddress). The only two that seem to be different from a standard Windows app are the last two: OleCreate and SetTimer. What the two are being used for is pretty obvious from the description of its behavior.

Here's my idea:
I'd like to monitor the folder where these files are being installed (Windows\Temp) and record what file is creating the exes found in this folder. Whether it be by a program that already exists or a custom job, I'd like to find out if this is possible. I know FileSystemWatcher allows one to monitor a directory for changes. However, I have been unable to find a more powerful version which allows one to know which file/program/process made the change to the directory. Something like this, if practical, would allow me to track down the source of my pesky problem and eliminate it. Any suggestions as to how I could go about doing this?

Salem
05-21-2006, 03:46 AM
http://www.sysinternals.com/utilities/regmon.html
http://www.sysinternals.com/utilities/filemon.html
You should get a good idea of the persistent behaviour of whatever is running on your system.

http://www.sysinternals.com/utilities/processexplorer.html
This can give detailed info on each process, like what handles it has. This can guide you in using the other two programs.
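Filemon and Regmon were later merged into Process Monitor (Procmon), which logs the process name and PID behind every file and registry operation, which is exactly the attribution FileSystemWatcher cannot give. As an added example that is not part of this thread, the Python script below takes a Procmon CSV export (the column layout is assumed to match Procmon's default File > Save > CSV output), keeps only the CreateFile events under Windows\Temp whose Detail reports that a win####.temp.exe was actually created rather than merely opened, and follows Process Start parent links so that a temp exe which drops the next temp exe is traced back to the non-temp process that started the chain. The log lines are constructed for the example, and suspect.exe is a placeholder, not the name of any real component.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export, already filtered to
# C:\WINDOWS\Temp. Column names are assumed to match Procmon's default CSV
# save. "suspect.exe" is a placeholder for whatever the real log shows.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:12:41.0100000 AM","svchost.exe","1024","CreateFile","C:\\WINDOWS\\Temp\\Perflib_Perfdata_400.dat","SUCCESS","Desired Access: Generic Read/Write, Disposition: OverwriteIf, OpenResult: Created"
"3:12:58.5000000 AM","suspect.exe","1652","CreateFile","C:\\WINDOWS\\Temp\\win1234.temp.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"3:12:58.6000000 AM","suspect.exe","1652","WriteFile","C:\\WINDOWS\\Temp\\win1234.temp.exe","SUCCESS","Offset: 0, Length: 24,576"
"3:12:59.0000000 AM","explorer.exe","1488","CreateFile","C:\\WINDOWS\\Temp\\win1234.temp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"3:12:59.2000000 AM","win1234.temp.exe","2004","Process Start","","SUCCESS","Parent PID: 1652, Command line: C:\\WINDOWS\\Temp\\win1234.temp.exe"
"3:13:02.0000000 AM","win1234.temp.exe","2004","CreateFile","C:\\WINDOWS\\Temp\\win5678.temp.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"""

TEMP_DIR = "C:\\WINDOWS\\Temp\\"
# The naming scheme described in the first post: win + four digits + .temp.exe
TEMP_EXE = re.compile(r"win\d{4}\.temp\.exe$", re.IGNORECASE)


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_creators(rows, directory=TEMP_DIR, name_pattern=TEMP_EXE):
    """Return {path: (process name, pid)} for matching files created in directory.

    Only successful CreateFile events whose Detail says "OpenResult: Created"
    count; later opens of the same file (Explorer, scanners) are ignored, and
    the first creator wins if the file is recreated."""
    creators = {}
    for row in rows:
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        path = row["Path"]
        if not path.lower().startswith(directory.lower()):
            continue
        if not name_pattern.search(path):
            continue
        if "OpenResult: Created" not in row["Detail"]:
            continue
        creators.setdefault(path, (row["Process Name"], int(row["PID"])))
    return creators


def find_parents(rows):
    """Map child PID -> parent PID from Procmon's Process Start events."""
    parents = {}
    for row in rows:
        if row["Operation"] == "Process Start":
            m = re.search(r"Parent PID:\s*(\d+)", row["Detail"])
            if m:
                parents[int(row["PID"])] = int(m.group(1))
    return parents


def origin_processes(rows, directory=TEMP_DIR, name_pattern=TEMP_EXE):
    """Return the set of (name, pid) that started each drop chain.

    A creator that is itself a dropped temp exe is walked up through its
    parents until a process whose image is not a temp exe is reached; that
    is the thing to hunt for on disk and in the autostart locations."""
    creators = find_creators(rows, directory, name_pattern)
    parents = find_parents(rows)
    names = {}
    for row in rows:
        names.setdefault(int(row["PID"]), row["Process Name"])
    origins = set()
    for name, pid in creators.values():
        seen = set()
        while name_pattern.search(name) and pid in parents and pid not in seen:
            seen.add(pid)
            pid = parents[pid]
            name = names.get(pid, "<unknown>")
        origins.add((name, pid))
    return origins


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for path, (proc, pid) in sorted(find_creators(rows).items()):
        print(f"{path} created by {proc} (PID {pid})")
    for proc, pid in sorted(origin_processes(rows)):
        print(f"chain origin: {proc} (PID {pid})")
```

In practice you would set a Procmon filter of Path begins with C:\WINDOWS\Temp before saving the CSV, so the export stays small; the parent walk matters because the process that creates the exe is often just the previous dropped stage, and deleting it only removes the middle of the chain.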

golfinguy4
05-21-2006, 04:15 AM
Thanks Salem. Helpful as always (I guess some things never change).

kryptkat
05-21-2006, 05:53 PM
Remove UniversalTB Manually
Note: This manual removal process is difficult and you run the risk of destroying your computer. We recommend that you use the automatic removal process.

Remove UniversalTB registry values:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=[site address]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar=[site address]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant=[site address]
HKEY_CURRENT_USER\Software\Universal
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dadu.DaduObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dadu.DaduObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GoSrch.ContextItem
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\GoSrch.ContextItem.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5F7AB1DB-A899-46c1-8345-B72B4567EE86}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FC2499DE-A673-49FD-A2DE-EFE03E9572A3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EAF23CEF-21AF-4707-9FF3-4959FD505553}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6D335DE7-E980-4400-AADE-9AC771AB77E3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{5F7AB1DB-A899-46c1-8345-B72B4567EE86}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UniversalSearch Toolbar

Happy_Reaper
05-22-2006, 12:12 PM
There's a site I often go to for problems of this sort:

www.bleepingcomputer.com

Maybe they can help you out.