TonyKlein

Volunteer Security Advisor
  • Content Count: 17
Everything posted by TonyKlein

  1. This time you picked the right one, but unfortunately it was a 0 byte file, which usually means your antivirus may be blocking it, or the file may be in use by another application. Let's try it this way:

     Please download Killbox. Click killbox.exe. Select the option "Delete on reboot". Click the button: Single File (!important!)

     Next, copy the following bold line:

     C:\Programmi\Toolbar\like_googlenew1.1a.dll

     Open 'file' in the Killbox menu on top and choose Paste from clipboard. Then press the button that looks like a red circle with a white X in it.

     Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now. Click YES. If you don't get that message, reboot manually. Your computer should reboot now. The file in question will have been moved into a newly created folder called C:\!Killbox

     Once it has rebooted, go back to http://www.bleepingcomputer.com/submit-mal....php?channel=13 , browse to that C:\!Killbox folder, highlight that folder, then press "Send File" in order to submit it.

     Much appreciated! :)
  2. Thank you for uploading the file; however, unfortunately it was not the one requested. You uploaded a TFRC.tmp file, which is indeed malware (Trojan.Win32.Agent.ahp), but the one we'd like to have a look at was:

     C:\Programmi\Toolbar\like_googlenew1.1a.dll

     Could I please ask you to find and upload that one as well? Thanks a lot for your cooperation!
  3. Thank you for uploading the files. The first one (yoeequery.dll) looks legitimate, hailing from yoee.com: http://english.yoee.com/static/aboutus.asp The second one (UIupdater.exe) is a 0-byte file. I suggest you temporarily disable your antivirus' real-time monitoring, then try again.
  4. My apologies for gatecrashing this thread, but there's a file we'd like to have a closer look at:

     C:\Windows\YOEEQUERY.DLL

     It looks like it might be a new parasite, so we'd like to receive a sample for analysis! Could I ask you to please go to this forum. There's no need to register. Just start a new topic, titled "File for TonyKlein". In the topic, simply refer to this --- forum thread, and use the Attachment box to upload the file.

     In fact there's not even a need to actually browse to the file: just copy the full path to the file, in this case:

     C:\Windows\YOEEQU~1.DLL

     ... and paste it in the attachment box, then press the 'Post' button. The file should be found and uploaded.

     NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them.

     After that I'll be happy to leave you in CalamityJane's most capable hands! Thanks!
  5. It might not be a bad idea to contact RadarSync support about this as well; after all they have an interest not to have their software crippled by AS software. In all fairness, it is not only AAW that detects this key; I also found instances of SpyBot and SpySweeper detecting 7faSSt in the SlingShot "version" of this registry key as early as a year or two ago...
  6. It is due to the fact that RadarSync uses a Class ID that happens to be in use by known malware as well. As a matter of fact, so does SlingShot... http://www.castlecops.com/modules.php?name...F-BA8C795F261C} Although this is arguably due to bad research by the developers of RadarSync and SlingShot, Ad-Aware does risk crippling legitimate software in this way...
  7. There's a Microsoft program that will reset Content Advisor to its original condition: http://www.kellys-korner-xp.com/regs_edits/CA-Reset.exe Save to a location of your choice, close all IE windows and execute the downloaded file. NOTE: CA-Reset will delete your Approved List, so you WILL need to rebuild that. Good luck!