xcqbarm.dll reported as trojan

Discussion in 'ESET Smart Security' started by shorinryu, Aug 26, 2010.

Thread Status:
Not open for further replies.
  1. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Hi guys,

    The Basics:
    Windows 7 Home Premium, 64-bit edition
    ESET Smart Security v4.0.467.0
    Virus Signature database: 5397 (20100825)​

    I've been a happy user of Eset since 2006 with Nod32, and when the opportunity rose to upgrade to ESS, I took it.

    This morning, I saw an alert message:

    Object: C:\Windows\system32\xcqbarm.dll
    Threat: a variant of Win32/Spy.Hookit.A.trojan
    Comment: Error while deleting. Please submit this object to ESET for analysis.​

    I've search google and bing for "xcqbarm.dll" verified the spelling a hundred times while doing so, and have come up with exactly zero results.

    Does anyone else have this particular problem?
    Should I be attempting to delete this file manually in safe mode, since ESS apparently can't?

    Chad
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,411
    Isn't the file deleted after the next computer restart?
     
  3. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    No. I assume this is because Windows 7 has super-ultra locked down anything in the %windir% directories, though I could be wrong.

    No, after a reboot, I get the same warning message, which is why I asked if I should attempt to delate the file manually.
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,607
    Location:
    USA
    Have you tried scanning with other malware removal tools such a SUPERAntispyware or Malwarebytes? I can't find this file on any machine I have access to so I assume it isn't good.
     
  5. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    No. But the mystery deepens... When I go look in that directory, the infected file is not there: I go from xcopy.exe to xinput1_1.dll.

    When I do a custom scan of that folder, I get the following results:

    Number of scanned objects: 29099
    Number of infected objects: 0
    Number of cleaned objects: 0​
     
  6. cool1007

    cool1007 Registered Member

    Joined:
    Oct 19, 2009
    Posts:
    57
    Do a scan with Malwarebytes and see if it catches it.
     
  7. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Sadly, no dice there, either. Whenever I reboot, I'm getting the message that the threat was found in memory, which may explain why I can't actually find the file itself.

    Any more suggestions? Is there a way I can purge the memory?
     
  8. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Almost two months and you still haven't fixed the problem . WOW!?

    Just use another products in order to clean the computer. The mistery you write about is because there may be something that is not detected by ESET.

    If a file is in memory , it is on the hard disk , too - this is 100% true. Just not everything is detected by ESET.

    I strongly suggest you run Hitman Pro (free multivendor cloud scanning application) . Download from http://www.surfright.nl/en/hitmanpro , start it and perform scan . Remember what and where it detects it (in order to let us know after that) , follow program's instructions , activate licence and remove the malware.
     
  9. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    You have the latest signatures?
    You can check Operating Memory in "Custom Scan" from the ESET Security Window.

    Is your file (C:\Windows\system32\xcqbarm.dll) on a NTFS filesystem?
    Please check File/Folder access (File properties --> Security --> Advanced)
    Check if you have sufficient administrative privileges, etc.
     
    Last edited: Oct 17, 2010
  10. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Scanned with HitMan Pro.

    Apart from tracking cookies, this was the only item found:

    <Item type="Malware" malwareName="Malware" score="106.0" status="Quarantiend">

    <Scanners>
    <Scanner id="Ikarus" name="Packed.Win32.Krap!IK"/>
    </Scanners>
    <File path="C:\Windows\Temp\TMPC253.tmp" hash="97043D1BCB5AF97682C6D5630C93BDB52C0A9535A8ED1D8688389D5FE7F3B573"/>
    </Item>

    Good catch, but after reboot, I'm still getting warnings about that pesky xcqbarm.dll.

    Very strange... I can post the whole HitManPro xml if you like...
     
  11. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Done. Scan came away clean.

    Yes.

    Checked. I have everything except Full Control, Delete and Take Ownership. I SHOULD be able to see the file in question if it's there... it's just not showing up. I also have hidden and system files displayed...
     
  12. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    run Chkdsk to eliminate possibilities of corrupt file system.
     
  13. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    maybe these files are hidden by a rootkit, you tried run a Rescue Boot CD with antivirus? Rootkits are difficult to detect it when active.
     
  14. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    If you still experiencing problems with malware then you may run Kaspersky Virus Removal Tool. I think it will helps you eliminate malware.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.