xcqbarm.dll reported as trojan

Discussion in 'ESET Smart Security' started by shorinryu, Aug 26, 2010.

Thread Status:
Not open for further replies.
  1. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Hi guys,

    The Basics:
    Windows 7 Home Premium, 64-bit edition
    ESET Smart Security v4.0.467.0
    Virus Signature database: 5397 (20100825)

    I've been a happy user of Eset since 2006 with Nod32, and when the opportunity arose to upgrade to ESS, I took it.

    This morning, I saw an alert message:

    Object: C:\Windows\system32\xcqbarm.dll
    Threat: a variant of Win32/Spy.Hookit.A.trojan
    Comment: Error while deleting. Please submit this object to ESET for analysis.

    I've searched Google and Bing for "xcqbarm.dll", verified the spelling a hundred times while doing so, and have come up with exactly zero results.

    Does anyone else have this particular problem?
    Should I be attempting to delete this file manually in safe mode, since ESS apparently can't?

    Chad
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Isn't the file deleted after the next computer restart?
     
  3. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    No. I assume this is because Windows 7 has super-ultra locked down anything in the %windir% directories, though I could be wrong.

    No, after a reboot, I get the same warning message, which is why I asked if I should attempt to delete the file manually.
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,644
    Location:
    USA
    Have you tried scanning with other malware removal tools such as SUPERAntispyware or Malwarebytes? I can't find this file on any machine I have access to so I assume it isn't good.
     
  5. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    No. But the mystery deepens... When I go look in that directory, the infected file is not there: I go from xcopy.exe to xinput1_1.dll.

    When I do a custom scan of that folder, I get the following results:

    Number of scanned objects: 29099
    Number of infected objects: 0
    Number of cleaned objects: 0
     
  6. cool1007

    cool1007 Registered Member

    Joined:
    Oct 19, 2009
    Posts:
    57
    Do a scan with Malwarebytes and see if it catches it.
     
  7. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Sadly, no dice there, either. Whenever I reboot, I'm getting the message that the threat was found in memory, which may explain why I can't actually find the file itself.

    Any more suggestions? Is there a way I can purge the memory?
     
  8. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Almost two months and you still haven't fixed the problem. WOW!?

    Just use other products in order to clean the computer. The mystery you write about is because there may be something that is not detected by ESET.

    If a file is in memory, it is on the hard disk, too - this is 100% true. Just not everything is detected by ESET.

    I strongly suggest you run Hitman Pro (free multivendor cloud scanning application). Download from http://www.surfright.nl/en/hitmanpro, start it and perform a scan. Remember what and where it detects it (in order to let us know after that), follow the program's instructions, activate the licence and remove the malware.
     
  9. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Do you have the latest signatures?
    You can check Operating Memory in "Custom Scan" from the ESET Security Window.

    Is your file (C:\Windows\system32\xcqbarm.dll) on an NTFS filesystem?
    Please check File/Folder access (File properties --> Security --> Advanced)
    Check if you have sufficient administrative privileges, etc.
     
    Last edited: Oct 17, 2010
  10. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Scanned with HitMan Pro.

    Apart from tracking cookies, this was the only item found:

    <Item type="Malware" malwareName="Malware" score="106.0" status="Quarantiend">

    <Scanners>
    <Scanner id="Ikarus" name="Packed.Win32.Krap!IK"/>
    </Scanners>
    <File path="C:\Windows\Temp\TMPC253.tmp" hash="97043D1BCB5AF97682C6D5630C93BDB52C0A9535A8ED1D8688389D5FE7F3B573"/>
    </Item>

    Good catch, but after reboot, I'm still getting warnings about that pesky xcqbarm.dll.

    Very strange... I can post the whole HitManPro xml if you like...
     
  11. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Done. Scan came away clean.

    Yes.

    Checked. I have everything except Full Control, Delete and Take Ownership. I SHOULD be able to see the file in question if it's there... it's just not showing up. I also have hidden and system files displayed...
     
  12. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Run Chkdsk to eliminate the possibility of a corrupt file system.
     
  13. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Maybe these files are hidden by a rootkit. Have you tried running a Rescue Boot CD with antivirus? Rootkits are difficult to detect when active.
     
  14. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    If you are still experiencing problems with malware then you may run Kaspersky Virus Removal Tool. I think it will help you eliminate malware.
     