xcqbarm.dll reported as trojan

Discussion in 'ESET Smart Security' started by shorinryu, Aug 26, 2010.

Thread Status:
Not open for further replies.
  1. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Hi guys,

    The Basics:
    Windows 7 Home Premium, 64-bit edition
    ESET Smart Security v4.0.467.0
    Virus Signature database: 5397 (20100825)

    I've been a happy user of ESET since 2006 with NOD32, and when the opportunity arose to upgrade to ESS, I took it.

    This morning, I saw an alert message:

    Object: C:\Windows\system32\xcqbarm.dll
    Threat: a variant of Win32/Spy.Hookit.A.trojan
    Comment: Error while deleting. Please submit this object to ESET for analysis.

    I've searched Google and Bing for "xcqbarm.dll", verified the spelling a hundred times while doing so, and have come up with exactly zero results.

    Does anyone else have this particular problem?
    Should I be attempting to delete this file manually in safe mode, since ESS apparently can't?

    Chad
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Isn't the file deleted after the next computer restart?
     
  3. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    No. I assume this is because Windows 7 has super-ultra locked down anything in the %windir% directories, though I could be wrong.

    No, after a reboot, I get the same warning message, which is why I asked if I should attempt to delete the file manually.
     
  4. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    Have you tried scanning with other malware removal tools such as SUPERAntispyware or Malwarebytes? I can't find this file on any machine I have access to, so I assume it isn't good.
     
  5. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    No. But the mystery deepens... When I go look in that directory, the infected file is not there: I go from xcopy.exe to xinput1_1.dll.

    When I do a custom scan of that folder, I get the following results:

    Number of scanned objects: 29099
    Number of infected objects: 0
    Number of cleaned objects: 0
     
  6. cool1007

    cool1007 Registered Member

    Joined:
    Oct 19, 2009
    Posts:
    57
    Do a scan with Malwarebytes and see if it catches it.
     
  7. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Sadly, no dice there, either. Whenever I reboot, I'm getting the message that the threat was found in memory, which may explain why I can't actually find the file itself.

    Any more suggestions? Is there a way I can purge the memory?
     
  8. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Almost two months and you still haven't fixed the problem. WOW!?

    Just use another product in order to clean the computer. The mystery you write about is because there may be something that is not detected by ESET.

    If a file is in memory, it is on the hard disk, too - this is 100% true. Just not everything is detected by ESET.

    I strongly suggest you run Hitman Pro (free multivendor cloud scanning application). Download it from http://www.surfright.nl/en/hitmanpro , start it and perform a scan. Remember what it detects and where (in order to let us know after that), follow the program's instructions, activate the licence and remove the malware.
     
  9. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Do you have the latest signatures?
    You can check Operating Memory in "Custom Scan" from the ESET Security Window.

    Is your file (C:\Windows\system32\xcqbarm.dll) on an NTFS filesystem?
    Please check File/Folder access (File properties --> Security --> Advanced)
    Check if you have sufficient administrative privileges, etc.
     
    Last edited: Oct 17, 2010
  10. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Scanned with HitMan Pro.

    Apart from tracking cookies, this was the only item found:

    <Item type="Malware" malwareName="Malware" score="106.0" status="Quarantiend">

    <Scanners>
    <Scanner id="Ikarus" name="Packed.Win32.Krap!IK"/>
    </Scanners>
    <File path="C:\Windows\Temp\TMPC253.tmp" hash="97043D1BCB5AF97682C6D5630C93BDB52C0A9535A8ED1D8688389D5FE7F3B573"/>
    </Item>

    Good catch, but after reboot, I'm still getting warnings about that pesky xcqbarm.dll.

    Very strange... I can post the whole HitManPro xml if you like...
     
  11. shorinryu

    shorinryu Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    6
    Done. Scan came away clean.

    Yes.

    Checked. I have everything except Full Control, Delete and Take Ownership. I SHOULD be able to see the file in question if it's there... it's just not showing up. I also have hidden and system files displayed...
     
  12. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Run Chkdsk to eliminate the possibility of a corrupt file system.
     
  13. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Maybe these files are hidden by a rootkit. Have you tried running a Rescue Boot CD with antivirus? Rootkits are difficult to detect when active.
     
  14. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    If you are still experiencing problems with malware then you may run Kaspersky Virus Removal Tool. I think it will help you eliminate the malware.
     