
Ucleaner - virus?? (Ultimate Defender spyware)

  • 21-10-2006 2:06pm
    #1
    Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭


    I keep getting a pop up screen asking me to download this anti virus cleaner.

    I found out its website is www.ucleaner.com

    Is this a virus or something? I've scanned my laptop using AVG7 and Ad-Aware SE but it keeps coming back..

    Anything I can do to get rid of it?

    Thanks

    (edited title to include spyware name)


Comments

  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Never heard of that one; it's possible it's spyware. Try both Spybot and Ewido Security Suite and scan in safe mode.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    It just popped up again there... 'Malicious ... something or other'.

    I must copy it and paste it here next time it comes up.

    Thanks Ruu, I'll search on the web for Spybot. Is it free?

    Cheers


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Yep, Spybot-Search and Destroy is 100% free. Ewido has a 14-day trial I think; after that you have to manually update it and the resident guard is disabled, but it still does everything else afaik. I find that particular one very good.


  • Closed Accounts Posts: 10,012 ✭✭✭✭thebman


    Yeah, Spybot is a good, Open Source Spyware application. Check out the advanced features of Spybot for good protection, like blocking bad plugins etc. in IE and a shield to track registry changes.

    Also give Windows Defender a look on the MS website.

    My brother has said Avast Personal edition can catch stuff AVG misses and vice versa, so it may be worth downloading it to give it a go at removing it.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    Hey thanks for that.

    I just downloaded Spybot and ran a scan. Rebooted and it seemed all was OK, but the pop-up came back.

    This time I copied what it says:
    System Integrity Scan Wizard

    Warning: Your computer may have critical errors in Windows registry and file system!

    The registry and file system errors lead to computer freezes, system crashes and slowdowns, corruption of files and documents.

    Immediate system integrity scan and repair is strongly recommended.

    To scan your computer for errors please click the 'Next' button below

    It's really bugging me how to get rid of this...

    Any other tips? Do you think I should go ahead and press the 'next' button and download this thing and then try to remove it after?

    Would a system restore work? Or would that do more damage...


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    System Restore might work but it could have infected the restore points as well so I googled around and found the suggestion below, see if it applies to your case. You could do all of this in safe mode either.

    1) kill the process, e.g., 2122cae8.exe, from Task Manager.

    2) delete 2122cae8.exe in C:\Windows\System32

    3) delete 2122cae8.exe in C:\Documents and Settings\<your user name>\Local Settings\Application Data

    4) remove it from registry in two places:

    My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\run

    and

    My computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run

    Then reboot the machine. Hope it's gone.


  • Registered Users, Registered Users 2 Posts: 23,212 ✭✭✭✭Tom Dunne


    Not strictly a laptop problem. Moving to computers.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    Thanks Tom Dunne. I wasn't sure where to post this, as the boards.ie layout seems to have changed since I last logged on. Cheers :)

    Well, more to follow up on this problem.

    I went and pressed the 'next' button to see if it would lead me to more information as to where this popup is coming from, and it's a spyware called Ultimate Defender....

    I've googled it and came across this website to remove Ultimate Defender:

    http://remove-ultimate-defender.info/?gclid=CPvq3PvuiogCFQ0nMAodYRhhAQ

    It says to remove it I must install Xoftspy. Has anyone heard of this??

    I'm going to google it a bit more and see what I find.

    Just thought I would keep my post up to date in case anyone else gets this.

    Cheers all.


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    I have heard of it alright, but never tried it before, a few google searches don't suggest a whole lot. If you want, post up a hijackthis log (it will have details of what programs are running, etc) and some of us can comb through it for you to help find the culprit.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    What's a hijack log? I've not heard of that.

    I've been reading about that Xoftspy, looks legit.


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    The link I posted should provide you with the information. In short, HijackThis will just generate a log file of the running processes on your computer (good if you aren't familiar with what's running in the background, which could be relevant to your issue where the popup thing is going on) as well as anything ever installed that could tie into your web browser. This will help us to narrow down the problem to the troublesome program.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    Ah, didn't see the link there. I'll have a read of that now so.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    Just attached the HijackThis log... took me a while to understand it.

    Ah, by the way, I downloaded Xoftspy and all it does is scan the computer and tell you what spyware is on the computer, then it says pay $29.99 to get the full edition....

    this is what it came up with on the scan:

    DialerGlobalAccess - registry key - severe risk - software\adwaredisablekey3

    ultimate defender - folder - moderate risk - c:\program files \ ultimate defender

    and a couple others ranging from low risk to severe risk.


    This is really getting me now, I'm determined to get rid of this ...

    I have attached the log, here's hoping.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    I see you've got McAfee & AVG both running. It's a bad idea to have more than 1 AV prog, they conflict. Uninstall McAfee, AVG is better & free.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    Hey PogMoThoin, thanks. I've tried to uninstall McAfee this evening, but when I do it says error uninstalling it and it won't take it off...


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    I have nightmares from dealing with computers that have McAfee installed. You might have to remove it manually. Use this to help you out.

    Regarding the original issue, I don't know what the below line means in the log and can find nothing about it on the webbie. You could try going into Start->Run->msconfig.exe in the box and then in the Startup tab, untick the box beside that entry and restart; if it's not that you can enable it again.
    O4 - HKLM\..\Run: [qytyavh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qytyavh.dll,paaqscd
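
Added example, not part of the original thread or any poster's code: the O4 line above is HijackThis's view of the same Run keys that the earlier manual steps edit, so a short Python script can triage such lines before anything is unticked or deleted. The reason strings are heuristics chosen for this thread's two cases, and every sample line except the posted `qytyavh.dll` one is constructed.

```python
import ntpath
import re

# HijackThis "O4" lines list autostart entries; only the Run-key form is handled.
O4_RUN = re.compile(r"^O4\s*-\s*(HKLM|HKCU)\\\.\.\\Run:\s*\[([^\]]*)\]\s*(.+)$", re.I)
COMMAND = re.compile(r'^"?(.+?\.exe)"?\s*(.*)$', re.I)  # \s* tolerates pastes that lost spaces
HEX_EXE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)       # shape of 2122cae8.exe in the thread

def parse_o4(line):
    """Return (hive, value_name, command), or None if not a Run-key O4 line."""
    m = O4_RUN.match(line.strip())
    return (m.group(1).upper(), m.group(2), m.group(3).strip()) if m else None

def review_reasons(value_name, command):
    """Heuristic reasons to look closer at an entry; not proof of infection."""
    m = COMMAND.match(command)
    if not m:
        return ["command does not name an .exe"]
    exe, args = m.groups()
    name = ntpath.basename(exe).lower()
    reasons = []
    if HEX_EXE.match(name):
        reasons.append("executable name is eight hex digits")
    if ntpath.dirname(exe).lower().endswith("\\local settings\\application data"):
        reasons.append("runs directly from the per-user Application Data folder")
    if name == "rundll32.exe" and args:
        dll = args.partition(",")[0].strip('" ')
        reasons.append(f"rundll32.exe is only the loader; the file to investigate is {dll}")
        if ntpath.basename(dll).lower() == value_name.lower():
            reasons.append("Run value is named after the DLL it loads")
    return reasons

def triage(log_text):
    """Map each Run-key O4 value name to its list of review reasons."""
    entries = filter(None, map(parse_o4, log_text.splitlines()))
    return {name: review_reasons(name, cmd) for _hive, name, cmd in entries}

# First line is the one posted in the thread; the other two are constructed samples.
SAMPLE = r"""
O4 - HKLM\..\Run: [qytyavh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\qytyavh.dll,paaqscd
O4 - HKCU\..\Run: [2122cae8] C:\Documents and Settings\user\Local Settings\Application Data\2122cae8.exe
O4 - HKLM\..\Run: [ExampleApp] "C:\Program Files\ExampleApp\app.exe" /min
"""

if __name__ == "__main__":
    for value, reasons in triage(SAMPLE).items():
        print(value, "->", reasons or "nothing flagged")
```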


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Ya ruu, just spotted that, there are a few that show nothing when ya google them.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    I just went into the folder system32 and found these objects:

    rundll32.exe, qytyavh.dll.

    I tried to delete them but it won't let me, says it cannot delete them, access denied.

    Couldn't find paaqscd anywhere...

    Ah, this is a pain..

    Maybe I should do a system restore. Or do you think it would be worth it to pay for Xoftspy?

    I googled dialerglobalaccess and found this: http://www.paretologic.com/resources/definitions.aspx?lid=EN&remove=Dialer%20GlobalAccess

    I don't want a nasty surprise on my phone bill....


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Don't delete anything yet especially not rundll32.exe, it is a vital system file. Just follow the steps I pointed out re:msconfig->startup tab->untick box beside the process I mentioned and restart.
    If nothing, then we can narrow it down more. Give System Restore a try if you wish and see if you can get anywhere.

    I would certainly not go and pay for xoftspy. Free ones like Spybot and Ewido will do just as well.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    Yikes.. thanks for the quick reply Ruu.

    But on the Startup tab, I can't find any of those processes to uncheck...

    But McAfee is there, should I uncheck that?


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    If you have removed McAfee from the system using the tool I posted earlier, then go ahead and remove it from the Startup tab.


  • Registered Users, Registered Users 2 Posts: 1,261 ✭✭✭rsta


    unchecked mcupdate and mcagent

    going to restart now.


  • Closed Accounts Posts: 1 Virus Eliminato


    Hey, I know it's a bit old, this thread, but if anyone is still reading this for the Ucleaner virus, as I have it: do not over-click on it, even the popups, as too many clicks on them allow your system to download it and let it take over.
    To end these popups [close them] without over-clicking on them, use Task Manager, but as well, with my system it also says 'Administrator has blocked task manager'.

    If you do get this, go to Start > Run > then copy and paste this code ' REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f ' and then click RUN.

    Now you should hopefully be able to successfully access Task Manager and kill the processes and local networks, but remember do NOT end any of the processes for your computer, as you will see your computer shut down lol.

    Hope this works, and also if you post back I might not be reading, as I just made a random account to warn you and tell you this.

    :)


  • Registered Users, Registered Users 2 Posts: 772 ✭✭✭floydmoon1


    Also, SmitfraudFix is great to get rid of these. Download it, go into safe mode and use it. Here is the link.
    http://www.filepedia.com/desktop_software/desktop_security/smitfraudfix.cfm


  • Closed Accounts Posts: 1 browns51


    I have been trying everything to get rid of this virus. I downloaded the AVG programs, and the virus takes about ten hours to come back :mad:
    I can try some of the steps in the earlier posts, but I also read in there that you aren't supposed to have more than one anti-virus program running... should I uninstall the AVG programs if I am going to get that smitfraud fix? I also read a few things online about an SIFix or SDFix or something?....
    Sorry about my about-to-be-long post, I just don't want to miss any info that might help. I am not really having the pop-up problem again today (I ran another virus scan this morning and got rid of it again), so I don't know if the solution from Virus Eliminato (two posts up) is right for me or not...? I never had a problem getting into Task Manager even when I had 35 UCleaner pop-ups on my desktop (I just went in and ended the tasks from there).
    I thought it might help (possibly :) ) if I gave some more specific info about my situation:

    One issue now is that every minute or two, my desktop taskbar disappears for a second and then comes back, and I have no cursor for a couple of seconds...??? The wallpaper stays there (the red devil-looking thing didn't return today).
    I'm sure that one reason why this all happened is because our paid subscription with BearShare ran out and we kept downloading music anyway without knowing we were getting the third-party bundles... I deleted all of the BearShare stuff, as far as I know (this is probably also why my computer's been messed up for a while). When I ran the AVG spyware and virus scan yesterday it detected some Viewpoint (media?) files as possibly infected, so I deleted those. It also detected four spyware threats, and I wiped those.
    The problems detected yesterday were like this:
    Two were in Documents and Settings, and said something like local settings\temp\WNSInst.exe\WSN.exe (it said that one was "Adware Generic.EAI" and a potentially unwanted program with an embedded object, and I deleted it) and the other one said the same path as above without the last \WSN.exe (and that it was potentially unwanted, moved to vault, and an Archive)??
    The next thing was C:\WINDOWS\msmdev.dll (potentially unwanted, deleted) and the last file was C:\WINDOWS\Downloaded Program Files\popcaploader.dll (potentially unwanted and moved to vault).
    When I ran the scan again this morning after I started getting the UCleaner screens again, it detected C:\WINDOWS\msmdev.dll (potentially unwanted, deleted) again, even though I deleted it yesterday...
    Today it also detected two low-risk spyware issues with a GoogleToolbarNotifier (one had a HKLM\software path through Windows Explorer as a browser helper object or something, and I was afraid to delete it. The other one was through the C:\ drive as a program file for Google and I think that is the toolbar notifier itself; I think it ended in swg.dll). Those are in quarantine and I haven't deleted them yet just in case I shouldn't.
    Also, for some reason (even before I downloaded the AVG files), I kept getting a little pop-up screen from Windows saying that I need my Symantec disk in order to "access that option" or something like that (when I tried to access any program, but then if I clicked out of it twice it went away for a bit)... but I did completely delete all of my Symantec stuff a few hours ago in the AVG system analysis folder as well as in the control panel/remove programs, and I haven't seen it again yet.
    I guess I just need to know what my next best step would be. I'm assuming that one of the processes in the previous posts will work, but I don't want to try the wrong one. I would love some advice!!!
    Thank you, and I am so sorry for the long jumbled post :o

