• Status: Solved
  • Priority: Medium
  • Security: Public

UQbarX service (makes me go maaaaaaad!)

All right this is a tough one, at least for me:

I have a new service at startup called UQbarX, don't know where it came from but it creates a new user folder inside the Documents and Settings folder each time XP starts. I can delete the folder but it's back there at reboot... The user folder is WisPvkGRssgGeGv but it's not listed in the control panel.

I am in no way able to modify service settings, it is stuck on automatic but it runs only at startup... When I try to change from automatic to disabled or I try to disable it in the current hardware profile I get an ACCESS DENIED dialog box!

The executable of this service is: "C:\Programmi\Gvht.exe" and I can't do anything with this program, read it, delete it, copy it to another folder, NOTHING.

I've tried going to safe mode but nothing changes... Actually in the c:\programmi there were other strange files which I was able to delete in safe mode but I can't even access this one in safe mode, don't know what to do!

Moreover the hard disk is not only NTFS but a RAID 0+1 array so I can't access it from DOS...

Daniele Brunengo
1 Solution
 
Chatable Commented:
This seems like a spyware issue. Download and scan your system with the following programs:
Ad-Aware: http://www.lavasoft.de/
MS Windows Defender: http://www.microsoft.com/athome/security/spyware/software/default.mspx
Spybot S&D: http://www.spybot.info/en/index.html
Webroot SpySweeper: http://www.webroot.com/consumer/products/spysweeper/
At least one of them should be able to rid you of the unwelcome guest.

If nothing works, you can use the Windows recovery console. Put your Windows CD in your CD-ROM and boot your computer. When the setup welcome screen appears press R for repair then C for the recovery console.
Once at the command prompt you can disable the service simply by typing (Assuming the service name is uqbarx):
disable uqbarx
Then you can also delete the files from the disk.
 
r-k Commented:
Try this:

(0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

(1) Right click on the file (Gvht.exe) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Close all windows.

(6) Reboot.

After reboot the file will be unable to run (because no one can access it any more). The symptoms should be gone.

At this point you can clean up with a standard anti-spyware program. I suggest Ewido, but you can try others that you already have.
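
The permission change in steps (1) to (5), scripted, as an added example that is not part of r-k's post. It assumes a Windows version with PowerShell 3.0 or later, an elevated session, and an account that owns the file; the function name Remove-AllFileAccess is hypothetical.

```powershell
# Added example (not from the thread): scripted equivalent of steps (1)-(5).
# Assumes an elevated session run by an account that owns the file.
function Remove-AllFileAccess {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path

    # Step (4), first half: stop inheriting from the parent folder.
    # $true  = protect the DACL from inheritance,
    # $false = do not keep copies of the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Step (4), second half: purge every explicit entry as well,
    # which leaves an empty DACL (nobody is granted any access).
    $identities = @($acl.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { $_.IdentityReference } |
        Select-Object -Unique)
    foreach ($id in $identities) {
        $acl.PurgeAccessRules($id)
    }

    Set-Acl -LiteralPath $Path -AclObject $acl

    # Read the descriptor back. The owner keeps the implicit right to read
    # and rewrite the DACL, so the change can be checked and later undone.
    $after = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path             = $Path
        Owner            = $after.Owner
        InheritanceOff   = $after.AreAccessRulesProtected
        RemainingEntries = @($after.Access).Count
    }
}

# Path as reported in the question.
Remove-AllFileAccess -Path 'C:\Programmi\Gvht.exe'
```

The returned object shows whether inheritance is now blocked and how many access entries are left on the file; the reboot in step (6) is still needed so that the already running copy is not started again.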
 
Daniele Brunengo, IT Consultant, Web Designer (Author) Commented:
There is no security tab in the properties window.

I've already searched with ewido, spyware doctor and adaware, will try some others.
 
r-k Commented:
Are you running XP Pro? In that case, do the following:

 My Computer -> Tools -> Folder Options -> View

scroll down to "Use Simple File Sharing..." and un-check it, click on Apply etc.

After that the Security Tab will be there.

If you are running XP Home, just boot in safe mode and then the Security Tab will be there.
 
Daniele Brunengo, IT Consultant, Web Designer (Author) Commented:
All right r-k, I did as you say; the box was greyed out but I fiddled with authorizations until I managed to remove it.

Thanks a lot!

With similar methods I removed all entries from the registry, although a couple of them I was unable to remove. But maybe after reboot they will be removable too.

I'm waiting to reboot before closing.
 
Daniele Brunengo, IT Consultant, Web Designer (Author) Commented:
Ok, after reboot it hasn't changed, I still can't remove these registry keys for lack of authorizations, I've tried meddling with them but I can't seem to succeed.

All the rest is all right, the service is not listed anymore and the alien file and folder are gone, but I would like to make a perfect cleaning, can you still help me with this?
 
r-k Commented:
Great. Looks like you're making progress.

To identify the remaining problem, can you do the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.

Thanks.

(Otherwise, let me know which registry entry you're trying to remove, and why)
 
Daniele Brunengo, IT Consultant, Web Designer (Author) Commented:
I've tried with hijackthis but it doesn't list the entries I'm trying to remove. I'm just trying to remove all entries referring to the UQbarX service, which actually doesn't even load anymore, but some junk entries are left in the registry...
 
r-k Commented:
OK, I see. They're probably not active anymore, so harmless. If you like, please post the exact path (in the registry) of one of the entries, and what error you get if you try to delete it.
 
Daniele Brunengo, IT Consultant, Web Designer (Author) Commented:
One is at: HKLM\SYSTEM\CurrentControlSet\Services\UQbarX

It says Error: impossible to eliminate or something like that (I'm translating from Italian)
 
Daniele Brunengo, IT Consultant, Web Designer (Author) Commented:
Well, since those entries are harmless I think I'll close down this question, thanks a lot!