Go-GBS asked:
Does anybody have a good solution to remove Windows Express Spyware?

I've tried to manually remove keys from the registry and I used Malwarebytes, but I can't seem to get it removed.

Thanks
Sudeep Sharma:
Give SUPERAntiSpyware a try as well.
http://www.superantispyware.com/
ASKER CERTIFIED SOLUTION
younghv
(solution text only available to Experts Exchange members)
A quick search on Google shows manual removal instructions, which point to:

Windows Express Settings creates the following files and folders
%AppData%\{RANDOM}.exe

Windows Express Settings creates the following registry keys and values
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = "%AppData%\{random}.exe"

Also these:
    * upnphost.dll
    * appmgmts.dll
    * %PROGRAM_FILES%\WindowsExpressHelp

Sudeep
You might also want to try TDSSKiller, as there may be a rootkit. Whilst MB tends to find rootkits, it doesn't always work. TDSSKiller is strictly meant for finding rootkits.

Run MB and/or HitmanPro, then run TDSSKiller.
http://support.kaspersky.com/faq/?qid=208283363
This one has detailed manual removal instructions:

http://security-wire.com/02/how-to-remove-windows-express-settings-rogue-anti-spyware.html

Manual Removal
Note: If you are not proficient with computers, it is suggested that you back up your registry before manually removing Windows Express Settings Rogue Anti-Spyware. Double-check the entries you are going to delete, or your computer may not work because of missing files.

Step 1: Processes you need to end:

[random].exe

Step 2: Registry entries you need to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'

Step 3: Files you need to delete:

%Documents and Settings%\[UserName]\Application Data\[random].exe

%Documents and Settings%\[UserName]\Desktop\Windows Express Settings.lnk

%Documents and Settings%\[UserName]\Start Menu\Programs\Windows Express Settings\

%Documents and Settings%\[UserName]\Start Menu\Programs\Windows Express Settings\Uninstall Windows Express Settings.lnk

Sudeep
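The registry and file locations listed in the two posts above, turned into a read-only PowerShell audit. This is an added example, not code from the thread, from security-wire.com or from any of the tools mentioned; it reports which indicators are still present so the state can be confirmed before and after running the automated cleaners. It assumes PowerShell 3.0 or later and deletes nothing.

```powershell
# Added audit script (not from the thread or the linked article): checks the locations
# listed in the manual removal posts and reports which indicators are still present.
# The process names, registry paths and %AppData% location come from the thread;
# everything else here is constructed for this example.

$ifeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hijackedProcesses = 'avastui.exe','egui.exe','ekrn.exe','msascui.exe','msmpeng.exe','msseces.exe'
$findings = @()

# IFEO "Debugger" hijack: when a security product's key carries a Debugger value, Windows
# starts that "debugger" (svchost.exe, per the thread) instead of the product itself.
foreach ($proc in $hijackedProcesses) {
    $key = Join-Path $ifeoBase $proc
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO Debugger hijack: $proc -> $dbg" }
    }
}

# Winlogon Shell under HKCU: normally absent or explorer.exe; the rogue points it at
# a random .exe under %AppData%, which is why the desktop can vanish after removal.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -notmatch '^explorer\.exe$') {
    $findings += "Winlogon Shell (HKCU) is '$shell' instead of explorer.exe"
}

# System Restore switched off (DisableSR = 1) removes the easy rollback path.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$sr = (Get-ItemProperty -Path $srKey -Name 'DisableSR' -ErrorAction SilentlyContinue).DisableSR
if ($sr -eq 1) { $findings += 'System Restore disabled via DisableSR = 1' }

# Random-named executables sitting directly in the roaming AppData root.
Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Executable in %AppData% root: $($_.FullName)" }

if ($findings.Count -eq 0) {
    'No Windows Express Settings indicators found in the checked locations.'
} else {
    'Indicators still present (review each one, and back up the registry before removing):'
    $findings | ForEach-Object { " - $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; an empty report after the automated tools and a reboot is the confirmation the asker was looking for.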
ChiefTechGuru:
There are two good articles for what looks like slightly different variants of Windows Express:

Windows Express Help
Windows Express Settings

@ChiefTechGuru,
Why did you post the same advice that I did?

I realize that you are brand new here, but you cannot simply duplicate advice that was already posted.

https://www.experts-exchange.com/help.jsp#hs=30&hi=416
"Read previous posts before commenting:"
It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.

@Go-GBS,
I would suggest that you always use an automated removal program - if it has been proven to be successful.

Manual manipulation of your registry is fraught with potential to damage your system beyond repair and should only be a last step - if nothing else worked.
@younghv I would have to agree that manually messing with the registry (especially if you don't know what it is) is downright scary and dangerous. You can severely screw up your Windows, even beyond repair. But I was wondering if the virus keeps showing up every time you reboot. I am assuming that after running MB it states "Please restart to finish removing". Before you do that I really recommend running TDSSKiller. A rootkit could be one system file that is infected that MB may not catch. So after you think everything is all good and restart, that rootkit can bring everything back again all on its own.
SOLUTION
(solution text only available to Experts Exchange members)
@Scissors85 -
I've only had one of these infections come through my shop and the instructions from "Grinler" did the trick - that is why I recommended it.
He doesn't seem to be concerned with RootKit analysis and I trust him to mention it if needed.
He does (as he often does) mention RKill and shell.reg, but no other tools.
I love TDSSKiller and carry it with me on every job.
TMK, it has never adversely affected a system I've worked on, but I like to keep the "less is more" mantra in mind.
If the instructions from MBAM work, let's use them and move on down the road.
<Grin>


@goldeneagle3333 -
The same comment about duplicating advice applies to you.
It is really discourteous to post advice that is already given.
@younghv Fair enough. It just sounded like from his symptoms if you will that it keeps coming back after running the MB or manually removing the reg keys so I figured the next step would be check for a rootkit. Just my 2 cents :)
@younghv: My apologies. Between the time I read the original post, looked for a solution, got distracted with a couple of other things, and typed up my comments, more than 6 minutes had elapsed, which is the total difference in time between our postings.
CTG - Understood - join us at the link I posted above.
Go-GBS (Asker):
I ran Malwarebytes three total times to get it completely removed, in addition I used CCleaner and Comodo System Cleaner, which helped get rid of some Run DLL error messages I was getting as well.
Go-GBS,
Please make sure that you also run this:

http://download.bleepingcomputer.com/reg/shell.reg
Go-GBS (Asker):
Maybe I missed something, but what is that?
It is "Step 6" from the instructions I linked to above:

6. Next, we have to fix your Windows Registry Shell value. If we do not fix this entry and it is deleted, then your Windows desktop will not be displayed the next time you reboot.

To fix the Shell entry, simply download the following file to your desktop. If you are having trouble downloading the file, try right-clicking on it and selecting Save as.

Shell.reg Download Link

****************************
If your Windows desktop is displaying OK, then nevermind.
Go-GBS (Asker):
Yeah, the desktop was fine, so I skipped that step. Thanks.
Just glad it all worked out. Thanks.