  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 449

Does anybody have a good solution to remove Windows Express Spyware?

I've tried to manually remove keys from the registry and I used Malwarebytes, but I can't seem to get it removed.

Thanks
0
Asked by: Go-GBS
2 Solutions
 
JeremySBrown commented:
Give SUPERAntiSpyware a try as well.
http://www.superantispyware.com/
0
 
younghv commented:
Malwarebytes is the proper tool and here is a link to the exact instructions (written by "Grinler" - a world class anti-malware type)

http://www.bleepingcomputer.com/virus-removal/remove-windows-express-help
0
 
Sudeep Sharma (Technical Designer) commented:
A quick search on google shows Manual removal which points to:

Windows Express Settings creates the following files and folders:
    * %AppData%\{RANDOM}.exe

Windows Express Settings creates the following registry keys and values:
    * HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = "%AppData%\{random}.exe"

Also these:
    * upnphost.dll
    * appmgmts.dll
    * %PROGRAM_FILES%\WindowsExpressHelp

Sudeep
0
 
Sean Scissors (Program Analyst II) commented:
You might also want to try TDSSKiller, as there may be a rootkit. Whilst MB tends to find rootkits, it doesn't always work. TDSSKiller is strictly meant for finding rootkits.

Run MB and/or HitmanPro, then run TDSSKiller.
http://support.kaspersky.com/faq/?qid=208283363
0
 
Sudeep Sharma (Technical Designer) commented:
This one has detailed manual removal instructions:

http://security-wire.com/02/how-to-remove-windows-express-settings-rogue-anti-spyware.html

Manual Removal
Note: If you are not proficient with computers, it's suggested that you back up your registry before manually removing Windows Express Settings Rogue Anti-Spyware. Double check the entries that you are going to delete, or your computer may not work because files are missing.

Step 1: Processes you need to end:

[random].exe

Step 2: Registry entries you need to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe "Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = "1"

Step 3: Files you need to delete:

%Documents and Settings%\[UserName]\Application Data\[random].exe

%Documents and Settings%\[UserName]\Desktop\Windows Express Settings.lnk

%Documents and Settings%\[UserName]\Start Menu\Programs\Windows Express Settings\

%Documents and Settings%\[UserName]\Start Menu\Programs\Windows Express Settings\Uninstall Windows Express Settings.lnk

Sudeep
0
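The two manual-removal posts from Sudeep Sharma above describe the persistence points this rogue antispyware used: "Debugger" values under Image File Execution Options that redirect security-product executables to svchost.exe, a hijacked Winlogon Shell value, DisableSR set to 1, and a random .exe dropped in the %AppData% root. The following PowerShell script is an added example, not code from the thread or from the linked removal guides. It is a read-only audit: it reports what it finds at those locations and deletes nothing, which fits the later advice in the thread that registry editing should be a last step. It assumes the expected HKLM Winlogon Shell value is explorer.exe, that a per-user (HKCU) Shell override is unexpected, and that an .exe sitting directly in the %AppData% root is worth a look; the registry paths are the ones given in the posts above. Run it from an elevated prompt so the HKLM keys are readable.

```powershell
# Added example (not from the thread): read-only audit of the persistence points
# listed in the manual-removal posts. Reports findings; never deletes anything.
# Assumptions: expected HKLM Winlogon Shell is "explorer.exe"; an HKCU Shell
# override is unexpected; an .exe in the %AppData% root deserves review.

function Get-IfeoDebuggerEntries {
    # An IFEO "Debugger" value makes Windows start that program instead of the
    # named executable. Debugging tools set it legitimately, so each hit is
    # flagged for review; the svchost.exe pattern is the one the posts describe.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = $key.GetValue('Debugger')   # $null when the value is absent
            if ($dbg) {
                $flag = 'REVIEW'
                if ($dbg -match '(?i)svchost\.exe') { $flag = 'MATCHES PATTERN FROM THREAD' }
                [pscustomobject]@{
                    Check    = 'IFEO Debugger'
                    Location = "$root\$($key.PSChildName)"
                    Value    = $dbg
                    Flag     = $flag
                }
            }
        }
    }
}

function Get-WinlogonShellStatus {
    # HKLM Shell should be exactly explorer.exe. A Shell value under HKCU is a
    # per-user override, which is how the rogue replaced the desktop.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; ExpectPresent = $true },
        @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';  ExpectPresent = $false }
    )
    foreach ($c in $checks) {
        $shell = (Get-ItemProperty -Path $c.Path -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($c.ExpectPresent) {
            $flag = 'UNEXPECTED'
            if ($shell -eq 'explorer.exe') { $flag = 'OK' }
        } else {
            $flag = 'UNEXPECTED per-user override'
            if ($null -eq $shell) { $flag = 'OK (no per-user override)' }
        }
        [pscustomobject]@{ Check = 'Winlogon Shell'; Location = $c.Path; Value = $shell; Flag = $flag }
    }
}

function Get-SystemRestoreStatus {
    # Path as quoted in the thread; DisableSR = 1 means System Restore is off.
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $v = (Get-ItemProperty -Path $path -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
    $flag = 'OK'
    if ($v -eq 1) { $flag = 'System Restore disabled' }
    [pscustomobject]@{ Check = 'SystemRestore DisableSR'; Location = $path; Value = $v; Flag = $flag }
}

function Get-AppDataRootExecutables {
    # The dropper lived as %AppData%\{random}.exe; list any .exe directly in that root.
    Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Check = 'AppData root .exe'; Location = $_.FullName; Value = $_.Length; Flag = 'REVIEW' }
        }
}

function Invoke-RogueAntispywareAudit {
    @(Get-IfeoDebuggerEntries) + @(Get-WinlogonShellStatus) +
        @(Get-SystemRestoreStatus) + @(Get-AppDataRootExecutables)
}

Invoke-RogueAntispywareAudit | Format-Table Check, Location, Value, Flag -AutoSize -Wrap
```

Anything the audit flags is a lead to verify against the instructions linked in the thread, not an automatic deletion list: an IFEO Debugger entry can belong to a legitimately installed debugger, and a changed Shell value should be confirmed before it is reset.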
 
ChiefTechGuru commented:
There are two good articles for what looks like slightly different variants of Windows Express:

Windows Express Help
Windows Express Settings

0
 
younghv commented:
@ChiefTechGuru,
Why did you post the same advice that I did?

I realize that you are brand new here, but you cannot simply duplicate advice that was already posted.

http://www.experts-exchange.com/help.jsp#hs=30&hi=416
"Read previous posts before commenting:"
It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.

0
 
younghv commented:
@Go-GBS,
I would suggest that you always use an automated removal program - if it has been proven to be successful.

Manual manipulation of your registry is fraught with potential to damage your system beyond repair and should only be a last step - if nothing else worked.
0
 
Sean Scissors (Program Analyst II) commented:
@younghv I would have to agree that manually messing with the registry (especially if you don't know what it is) is downright scary and dangerous. You can severely screw up your Windows, even beyond repair. But I was wondering if the virus keeps showing up every time you reboot. I am assuming that after running MB it states "Please restart to finish removing". Before you do that I really recommend running TDSSKiller. A rootkit could be one system file that is infected that MB may not catch. So after you think everything is all good and restart, that rootkit can bring everything back again all on its own.
0
 
goldeneagle3333 commented:
With all the suggestions I am sure you will find one that works.

I would use:

1) Vipre Rescue - http://vipre.malwarebytes.org/
2) Malwarebytes - can also be obtained from the link above
3) CCleaner
0
 
younghv commented:
@Scissors85 -
I've only had one of these infections come through my shop and the instructions from "Grinler" did the trick - that is why I recommended it.
He doesn't seem to be concerned with RootKit analysis and I trust him to mention it if needed.
He does (as he often does) mention RKill and shell.reg, but no other tools.
I love TDSSkiller and carry it with me on every job.
TMK, it has never adversely affected a system I've worked on, but I like to keep the "less is more" mantra in mind.
If the instructions from MBAM work, let's use them and move on down the road.
<Grin>


@goldeneagle3333 -
The same comment about duplicating advice applies to you.
It is really discourteous to post advice that is already given.
0
 
Sean Scissors (Program Analyst II) commented:
@younghv Fair enough. It just sounded like from his symptoms if you will that it keeps coming back after running the MB or manually removing the reg keys so I figured the next step would be check for a rootkit. Just my 2 cents :)
0
 
younghv commented:
S_85 (and anyone else) -
Let's move here (generic malware conversation):
http://www.experts-exchange.com/Q_24860646.html#a35002621
0
 
ChiefTechGuru commented:
@younghv: My apologies. Between the time I read the original post, looked for a solution, got distracted with a couple of other things, and typed up my comments, more than 6 minutes had elapsed, which is the total difference in time between our postings.
0
 
younghv commented:
CTG - Understood - join us at the link I posted above.
0
 
Go-GBS (Author) commented:
I ran Malwarebytes three total times to get it completely removed, in addition I used CCleaner and Comodo System Cleaner, which helped get rid of some Run DLL error messages I was getting as well.
0
 
younghv commented:
Go-GBS,
Please make sure that you also run this:

http://download.bleepingcomputer.com/reg/shell.reg
0
 
Go-GBS (Author) commented:
Maybe I missed something, but what is that?
0
 
younghv commented:
It is "Step 6" from the instructions I linked to above:

6. Next, we have to fix your Windows Registry Shell value. If we do not fix this entry and it is deleted, then your Windows desktop will not be displayed the next time you reboot.

To fix the Shell entry, simply download the following file to your desktop. If you are having trouble downloading the file, try right-clicking on it and selecting Save as.

Shell.reg Download Link

****************************
If your Windows desktop is displaying OK, then never mind.
0
 
Go-GBS (Author) commented:
Yeah the desktop was fine, so I skipped that step, thanks.
0
 
younghv commented:
Just glad it all worked out - thanks.
0
