Solved

Does anybody have a good solution to remove Windows Express Spyware?

Posted on 2011-02-28
425 Views
Last Modified: 2012-05-11
I've tried to manually remove keys from the registry and I used Malwarebytes, but I can't seem to get it removed.

Thanks
Question by:Go-GBS
22 Comments
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 35002099
 
LVL 13

Expert Comment

by:JeremySBrown
ID: 35002117
Give SUPERAntiSpyware a try as well.
http://www.superantispyware.com/
 
LVL 38

Accepted Solution

by:
younghv earned 400 total points
ID: 35002118
Malwarebytes is the proper tool, and here is a link to the exact instructions (written by "Grinler", a world-class anti-malware type):

http://www.bleepingcomputer.com/virus-removal/remove-windows-express-help
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 35002136
A quick search on Google shows manual removal instructions, which point to:

Windows Express Settings creates the following files and folders
%AppData%\{RANDOM}.exe

Windows Express Settings creates the following registry keys and values
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = “%AppData%\{random}.exe”

Also these:
    * upnphost.dll
    * appmgmts.dll
    * %PROGRAM_FILES%\WindowsExpressHelp

Sudeep
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 35002150
You might also want to try TDSSkiller, as there may be a rootkit. Whilst MB tends to find rootkits, it doesn't always work. TDSSkiller is strictly meant for finding rootkits.

Run MB and/or HitmanPro, then run TDSSkiller.
http://support.kaspersky.com/faq/?qid=208283363
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 35002164
This one has detailed manual removal instructions:

http://security-wire.com/02/how-to-remove-windows-express-settings-rogue-anti-spyware.html

Manual Removal
Note: If you are not proficient with computers, it's suggested that you back up your registry before manually removing Windows Express Settings Rogue Anti-Spyware. And double-check the entries that you are going to delete, or your computer may not work because some files are missing.

Step 1: Processes you need to end:

[random].exe

Step 2: Registry entries you need to delete:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'

Step 3: Files you need to delete:

%Documents and Settings%\[UserName]\Application Data\[random].exe

%Documents and Settings%\[UserName]\Desktop\Windows Express Settings.lnk

%Documents and Settings%\[UserName]\Start Menu\Programs\Windows Express Settings\

%Documents and Settings%\[UserName]\Start Menu\Programs\Windows Express Settings\Uninstall Windows Express Settings.lnk

Sudeep
 
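The registry indicators in the comment above (IFEO "Debugger" values pointed at svchost.exe, a replaced Winlogon Shell, and DisableSR = 1) can be checked in one pass rather than by hand in regedit. The script below is an added example written for this page; it is not part of the thread or of the linked removal guides. It assumes the registry locations exactly as the comment lists them, and the `-Fix` switch, the `Add-Finding` helper and the output layout are this example's own. It goes beyond the six named AV binaries by walking every IFEO subkey, since the rogue may target other products and any Debugger value on a workstation deserves a look. By default it only reports; nothing is changed unless `-Fix` is passed from an elevated prompt.

```powershell
# Added example (not from the thread): audit, and only with -Fix undo, the
# registry tricks attributed above to the "Windows Express Settings" rogue.
# Written for PowerShell 2.0 (XP/7 era), hence New-Object instead of
# [pscustomobject]. Run elevated; -Fix writes to HKLM.
[CmdletBinding()]
param([switch]$Fix)

$ifeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$winlogonM = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonU = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sysRest   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

$findings = @()
function Add-Finding($type, $path, $value) {
    # Helper invented for this example: collect one row per indicator.
    $script:findings += New-Object PSObject -Property @{ Type = $type; Path = $path; Value = $value }
}

# 1. IFEO "Debugger" hijacks. Windows launches the named Debugger instead of
#    the program, so pointing an AV executable at svchost.exe silently stops
#    it from ever starting. Every subkey is checked, not just the six listed;
#    expect legitimate hits only from developer tooling such as gflags.
Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Add-Finding 'IFEO Debugger' $_.PSChildName $dbg
        if ($Fix) { Remove-ItemProperty -Path $_.PSPath -Name Debugger }
    }
}

# 2. Winlogon Shell. HKLM should read "explorer.exe"; the rogue adds a
#    per-user Shell value under HKCU pointing at %AppData%\<random>.exe, so the
#    fix is to remove the HKCU override and restore HKLM if it was touched.
foreach ($key in $winlogonM, $winlogonU) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        Add-Finding 'Winlogon Shell' $key $shell
        if ($Fix) {
            if ($key -eq $winlogonU) { Remove-ItemProperty -Path $key -Name Shell }
            else { Set-ItemProperty -Path $key -Name Shell -Value 'explorer.exe' }
        }
    }
}

# 3. System Restore switched off (DisableSR = 1), which removes the easy
#    rollback once the rogue is in place.
$sr = (Get-ItemProperty -Path $sysRest -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
if ($sr -eq 1) {
    Add-Finding 'SystemRestore DisableSR' $sysRest $sr
    if ($Fix) { Set-ItemProperty -Path $sysRest -Name DisableSR -Value 0 -Type DWord }
}

# 4. The dropper itself: a random-named .exe sitting directly in %AppData%.
#    Reported only, never deleted, because legitimate software occasionally
#    drops executables there too; review the list before removing anything.
Get-ChildItem -Path $env:APPDATA -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Executable in %AppData%' $_.FullName $_.Length
}

if ($findings.Count -eq 0) { Write-Output 'No Windows Express indicators found.' }
else { $findings | Select-Object Type, Path, Value | Format-Table -AutoSize }
```

Run it once without `-Fix`, read the table, and only then run with `-Fix` if every IFEO hit is clearly the rogue's; a Debugger value belonging to a real debugger should be left alone. Removing the HKCU Shell override is the same end result as importing the shell.reg file mentioned later in the thread.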
LVL 4

Expert Comment

by:ChiefTechGuru
ID: 35002181
There are two good articles for what looks like slightly different variants of Windows Express:

Windows Express Help
Windows Express Settings

 
LVL 38

Expert Comment

by:younghv
ID: 35002277
@ChiefTechGuru,
Why did you post the same advice that I did?

I realize that you are brand new here, but you cannot simply duplicate advice that was already posted.

http://www.experts-exchange.com/help.jsp#hs=30&hi=416
"Read previous posts before commenting:"
It is important to read the entire thread so that you know the current situation. That will keep you from posting a duplicate answer or one that has already been shown not to work. If you basically agree with another comment but have something more to add, remember to give credit for the original suggestion -- mention that Expert by name -- in your post.

 
LVL 38

Expert Comment

by:younghv
ID: 35002299
@Go-GBS,
I would suggest that you always use an automated removal program - if it has been proven to be successful.

Manual manipulation of your registry is fraught with potential to damage your system beyond repair and should only be a last step - if nothing else worked.
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 35002380
@younghv I would have to agree that manually messing with the registry (especially if you don't know what it is) is downright scary and dangerous. You can severely screw up your Windows, even beyond repair. But I was wondering if the virus keeps showing up every time you reboot. I am assuming that after running MB it states "Please restart to finish removing". Before you do that, I really recommend running TDSSkiller. A rootkit could be one system file that is infected that MB may not catch. So after you think everything is all good and restart, that rootkit can bring everything back again all on its own.
 
LVL 3

Assisted Solution

by:goldeneagle3333
goldeneagle3333 earned 100 total points
ID: 35002386
With all the suggestions I am sure you will find one that works.  

I would use:

1) Vipre Rescue - http://vipre.malwarebytes.org/ 
2) Malware Bytes - Can also be obtained from the link above
3) CCleaner
 
LVL 38

Expert Comment

by:younghv
ID: 35002462
@Scissors85 -
I've only had one of these infections come through my shop and the instructions from "Grinler" did the trick - that is why I recommended it.
He doesn't seem to be concerned with RootKit analysis and I trust him to mention it if needed.
He does (as he often does) mention RKill and shell.reg, but no other tools.
I love TDSSkiller and carry it with me on every job.
TMK, it has never adversely affected a system I've worked on, but I like to keep the "less is more" mantra in mind.
If the instructions from MBAM work, let's use them and move on down the road.
<Grin>


@goldeneagle3333 -
The same comment about duplicating advice applies to you.
It is really discourteous to post advice that is already given.
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 35002487
@younghv Fair enough. It just sounded like from his symptoms if you will that it keeps coming back after running the MB or manually removing the reg keys so I figured the next step would be check for a rootkit. Just my 2 cents :)
 
LVL 38

Expert Comment

by:younghv
ID: 35002625
S_85 (and anyone else) -
Let's move here (generic malware conversation):
http://www.experts-exchange.com/Q_24860646.html#a35002621
 
LVL 4

Expert Comment

by:ChiefTechGuru
ID: 35002782
@younghv: my apologies. Between the time I read the original post, looked for a solution, got distracted with a couple of other things, and typed up my comments, more than 6 minutes had elapsed, which is the total difference in time between our postings.
 
LVL 38

Expert Comment

by:younghv
ID: 35002826
CTG - Understood - join us at the link I posted above.
 

Author Comment

by:Go-GBS
ID: 35026711
I ran Malwarebytes three total times to get it completely removed, in addition I used CCleaner and Comodo System Cleaner, which helped get rid of some Run DLL error messages I was getting as well.
 
LVL 38

Expert Comment

by:younghv
ID: 35026740
Go-GBS,
Please make sure that you also run this:

http://download.bleepingcomputer.com/reg/shell.reg
 

Author Comment

by:Go-GBS
ID: 35026860
Maybe I missed something, but what is that?
 
LVL 38

Expert Comment

by:younghv
ID: 35026904
It is "Step 6" from the instructions I linked to above:

6. The next thing we have to do is fix your Windows Registry Shell value. If we do not fix this entry and it is deleted, then your Windows desktop will not be displayed the next time you reboot.

To fix the Shell entry, simply download the following file to your desktop. If you are having trouble downloading the file, try right-clicking on it and selecting Save as.

Shell.reg Download Link

****************************
If your Windows desktop is displaying OK, then nevermind.
 

Author Comment

by:Go-GBS
ID: 35026916
Yeah the desktop was fine, so I skipped that step, thanks.
 
LVL 38

Expert Comment

by:younghv
ID: 35026929
Just glad it all worked out - thanks.