Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Got some heavy-duty dodginess going on on my laptop, getting messages saying unauthorised changes made etc. etc., and now some random wallpaper has installed itself saying I have spyware.
Running Malwarebytes at the mo, anything else I can do quickly to help?
|
Cosmo
Member
Registered: 29th Mar 01
Location: Im the real one!
User status: Offline
|
It's probably got one of those Irish PC viruses.
Bad times.
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
lol
Keep getting this Total Security msg (probs what the problem is!)
|
Cosmo
Member
Registered: 29th Mar 01
Location: Im the real one!
User status: Offline
|
Start up in Safe Mode and run Ad-Aware or something like that.
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Will try Ad-Aware.
|
Rich H
Member
Registered: 26th Oct 05
Location: West Sussex Drives: E46 M3
User status: Offline
|
Install Avast (free) as your AV software, install Spybot Search & Destroy and run it.
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Cheers guys, ran the Malwarebytes thingy, Ad-Aware, Spybot and AVG and it seems to have cured all apart from one recurring file that AVG can't get rid of called
gasfkyfgqixsyg.dll
or various names like that, any ideas? Google no help.
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
It's in the system32 folder.
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Trojan horse rootkit-packet
|
marklawton
Member
Registered: 24th Apr 05
Location: Pensby, Wirral Drives:Golf mk4 GTI
User status: Offline
|
I use
Avast and Spyware Terminator.
|
Sunz
Member
Registered: 12th Jan 07
Location: SE England
User status: Offline
|
I had a problem with some virus that would delete my boot.ini from Windows all the time, so I did some research into free anti-virus programs.
Avast was rated quite low, something like an 87% rate for finding the viruses.
Avira was rated the best in the tests I've seen, but it takes longer to do a full scan.
Best free anti-spyware:
SUPERAntiSpyware
|
Sam
Moderator Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
On your keyboard press the Windows key + R (or Start menu, Run if it's there).
Type in regedit and click OK.
Now, you need to navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Go to File, Export... and save the contents of that to a file, then paste the file contents in here so we can see what's dodgy and what isn't.
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Cheers Sambo
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name: <NO CLASS>
Last Write Time: 28/09/2009 - 23:14
Value 0
Name: Windows Defender
Type: REG_EXPAND_SZ
Data: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
Value 1
Name: ECenter
Type: REG_SZ
Data: C:\Dell\E-Center\EULALauncher.exe
Value 2
Name: OEM02Mon.exe
Type: REG_SZ
Data: C:\Windows\OEM02Mon.exe
Value 3
Name: SigmatelSysTrayApp
Type: REG_EXPAND_SZ
Data: %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
Value 4
Name: NvSvc
Type: REG_SZ
Data: RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
Value 5
Name: NvCplDaemon
Type: REG_SZ
Data: RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
Value 6
Name: NvMediaCenter
Type: REG_SZ
Data: RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
Value 7
Name: NVHotkey
Type: REG_SZ
Data: rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
Value 8
Name: SunJavaUpdateSched
Type: REG_SZ
Data: "C:\Program Files\Java\jre6\bin\jusched.exe"
Value 9
Name: DELL Webcam Manager
Type: REG_SZ
Data: "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
Value 10
Name: Broadcom Wireless Manager UI
Type: REG_SZ
Data: C:\Windows\system32\WLTRAY.exe
Value 11
Name: ISUSScheduler
Type: REG_SZ
Data: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
Value 12
Name: <NO NAME>
Type: REG_SZ
Data:
Value 13
Name: RoxWatchTray
Type: REG_SZ
Data: "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
Value 14
Name: PCMService
Type: REG_SZ
Data: "C:\Program Files\Dell\MediaDirect\PCMService.exe"
Value 15
Name: Adobe Reader Speed Launcher
Type: REG_SZ
Data: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
Value 16
Name: Google Desktop Search
Type: REG_SZ
Data: "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
Value 17
Name: dscactivate
Type: REG_SZ
Data: "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
Value 18
Name: GrooveMonitor
Type: REG_SZ
Data: "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
Value 19
Name: Updater
Type: REG_SZ
Data: C:\Windows\system32\updater\explorer.exe
Value 20
Name: Apoint
Type: REG_SZ
Data: C:\Program Files\DellTPad\Apoint.exe
Value 21
Name: ISUSPM Startup
Type: REG_SZ
Data: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
Value 22
Name: DellSupportCenter
Type: REG_SZ
Data: "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
Value 23
Name: QuickTime Task
Type: REG_SZ
Data: "C:\Program Files\QuickTime\QTTask.exe" -atboottime
Value 24
Name: iTunesHelper
Type: REG_SZ
Data: "C:\Program Files\iTunes\iTunesHelper.exe"
Value 25
Name: AVG8_TRAY
Type: REG_SZ
Data: C:\PROGRA~1\AVG\AVG8\avgtray.exe
Value 26
Name: PromoReg
Type: REG_SZ
Data: C:\Windows\Temp\_ex-08.exe
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
Class Name: <NO CLASS>
Last Write Time: 11/12/2007 - 22:41
Value 0
Name: <NO NAME>
Type: REG_SZ
Data:
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Class Name: <NO CLASS>
Last Write Time: 11/12/2007 - 22:41
Value 0
Name: Installed
Type: REG_SZ
Data: 1
Value 1
Name: <NO NAME>
Type: REG_SZ
Data:
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
Class Name: <NO CLASS>
Last Write Time: 11/12/2007 - 22:41
Value 0
Name: NoChange
Type: REG_SZ
Data: 1
Value 1
Name: Installed
Type: REG_SZ
Data: 1
Value 2
Name: <NO NAME>
Type: REG_SZ
Data:
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS
Class Name: <NO CLASS>
Last Write Time: 11/12/2007 - 22:41
Value 0
Name: Installed
Type: REG_SZ
Data: 1
Value 1
Name: <NO NAME>
Type: REG_SZ
Data:
|
Sam
Moderator Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
OK boot your laptop into SAFE MODE, and then load the Registry Editor (regedit).
In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete the following lines:
- the empty line
- the PromoReg line (this is the baddie)
Next, on your keyboard press the Windows key + R (or Start menu, Run if it's there).
Type in cmd and click OK.
Type in c: and press enter (skip this step if you already are in the c:\ drive).
Type in cd %windir%\temp and press enter.
Type in del *.* /F and press enter (this line will delete all files in the Windows temp directory including read-only files).
Now reboot into normal Windows, do you still get popups etc.?
|
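Added example, not code from anyone in this thread: a short Python script that reads the text-format export Sam asked for (the Key Name / Value N / Name / Type / Data layout Robbo pasted, which is what regedit's File > Export writes when you pick the text file format) and lists the Run entries a practitioner would look at first. The sample export embedded in it is constructed from a subset of Robbo's paste; the triage rules (a launcher living under a Temp folder, a core Windows binary name such as explorer.exe sitting anywhere other than C:\Windows or C:\Windows\system32, an unnamed value with no command) and the environment-variable map are my assumptions, not anything from the thread. Besides the empty value and PromoReg that Sam picked out, it also flags the Updater entry (explorer.exe in system32\updater), which nobody in the thread commented on; that is a prompt to check the file, not a verdict.

```python
"""Triage a regedit text export of the Run key (added example, not from the thread).

Reads the Key Name / Value N / Name / Type / Data layout regedit writes for a
text export, keeps only the autostart keys, and reports values worth a look.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the export pasted earlier in the thread.
SAMPLE_EXPORT = r"""
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name: <NO CLASS>
Last Write Time: 28/09/2009 - 23:14
Value 0
Name: Windows Defender
Type: REG_EXPAND_SZ
Data: %ProgramFiles%\Windows Defender\MSASCui.exe -hide
Value 1
Name: NvCplDaemon
Type: REG_SZ
Data: RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
Value 2
Name: <NO NAME>
Type: REG_SZ
Data:
Value 3
Name: Updater
Type: REG_SZ
Data: C:\Windows\system32\updater\explorer.exe
Value 4
Name: PromoReg
Type: REG_SZ
Data: C:\Windows\Temp\_ex-08.exe
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
Value 0
Name: Installed
Type: REG_SZ
Data: 1
"""


@dataclass
class RunValue:
    key: str
    name: str
    reg_type: str
    data: str


# Only these keys launch things at logon; Run\OptionalComponents\... does not.
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# First token that looks like a program/DLL, quoted or not, stopping before
# arguments (space) or a rundll32 entry point (comma).
EXE_RE = re.compile(r'^\s*"?(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?=[\s,]|$)', re.IGNORECASE)
# Assumed expansions for a default install on C:; adjust for the real machine.
ENV = {"%programfiles%": r"C:\Program Files", "%windir%": r"C:\Windows",
       "%systemroot%": r"C:\Windows"}
# Core Windows binary names malware likes to borrow, and where they normally live.
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                "lsass.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_export(text: str) -> list[RunValue]:
    """One RunValue per 'Value N' block, tagged with the key it sits under."""
    values: list[RunValue] = []
    key, cur = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Key Name:"):
            if cur is not None:
                values.append(cur)
                cur = None
            key = line.split(":", 1)[1].strip()
        elif re.fullmatch(r"Value \d+", line):
            if cur is not None:
                values.append(cur)
            cur = RunValue(key=key, name="", reg_type="", data="")
        elif cur is not None:
            for label, attr in (("Name:", "name"), ("Type:", "reg_type"), ("Data:", "data")):
                if line.startswith(label):
                    setattr(cur, attr, line[len(label):].strip())
    if cur is not None:
        values.append(cur)
    return values


def target_path(cmd: str) -> str:
    """The file that actually gets loaded by a Run-value command line."""
    for var, val in ENV.items():
        cmd = re.sub(re.escape(var), lambda _m, v=val: v, cmd, flags=re.IGNORECASE)
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip().split(" ", 1)[0]
    path = m.group(1)
    if path.lower().rpartition("\\")[2] in ("rundll32.exe", "rundll32"):
        # rundll32 <dll>,<entry> [args]: the DLL is the payload, not the host.
        return target_path(cmd.strip()[m.end():].lstrip(" ,"))
    return path


def triage(v: RunValue) -> list[str]:
    """Assumed heuristics, not exhaustive: reasons to look closer at one value."""
    reasons: list[str] = []
    if v.name in ("", "<NO NAME>") and not v.data:
        reasons.append("unnamed value with empty data: launches nothing, safe to delete")
    path = target_path(v.data).lower()
    folder, _, fname = path.rpartition("\\")
    if re.search(r"\\temp\\|%temp%|%tmp%", path):
        reasons.append(f"runs from a Temp directory: {path}")
    if fname in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        reasons.append(f"{fname} outside its normal folder: {path}")
    return reasons


def suspicious(text: str) -> dict[str, list[str]]:
    """Value name -> reasons, for values under the autostart keys only."""
    report: dict[str, list[str]] = {}
    for v in parse_export(text):
        if AUTOSTART_KEY.search(v.key) and triage(v):
            report[v.name or "<NO NAME>"] = triage(v)
    return report


if __name__ == "__main__":
    for name, reasons in suspicious(SAMPLE_EXPORT).items():
        print(name, "\n   - " + "\n   - ".join(reasons))
```

To use it on a real export, read the .txt file regedit wrote and pass its contents to suspicious(). The path that target_path() returns for each flagged value is the file to remove as well, which is the point Daveskater makes: deleting the Run value only stops it starting with Windows.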
Daveskater
Premium Member
Registered: 29th Apr 08
Location: Oxford, UK Drives: Jap wagon
User status: Offline
|
Bearing in mind removing the registry entry will only stop it from starting at startup, not remove it from the PC. Would probably be a good idea to delete it afterwards.
Sam, out of interest, where did you do training in malware removal? You don't post stuff like that without training. Looks like a canned speech if you ask me.
|
Sam
Moderator Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
quote: Originally posted by Daveskater
Bearing in mind removing the registry entry will only stop it from starting at startup, not remove it from the PC. Would probably be a good idea to delete it afterwards.
The .exe file is in the windows\temp directory, hence why I told him to delete everything in there
quote: Originally posted by Daveskater
Sam, out of interest, where did you do training in Malware Removal? You don't post stuff like that without training Looks like a canned speech if you ask me
Not canned at all, just being as detailed as possible! Used to work in tech support for a number of years BTW.
|
Daveskater
Premium Member
Registered: 29th Apr 08
Location: Oxford, UK Drives: Jap wagon
User status: Offline
|
Oh yeah, I'll admit to not reading very thoroughly.
Cool, I did some training at the MRU (Malware Removal University) and they got you to do loads of canned speeches like that with bold bits and colours and things, which is why I thought it was pre-prepared.
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Cheers lads, esp. you Sam, mwah x
|
Sam
Moderator Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
Sorted?
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Seems to be, a mix of Spybot/Ad-Aware/Malwarebytes cleared most apart from that last annoying one!
|
Robbo
Member
Registered: 6th Aug 02
Location: London
User status: Offline
|
Hmm, see PromoReg is still in my Run thing though :S
|
Sam
Moderator Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
OK next suggestion...
Boot into Safe Mode again, and then do a search in your windows\system32 directory for a file called alt.exe.exe (you can use the Windows search thing, or in the command prompt type in cd %windir%\system32 (press Enter) and then dir /s alt.exe.exe (press Enter again)).
If it exists, delete it (you may need to do this in Safe Mode) - this page says the alt.exe.exe file is the cause of the PromoReg trojan.
Reboot and see if it's gone by doing another search for it?
[Edited on 29-09-2009 by Sam]
|