can't get rid of pup.exe

Thread starter: Jan

Jan
A computer was brought to me that had been inundated with popups, etc.,
and after installing an antivirus (hard to believe these people run without
one these days) I found TROJ_REVOP.A. Grisoft AVG also lists it upon
boot-up; I have scanned with Spybot, Ad-Aware and AVG and removed all that I
could there; however, I cannot get rid of the trojan. I know I will have to
delete values from the registry, but haven't found any accurate info on the
next steps to take. All help is appreciated.

JS
 
Identify the malware program with your AV program. Note the names and
locations (likely pup.exe and over.exe in Program Files). Bring up Task
Manager (Ctrl-Alt-Del), click the Processes tab and in the list of running
processes locate the files detected earlier. Select one of them and press
End Process, accepting the warning box that comes up. Repeat for other
identified malware programs. Close Task Manager.

Open Registry Editor. Click Start, then Run, type Regedit then hit Enter.
In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries whose data value
is the malware path and file name of the file/s detected earlier.

This trojan adds a registry key, which it uses for configuring its programs.
You need to remove that entry as well.
While still in the Registry Editor, in the left panel, double-click the
following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Explorer>pup
Still in the left panel, locate and delete the subkey: pup
Close Registry Editor.

Do a search for the troublesome program files and delete them. Killing the
processes above assures that the files are not in use and can be deleted. If
you find that you cannot delete the files because of Access Denied messages,
reboot to Safe Mode and delete the files from there.

The trojan could hide in any System Restore points you may have made, only to
resurface if you ever have to use System Restore. You need to purge the
contents of the System Restore volume.

Right-click My Computer icon on the desktop and click Properties. Click the
System Restore tab. Select Turn off System Restore.
Click Apply > Yes > OK. Reboot your system and System Restore will be
purged. Run an AV scan once more to be sure, then re-enable System Restore
as above but clearing the Turn Off System Restore checkbox. You should be
clean now.
Continue with the scan/clean process. Files under the _Restore folder can
now be deleted.
Re-enable System Restore by clearing Turn off System Restore.

Rick

--
infosec (at) anthonians (dot) org
Please reply within Newsgroup so that we may all learn
"A person who surfs the Internet without a firewall, has no business being
online!"
http://www.danasoft.com/sig/RicksSig.jpg
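The steps Rick lays out above (end the processes, remove the Run values, delete the Explorer\pup key, delete the files, cycle System Restore) can be scripted so that nothing is missed and every change is logged first. The script below is an added example, not code from the original thread or from any AV vendor. It assumes the binaries are named pup.exe and over.exe and live under Program Files, and that the configuration key is HKLM\...\Explorer\pup, exactly as the post above suggests; adjust -MalwareNames and $configKey to whatever your AV actually reported. It needs an elevated Windows PowerShell prompt (the System Restore cmdlets in step 5 exist in Windows PowerShell, not PowerShell 7), so on an XP-era machine without PowerShell the manual Regedit route above is the one to follow. Run it with -WhatIf first: every change goes through ShouldProcess and is only previewed.

```powershell
<#
Added example, not from the original thread. Automates Rick's cleanup steps:
stop the named processes, remove the HKLM Run values pointing at them, delete
the trojan's Explorer\pup key, delete the files, and cycle System Restore.
Assumed (from the thread, not verified here): binaries pup.exe / over.exe
under Program Files and a config key at HKLM\...\Explorer\pup.
Run elevated. Use -WhatIf to preview, -PurgeRestorePoints to do step 5.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$MalwareNames = @('pup.exe', 'over.exe'),
    [switch]$PurgeRestorePoints
)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$configKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\pup'
$psNoise   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Stop the running copies so the files are no longer in use.
foreach ($name in $MalwareNames) {
    $base = [System.IO.Path]::GetFileNameWithoutExtension($name)
    foreach ($proc in Get-Process -Name $base -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("$($proc.Name) (PID $($proc.Id))", 'Stop-Process')) {
            Stop-Process -Id $proc.Id -Force
        }
    }
}

# 2. Remove Run values whose data names one of the malware files. Remember
#    the path each value pointed at so step 4 deletes it even if it is not
#    under Program Files.
$filesToDelete = New-Object System.Collections.Generic.List[string]
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }
        $data = [string]$prop.Value
        $hit  = $MalwareNames | Where-Object { $data -match [regex]::Escape($_) }
        if (-not $hit) { continue }
        Write-Host "Run value '$($prop.Name)' = $data"
        # Strip surrounding quotes and any arguments to recover the image path.
        $image = ($data -replace '^"([^"]+)".*$', '$1').Trim()
        if (Test-Path -LiteralPath $image) { $filesToDelete.Add($image) }
        if ($PSCmdlet.ShouldProcess("$runKey\$($prop.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $prop.Name
        }
    }
}

# 3. Delete the configuration key the trojan created for itself.
if (Test-Path -Path $configKey) {
    if ($PSCmdlet.ShouldProcess($configKey, 'Remove-Item -Recurse')) {
        Remove-Item -Path $configKey -Recurse -Force
    }
}

# 4. Search Program Files for the files and delete them. An "Access denied"
#    here means the file is still held open: reboot to Safe Mode and rerun.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include $MalwareNames -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $filesToDelete.Add($_.FullName) }
}
foreach ($file in ($filesToDelete | Select-Object -Unique)) {
    if ($PSCmdlet.ShouldProcess($file, 'Remove-Item')) {
        try   { Remove-Item -LiteralPath $file -Force -ErrorAction Stop }
        catch { Write-Warning "Could not delete ${file}: $($_.Exception.Message)" }
    }
}

# 5. Turning System Restore off discards the restore points on that drive
#    (the same thing Rick's checkbox does); turning it back on starts fresh.
if ($PurgeRestorePoints) {
    $sys = $env:SystemDrive + '\'
    if ($PSCmdlet.ShouldProcess($sys, 'Disable-ComputerRestore then Enable-ComputerRestore')) {
        Disable-ComputerRestore -Drive $sys
        Enable-ComputerRestore  -Drive $sys
    }
}
```

Run it once with -WhatIf and read the "Run value ... = ..." lines before letting it change anything: that output is the confirmation that the Run data really points at the files the AV flagged and not at something legitimate that happens to share the name. Do the restore-point purge (-PurgeRestorePoints) only after a clean follow-up AV scan, as Rick says, since it throws away every restore point, not just the infected ones.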
 
Rick said:
Identify the malware program with your AV program. Note the names and
locations (likely pup.exe and over.exe in Program Files). Bring up Task
Manager (Ctrl-Alt-Del), click the Processes tab and in the list of running
processes locate the files detected earlier. Select one of them and press
End Process, accepting the warning box that comes up. Repeat for other
identified malware programs. Close Task Manager.

Open Registry Editor. Click Start, then Run, type Regedit then hit Enter.
In the left panel, double click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries whose data value
is the malware path and file name of the file/s detected earlier.

This trojan adds a registry key, which it uses for configuring its programs.
You need to remove that entry as well.
While still in the Registry Editor, in the left panel, double-click the
following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Explorer>pup
Still in the left panel, locate and delete the subkey: pup
Close Registry Editor.

Do a search for the troublesome program files and delete them. Killing the
processes above assures that the files are not in use and can be deleted. If
you find that you cannot delete the files because of Access Denied messages,
reboot to Safe Mode and delete the files from there.

The trojan could hide in any System Restore points you may have made, only to
resurface if you ever have to use System Restore. You need to purge the
contents of the System Restore volume.

Right-click My Computer icon on the desktop and click Properties. Click the
System Restore tab. Select Turn off System Restore.
Click Apply > Yes > OK. Reboot your system and System Restore will be
purged. Run an AV scan once more to be sure, then re-enable System Restore
as above but clearing the Turn Off System Restore checkbox. You should be
clean now.
Continue with the scan/clean process. Files under the _Restore folder can
now be deleted.
Re-enable System Restore by clearing Turn off System Restore.

Rick

Thanks very much for your instructions, will do.

JS
 