Security POP update

Guest

A security POP update keeps interfering with the use of my computer.
-windows/system32/runsrvr32.exe dos shell.
-lsass.exe is also listed.
How do I end this commercial?
 
Wesley Vogel

runsrvr32.exe seems to be some sort of malware.

Update your antivirus software and run a full system scan.

Update whatever anti-spyware applications that you have and run a full
system scan with each one.

You might want to start in Safe Mode to run your antivirus and anti-spyware
software.

Running a full system antivirus scan or anti-spyware scan in Safe Mode can
be a good idea. Some viruses and other malware like to conceal themselves
in areas Windows protects while using them. Safe mode will prevent those
applications access and therefore unprotect the viruses or other malware
allowing for easier removal.

How to start Windows in Safe Mode Windows XP
http://www.bleepingcomputer.com/forums/index.php?showtutorial=61#winxo

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Guest

I don't have safe mode. It's a proprietary machine. It goes into a destructive
repair. Can't I remedy it via the registry? The antivirus isn't needed.
Nothing happening except this god damn recurring POP.
I also can't get rid of Google desktop and IE Q828750.
 
Wesley Vogel

So run antivirus and anti-spyware in regular mode.

runsrv32.exe seems to be a trojan.

Name Troj/Spyre-A
Type Trojan

Affected operating systems Windows

Side effects Modifies data on the computer
Installs itself in the Registry

Aliases Trojan-Dropper.Win32.Xaw.b
TrojanClicker.Win32.Spyre.b

Troj/Spyre-A is a Trojan that changes the wallpaper to an advertisement of
the author's choice.
--------

This section contains the description and advanced technical information
Troj/Spyre-A is an advertising Trojan.

In order to run automatically when Windows starts up the Trojan repeatedly
creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"Srv32 spool service"
"C:\Windows\System32\runsrv32.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"Srv32 spool service"
"C:\Windows\System32\runsrv32.exe"

Troj/Spyre-A creates an HTML file in C:\Windows\Web\ and makes this file the
wallpaper. This file usually contains an advertisement.

The Trojan comes in two files, usually named
runsrv32.exe - starts the Trojan after login
runsrv32.dll - injected into the explorer.exe process
-------

This section tells you how to remove the threat.
In order to remove the Trojan:
rename the infected DLL file, eg. by changing the extension
reboot the computer
delete both files (the EXE and the renamed DLL)
restore the previous backdrop
delete the advertisement HTML file

from...
http://www.sophos.com/virusinfo/analyses/trojspyrea.html

See Removal Information
MS03-040: October, 2003, Cumulative Patch for Internet Explorer
http://support.microsoft.com/kb/828750

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
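
As an added example (not part of the original post or the Sophos write-up), a read-only PowerShell check for the indicators quoted above: the RunOnce value in both hives, the two files in System32, and HTML files under the Web folder. It changes nothing; the function name Find-RunOnceIndicator is hypothetical, and the file-name pattern accepting both spellings used in this thread is an assumption.

```powershell
# Added example: read-only check for the Troj/Spyre-A indicators quoted above.
# Key paths and the value name come from the quoted Sophos text; the pattern
# accepts both spellings seen in this thread (runsrv32 and runsrvr32).
$runOnceKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$valueName   = 'Srv32 spool service'
$namePattern = 'runsrvr?32\.(exe|dll)'

function Find-RunOnceIndicator {   # hypothetical helper name
    param([string[]]$KeyPath, [string]$Name, [string]$DataPattern)
    foreach ($path in $KeyPath) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }          # key missing or not readable
        foreach ($v in $key.GetValueNames()) {
            $data = [string]$key.GetValue($v)
            # Flag on the value name or on data that points at the EXE
            if ($v -eq $Name -or $data -match $DataPattern) {
                [pscustomobject]@{ Key = $path; Value = $v; Data = $data }
            }
        }
    }
}

$hits = @(Find-RunOnceIndicator -KeyPath $runOnceKeys -Name $valueName -DataPattern $namePattern)

# The EXE and DLL the write-up places in System32 (hidden files included)
$sys32 = Join-Path $env:SystemRoot 'System32'
$files = @(Get-ChildItem -LiteralPath $sys32 -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match ('^' + $namePattern + '$') })

# HTML files in the Web folder, newest first, to compare with the current wallpaper
$web  = Join-Path $env:SystemRoot 'Web'
$html = @(Get-ChildItem -LiteralPath $web -Filter '*.htm*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending)

'RunOnce entries:'
$hits  | Format-List | Out-String
'Files in System32:'
$files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize | Out-String
'HTML files in Web:'
$html  | Select-Object FullName, LastWriteTime | Format-Table -AutoSize | Out-String
if ($hits.Count -eq 0 -and $files.Count -eq 0) { 'No indicators from the write-up were found.' }
```

Because the write-up says the Trojan repeatedly recreates the RunOnce entries, running the check again after cleanup and a reboot shows whether they have come back.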
