promo exe returns over and over



Hello,

 

I've removed promo (dot) exe numerous times and it keeps reappearing....sometimes 2 or 3 times a day.

 

Registry Keys Detected: 1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\promo.exe (Security.Hijack) -> Quarantined and deleted successfully.
 
I appreciate any help you can offer.
 
Thanks

We need to be a little careful as trying to remove this could cause issues with internet access.

Internet Explorer (Windows)

1. Click "Tools", then click "Internet Options". This will bring up the Internet Options window.

2. Click the "Connections" tab, then click the "LAN Settings" button.

3. Uncheck the box labeled "Use a proxy server for your LAN". Click "OK", and click "OK" in the previous window. This will remove the proxy server settings in Internet Explorer.

Firefox (Windows)

1. Click "Tools", then click "Options" to bring up the Options window.

2. Click the "Advanced" button, then click the "Network" tab.

3. Click the "Settings" button, located next to "Configure how Firefox connects to the Internet".

4. Click the radio button labeled "No proxy". Click "OK" twice. This will remove the proxy server settings in Firefox.

Next:

Note the space between the G and the /; it needs to be there.

Click the Microsoft Start logo in the bottom left corner of the screen. Type CMD and click OK.

The MSDOS Window will be displayed. At the command prompt, type the following and press Enter after each line:

IPCONFIG /release

IPCONFIG /flushdns

IPCONFIG /renew

IPCONFIG /registerdns

netsh winsock reset

netsh int ip reset

regsvr32 netshell.dll

regsvr32 netcfgx.dll

regsvr32 netman.dll

Type in **Exit**

Restart the computer.

Let me know how it's working


Vista and Windows 7 / 8 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from this link

Click the link and select Save.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

IMPORTANT !!! Save ComboFix.exe to your Desktop

Note: Be sure to select Save as Type > All Types

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216

Double click on ComboFix.exe & follow the prompts.

Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

Note: If you have XP SP3, use the XP SP2 package.

Vista, Windows 7 or 8, skip the Recovery Console part

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Click on Yes, to continue scanning for malware.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

When the tool is finished, it will produce a report for you.

Please attach the C:\ComboFix.txt log on your next reply so that we can continue checking and cleaning the system.

Please save using the default Notepad format,

DO NOT USE WORD or any other office type of software.

DO NOT COPY & PASTE the log, send it as an attachment.

Reply to THIS ticket, DO NOT create a new one.

**Also please describe how your computer behaves at the moment.**


re: how computer is running...

 

system tray is cleaned up, but avast isn't in sys tray anymore. just initiated it through programs.

 

haven't run MWB yet, waiting for your instruction.

 

regedit to see if promo exe was still appearing under 'image file execution options' - it is gone, as well as a bunch of other entries that appeared there previously.

 

all seems well.


I'm still seeing this:

uInternet Settings,ProxyServer = http=127.0.0.1:58687

Go to IE -> Tools -> Internet Options -> Connections -> LAN Settings and remove it from there.

Next:

**Step 1:**

Potentially Unwanted Programs (PUPs)

You will need to modify your MBAM settings, if you haven't already, and want them checked for removal. By default it will scan them but will not mark them for removal.

Please open Malwarebytes.

Click the Settings Tab

Click the Scanner Settings Tab

Change the Action for (PUP) and (PUM) to Show in results list and check for removal

Run a new **Quick** scan and remove whatever is found.

Attach the scan results in your next reply.

**Step 2:**

This is a two step process.

First run you use **Scan**

Second run you use **Clean**

Please download **AdwCleaner** from here: You should see a Green Tab to click to download

http://forums.whatthetech.com/index.php?autocom=downloads&showfile=53

OR:

Please download AdwCleaner from this link http://www.bleepingcomputer.com/download/adwcleaner/dl/125/

Note: You can skip the install of the: Hosts Anti-PUP/Adware if asked

Double click on AdwCleaner.exe to run the tool.

Click on **Scan** Button.

A logfile will automatically open after the scan has finished. Please attach that log in your reply.

You can find the logfile at C:\AdwCleaner\AdwCleaner[Rn].txt ('n' is the scan order number).

Once the **Scan** part is finished you will be able to click the **Clean** button

This tool might remove add-ons that you added by choice like Ask Toolbar.

Please uncheck / untick any items you don't want to remove.

Click the **Clean** Button.

It will require a reboot, so please be sure to close any other open programs first.

A text file will open after the restart.

**Step 3:**

Please attach that logfile in your reply.

You can find the logfile at C:\AdwCleaner\AdwCleaner[sn].txt ('n' is the scan order number).

**Let us know if that solves the issue.**

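Added example, not part of the original thread or of any helper's instructions: a read-only PowerShell check of the two settings this thread keeps returning to, the Image File Execution Options entry for promo.exe and the ProxyServer value pointing at 127.0.0.1. The function names are hypothetical, and it assumes the hijack works through the IFEO "Debugger" value, which the scan log in the first post does not show.

```powershell
# Added example (read-only): nothing here changes the registry.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntry {
    # Hypothetical helper. A subkey named after an executable that carries a
    # "Debugger" value makes Windows start that command instead of the program.
    foreach ($root in $IfeoRoots) {
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $value = Get-ItemProperty -LiteralPath $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
            if ($value) {
                [pscustomobject]@{ Image = $_.PSChildName; Debugger = $value.Debugger; Key = $_.Name }
            }
        }
    }
}

function Test-LoopbackProxy {
    # Hypothetical helper. Accepts "host:port" or per-protocol lists such as
    # "http=127.0.0.1:58687;https=127.0.0.1:58687" (IPv4 and "localhost" only).
    param([string]$ProxyServer)
    foreach ($entry in ($ProxyServer -split ';')) {
        $hostName = (($entry -split '=')[-1] -split ':')[0].Trim()
        if ($hostName -match '^(127(\.\d{1,3}){3}|localhost)$') { return $true }
    }
    return $false
}

function Get-UserProxySetting {
    # Hypothetical helper. Reads the per-user values behind IE's LAN Settings dialog.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [bool]$s.ProxyEnable
        ProxyServer   = $s.ProxyServer
        LoopbackProxy = [bool]$s.ProxyServer -and (Test-LoopbackProxy $s.ProxyServer)
    }
}

# Constructed sample: the proxy string quoted from the log in this thread.
Test-LoopbackProxy 'http=127.0.0.1:58687'

Get-IfeoDebuggerEntry | Format-Table -AutoSize
Get-UserProxySetting  | Format-List
```

An entry that comes back after removal, as promo.exe does in this thread, means something still on the machine is rewriting it, so comparing this output before and after each cleanup step shows whether the step actually held.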

bewitched?

You're showing your age...

Watched every episode

One final step:

We need to uninstall Combofix to totally remove what it found.

This will cause combofix to run again just enough to uninstall itself.

1. Click Start.

2. In the Start Search box, type **ComboFix /Uninstall** and click OK. Note the space between the X and the /; it needs to be there.

**Let me know how it's running now**

