cancel
Showing results for 
Search instead for 
Did you mean: 

Windows Expansion System

Not applicable

Windows Expansion System

As in the title, has anyone seen this spyware and if so, how have they treated it?  I have a friend's computer here and it has been infected (don't know how).
It is a real pain - can't get anything to work. Task Manager won't come up, MBAM won't execute, Lavasoft Ad-Aware which is on the machine won't scan.
Avast will scan but reports all clear.  Have found website with the registry keys to delete and the files in Programmes but have opted to try Kaspersky Rescue disk.
Have downloaded and burnt it to CD and have booted up the computer with it so am now scanning.  The threats have been detected so am waiting for it to finish to see what to do about it.  Hope that it will clear it up.  Just interested to know what the professionals do to treat this and if there is any other advice.
BTW it is an elderly Dell desktop (XP) and have tried to get into safe mode by pressing all the appropriate keys (tried F8 F10 and Delete) but it just reports a keyboard malfunction when I try.  I did get to boot from disk with F12 but how do I get it to go into safe mode?  Huh
7 REPLIES 7
HPsauce
Pro
Posts: 6,998
Thanks: 146
Fixes: 2
Registered: ‎02-02-2008

Re: Windows Expansion System

Best thing to do is take the hard disk out and connect it via adapter/caddy to a "known clean" system then scan it with everything you can at the most detailed level.
I would use at least:
Malwarebytes
Trend Housecall
Microsoft Security Essentials
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Windows Expansion System

Repeatedly pressing F8 is the usual means to get into Safe Mode. I think "keyboard error" when trying this means the key has been pressed too early in the start sequence. To fix this I believe it is necessary to start again and wait a little longer.
David
Not applicable

Re: Windows Expansion System

Thank you very much for your interest and help.  This computer is riddled with Trojans and I understand why HP recommends taking the drive out etc.  However, this is far beyond my limited capabilities.  I have run the Kaspersky rescue disk and it has dealt with some of the infections but there are some that are greyed out, therefore it cannot deal with them and there are only two actions  - delete the entry or skip.  Not knowing what the former would do I just skipped.  WES stops everything from running including Firefox, MBAM, firewall etc so it must also be preventing Kaspersky from dealing with these remaining problems.
I read up about manual removal i.e. renaming files and deleting registry keys but I just could not find the offending file/s and I don't want to be messing with the registry as it did say that this should only be done by IT experts.
If it were my machine I would just reformat but I don't know if he has backed up his stuff so I don't really want to start all that.  I have decided to leave it to the experts and suggest that the owner takes it to the computer shop nearby.  He may well suggest reformat too so will wait and see.  I did a lot of work on this elderly computer a good while ago and got it running fine.  I am afraid that I am a bit irritated because for it to be so badly damaged there has been a lot of rubbish downloads going on to it.  I noticed Limewire had been installed.
Spraxyt - your advice was sound - I was pressing too early and I did get it into safe mode but WES was still running and wouldn't let me do any more than I could when it was fully booted. I am glad that I learned that as it was something I didn't know.
HPsauce
Pro
Posts: 6,998
Thanks: 146
Fixes: 2
Registered: ‎02-02-2008

Re: Windows Expansion System

Quote from: poppy
However, this is far beyond my limited capabilities. 

You'd be amazed how easy it is. If you can rewire a plug you can do this.  Wink
And an adapter can be bought very cheaply on eBay - once you know for sure what type if disk it is: IDE or SATA.
Not applicable

Re: Windows Expansion System

Just taken a walk to the computer shop and the owner had this Trojan too.  He was just downloading Windows updates on Friday and on boot up on Saturday morning it was there so he is assuming that it came on the back of this update.  He uses the full Bullguard security suite.  He spent hours trying to get rid of it including HPs solution.  However, it just kept coming up again, renamed.  It is obviously very pernicious.  It just stops you from doing anything at all including loading browsers. In the end he has done a reformat so I reckon that this is what we will have to do with the Dell.  What is concerning me now though is that if we transfer files to a USB stick will they reinfect the machine if transferred back?
It is all very worrying - am thinking that I will have to use my Ubuntu partition more!
spraxyt
Resting Legend
Posts: 10,063
Thanks: 674
Fixes: 75
Registered: ‎06-04-2007

Re: Windows Expansion System

I think it is possible for malware to transfer via USB stick by exploiting the autorun facility. AV would have to be on the ball to detect and trap it. And from what you described it doesn't seem something to give in easily.
Google came up with this Panda Security "usbvaccine" tool to block autorun which should prevent infection. However I emphasise I haven't tried it.
David
Not applicable

Re: Windows Expansion System

Thank you for that spraxyt.  On my own machine I have auto run disabled.  It is one of those things that Kaspersky flags up in the vulnerability scan so you just click fix and that's it.  Also, when I put a drive in the slot Kaspersky comes up to ask if you want to scan it.  However, I am thinking that it wouldn't be any good because it wouldn't neutralise the Trojan on the rescue disk.  I have posted on their forum to find out what they are doing about it but no replies so far.  At the moment I think it would be best to leave the stuff on the USB stick until better methods of treating the infection it are developed.