One of my kids was looking at some voice changing software – AV Voice Changer I think – he says he started to install it but then decided against it.
However, I now think that he did install it but tried to do a manual uninstall rather than using the program's uninstall option or Add/Remove Programs.
Anyway, it left a couple of executables msa.exe in "C:\Windows" and ygh.exe & ygg.exe in "C:\Documents and Settings[user]\Local Settings\Temp".
ygh.exe was trapped by my firewall, but when I checked the logs I saw that msa.exe had been allowed out. It seemed to be connecting to advertisement sites. Both executables were running as processes.
Anyway, I blocked both and then checked online. I couldn't find any information about ygh.exe but msa.exe is identified as a threat on numerous sites. I killed the processes and then removed the executables from their respective locations.
A registry search failed to find msa.exe but ygh.exe turned up in \HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. Needless to say it was removed.
So – is there anything else I need to do to clean the PC? I also need to re-educate the kids on not installing software they find on random sites and set up a non-admin account for them.
And please don't say "install Linux" or "buy a MAC" 😉
UPDATE
It looks like I've got a completely compromised OS. I ran Malwarebytes and it threw up some files to delete. I deleted one I was sure of and then had to reboot. On reboot I got a BSOD – "page fault in non paged area".
This happened regardless of the boot mode – "Safe Mode", "Normally", "Last known good configuration" – so after an abortive attempt to use repair mode from the Windows CD (it needs the Administrator password which I thought I knew, but everything I tried was rejected) I decided I would have to do a complete reinstall.
Best Answer
I'd give Malwarebytes a run - it's probably the best malware scanner at the moment, and should root out most things.
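The manual Run-key check described in the question, as an added example that is not part of the original posts: it lists autorun entries and flags the two patterns seen there, a target under the user's Temp folder and a target sitting directly in the Windows directory, plus entries whose executable is already gone. The function names are hypothetical, and the key list goes beyond the single HKCU Run key the question mentions by also covering RunOnce and the HKLM equivalents.

```powershell
# Added example: triage per-user and machine-wide autorun entries.
# Flags are leads to investigate, not verdicts. Requires PowerShell 3.0 or later.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$tempRoots = @($env:TEMP, $env:TMP) | Where-Object { $_ } | Select-Object -Unique

function Get-CommandTarget {
    # Pull the executable path out of an autorun command line.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }   # quoted path
    # Unquoted path, which may contain spaces: cut after the first executable extension.
    if ($Command -match '^\s*(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-AutorunFlags {
    param([string]$Target)
    if (-not $Target) { return 'empty command' }
    $flags = @()
    # Bare names resolved through PATH (no directory part) also get this flag.
    if (-not (Test-Path -LiteralPath $Target)) { $flags += 'not found at literal path' }
    if ($tempRoots | Where-Object { $Target.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase) }) {
        $flags += 'runs from Temp'
    }
    if ([IO.Path]::GetDirectoryName($Target) -eq $env:windir) {
        $flags += 'sits directly in Windows directory'
    }
    return ($flags -join '; ')
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)   # REG_EXPAND_SZ values come back expanded
        $target  = Get-CommandTarget $command
        [pscustomobject]@{ Key = $key; Name = $name; Command = $command; Flags = (Get-AutorunFlags $target) }
    }
}

# Flagged entries first; Format-List keeps long command lines readable.
$report | Sort-Object { $_.Flags -eq '' } | Format-List
```

An entry flagged "not found at literal path" after a manual cleanup is the leftover situation from the question: the executable was deleted but its Run value still exists.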