• Folder swostr; file upposv.exe

    #413836

    A PC notebook, running Windows XP Home with F-Prot Antivirus, AdAware & SpybotS&D installed has a greatly extended start up period, more than an hour, and runs very slowly. Using the above utilities in Safe Mode I have cleared the system of several viruses, malware & spyware without a significant improvement in the running characteristics but the start up is down to about three minutes.

    These exercises have pointed to a file named ‘upposv.exe’ in a C:\Program Files subfolder named ‘swostr’. I have done a Google search on both these names. The search on ‘upposv.exe’ produced no results. The search on ‘swostr’ produced links to a Turkish soccer team - but I am sure that is a coincidence! In the registry at:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run there are a very large number of entries of the form:
    Name: ZYVJYoUx Type: REG_SZ Data: C:\PROGRA~1\swostr\uqqosv.exe
    The only difference in the entries is the name element that varies in letters & numbers from A to Z & 0 to 9!

    In the folder ‘swostr’ I have renamed ‘uqqosv.exe’ & another file ‘osvuqq.exe’ to *.exe.old. Since renaming these files the notebook can access the Internet so I am checking for updates on the three utilities mentioned above so that I can rerun the scans.

    Under the Startup tab in msconfig there are also many entries for ‘uqqosv.exe’.

    Can I have advice please for dealing with the folder swostr, its files & the multiple entries for ‘uqqosv.exe’ in Run in the Registry & the Startup folder?

    In addition Spybot tells that there are 57 BackWeb entries. Should these be removed & if so how? In Safe Mode or is there more to it than that?

    • #915827

      I would delete the swostr folder, and remove all references to uqqosv.exe from the registry. It must be some kind of malware that uses a random name to escape detection.

      Backweb is a utility that is used by several companies, among which Logitech, Kodak and others, to facilitate automatic download of updates. It could be misused by malware to install unwanted software, hence it is flagged by Spybot. It is up to you to decide whether you want to delete it. If you do, Spybot can do this for you.

    • #915830

      In Internet Explorer, go to Tools, Internet Options, General tab. Select Delete Cookies, and then Delete Files to delete all your temporary Internet files (Note, this also will force the manual entry of usernames and passwords for sites requiring them on your next visit, so make sure you know them). If using Mozilla Firefox, go to Tools, Options, Privacy, and Clear All. We do this as there is no need to scan thousands of temporary files and to delete any corrupt cookies that may already be on your system.

      For Windows Me and XP users, as an option, you might consider temporarily turning off System Restore to enable the scanners to clean any infected restore images. See here for instructions. This keeps malware hiding in restore images from coming back and re-infecting your systems. It may also be the reason for spyware scanners finding the same spyware over and over again. If that is happening, you should consider this option. IMPORTANT: This option removes all past restore point images.

      Now scan for spyware. Normally, SpyBot and AdAware together will clean your system up pretty good. Just remember before scanning, use each program

      Bill (AFE7Ret)
      Freedom isn't free!

      • #916032

        This will prevent these folder (and the files within) or the individual file from being called up and ran. Then after a few weeks of use, if no problems arise, I go back and delete them. If something breaks, I can easily determine the original file or folder name and restore them.


        This, together with disabling such items at startup, is a good first approach, but it only goes part way. As John Gray points out, utilities like Spybot often simply rename “deleted” items in the registry to innocuous names. This doesn’t address their contributions to registry bloat, with the gradual accumulation of lots of dead entries, as the OP has experienced.

        Nothing beats a good scouring of the registry to remove all the dead wood, using one of the tools of the type I suggested.

        Alan

        • #916036

          utilities like Spybot often simply rename “deleted” items in the registry to innocuous names

          I hadn’t realized that, Alan. Too bad. I would have preferred that they just create a reg file that could later merge the entries back into the registry, if necessary, the way regclean does.

          • #916077

            Phil

            I can’t vouch that this behaviour is common to all of Spybot’s cleaning methods. It may be just for startup items. I agree that the reg file method would be a better modus operandi. At least I’d hope that if the “backup” in question were finally deleted, that Spybot would remove its dummy entries in the registry. I might investigate when I have time.

            Alan

    • #915838

      Hi Malcolm

      Apart from Hans’ suggestions, I believe that the delayed startup is the result of all the items in the
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      section of the registry “hanging” during startup. You could disable them through the Startup tab or, since you say there is an inordinate number of them, use one of the free registry cleaning tools available to weed out invalid entries. If you delete (or rename) the offending directory, they’re sure to show up as invalid.

      The tool I’d recommend (personal preference) is jv16 PowerTools. Although it has now gone commercial, a legitimate freeware copy is still available here. A couple of reasons I’d recommend this particular one are:
      o It can generate a reinstatable backup of all changes/deletions made to the registry.
      o It allows sorting of invalid entries by “name of software product”, which makes it much easier to remove references to a specific target.
      Running a registry cleaner like this one in several passes will allow you to back up and remove specific items at a time, always with the ability to reinstate just those specific entries, if they turn out not to be “errors” after all. For instance, cleaning up Backweb entries alone, if you decide to first remove using Spybot.

      Good luck with it.

      Alan
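
The pattern in this thread (many Run values with random names all pointing at one executable) and the "reinstatable backup" approach can be shown on an exported copy of the Run key. This is an added example, not part of any post and not code from the tools named here; the sample export is constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a Run-key export. Only ZYVJYoUx and the swostr path
# come from the thread; the other names and the ctfmon line are invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZYVJYoUx"="C:\\PROGRA~1\\swostr\\uqqosv.exe"
"Q7fK2mLp"="C:\\PROGRA~1\\swostr\\uqqosv.exe"
"a9XbT04c"="C:\\PROGRA~1\\swostr\\uqqosv.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg files escape \ and " with a backslash

def parse_run_values(export_text):
    """Return [(name, data)] for the string values listed under the Run key."""
    values, in_key = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_key:
            m = VALUE_RE.match(line)
            if m:
                values.append((unescape(m.group(1)), unescape(m.group(2))))
    return values

def find_flooded_targets(values, threshold=3):
    """Map each target path (lower-cased) to its value names, keeping only
    targets referenced by at least `threshold` differently named values."""
    by_target = defaultdict(list)
    for name, data in values:
        by_target[data.lower()].append(name)
    return {t: n for t, n in by_target.items() if len(n) >= threshold}

def build_reg_files(values, flooded):
    """Return (backup, removal): backup re-creates the flagged values when merged,
    removal deletes them using the "name"=- syntax."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    head = "Windows Registry Editor Version 5.00\n\n[%s]\n" % RUN_KEY
    hits = [(n, d) for n, d in values if d.lower() in flooded]
    backup = head + "".join('"%s"="%s"\n' % (esc(n), esc(d)) for n, d in hits)
    removal = head + "".join('"%s"=-\n' % esc(n) for n, _ in hits)
    return backup, removal
```

Keeping the backup file beside the removal file means any entry that turns out to be legitimate can be merged back on its own.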

    • #915889

      As previously suggested, run Spybot and “Fix” any problems you find. This will probably cause the creation of a System Restore Point, which may or may not be of future use, depending upon what you then do!

      Next, if not already done, set Spybot into “Advanced Mode” (click on Mode -> Advanced) and you get a number of additional entries in the left-hand pane. Go down to near the bottom and click on Tools -> System Startup, and you will get a whole list of the programs which start when you start up your PC. You can remove the check in the box in front of what you think are Naughty Entries, and this will disable them for the next system startup. The advantage of doing it this way is that Spybot keeps the entries available in the registry under a slightly different name, and you can re-enable any of them on a subsequent run of Spybot, just by putting the tick in the box again.

      John

    • #916011

      I run those same programs, plus ZoneAlarm and PestPatrol on my machine without problems and slowdowns, but I’m running Win XP Pro, and I don’t know if that makes a difference.
