Teknum Systems Updater



#1 Ciaran


Posted 13 December 2005 - 08:28 AM

Hi,

I was having a hard time trying to work out why the Teknum Systems updater program kept re-appearing in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key, even when it was deleted. At seemingly random intervals, TeaTimer (part of the SpyBot S&D suite) would pop up and tell me it had detected that this entry had re-appeared yet again. I couldn't work it out. I denied the change each time (explicitly not telling it to remember the decision because I wanted to track it down).

This isn't my computer, and the program that was causing it - EasyCrypto from Teknum Systems - had already been installed by someone else. I had removed it and removed its folder, since I knew it wasn't good, but it wasn't until I installed TeaTimer that I found out it was still trying to reappear. It didn't appear in HijackThis and SpyBot couldn't help.

Eventually, I cottoned on to the fact that it only tried to add itself to the Run key when I copied a file with Ctrl-C or right-clicked on a file. This made me even more confused, since I couldn't understand what sort of thing would trigger when I copied a file. Even worse, it was still happening in Safe Mode - obviously TeaTimer wasn't running but I could see with regedit that the entry was still appearing.

Eventually, I noticed that when I right-clicked on a file I would have in the context menu an option to "Add to EasyCrypto ZIP". Searching for this in regedit, I found this key:

HKEY_CLASSES_ROOT\CLSID\{A0752120-6D75-D111-B5B1-0800095A2318}

Examining it, it turned out to be a shell extension installed by EasyCrypto. The DLL file it referenced - C:\WINDOWS\system32\tsseCryp.dll - was checking to make sure the Updater was still in the Run key and adding it if not. Deleting the registry key solved the problem as it ensured the DLL wasn't called any more. The DLL was still in use so I couldn't delete it but I'm sure I'll be able to next time I reboot.

I hope this helps anybody who's tearing their hair out like I was, and I would like to humbly suggest that Explorer shell extensions are also listed in HijackThis as I can imagine some nasty things being done without the user's knowledge in there.

- Ciaran.

Edited by Ciaran, 13 December 2005 - 08:30 AM.
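
The check the post above wishes HijackThis did, listing Explorer shell extensions with the DLL each one loads, can be run by hand. This PowerShell is an added example, not part of the thread; it assumes the standard ContextMenuHandlers locations under HKEY_CLASSES_ROOT (the thread does not say which one EasyCrypto registered under) and only reads the registry.

```powershell
# Added example, not from the original thread. Read-only: changes nothing.
$classes = 'Registry::HKEY_CLASSES_ROOT'
# Object classes whose context-menu handlers Explorer loads on right-click.
$roots = '*', 'AllFilesystemObjects', 'Directory', 'Directory\Background', 'Drive', 'Folder'
$guid  = '^\{[0-9A-Fa-f-]{36}\}$'

$handlers = foreach ($root in $roots) {
    $path = "$classes\$root\shellex\ContextMenuHandlers"
    if (-not (Test-Path -LiteralPath $path)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue) {
        # The CLSID is the subkey's default value, or the subkey name itself.
        $clsid = [string]$key.GetValue('')
        if ($clsid -notmatch $guid) { $clsid = $key.PSChildName }
        if ($clsid -notmatch $guid) { continue }

        # CLSID\{...}\InprocServer32 (default value) names the DLL Explorer loads.
        $dll = $null
        $server = "$classes\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $server) {
            $dll = ([string](Get-Item -LiteralPath $server).GetValue('')).Trim('"')
        }

        # Publisher and signature status, when the value resolves to a file on disk.
        $company = $null
        $signature = 'PathNotResolved'
        if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
            $company   = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
            $signature = (Get-AuthenticodeSignature -FilePath $dll).Status
        }

        [pscustomobject]@{
            Root      = $root
            Name      = $key.PSChildName
            Clsid     = $clsid
            Dll       = $dll
            Company   = $company
            Signature = $signature
        }
    }
}

# Unsigned or unfamiliar publishers are the entries worth a closer look.
$handlers | Sort-Object Company, Dll |
    Format-Table -AutoSize Root, Name, Clsid, Dll, Company, Signature
```

On the machine described in the thread, the row to look for would carry the CLSID `{A0752120-6D75-D111-B5B1-0800095A2318}` and the DLL `C:\WINDOWS\system32\tsseCryp.dll`.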


#2 jd004


Posted 15 February 2007 - 08:51 PM

Thanks so much. I installed their Shredder because I was trying to recover a HUGE directory that had been accidentally deleted and wanted to shred the files that were recovered, determined to be unwanted and removed again so that I didn't have to deal with them more than once.

Well, WinPatrol, which I had recommended and installed as a matter of course for GP, kept popping up "added to you startup" messages. I set the file up to be deleted on reboot and rebooted when I got tired of its insistent attempts. I was alarmed when the same thing kept happening. :eek: I certainly didn't want to have made things worse than I found them or have to explain why I was spending so much time correcting a problem that I created. :zipped: Your post took me right to the registry key in question and I'm pretty sure the problem will go away and let me keep Shredder on the system, at least long enough to do what I wanted.

Thanks.


Edit: OK, my mistake. That removed the context menu. So I uninstalled it. I should have just grabbed AnalogX's Supershredder in the first place. What the heck, you try new things and they don't always work out.

Edited by jd004, 15 February 2007 - 09:01 PM.




