!Update.exe Trojan

By JGhulam
Apr 14, 2006
Topic Status:
Not open for further replies.
  1. Hi there

    I keep getting the following trojan when I boot my system up:

    Trojan horse Downloader.Generic.TUC, file name: !update.exe

    There was a similar thread posted by bolun and I have followed all the instructions given in the thread. I attach the HJT log. Can anyone help get rid of this annoying trojan??

    Many thanks in advance for any help given!

    Jason.

  2. Spike

    Trojan - O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
    Clickspring/purityscan - O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe

    Install Ewido - http://www.ewido.net/en/download/

    Download ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1

    Reboot to safe mode, disable system restore.

    Run Ewido.

    Run ATF-Cleaner.

    Run HJT, and fix the following...

    O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
    O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
    O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1034_EN_XP.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

    Delete (if present on your system)...

    WinAbring.exe - may be in windows or system32
    C:\WINDOWS\system32\m?iexec.exe

    Give that a go, and whether it works or not, let us know either way.
  3. howard_hopkinso

    Hello and welcome to Techspot.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    WinAbring.exe
    m?iexec.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

    R3 - URLSearchHook: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)

    O2 - BHO: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)

    O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe

    O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe

    O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe

    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    Fix all O16-DPF entries.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).

    WinAbring.exe
    m?iexec.exe

    Reboot into normal mode and turn system restore back on.

    Regards Howard

    This thread is for the use of JGhulam only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
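Both removal posts above (Spike's and Howard's) read the HJT log by hand and pick out the same kinds of entries: Run-key autoruns with a bare or oddly named executable, O16 ActiveX downloads, and entries whose file has already gone. The script below is an added example, not part of this thread and not HijackThis code; it parses those HJT line formats and applies the same checks automatically. The sample lines are the ones quoted in the thread, plus one constructed benign ctfmon.exe line for contrast, and every heuristic in it (bare file name, unprintable character, vendor-sounding name without a Windows path, orphaned entry, unnamed ActiveX download) is this example's own assumption about what a responder looks at first.

```python
"""HJT log triage: an added example, not part of the TechSpot thread or of
HijackThis itself.  Parses the O4 (autorun), O16 (ActiveX/DPF) and generic
"... - target" entry formats seen in the thread and flags the entries a
responder would look at first.  Every heuristic here is an assumption of
this example, not a HijackThis rule."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample log: every line except the ctfmon.exe one is copied from the HJT
# log as quoted in the thread; the ctfmon.exe line is constructed here as a
# benign control.  HJT prints "?" for a character it cannot render, which
# is why m?iexec.exe appears that way.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1034_EN_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
R3 - URLSearchHook: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
"""


@dataclass
class HjtEntry:
    section: str                 # HJT section tag: O4, O16, R3, O9, ...
    raw: str                     # the log line as written
    target: str = ""             # path, command or URL the entry points at
    name: str = ""               # Run value name or ActiveX description
    flags: List[str] = field(default_factory=list)


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
MISSING = "(file missing)"


def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one HJT line into section, name and target; None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = HjtEntry(section=section, raw=line.strip())
    if section == "O4" and (o4 := O4_RE.match(body)):
        entry.name, entry.target = o4.group("name"), o4.group("cmd")
    elif section == "O16" and (o16 := O16_RE.match(body)):
        entry.name, entry.target = o16.group("desc") or "", o16.group("url")
    else:
        # R1/R3/O2/O9/O18 all end in " - <path or URL>"; keep that last field
        entry.target = body.rsplit(" - ", 1)[-1]
    return entry


def triage(entry: HjtEntry) -> HjtEntry:
    """Attach a reason for every check the entry fails (checks are assumptions)."""
    target = entry.target
    if MISSING in target:
        entry.flags.append("orphaned: points at a file that no longer exists")
    if entry.section == "O4":
        exe = target.replace(MISSING, "").strip()
        if "\\" not in exe:
            entry.flags.append("bare file name: which copy loads depends on the search path")
        if "?" in exe or any(ord(c) > 126 for c in exe):
            # "?" is not legal in a Windows file name, so HJT is standing in
            # for a character it could not print: a look-alike of a system binary.
            entry.flags.append("unprintable character in file name")
        if re.search(r"microsoft|system|windows", entry.name, re.I) \
                and not re.search(r"\\windows\\", exe, re.I):
            entry.flags.append("vendor-sounding value name not backed by a %WINDIR% path")
    if entry.section == "O16" and not entry.name:
        entry.flags.append("ActiveX download with no registered description")
    return entry


def triage_log(text: str) -> List[HjtEntry]:
    """Parse and triage every entry line in an HJT log."""
    return [triage(e) for line in text.splitlines() if (e := parse_line(line))]


def suspicious(text: str) -> List[str]:
    """Raw lines of every entry that failed at least one check."""
    return [e.raw for e in triage_log(text) if e.flags]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(("!! " if e.flags else "   ") + e.raw)
        for reason in e.flags:
            print("      - " + reason)
```

Run as-is it marks six of the eight sample lines; the constructed ctfmon.exe autorun and the named MSN Photo Upload control pass clean. The checks are deliberately conservative: a flagged line is a candidate to look up, not a verdict, which matches how the helpers in the thread used the log.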
  4. JGhulam

    Thanks!!!

    Thanks for this guys, it worked a treat - no more trojan.

    I really appreciate you taking the time to reply - it was most appreciated.

    If I could pick your brains one more time!! I currently use the Microsoft firewall. I used to use Zone Alarm but I kept getting messages to block things and I didn't really know if I should or not so I uninstalled it. What would you recommend as a reliable firewall?

    Many thanks in advance.

    Jason.
  5. Spike

    ZoneAlarm, or Sunbelt Kerio if you want a free one.

    Agnitum Outpost Pro if you're willing to pay.
  6. Peddant

    The reason the XP firewall doesn't ask you any questions is because it doesn't block outgoing traffic, i.e. it's only half a firewall.

    All other firewalls will ask you which programs to allow, initially. This is a very good thing. Once you have said that you recognize the program, you shouldn't be bothered again (unless it's been modified in some way).

    This will tell you what to allow,and what to deny - Allow or deny
  7. JGhulam

    Sorted

    Thanks for the advice guys, I have downloaded Zone Alarm and everything seems to be sorted. Hope you're all enjoying the Easter break.

    Jason.