!Update.exe Trojan

By JGhulam · 6 replies
Apr 14, 2006
  1. Hi there

    I keep getting the following trojan when I boot my system up:

    Trojan horse Downloader.Generic.TUC, file name: !update.exe

    There was a similar thread posted by bolun and I have followed all the instructions given in the thread. I attach the HJT log. Can anyone help get rid of this annoying trojan??

    Many thanks in advance for any help given!



  2. Spike

    Spike TS Evangelist Posts: 2,168

    Trojan - O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
    Clickspring/purityscan - O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe

    Install Ewido - http://www.ewido.net/en/download/

    Download ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1

    Reboot to safe mode, disable system restore.

    Run Ewido.

    Run ATF-Cleaner.

    Run HJT, and fix the following...

    O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
    O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
    O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1034_EN_XP.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

    Delete (if present on your system)...

    WinAbring.exe - may be in windows or system32

    Give that a go, and whether it works or not, let us know either way.
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore (XP/ME only). See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).


    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there).

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

    R3 - URLSearchHook: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)

    O2 - BHO: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)

    O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe

    O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe

    O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe

    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

    Fix all O16 - DPF entries.

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there).


    Reboot into normal mode and turn system restore back on.

    Regards Howard :wave: :wave:

    This thread is for the use of JGhulam only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
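Both Spike's and Howard's replies work from HijackThis (HJT) log lines. As an added example (not code from the thread, from TechSpot, or from HJT itself), here is a small Python parser for the O4, O2 and O16 line formats quoted above; it flags entries that match the file and host names the two helpers identified, dangling "(file missing)" references, and Run values with no path. The sample log and the indicator watch-list are constructed from the lines in this thread.

```python
import re

# Constructed sample: the HijackThis lines quoted by Spike and Howard above, plus one benign O16.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe
O2 - BHO: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1034_EN_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
"""

# One regex per HJT section type handled here: O4 (Run keys), O2 (BHOs), O16 (DPF ActiveX downloads).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")

# Names the thread's helpers identify as part of the infection (a constructed watch-list, not an HJT feature).
INDICATORS = ("winabring.exe", "m?iexec.exe", "mmpzoloj.dll", "downloadv3.com")

def parse_line(line):
    """Turn one HJT log line into a dict, or None for section types not handled here."""
    for kind, rx in (("O4", O4_RE), ("O2", O2_RE), ("O16", O16_RE)):
        m = rx.match(line.strip())
        if m:
            entry = {"kind": kind, **m.groupdict()}
            entry["missing"] = bool(entry.get("missing"))  # True when "(file missing)" was present
            return entry
    return None

def triage(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    text = " ".join(str(v) for v in entry.values() if v).lower()
    hits = [i for i in INDICATORS if i in text]
    if hits:
        reasons.append("matches indicator(s) named in the thread: " + ", ".join(hits))
    if entry["missing"]:
        reasons.append("dangling reference to a file that is no longer on disk")
    if entry["kind"] == "O4" and "\\" not in entry["cmd"]:
        reasons.append("Run value has no path; Windows searches for it, so check %WINDIR% and system32")
    return reasons

def triage_log(log_text):
    """Parse every recognised line and pair it with its triage reasons."""
    return [(ln, triage(e)) for ln in log_text.strip().splitlines() if (e := parse_line(ln))]

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print("\n".join([("FLAG " if reasons else "ok   ") + line] + ["      - " + r for r in reasons]))
```

The benign MSN O16 entry comes out unflagged here, whereas both helpers had all O16 entries fixed; that is the usual HJT advice, since O16 entries are ActiveX controls that the originating site re-downloads on demand, so removing them costs nothing.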
  4. JGhulam

    JGhulam TS Rookie Topic Starter


    Thanks for this guys, it worked a treat - no more trojan.

    I really appreciate you taking the time to reply - it was most appreciated.

    If I could pick your brains one more time!! I currently use the Microsoft firewall. I used to use Zone Alarm but I kept getting messages to block things and I didn't really know if I should or not so I uninstalled it. What would you recommend as a reliable firewall?

    Many thanks in advance.

  5. Spike

    Spike TS Evangelist Posts: 2,168

    ZoneAlarm, or Sunbelt Kerio if you want a free one.

    Agnitum Outpost Pro if you're willing to pay.
  6. Peddant

    Peddant TS Rookie Posts: 1,446

    The reason the XP firewall doesn't ask you any questions is because it doesn't block outgoing traffic, i.e. it's only half a firewall.

    All other firewalls will ask you which programs to allow, initially. This is a very good thing. Once you have said that you recognize the program, you shouldn't be bothered again (unless it's been modified in some way).

    This will tell you what to allow, and what to deny - Allow or deny
  7. JGhulam

    JGhulam TS Rookie Topic Starter


    Thanks for the advice guys, I have downloaded Zone Alarm and everything seems to be sorted. Hope you're all enjoying the Easter break.
