!Update.exe Trojan

Status
Not open for further replies.
Hi there

I keep getting the following trojan when I boot my system up:

Trojan horse Downloader.Generic.TUC, file name: !update.exe

There was a similar thread posted by bolun and I have followed all the instructions given in the thread. I attach the HJT log. Can anyone help get rid of this annoying trojan??

Many thanks in advance for any help given!

Jason.
 

Trojan - O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
Clickspring/purityscan - O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe

install Ewido - http://www.ewido.net/en/download/

download ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1

reboot to safe mode, disable system restore.

run ewido.

run ATF-Cleaner

run HJT, and fix the following...

O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1034_EN_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

Delete (if present on your system)...

WinAbring.exe - may be in windows or system32
C:\WINDOWS\system32\m?iexec.exe

Give that a go, and whether it works or not, let us know either way.
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

WinAbring.exe
m?iexec.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to them (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp

R3 - URLSearchHook: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)

O2 - BHO: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)

O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe

O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe

O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe

O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

Fix all 016-DPF entries.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files (if there).

WinAbring.exe
m?iexec.exe


Reboot into normal mode and turn system restore back on.

Regards Howard

This thread is for the use of JGhulam only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
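The two replies above work through the HijackThis log by hand: orphaned entries marked "(file missing)", Run keys that launch a bare filename, a system32 path whose name HJT could only print with a "?", and unnamed O16 ActiveX downloads. The script below is an added example (not from the thread or from the HijackThis project) that applies those same checks to HJT-style log lines automatically; the sample log lines are constructed here, modelled on the entries quoted in the thread, and the flagging rules are this editor's heuristics, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the HijackThis lines quoted in the thread.
# Raw string so the backslashes in registry keys and paths stay literal.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
O2 - BHO: (no name) - {AD9136A3-AC19-8AE8-4B84-F45A6C4D4591} - C:\WINDOWS\system32\mmpzoloj.dll (file missing)
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] WinAbring.exe
O4 - HKCU\..\Run: [Bsvqpq] C:\WINDOWS\system32\m?iexec.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {505098FD-5D61-4BC2-9B82-F969D0E932A2} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1034_EN_XP.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""


@dataclass
class Entry:
    section: str                 # HJT section code, e.g. "O4"
    raw: str                     # the log line as written
    reasons: list = field(default_factory=list)  # why a reviewer should look at it


# "O4 - <body>" / "R1 - <body>": section code, then the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 body: HKLM\..\Run: [value name] command
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: DPF: {CLSID} (optional description) - URL
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")


def analyze_line(line):
    """Parse one HJT line and attach review reasons; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("section"), line.strip())
    body = m.group("body")

    # Any section: the referenced file no longer exists, so the entry is dead weight
    # left behind by a removed program or an earlier cleanup.
    if "(file missing)" in body:
        entry.reasons.append("references a missing file")

    if entry.section == "O4":
        run = RUN_RE.match(body)
        if run:
            cmd = run.group("cmd").strip().strip('"')
            first_token = cmd.split()[0] if cmd else ""
            # A bare filename is located through the PATH search order, so the
            # value name tells you nothing about where the binary actually lives.
            if first_token and "\\" not in first_token and "/" not in first_token:
                entry.reasons.append("bare filename resolved via PATH search")
            # HJT prints "?" for a character it cannot render; here the result
            # reads like msiexec.exe but is not that file.
            if "?" in cmd:
                entry.reasons.append("unrenderable character in path ('?')")

    if entry.section == "O16":
        dpf = DPF_RE.match(body)
        # An ActiveX download with no registered description is harder to vouch for.
        if dpf and not dpf.group("desc"):
            entry.reasons.append("unnamed ActiveX control download")

    return entry


def analyze(log_text):
    """Return an Entry for every HJT line in the log, flagged or not."""
    entries = [analyze_line(ln) for ln in log_text.splitlines()]
    return [e for e in entries if e is not None]


def entries_to_review(log_text):
    """Only the entries that picked up at least one review reason."""
    return [e for e in analyze(log_text) if e.reasons]


if __name__ == "__main__":
    for e in entries_to_review(SAMPLE_LOG):
        print(f"{e.section}: {'; '.join(e.reasons)}\n    {e.raw}")
```

Run as-is it lists five of the eight sample entries: the two "(file missing)" lines, both WinAbring/m?iexec Run keys and the undescribed O16 download, while the blueyonder search bar, ctfmon.exe and the named MSN upload control pass through. The output is a review list, not a verdict; an entry still has to be checked against the machine before it is ticked in HJT, which is exactly what the replies above do by hand.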
 
Thanks!!!

Thanks for this guys, it worked a treat - no more trojan.

I really appreciate you taking the time to reply - it was most appreciated.

If I could pick your brains one more time!! I currently use the Microsoft firewall. I used to use Zone Alarm but I kept getting messages to block things and I didn't really know if I should or not so I uninstalled it. What would you recommend as a reliable firewall?

Many thanks in advance.

Jason.
 
Zone Alarm, or Sunbelt Kerio if you want a free one.

Agnitum Outpost Pro if you're willing to pay.
 
JGhulam said:
I used to use Zone Alarm but I kept getting messages to block things and I didn't really know if I should or not so I uninstalled it.
The reason the XP firewall doesn't ask you any questions is because it doesn't
block outgoing traffic, i.e. it's only half a firewall.

All other firewalls will ask you which programs to allow, initially. This is a very good thing.
Once you have said that you recognize the program, you shouldn't be bothered again (unless it's
been modified in some way).

This will tell you what to allow, and what to deny - Allow or deny
 
Sorted

Thanks for the advice guys, I have downloaded Zone Alarm and everything seems to be sorted. Hope you're all enjoying the easter break.

Jason.
 