-
November 1st, 2004, 12:17 PM
#1
winxpupdate.exe- Hackers Army
AVG found a trojan, BackDoor.HackArmy.2.c, and I used TrojanHunter to remove it. Now it was found in winxpupdate.exe. Should I replace this file, or can I keep it and run Windows Update safely? And if I need to replace it, if I run Windows Update will it be replaced by the Microsoft website? Thanks for a great site and a good resource for us of the unwashed masses who know little about this stuff.
-
November 1st, 2004, 12:28 PM
#2
Member
It's highly unlikely Microsoft would release a patch entitled "winxpupdate.exe". Usually Microsoft's official service packs involve names longer than my.... anyway...
No - it's more likely an inane ruse designed to make the unsuspecting user open it thinking "this'll solve all my problems" *FIZZLE*
Seriously, it's a b/s file designed to trick you into executing virii onto your machine- delete it and download proper updates and service packs from Microsoft
http://windowsupdate.microsoft.com/
Your computer will now be totally secure!!!!!!!!!!!!!!!!!!
Sarcasm mode: OFF
Moiss
# Now if I ever needed inspiration,
Right about now where I lose my patience,
-
November 1st, 2004, 12:33 PM
#3
Well, I do thank you, and Mr. Steve Ballmer assured me that Windows was more secure than ever. (Kind of makes you wonder what it was like before his statement; a picture of Swiss cheese comes to mind.)
Thanks again.
-
November 1st, 2004, 03:24 PM
#4
Found some more info on this trojan from Trendware's site:
Description:
This backdoor malware drops a copy of itself as WINXPUPDATE.EXE in the Windows system folder. It then executes this dropped copy, and deletes its original running copy.
It adds a registry entry to ensure its automatic execution at every Windows startup.
This malware operates as an IRC bot that connects to an IRC server, where it listens for commands from a remote user. It executes these commands, providing the remote user with control over the affected machine.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Winsock32driver = "winXPupdate.exe"
Close Registry Editor.
Then it goes on to say to use Task Manager to end the process, close System Restore and run a scan
--------------------------------------------------------------------------------
-
November 1st, 2004, 04:29 PM
#5
Re: winxpupdate.exe- Hackers Army
Originally posted here by hard candy
AVG found a trojan, BackDoor.HackArmy.2.c, and I used TrojanHunter to remove it. Now it was found in winxpupdate.exe. Should I replace this file, or can I keep it and run Windows Update safely?
There's nothing to "replace". This file doesn't belong on your computer, remove it.
Originally posted here by hard candy
Well, I do thank you, and Mr. Steve Ballmer assured me that Windows was more secure than ever. (Kind of makes you wonder what it was like before his statement; a picture of Swiss cheese comes to mind.)
AFAIK this backdoor doesn't abuse a bug in the system. So the only one to blame is the one that opened the wrong file.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 1st, 2004, 06:40 PM
#6
So the only one to blame is the one that opened the wrong file.
I didn't install it, I just installed the cracked software I downloaded, extracted some movie and xbox game files I got from the newsgroups, and went on IRC to the xxx sites to get some pictures but I never installed that program! I wouldn't be THAT dumb!
The dog must have done it when he sent off for that Lassie screensaver.
-
November 1st, 2004, 07:32 PM
#7
The dog or the cracked software. What is an easy way to distribute a trojan? Modify doom3 or a popular app by wrapping a trojan into the executable and distribute it as "cracked" software.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
November 1st, 2004, 10:46 PM
#8
I didn't install it, I just installed the cracked software I downloaded
That has just made my day..
I hear MS is working on a new patch for all their operating systems, there are beta versions around the traps.. This is to overcome the weakness that was mentioned. Symantec have also released an update for their AV products, FXid10T.exe; it removes the root cause of the problem. The user needs to supply 250g of C4; this needs to be placed around the HDD, and the user needs to get really close to the HDD to watch for problems during the execution..
info from Trend Micro on this Malware:
Description:
This backdoor malware drops a copy of itself as WINXPUPDATE.EXE in the Windows system folder. It then executes this dropped copy, and deletes its original running copy.
It adds a registry entry to ensure its automatic execution at every Windows startup.
This malware operates as an IRC bot that connects to an IRC server, where it listens for commands from a remote user. It executes these commands, providing the remote user with control over the affected machine.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:
Terminating the Malware Program
This procedure terminates the running malware process.
1. Open Windows Task Manager.
» On Windows 95, 98, and ME, press
CTRL+ALT+DELETE
» On Windows NT, 2000, and XP, press
CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the process:
WINXPUPDATE.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.
*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
Winsock32driver = "winXPupdate.exe"
4. Close Registry Editor.
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure sets.
"Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
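The Trend Micro write-up quoted in posts #4 and #8 comes down to three checks: a value named Winsock32driver under HKCU\...\Run, a dropped WINXPUPDATE.EXE in the Windows system folder, and a running process of that name. The script below is an added example, not part of the thread or of Trend Micro's instructions, that audits those three indicators from PowerShell and reports what it finds without changing anything. It assumes two things beyond the thread: that HKLM\...\Run is worth checking alongside the HKCU key the write-up names, and that the "system folder" is System32 on NT-based Windows and Windows\System on 9x/ME.

```powershell
# Added example (not from the thread or Trend Micro): audit the autostart
# indicators named in the HackArmy write-up. Read-only: it reports, it does not delete.

# Indicators taken from the thread: the Run value name and the dropped file name.
$SuspectValueName = 'Winsock32driver'
$SuspectFileName  = 'winxpupdate.exe'

# Autostart locations to inspect. HKCU\...\Run is the key named in the thread;
# HKLM\...\Run is an assumption added here because the same autostart technique
# is commonly used there as well.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Candidate "Windows system folder" locations (assumption: System32 on NT-based
# Windows, Windows\System on 9x/ME).
$SystemFolders = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System')
)

function Get-SuspectRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            # -eq on strings is case-insensitive in PowerShell, matching the
            # mixed-case "winXPupdate.exe" the write-up shows.
            $nameHit = ($p.Name -eq $SuspectValueName)
            $dataHit = (([string]$p.Value) -match [regex]::Escape($SuspectFileName))
            if ($nameHit -or $dataHit) {
                [pscustomobject]@{
                    Key   = $key
                    Name  = $p.Name
                    Value = $p.Value
                    Why   = if ($nameHit -and $dataHit) { 'value name and file name' }
                            elseif ($nameHit)           { 'value name' }
                            else                        { 'file name' }
                }
            }
        }
    }
}

function Get-SuspectFiles {
    foreach ($dir in $SystemFolders) {
        $path = Join-Path $dir $SuspectFileName
        if (Test-Path $path) { Get-Item $path }
    }
}

# Process name is the file name without its extension.
$procName = [IO.Path]::GetFileNameWithoutExtension($SuspectFileName)

$entries = @(Get-SuspectRunEntries)
$files   = @(Get-SuspectFiles)
$running = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)

"Autostart entries matching indicators: $($entries.Count)"
$entries | Format-Table -AutoSize
"Dropped file found: $($files.Count -gt 0)"
$files | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
"Process '$procName' running: $($running.Count -gt 0)"
```

Run it from an elevated prompt so the HKLM branch and System32 are readable. Once an entry is confirmed, the manual regedit step in the write-up corresponds to Remove-ItemProperty -Path <key> -Name Winsock32driver, and the Task Manager step to Stop-Process -Name winxpupdate; the script deliberately leaves both to the operator so that a false positive (any legitimate Run value that happens to mention the file name) is reviewed before anything is removed.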
-
November 1st, 2004, 11:52 PM
#9
BUT
I just installed the cracked software I downloaded
AND TO TOP IT OFF, THEY ARE
files I got from the newsgroups
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
November 2nd, 2004, 12:10 AM
#10
I didn't install it, I just installed the cracked software I downloaded, extracted some movie and xbox game files I got from the newsgroups, and went on IRC to the the xxx sites to get some pictures but I never installed that program! I wouldn't be THAT dumb!
I think that that was an attempt at sarcasm as signified by the .
Cheers,
cgkanchi