Printable View
AVG found a trojan, BackDoor.HackArmy.2.c, and I used TrojanHunter to remove it. Now it was found in winxpupdate.exe. Should I replace this file, or can I keep it and run Windows Update safely? And if I need to replace it, if I run Windows Update will it be replaced by the Microsoft website? Thanks for a great site and a good resouorce for we of the unwashed masses who know little about this stuff.
It's highly unlikely Microsoft would release a patch entitled "winxpupdate.exe". Usually Microsofts official service packs involve names longer than my.... anyway...
No - it's more likely an inane rouse designed to make the unsuspecting user open it thinking "this'll solve all my problems" *FIZZLE* :D
Seriously, it's a b/s file designed to trick you into executing virii onto your machine- delete it and download proper updates and service packs from microsoft
http://windowsupdate.microsoft.com/
Your computer will now be totally secure!!!!!!!!!!!!!!!!!![
Sarcasm mode: OFF :D
Moiss
Well, I do thank you and Mr. Steve Ballmer assured me that Windows was more secure than ever. (Kind of makes you wonder what it was like before his statement- (a picture of swiss cheese comes to mind).
Thanks again.
Found some more info on this trojan from Trendware's site:
Description:
This backdoor malware drops a copy of itself as WINXPUPDATE.EXE in the Windows system folder. It then executes this dropped copy, and deletes its original running copy.
It adds a registry entry to ensure its automatic execution at every Windows startup.
This malware operates as an IRC bot that connects to an IRC server, where it listens for commands from a remote user. It executes these commands, providing the remote user with control over the affected machine.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
Winsock32driver = "winXPupdate.exe"
Close Registry Editor.
Then it goes on to say use Task manager to end the process, close system restore and run a scan
--------------------------------------------------------------------------------
There's nothing to "replace". This file doesn't belong on your computer, remove it.Quote:
Originally posted here by hard candy
AVG found a trojan, BackDoor.HackArmy.2.c, and I used TrojanHunter to remove it. Now it was found in winxpupdate.exe. Should I replace this file, or can I keep it and run Windows Update safely?
AFAIK this backdoor doesn't abuse a bug in the system. So the only one to blame is the one that opened the wrong file.Quote:
Originally posted here by hard candy
Well, I do thank you and Mr. Steve Ballmer assured me that Windows was more secure than ever. (Kind of makes you wonder what it was like before his statement- (a picture of swiss cheese comes to mind).
I didn't install it, I just installed the cracked software I downloaded, extracted some movie and xbox game files I got from the newsgroups, and went on IRC to the the xxx sites to get some pictures but I never installed that program! I wouldn't be THAT dumb! :DQuote:
So the only one to blame is the one that opened the wrong file.
The dog must have done it when he sent off for that Lassie screensaver.
The dog or the cracked software. What is an easy way to distribute a trojan? Modify doom3 or poplular app by wrapping a trojan into the executable and distribute it as "cracked" software.
That has just made my day..Quote:
I didn't install it, I just installed the cracked software I downloaded
I hear MS is working on a new patch for all their Operating systems, there are beta versions around the traps.. This is to overcome the weakness that was mentioned Sysmantec have also released an update for their AV products FXid10T.exe it removes the root cause of the problem. The user need to supply 250g of C4 this need to be placed around the HDD the user needs to get realy close to the hdd to watch for problems during the execution..
info from Trend Micro on this Malware:
Description:
This backdoor malware drops a copy of itself as WINXPUPDATE.EXE in the Windows system folder. It then executes this dropped copy, and deletes its original running copy.
It adds a registry entry to ensure its automatic execution at every Windows startup.
This malware operates as an IRC bot that connects to an IRC server, where it listens for commands from a remote user. It executes these commands, providing the remote user with control over the affected machine.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:
Terminating the Malware Program
This procedure terminates the running malware process.
1. Open Windows Task Manager.
» On Windows 95, 98, and ME, press
CTRL+ALT+DELETE
» On Windows NT, 2000, and XP, press
CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the process:
WINXPUPDATE.EXE
3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager.
*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
Winsock32driver = "winXPupdate.exe"
4. Close Registry Editor.
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.
Users running other Windows versions can proceed with the succeeding procedure sets.
BUTQuote:
I wouldn't be THAT dumb!
AND TO TOP IT OFF, THEY AREQuote:
I just installed the cracked software I downloaded
Quote:
files I got from the newsgroups
I think that that was an attempt at sarcasm as signified by the :D.Quote:
I didn't install it, I just installed the cracked software I downloaded, extracted some movie and xbox game files I got from the newsgroups, and went on IRC to the the xxx sites to get some pictures but I never installed that program! I wouldn't be THAT dumb! :D
Cheers,
cgkanchi