
The Elusive update.exe


2 replies to this topic

#1 starbaron (Members, 2 posts)

Posted 27 December 2004 - 04:38 PM

Heya guys.

This is my first post to these forums. Been browsing here all week looking for a solution to my problem, but I can't seem to find one so I am posting a new topic.

I have been trying to clear out an elusive process on my machine. I'm not really sure what it is; I assume it's spyware, but it may be some sort of Windows XP thing that's broken.

I have a process called update.exe that is running every 3 seconds on my computer. Exactly every 3 seconds. I've timed it. It runs for about a second and a half, uses up 90% of my cpu for that time, then stops. Because it is recurring, trying to end the process does nothing to stop it.

I run a fairly tight ship. I have fully updated AdAware, Spybot S&D, McAfee Viruscan 8.0i, SpywareBlaster, and ZoneAlarm Pro. I regularly run HijackThis and Security Task Manager. Somehow this update.exe thing has slipped through all of these programs. None of the scanning programs seem to pick it up at all.

Things I have done so far to try and get rid of this:
Running scans with all of the above-mentioned programs.
Doing a windows search for files named update.exe. There are 4 of these in subfolders of a windows folder called C:\Windows\SoftwareDistribution\Download. I am suspicious that these are the ones causing the problem, but am hesitant to delete without confirmation.
Looking through the Run, RunOnce, RunService etc. folders in my registry for anything suspicious. There is nothing in there I don't recognize.
Googled "update.exe". A little bit tough because of the generic name, but I did pull up some stuff that looked promising. One website said that update.exe was part of the Gaobot virus, so I downloaded an app from Symantec to get rid of that virus, but it said that it couldn't find the virus on my hard drive.
Rebooted in safe mode, done scans, run HijackThis and Security Task Manager many times...

So I have definitely been trying pretty hard to figure this thing out. Starting to run out of fresh ideas though, and I was hoping that you bright young lads would be able to shed some light on my problem. I am posting a HijackThis log as well, though it does not pick up update.exe in its list of running processes (not sure why that is...something to do with how fast HijackThis scans?).

Btw I use Mozilla Firefox as my primary browser, though I only switched recently.

Thanks in advance for your help. I appreciate what you do for people on this forum. :thumbsup:

Logfile of HijackThis v1.99.0
Scan saved at 4:14:56 PM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan\mcshield.exe
C:\PROGRA~1\McAfee\COMMON~1\naPrdMgr.exe
C:\Program Files\McAfee\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee\VirusScan\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Chuck\My Documents\downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-12.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: McAfee Framework Service - Network Associates, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield - Network Associates, Inc. - C:\Program Files\McAfee\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager - Network Associates, Inc. - C:\Program Files\McAfee\VirusScan\vstskmgr.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 Grinler (Lawrence Abrams, Admin)

Posted 29 December 2004 - 01:44 AM

I do not see anything bad here. You can fix these:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)


As for update.exe, these are probably Windows Updates installing. Do you have your computer set to automatically install Windows Updates?
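The three entries Grinler picks out are exactly the ones HijackThis marks with "(no file)": registry references whose backing DLL is gone, so there is nothing on disk to run and they are safe to remove. As an added example (my code, not from the thread or from the HijackThis project), here is a small Python triage helper that parses a log in this format, flags entries whose file is missing, and shows why a process that only lives for a second or two, like the update.exe in the first post, can be absent from the "Running processes" snapshot. The excerpt it works on is constructed from lines in the shape of the log posted above, not the full log.

```python
"""Triage a HijackThis-style log: pull out the entries, flag the ones whose
backing file is gone, and check whether a given process appeared in the
process snapshot.  Added example; not code from the thread or from HijackThis."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the shape of the log posted in the thread (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
"""

# Every HijackThis finding starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# BHO / toolbar / extra-button lines carry a CLSID and the file it resolves to.
CLSID_ENTRY = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$"
)
# Markers HijackThis prints when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    section: str   # HijackThis section code, e.g. O2 (BHO) or O3 (toolbar)
    kind: str      # "BHO", "Toolbar", ... (empty when the line has no CLSID form)
    name: str
    clsid: str
    target: str    # file path, URL or registry value the entry points at
    raw: str

    @property
    def orphaned(self) -> bool:
        """True when HijackThis could not find the file the registry entry references."""
        return any(marker in self.target for marker in ORPHAN_MARKERS)


def parse_entries(log: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY.match(raw)
        if not m:
            continue  # header lines and process paths are not findings
        section, body = m["section"], m["body"]
        c = CLSID_ENTRY.match(body)
        if c:
            entries.append(Entry(section, c["kind"], c["name"], c["clsid"], c["target"], raw))
        else:
            entries.append(Entry(section, "", "", "", body, raw))
    return entries


def orphaned_entries(log: str) -> List[Entry]:
    return [e for e in parse_entries(log) if e.orphaned]


def running_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:' (up to the next blank line)."""
    procs: List[str] = []
    capturing = False
    for line in log.splitlines():
        if line.strip().lower() == "running processes:":
            capturing = True
            continue
        if capturing:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def process_listed(log: str, exe_name: str) -> bool:
    """Whether a process with this file name appeared in the snapshot.
    The list is a single point-in-time snapshot, so a process that lives for
    only a second or two (like the update.exe in the thread) is easily missed."""
    wanted = exe_name.lower()
    return any(p.lower().rsplit("\\", 1)[-1] == wanted for p in running_processes(log))


def triage(log: str) -> Dict[str, List[str]]:
    """Group entries into 'orphaned' (nothing on disk backs them, safe to fix)
    and 'live' (they point at an existing file, URL or value and need a real look)."""
    report: Dict[str, List[str]] = {"orphaned": [], "live": []}
    for e in parse_entries(log):
        report["orphaned" if e.orphaned else "live"].append(e.raw)
    return report


if __name__ == "__main__":
    for raw in triage(SAMPLE_LOG)["orphaned"]:
        print("orphaned:", raw)
    print("update.exe in snapshot:", process_listed(SAMPLE_LOG, "update.exe"))
```

Run against the excerpt, the orphaned group holds the three "(no file)" entries plus the msjava.dll "(file missing)" button, while the O4 Run entry and the start-page value land in the live group for manual review; process_listed returns False for update.exe, which matches what the first post observed.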

#3 starbaron (Topic Starter)

Posted 29 December 2004 - 03:30 AM

I do have my computer set to download automatic updates.

But if it is a Windows Update, why is it running every 3 seconds and not actually doing anything besides taking up CPU? Also, since ZoneAlarm monitors outgoing internet attempts and hasn't picked up update.exe, it isn't connecting to the internet at all.

Does the fact that the only update.exe files on my computer are all in the same folder mean anything special? Does C:\Windows\SoftwareDistribution\Download strike you as a Windows Update folder, or something else?

Thanks.



