msuptde.exe virus/infection or something like that...

Hi all,

I don’t think I’ve gotten any virus or malware but when this started popping up, I figured I’d better make sure. I’ve run Avast with no results. Here is the error:

On reboot, an MS-DOS window opens along with this error window:
16 bit MS-DOS sybsystem
C:\WINDOWS\system32\msupdte.exe
The NTVDM CPU has encountered an illegal instruction.
CS:0000 IP:0077 OP:f0 37 05 0c 02 Choose ‘Close’ to terminate the application.

Then gives a Close and Ignore choice.

Can you help me figure out what it is and what I should do to fix this?


Welcome to the forums, RTur. :slight_smile:

This file … C:\WINDOWS\system32\msupdte.exe … is related to a family of trojans/backdoors.

The following is for information. Please wait for someone more skilled than me to give you help with removing this.

http://www.prevx.com/filenames/1900800922735001595-X1/MSUPDTE.EXE.html

http://www.bleepingcomputer.com/startups/msupdte.exe-23270.html

http://www.fileresearchcenter.com/M/MSUPDTE.EXE-12834.html


sneaky little devil with a really similar name to the real MS thing msupdate.exe

first
rt click the ball update>programs (will also update definitions)
then
rt click the ball and schedule boot time scan (if W98me or vista 64 let us know- what os?)
reboot
send any hits to chest and post log

second
download install update and scan with MalwareBytes Anti Malware (free- bypass the nag to buy screen)
put a check mark next to all baddies- sorta scan the list to make sure something important is not on the list
google anything you are not sure of- however a back up will be made so we can replace if necessary
Click Remove Checked (a backup will be made)
post the log

there is a new version of MBAM download the 1.27 version

While at the MalwareBytes site you can also run their free Rogue Remover

Fake MSUpdate. SuperAntiSpyware Free Version should cover it.

Agreed
I would like to see both SAS and MBAM on demand scanners available
then get these thing stopped before they get into someone’s system

Let’s see if anything else shows up in the scans

RTur
please remember to quarantine/ chest/vault not Delete
REMOVE is only allowed with MBAM

first of all, thanks for the help! but I don’t really know how to do all you wrote here…
I did the update but I can’t find the schedule boot time scan you mentioned… (I have windows xp)
and I don’t know what “send any hits to chest and post log” means… LOL
sorry, I’m kinda new user with avast and don’t really understand all the technical stuff you wrote… please explain to me…
thanks a lot

no problem
lots of good questions
I’m not on xp but right clicking the ball and looking at the menu should point you to a scheduler or configuration
Someone on XP lurking? JTaylor83?
log posting instructions?

after your scan Avast will give you three choices
Avast always suggests - send to chest
do it
even if a reboot is required

From a reply to another post.

:slight_smile: Hi all :

I perceive “wyrmrider” does a lot of “texting” and would recommend she would
be more helpful IF she started Posting in complete sentences !?

not only that but dyslexic
I’ll try and do complete sentences:)

Ok, I did the schedule boot time scan… I saw in the end that there were no infections found. How do I get the log?
And how do I get the MBAM?
I also downloaded SAS… what should I do after the scan completes in the program?

C:/Program Files/Alwil Software/Avast4/DATA/log/warning.txt

Here’s the link to MBAM.

After an SAS scan, quarantine if found.

ok, here’s the log from avast:

18/01/2008 12:46:34 1200653194 SYSTEM 1888 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
18/01/2008 12:46:35 1200653195 SYSTEM 1888 An error has occured while attempting to update. Please check the logs.
15/02/2008 23:18:41 1203110321 SYSTEM 1884 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
15/02/2008 23:18:42 1203110322 SYSTEM 1884 An error has occured while attempting to update. Please check the logs.
08/05/2008 13:21:46 1210242106 SYSTEM 1936 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
08/05/2008 13:21:46 1210242106 SYSTEM 1936 An error has occured while attempting to update. Please check the logs.
15/06/2008 09:47:07 1213512427 SYSTEM 1656 Sign of “VBS:Malware-gen” has been found in “http://missing.freehomepages.com/” file.
26/06/2008 07:14:47 1214453687 User 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\IMG_1383.JPG (E:\IMG_1383.JPG) returning error, 0000001E.
26/06/2008 07:14:59 1214453699 User 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\IMG_1510.JPG (E:\IMG_1510.JPG) returning error, 0000001E.
27/06/2008 07:31:18 1214541078 SYSTEM 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\IMG_1510.JPG (E:\IMG_1510.JPG) returning error, 0000001E.
14/07/2008 01:05:09 1215986709 User 1784 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\WINDOWS\Downloaded Program Files\CONFLICT.1\launcher.ocx” file.
14/07/2008 17:17:46 1216045066 User 1784 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
01/08/2008 17:28:18 1217600898 User 1200 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
01/08/2008 17:29:09 1217600949 User 1200 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
02/08/2008 15:54:27 1217681667 User 3192 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\System Volume Information_restore{FE4C2582-E74A-4B74-AA59-F62077811F89}\RP24\A0001369.exe” file.
02/08/2008 16:30:04 1217683804 User 3192 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\Mahhev Nayad\Documents And Settings\XP\Desktop\Fruity loops Studio Producer Edition 4.1.2\VST-DX Instruments\Novation Bass Station VSTi v1.1\KeyGen\KeyGen.exe” file.
03/08/2008 00:50:48 1217713848 User 364 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\System Volume Information_restore{74679E39-B794-46A2-A270-C8C658DC4DC1}\RP123\A0020317.exe” file.
08/08/2008 22:17:37 1218223057 SYSTEM 1588 Sign of “Win32:Adware-gen [Adw]” has been found in “http://irc.nana10.co.il/Cabs/launcher39.cab\launcher.ocx” file.
08/08/2008 22:20:00 1218223200 SYSTEM 1588 Sign of “Win32:Adware-gen [Adw]” has been found in “http://irc.nana10.co.il/Cabs/launcher39.cab\launcher.ocx” file.
09/08/2008 03:26:34 1218241594 SYSTEM 1588 Sign of “Win32:Adware-gen [Adw]” has been found in “http://irc.nana10.co.il/Cabs/launcher39.cab\launcher.ocx” file.
23/08/2008 14:14:51 1219490091 SYSTEM 1588 Sign of “HTML:Agent-L [Expl]” has been found in “http://multisearch1.com/exit.php?aid=0655&d=1&product=XPA” file.
02/09/2008 22:55:45 1220385345 SYSTEM 1628 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
09/09/2008 16:15:53 1220966153 User 3616 Sign of “Win32:Trojan-gen {Other}” has been found in “D:\Fruity loops Studio Producer Edition 4.1.2\VST-DX Instruments\Novation Bass Station VSTi v1.1\KeyGen\KeyGen.exe” file.
09/09/2008 16:19:55 1220966395 User 3616 Sign of “Win32:Trojan-gen {Other}” has been found in “D:\System Volume Information_restore{74679E39-B794-46A2-A270-C8C658DC4DC1}\RP148\A0029545.exe” file.
10/09/2008 00:15:32 1220994932 SYSTEM 956 Sign of “Win32:Adware-gen [Adw]” has been found in “http://irc.nana10.co.il/Cabs/launcher39.cab\launcher.ocx” file.
10/09/2008 00:31:53 1220995913 SYSTEM 956 Sign of “Win32:Adware-gen [Adw]” has been found in “http://www.tapuz.co.il/irc/main/launcher.cab\launcher.ocx” file.

and this is the log from MBAM:

Malwarebytes’ Anti-Malware 1.28
Database version: 1135
Windows 5.1.2600 Service Pack 2

10/09/2008 09:36:49
mbam-log-2008-09-10 (09-36-36).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 129200
Time elapsed: 1 hour(s), 12 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\ICQToolbar\3227\2903\toolbaru.dll (Adware.BHO) → No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\toolband.xttbpos00 (Adware.BHO) → No action taken.
HKEY_CLASSES_ROOT\TypeLib{77d6ddfa-7834-4541-b2b3-a8b0fb0e3924} (Adware.BHO) → No action taken.
HKEY_CLASSES_ROOT\CLSID{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) → No action taken.
HKEY_CLASSES_ROOT\CLSID{4bd2d6c3-31dc-b947-23d0-dc52ec4f0c4c} (Adware.BHO) → No action taken.
HKEY_CLASSES_ROOT\CLSID{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) → No action taken.
HKEY_CLASSES_ROOT\toolband.xttbpos00.1 (Adware.BHO) → No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft WinUpdate (Backdoor.Bot) → No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) → Bad: (“regedit.exe” “%1”) Good: (regedit.exe “%1”) → No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\ICQToolbar\3227\2903\toolbaru.dll (Adware.BHO) → No action taken.
C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) → No action taken.

can I remove all of them?
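As an added example that is not part of this thread and not code from Avast or Malwarebytes: a small parser for lines in the layout of the avast4 warning.txt log quoted above. It splits each line into date, time, epoch, account, pid and message (that field meaning is an assumption read off the quoted lines), sorts entries into update failures, scan errors and detections, and for each detection records the signature and whether the hit sits in a System Restore point, a web cache URL or an ordinary file, since each of those is handled differently when cleaning. The sample lines are constructed in that layout with placeholder paths and hosts.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the quoted warning.txt lines; paths,
# GUID and host are placeholders, not data from any real machine.
SAMPLE_LOG = """\
18/01/2008 12:46:34 1200653194 SYSTEM 1888 Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004.
18/01/2008 12:46:35 1200653195 SYSTEM 1888 An error has occured while attempting to update. Please check the logs.
26/06/2008 07:14:47 1214453687 User 1592 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: E:\\IMG_0001.JPG (E:\\IMG_0001.JPG) returning error, 0000001E.
02/08/2008 15:54:27 1217600898 User 3192 Sign of “Win32:Trojan-gen {Other}” has been found in “F:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP24\\A0001369.exe” file.
09/09/2008 16:15:53 1220966153 User 3616 Sign of “Win32:Trojan-gen {Other}” has been found in “D:\\Example\\KeyGen\\KeyGen.exe” file.
10/09/2008 00:15:32 1220994932 SYSTEM 956 Sign of “Win32:Adware-gen [Adw]” has been found in “http://example.invalid/Cabs/launcher39.cab\\launcher.ocx” file.
"""

# date time epoch account pid message (assumed field layout)
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<epoch>\d+) "
    r"(?P<account>\S+) (?P<pid>\d+) (?P<message>.*)$"
)
# Detection message; accepts the curly quotes seen in the thread and plain ones.
DETECT_RE = re.compile(
    r'Sign of [“"](?P<signature>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.'
)


@dataclass
class LogEntry:
    date: str
    time: str
    epoch: int
    account: str
    pid: int
    kind: str          # detection | update_failure | scan_error | other
    message: str
    signature: Optional[str] = None
    path: Optional[str] = None


def classify_location(path: str) -> str:
    """Where a detected object lives decides how it is cleaned."""
    p = path.lower()
    if p.startswith(("http://", "https://")):
        return "web"            # browser cache hit: clearing cache/blocking the site
    if "system volume information" in p:
        return "restore_point"  # reinfection risk if that restore point is used
    return "file"               # live file on disk: quarantine/chest


def parse_line(line: str) -> Optional[LogEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("message")
    signature = path = None
    d = DETECT_RE.search(msg)
    if d:
        kind = "detection"
        signature, path = d.group("signature"), d.group("path")
    elif "has failed" in msg or "error has occured" in msg:
        kind = "update_failure"  # definition updates not applied
    elif "scanning warning" in msg:
        kind = "scan_error"      # file could not be scanned (not a detection)
    else:
        kind = "other"
    return LogEntry(m.group("date"), m.group("time"), int(m.group("epoch")),
                    m.group("account"), int(m.group("pid")), kind, msg,
                    signature, path)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries: list) -> dict:
    detections = [e for e in entries if e.kind == "detection"]
    return {
        "kinds": dict(Counter(e.kind for e in entries)),
        "by_signature": dict(Counter(e.signature for e in detections)),
        "by_location": dict(Counter(classify_location(e.path) for e in detections)),
        "paths": [e.path for e in detections],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real warning.txt by reading the file instead of SAMPLE_LOG; entries of kind "update_failure" are worth noting on their own, because repeated failures mean the scans that found nothing were run with stale definitions.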

Yes, remove as per wyrmrider’s post.

Hi fellow posters
Yesterday was MS patch day so today is a good day to run Secunia Software Inspector and get up to date
Prevention is always the best policy

Big Spybot Search and destroy update today
SAS had an update today which targets this poster’s problems
If you did an SAS scan did you post the log
if not- it’s your lucky day- you get to do it with the latest definitions - please update before scanning

on MBAM new version- you got it right- I posted the old one- good work
please - no more no action taken-
post back if anything was not able to be REMOVED
if MBAM asks you to reboot DO IT IMMEDIATELY before doing anything else

Hi… just wanted to say thanks to all of you for helping :slight_smile:
the virus is gone.

Thanks for reporting back. What action effectively cleaned it?

MBAM