Fake update.exe in hidden folder


This guide serves to educate you (and me, just in case I forget in the near future) on how to fix a very cunning trojan: Update.exe.

The Challenge

A client came to me and complained: “My laptop is dead! My laptop is dead! Each time I plug a removable device into my PC, the files disappear. All I am left with are shortcuts. Where are my files?”

If you have ever experienced that scary situation where your data seems to “disappear” (days of hard work on that presentation or report, weeks of research on that paper, and just when you are about to print it, maybe in a cyber café, your data is simply no longer there), you will surely understand the feeling this user had when he came seeking my help.

As a not-so-seasoned IT professional (I’d rather say hobbyist), getting around such a challenge is certainly not a problem. Revealing the contents of the removable device is as easy as singing A, B, C from the Greek alphabet. And fixing the trojan manually on the user’s PC is usually just as easy. But in this case…

The Approach

Using the command prompt, I checked for hidden files and folders in the root of the C drive and in the Windows, System32, Drivers and Users folders, but found nothing.

I checked the running processes in Task Manager: nothing.

I checked for startup entries in the registry: nothing.

I checked for userinit or explorer hooks in the registry: nothing there either.

I also checked the startup entries using msconfig: nothing there as well.

Now this really got interesting. Where then was the virus hiding? Or had these virus coders discovered a new approach that eluded me?

What was I missing?

The idea!

Somehow (either by a stroke of luck or by a touch of genius), I took a closer look at a particular file that had initially looked legit to me: UPDATE.EXE. Looks legit, doesn’t it? Many programs use update.exe as an update package (in fact, my GFI LANguard scanner uses it… I believe Avira uses it too). But on taking a closer look, I discovered that its location was rather suspicious: a temporary folder in the User directory. Bingo! And it was also running in Task Manager, from that same location!

Looks like malicious code writers have found more cunning ways of crafting malicious code.
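As an added example (not the author’s script, nor anything from the post), here is a PowerShell check that automates the two looks that finally paid off above: it lists running processes whose image lives under the current user’s profile folders (the post’s “temporary folder in the User directory” is assumed here to mean the AppData\Local\Temp, AppData\Local and AppData\Roaming trees) together with their Authenticode signature status, and then lists hidden executables beneath those same folders.

```powershell
# Added example: hunt for processes and hidden executables living under
# user-writable profile folders, where the post's fake update.exe was found.
# Assumption: the "temporary folder in the User directory" is one of these roots.
$suspectRoots = @(
    (Join-Path $env:USERPROFILE 'AppData\Local\Temp'),
    (Join-Path $env:USERPROFILE 'AppData\Local'),
    (Join-Path $env:USERPROFILE 'AppData\Roaming')
)

# 1. Running processes whose executable path starts with one of the roots.
#    A legitimate update.exe normally runs from Program Files, not from here.
$running = Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath }
foreach ($p in $running) {
    foreach ($root in $suspectRoots) {
        if ($p.ExecutablePath.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            [PSCustomObject]@{
                PID       = $p.ProcessId
                Name      = $p.Name
                Path      = $p.ExecutablePath
                # NotSigned / HashMismatch on an "update.exe" is a strong hint.
                Signature = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
            }
            break
        }
    }
}

# 2. Hidden executables under the same roots. -Force makes Get-ChildItem show
#    files carrying the Hidden attribute, which "dir" in cmd hides by default.
foreach ($root in $suspectRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Include *.exe, *.scr, *.vbs -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([System.IO.FileAttributes]::Hidden) } |
        Select-Object FullName, Attributes, LastWriteTime, Length
}
```

Run it from an elevated PowerShell prompt on the affected machine; it only reports, so you still decide what to delete, and it only covers the profile of the user you run it as.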

WE FOUND THE BAD GUY

The Action

Was that so hard? All I had to do was locate the file and hit the “Delete Forever” key. And that was it. I rebooted, and there, it was all gone: I plugged in a flash disk, and nothing ran into hiding anymore.

Problem Solved

The Moral

There are smart guys out there. Don’t get fooled.

PAY ATTENTION TO DETAILS


Quote of the Day:
Resentment is like taking poison and hoping the other person dies.
–St. Augustine
