#1

Hello,

I do hope someone can help please. A couple of problems with a friend's pc. He is completely pc illiterate. Limited access at present as I have to keep travelling to his home, but next week will be at his home a lot.

OS: Windows XP Home
AVG AV (version 6 at present - cleaning all problems before installing version 7)
IE version 6

1) The Trojan horse cannot be removed to the virus vault and is still on the hard drive. Cannot download any 'online scanners' as keep being told that signed ActiveX controls cannot be downloaded. Have checked IE > Internet Options > Security > all items are set as 'default' and slider is set at medium. (Have also set it lower) but still unable to scan as message re ActiveX controls still appears. Does anyone know of a removal tool for this problem? He did have twenty viruses, all sorted except this.

2) Lots of pop-ups and home page taken over by 'about blank'. I know this pc is full of spyware. I did wonder if this is causing the ActiveX problems above? When trojan is, hopefully, sorted then Spybot S&D plus AdaWare SE will be installed to sort this, again, hopefully.

Advice would be really appreciated. I know someone will suggest 'HiJack This' but I will be unable to do that until next week.

Thank you
Rosie

#2

I'd say you run BitDefender Free 7.2 on his PC and then see what it says. Then use AdAware and Spybot; then download AntiDote for Windows Superlite (KAV engine) or eScan free and see what spyware is there.
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code

#3

Hi, I would try emptying the caches, turning off system restore, booting into safe mode and scanning from there with MS anti spyware & another AV.
Have a look at the running processes in task manager and research those which are not familiar; a good site is wintasks.
__________________
"Well behaved women rarely make history" Laurel Thatcher Ulrich

#4

Thank you both but I am unable to run an online scanner on his pc due to the ActiveX control problem.

I did try to run BitDefender but his pc was not having any of it. Online scanners just will not run and however I set his security settings in IE, the message re unable to run ActiveX controls appears! I do hope this can be rectified.

Thank you
Rosie

#5

Quote:
__________________
Last edited by Radu : Today, at 5:32 AM. Reason: Found new malicious code

#6

Follow these steps in General Cleaning, but use these as an absolute minimum:
http://www.wilderssecurity.com/showthread.php?t=50662

Please also try scanning for spyware using ad-aware SE and Spybot-S&D.

You can also try posting a HijackThis log, look at this announcement for more details: http://www.wilderssecurity.com/showthread.php?t=42148

#7

Sorry,

The scanners would not fully download due to:- however I set his security settings in IE, the message re unable to run ActiveX controls appears!

Thanks
Rosie

#8

Quote:

Rosie, is ActiveX enabled or disabled? And, what program requires ActiveX? I don't think CWShredder or ad-aware SE or other anti-spyware apps need ActiveX.

Security pros here get onto this case now.

#9

Things seem pretty bad here, I think you may have to take this one to a Forum that does HijackThis logs.

However before doing that try the following routine:-

Disable system restore, as per here:- http://www.bleepingcomputer.com/forums/tutorial56.html

Then clear out all your temp files, and the easy way to do that is by downloading CCleaner from here:- http://www.ccleaner.com/

Then you need to open Windows Explorer and:-

1. Select "Tools" from the menu on top.
2. Select "Folder Options".
3. Select the "View" tab.
4. Scroll down and Select "Show hidden files and folders".
5. Unselect "Hide extensions for known file types".
6. Unselect "Hide protected operating system files".
7. If you get a "warning" prompt, say yes you want to do it anyway.
8. Click Apply and Ok.

Finally you should go into Safe Mode; see here:- http://www.bleepingcomputer.com/forums/tutorial61.html and do a full system scan with AVG.

After that you need to do a full system scan with AdAware by Lavasoft. D/L that from here:- http://www.lavasoftusa.com/software/adaware/

The above won't cure the about:Blank problem (if you do indeed have that), but there is one automated tool that may do the trick; see here:- http://www.adwareaway.com/

You can do no harm by trying Adaware Away - but ONLY after you have done all of the above. Adaware Away is available on a few days free trial, so you would need to act fast after downloading it.

There is also a new version of CWShredder (2.14) you can try from here:- http://www.intermute.com/spysubtract..._download.html

Failing all of that, you will need to resort to HJT logs.

Last edited by TopperID : February 8th, 2005 at 02:17 PM.

#10

Hello,

IE Security Settings:-

ActiveX controls and plug-ins - Prompt is checked.
Download unsigned ActiveX controls - Disable is checked
Initialize and script ActiveX controls not marked as safe - Disable is checked
Run ActiveX controls and plug-ins - Enable is checked
Script ActiveX controls marked safe for scripting - Enable is checked

These settings are apparently needed to run the online security scanners like BitDefender and Trend Micro but even if I set the reset to low instead of medium, the same message appears stating that 'unable to run ActiveX controls' appears and the download of virus definitions ceases.

I am not able to access his pc now until Saturday, but I will try all of the other suggestions from everyone.

Thank you for your time and patience
Rosie

#11

Rosie, have you got a Firewall or Router set to block ActiveX?

If you are having difficulty doing an online scan, try here:- http://uk.trendmicro-europe.com/ente...all_launch.php

Let us know whether this is successful.

#12

Rosie, which software firewall are you using?

Also, if you're behind a router then you should have a hardware firewall, but hardware firewalls do not have any visual alerts, so a software firewall is necessary too.

#13

Hello again,

No, he has never had a firewall. At the weekend, I am going to install, on his pc, Spybot S&D - AdAware SE - ZoneAlarm, free version and SpywareBlaster. (I use all of these on my pc and think they are fantastic.) I have been trying to get my friend to install them for ages, but I am afraid he left it too late.

When I saw the problems he was having, on Tuesday, I thought that I needed to clean his pc before I installed too much. I did manage to clear 17 viruses from his pc on Tuesday, leaving just the Trojan horse, which we are discussing here, and of course all of the spyware, which I think may be responsible for the security settings to be reset in Internet Options. Correct me if I am wrong.

I really do appreciate all advice and I am hoping that, with your advice, I can help to get his pc into some kind of order again.

Thank you
Rosie

#14

You can always try going in to safe mode and deleting C:\WINDOWS\SYSTEM32\MSUPD5.EXE via Windows Explorer.

Sometimes MSUPD5.EXE is associated with a running 'Service'. You can easily check that by clicking Start/Control Panel/Performance And Maintenance/Administrative Tools/Services; this brings up the Services box, look for any Service called Miscrosoft Update Service 5 or, alternatively, with a name consisting of random letters. If there is one double click it to bring up the Properties box - that will show you the file path. If it is C:\WINDOWS\SYSTEM32\MSUPD5.EXE then you want to set it to 'Disable' in the 'Startup Type' dropdown box. Then you can delete the MSUPD5.EXE file.

Of course this is easier said than done if you have a whole bunch of other stuff as well! You might find it simply comes back again. Unfortunately this file is often associated with nastier infections that are not so easily dealt with.

Last edited by TopperID : February 9th, 2005 at 11:09 AM.

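The Services check described in post #14, as an added PowerShell example that is not part of the original thread: it lists every service whose executable resolves to C:\WINDOWS\SYSTEM32\MSUPD5.EXE, whatever display name the service carries. The helper names (Get-ServiceExecutable, Find-ServiceByImage) and the sample rows are constructed for illustration, and it assumes PowerShell 2.0 or later is installed on the machine.

```powershell
# Added illustration, not code from the thread. Helper names are hypothetical.
# Input: objects shaped like Win32_Service (Name, DisplayName, PathName, StartMode).

function Get-ServiceExecutable {
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        # Quoted image path: the executable is the text between the first pair of quotes.
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { $p = $p.Substring(1, $end - 1) } else { $p = $p.Trim('"') }
    } elseif ($p -match '^(.+?\.(exe|dll|sys))(\s|$)') {
        # Unquoted: cut after the first .exe/.dll/.sys followed by a space or end of string.
        $p = $Matches[1]
    }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Find-ServiceByImage {
    param(
        [Parameter(ValueFromPipeline = $true)] $Service,
        [Parameter(Mandatory = $true)] [string] $ImagePath
    )
    process {
        $exe = Get-ServiceExecutable $Service.PathName
        # Windows paths are case-insensitive, so compare with -ieq.
        if ($exe -and ($exe -ieq $ImagePath)) {
            New-Object PSObject -Property @{
                Name = $Service.Name; DisplayName = $Service.DisplayName
                StartMode = $Service.StartMode; Executable = $exe
            }
        }
    }
}

# Constructed sample rows. On a live system use: Get-WmiObject Win32_Service
$sample = @(
    New-Object PSObject -Property @{ Name = 'wuauserv'; DisplayName = 'Automatic Updates'
        PathName = 'C:\WINDOWS\system32\svchost.exe -k netsvcs'; StartMode = 'Auto' }
    New-Object PSObject -Property @{ Name = 'qzxvk'; DisplayName = 'Miscrosoft Update Service 5'
        PathName = '"C:\WINDOWS\SYSTEM32\msupd5.exe" /s'; StartMode = 'Auto' }
)

$hits = $sample | Find-ServiceByImage -ImagePath 'C:\WINDOWS\SYSTEM32\MSUPD5.EXE'
$hits | Format-Table Name, DisplayName, StartMode, Executable -AutoSize

# To stop a match loading at boot before deleting the file (run as administrator):
#   $hits | ForEach-Object { Set-Service -Name $_.Name -StartupType Disabled }
```

Matching on the resolved executable rather than the display name catches the "random letters" case the post mentions, since the service name can change while the file path stays the same.
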
#15

Thanks Topper ID

I will try your suggestion at the weekend. Thanks to everyone else as well for continued support

Rosie

#16

Thanks to everyone for your help.

With your help, I have managed to sort out my friend's computer problems.

Rosie

#17

I do love a happy ending!