aupdate.exe

Discussion in 'malware problems & news' started by DolfTraanberg, Jun 22, 2003.

Thread Status:
Not open for further replies.
  1. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hi,
    Has anyone some info on this file:
    aupdate.exe
    It comes together with aupdate_uninstall.exe and aupdate.trk
    TDS-3 identified it as Gatherer Webdownloader 1.1
    It has some connections with http://blazefind.com which appeared to be in my restricted-site list
    Dolf
     
  2. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yes, it's known spyware/adware:

    http://www.doxdesk.com/parasite/ISTbar.html

    If you'd like us to have a closer look, please do the following:
    Go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please show us its contents.

    Most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.

    Cheers,
     
  3. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Thanks Tony,
    I think it has to do with that Download_Plugin.exe which I could not download for further analysis at the moment because of my security settings of IE.
    Dolf
     

  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Dollefie,

    Check the items below, then close all windows except HijackThis and click Fix checked:
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx__BHODemonDisabled (file missing)
    O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)

    No trace of ISTbar, so I guess you blocked it successfully.

    Regards,

    Pieter
     
  5. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    I suppose it is not to be confused with the aupdate.exe function of Outpost firewall :rolleyes:
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi meneer,

    The location of the file would not be the same, I hope.
    In a HijackThis log ISTbar would show up like this:
    O4 - HKLM\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe

    If I'm not mistaken there is also an Aupdate.exe which is Norton related.

    Regards,

    Pieter
     
  7. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Yup, but that one would always be located in a symantec\liveupdate folder, so no risk of confusion there. :)
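
The location check discussed in the posts above, as an added example that is not part of the original thread: it reads O4 autorun lines from a HijackThis log and sorts every `aupdate.exe` entry by the folder it runs from. The function name, the verdict labels, and every sample line except the `AutoUpdater` entry quoted in the thread are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log. Only the AutoUpdater line is quoted from the thread;
# the other entries and their paths are made up for illustration.
SAMPLE_LOG = r"""
O2 - BHO: Activater - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O4 - HKLM\..\Run: [AutoUpdater] C:\WINDOWS\System32\aupdate.exe
O4 - HKLM\..\Run: [LiveUpdate] C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
O4 - HKLM\..\Run: [ExampleFW] "C:\Program Files\ExampleFirewall\aupdate.exe" /quiet
"""

O4_LINE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Executable path: either quoted, or everything up to the first ".exe".
EXE_PATH = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)\b', re.IGNORECASE)


def classify_aupdate(log_text):
    """Return (run_value_name, path, verdict) for each O4 entry launching aupdate.exe."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue  # O2 and other sections are out of scope here
        exe = EXE_PATH.match(m.group("cmd"))
        if not exe:
            continue
        path = exe.group("q") or exe.group("u")
        p = PureWindowsPath(path)
        if p.name.lower() != "aupdate.exe":
            continue
        folder = str(p.parent).lower()
        if p.parent.name.lower() == "system32":
            verdict = "istbar-location"        # matches the entry shown in the thread
        elif folder.endswith(r"symantec\liveupdate"):
            verdict = "symantec-liveupdate"    # Norton-related location per the thread
        else:
            verdict = "unknown-location"       # same name elsewhere: review by hand
        findings.append((m.group("name"), path, verdict))
    return findings


if __name__ == "__main__":
    for name, path, verdict in classify_aupdate(SAMPLE_LOG):
        print(f"{verdict:20} [{name}] {path}")
```

A file name alone does not decide the verdict here; an `unknown-location` result only means the entry needs a manual look.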
     
  8. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Thank you all
    Dolf
     