Trojan horse Agent G (C:\WINDOWS\SYSTEM32\MSUPD5.EXE)

Discussion in 'malware problems & news' started by Rosie, Feb 8, 2005.

Thread Status:
Not open for further replies.
  1. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Hello,

I do hope someone can help please. A couple of problems with a friend's PC. He is completely PC illiterate.

    Limited access at present as I have to keep travelling to his home, but next week will be at his home a lot.

OS: Windows XP Home
AV: AVG (version 6 at present; cleaning all problems before installing version 7)
IE: version 6

    1) The Trojan horse cannot be removed to the virus vault and is still on the hard drive

    Cannot download any 'online scanners' as keep being told that signed Activex controls cannot be downloaded. Have checked IE > Internet Options > Security > all items are set as 'default' and slider is set at medium. (Have also set it lower) but still unable to scan as message re Activex controls still appears.

    Does anyone know of a removal tool for this problem?

    He did have twenty viruses, all sorted except this.

    2) Lots of pop ups and home page taken over by 'about blank' I know this pc is full of spyware.
    I did wonder if this is causing the Activex problems above? When trojan is, hopefully, sorted then Spybot S&D plus AdaWare SE will be installed to sort this, again, hopefully.

    Advice would be really appreciated, I know someone will suggest 'HiJack This' but I will be unable to do that until next week.

    Thank you

    Rosie
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I'd say you run BitDefender Free 7.2 on his PC and then see what it says. Then use AdAware and Spybot; then download AntiDote for Windows Superlite (KAV engine) or eScan free and see what spyware is there.
     
  3. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
Hi, I would try emptying the caches, turning off System Restore, booting into Safe Mode and scanning from there with MS AntiSpyware and another AV.

    Have a look at the running processes in task manager, research those which are not familiar, a good site is wintasks.
     
  4. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Thank you both but I am unable to run an online scanner on his pc due to the Activex control problem.

    I did try to run BitDefender but his pc was not having any of it. On line scanners just will not run and however I set his security settings in IE, the message re unable to run Activex controls appears!

    I do hope this can be rectified.

    Thank you

    Rosie
     
  5. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    What do you mean by 'his pc was not having any of it'?
     
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
  7. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Sorry,

    The scanners would not fully download due to:-

    however I set his security settings in IE, the message re unable to run Activex controls appears!

    Thanks

    Rosie
     
  8. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Rosie, is ActiveX enabled or disabled?
    And, what program requires activeX? I don't think CWShredder or ad-aware SE or other anti-spyware apps need activex. o_O
    Security pros here get onto this case now.
     
  9. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Things seem pretty bad here, I think you may have to take this one to a Forum that does HijackThis logs.

    However before doing that try the following routine:-

    Disable system restore, as per here:- http://www.bleepingcomputer.com/forums/tutorial56.html

    Then clear out all your temp files, and the easy way to do that is by downloading CCleaner from here:- http://www.ccleaner.com/

    Then you need to open Windows Explorer and:-
    1. Select "Tools" from the menu on top.
    2. Select "Folder Options".
    3. Select the "View" tab.
    4. Scroll down and Select "Show hidden files and folders".
5. Unselect "Hide extensions for known file types".
    6. Unselect "Hide protected operating system files".
    7. If you get a "warning" prompt, say yes you want to do it anyway.
    8. Click Apply and Ok.

    Finally you should go into Safe Mode; see here:- http://www.bleepingcomputer.com/forums/tutorial61.html

    and do a full system scan with AVG.

    After that you need to do a full system scan with AdAware by Lavasoft. D/L that from here:- http://www.lavasoftusa.com/software/adaware/

    The above won't cure the About:Blank problem (if you do indeed have that), but there is one automated tool that may do the trick; see here:- http://www.adwareaway.com/

    You can do no harm by trying Adaware Away - but ONLY after you have done all of the above. Adaware Away is available on a few days free trial, so you would need to act fast after downloading it.

    There is also a new version of CWShredder (2.14) you can try from here:- http://www.intermute.com/spysubtract/cwshredder_download.html

    Failing all of that, you will need to resort to HJT logs.
     
    Last edited: Feb 8, 2005
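The eight Explorer "View" steps in the post above map onto three per-user registry values that Explorer reads from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. The script below is an added example and is not code from the thread or from any of the posters; it reads the current state of those three values, sets them so that hidden files, file extensions and protected operating system files are all shown, and restarts Explorer so open windows pick up the change. The function names are my own.

```powershell
# Added example (not from the thread): apply the Explorer "View" settings from the
# steps above via the registry values Explorer reads. All three live under HKCU,
# so no elevation is needed, and the meanings are:
#   Hidden          1 = show hidden files and folders, 2 = do not show
#   HideFileExt     0 = show extensions for known file types, 1 = hide them
#   ShowSuperHidden 1 = show protected operating system files, 0 = hide them
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerViewSettings {
    # Returns the three settings as booleans so they read like the Folder Options dialog.
    $p = Get-ItemProperty -Path $Advanced
    [pscustomobject]@{
        ShowHiddenFiles      = ($p.Hidden -eq 1)
        ShowFileExtensions   = ($p.HideFileExt -eq 0)
        ShowProtectedOsFiles = ($p.ShowSuperHidden -eq 1)
    }
}

function Set-ExplorerShowEverything {
    # Equivalent of steps 4, 5 and 6 of the procedure, plus Apply/OK.
    Set-ItemProperty -Path $Advanced -Name Hidden          -Value 1 -Type DWord
    Set-ItemProperty -Path $Advanced -Name HideFileExt     -Value 0 -Type DWord
    Set-ItemProperty -Path $Advanced -Name ShowSuperHidden -Value 1 -Type DWord

    # Explorer caches these values at start-up; restarting it makes the change
    # visible in windows that are already open.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process -FilePath explorer.exe
}

Write-Output 'Before:'
Get-ExplorerViewSettings | Format-List
Set-ExplorerShowEverything
Write-Output 'After:'
Get-ExplorerViewSettings | Format-List
```

Hidden extensions are worth turning off before any manual clean-up, because a file named something like "readme.txt.exe" is shown as "readme.txt" while the default "Hide extensions for known file types" setting is on, which makes the executables you are looking for easy to miss in Explorer.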
  10. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Hello,

    IE Security Settings:-

ActiveX controls and plug-ins:
  Prompt is checked.
  Download unsigned ActiveX controls: Disable is checked.
  Initialize and script ActiveX controls not marked as safe: Disable is checked.
  Run ActiveX controls and plug-ins: Enable is checked.
  Script ActiveX controls marked safe for scripting: Enable is checked.

These settings are apparently needed to run the online security scanners like
BitDefender and Trend Micro, but even if I set the reset to low instead of medium, the same message appears stating 'unable to run ActiveX controls' and the download of virus definitions ceases.

I am not able to access his PC now until Saturday, but I will try all of the other suggestions from everyone.

    Thank you for your time and patience

    Rosie
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  12. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Rosie, which software firewall are you using?
    Also, if you're behind a router then you should have a hardware firewall, but hardware firewalls do not have any visual alerts, so a software firewall is necessary too.
     
  13. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Hello again,

    No, he has never had a firewall, At the weekend, I am going to install, on his pc, Spybot S&D - AdAware SE - ZoneAlarm, free version and SpywareBlaster.

    (I use all of these on my pc and think they are fantastic) I have been trying to get my friend to install them for ages, but I am afraid he left it too late.

    When I saw the problems he was having, on Tuesday, I thought that I needed to clean his pc before I installed too much.

I did manage to clear 17 viruses from his PC on Tuesday, leaving just the Trojan horse, which we are discussing here, and of course all of the spyware, which I think may be responsible for the security settings being reset in Internet Options. Correct me if I am wrong.

    I really do appreciate all advice and I am hoping that, with your advice, I can help to get his pc into some kind of order again.

    Thank you

    Rosie
     
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    You can always try going in to safe mode and deleting C:\WINDOWS\SYSTEM32\MSUPD5.EXE via Windows Explorer.

Sometimes MSUPD5.EXE is associated with a running 'Service'. You can easily check that by clicking Start/Control Panel/Performance And Maintenance/Administrative Tools/Services; this brings up the Services box. Look for any Service called Microsoft Update Service 5 or, alternatively, with a name consisting of random letters. If there is one, double click it to bring up the Properties box - that will show you the file path. If it is C:\WINDOWS\SYSTEM32\MSUPD5.EXE then you want to set it to 'Disable' in the 'Startup Type' dropdown box. Then you can delete the MSUPD5.EXE file.

    Of course this is easier said than done if you have a whole bunch of other stuff as well! You might find it simply comes back again. Unfortunately this file is often associated with nastier infections that are not so easily dealt with.
     
    Last edited: Feb 9, 2005
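The Services-console check TopperID describes above can be scripted so that you do not depend on recognising a "Microsoft Update Service 5" or a random-letter display name by eye. The following is an added example, not code from the thread or from any poster: it lists every service whose command line references the file named in this thread (the path defaults to C:\WINDOWS\SYSTEM32\MSUPD5.EXE, taken from the thread), prints what the Properties box would show, and, only when run with -Disable, sets the service's startup type to Disabled and stops it so the file can be deleted from Safe Mode. It also records the file's hash, size and Authenticode signature status before deletion so the indicator is kept if the file comes back. Parameter and variable names are my own; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): find services whose binary path references a
# suspect file, report them, optionally disable/stop them, and record the file's
# hash and signature status before it is deleted.
param(
    [string]$SuspectPath = 'C:\WINDOWS\SYSTEM32\MSUPD5.EXE',  # path named in this thread
    [switch]$Disable                                           # act only when asked to
)

$leaf = Split-Path -Path $SuspectPath -Leaf

# Win32_Service.PathName holds the full command line (path plus arguments, sometimes
# quoted), so match on the file name rather than on an exact string.
$hits = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -like "*$leaf*") }

if (-not $hits) {
    Write-Output "No service references $leaf."
}
else {
    foreach ($svc in $hits) {
        # Same fields the Services Properties box shows, including the file path.
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            StartMode   = $svc.StartMode
            PathName    = $svc.PathName
        } | Format-List

        if ($Disable) {
            # 'Disabled' prevents the service from starting again on the next boot.
            Set-Service -Name $svc.Name -StartupType Disabled
            if ($svc.State -eq 'Running') {
                Stop-Service -Name $svc.Name -Force -ErrorAction Continue
            }
            Write-Output "Service '$($svc.Name)' set to Disabled. Delete $SuspectPath from Safe Mode, reboot, and re-run this script to confirm it has not returned."
        }
    }
}

# Keep an indicator of the file before it is removed: hash, size and whether it carries
# a valid Authenticode signature (a genuine Microsoft update binary normally does).
if (Test-Path -LiteralPath $SuspectPath) {
    $sig = Get-AuthenticodeSignature -FilePath $SuspectPath
    [pscustomobject]@{
        Path      = $SuspectPath
        SizeBytes = (Get-Item -LiteralPath $SuspectPath).Length
        SHA256    = (Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    } | Format-List
}
else {
    Write-Output "$SuspectPath is not present on disk."
}
```

Running it without -Disable is a read-only check and is the sensible first step; re-running it after the reboot TopperID recommends tells you whether another infection has re-created the service, which is the case he warns about in his last paragraph.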
  15. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Thanks Topper ID

    I will try your suggestion at the weekend.

    Thanks to everyone else as well for continued support :)

    Rosie
     
  16. Rosie

    Rosie Registered Member

    Joined:
    May 13, 2003
    Posts:
    44
    Location:
    United Kingdom
    Thanks to everyone for your help.

With your help, I have managed to sort out my friend's computer problems.

    Rosie
     
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I do love a happy ending! :D :) ;)
     