Solved

Is update.exe a virus or Microsoft?

Posted on 2009-04-17
Last Modified: 2013-11-22
I use Comodo firewall and since yesterday it has displayed continuous pop-ups regarding giving access to a program called "update.exe".

I have googled the problem and have found "update.exe" and "Update.exe"; the one that keeps popping up is "update.exe". The Google results come down to it's either a trojan or a Microsoft updater.

I have included images of the 3 types of pop-ups: SoftwareDistribution\Download, modify a dberr.txt file and modify a HKLM registry entry.

Is this a virus or Microsoft?

If it's a virus, how do I remove it? (I have Ad-Aware, Spy-Bot and AVG, and ran them, no detection.)

Please advise.
EE.update-exe.01.jpg
EE.update-exe.02.jpg
EE.update-exe.03.jpg
0
Question by:rayluvs
11 Comments
 
LVL 5

Expert Comment

by:ping_it
ID: 24167005
To know what that is, the best way is to send it to a response center that will run the file, test it, analyze it and create a response; if they detect that it's infected, a virus or similar, they will create the definitions.

Upload the file here: https://submit.symantec.com/websubmit/retail.cgi

They will reply to you with the status of the analysis. After that you can run this tool and you will have confirmation of whether or not it is a "dangerous" file: http://security.symantec.com/sscv6/WelcomePage.asp

0
 
LVL 8

Accepted Solution

by:
skywalker39 earned 1200 total points
ID: 24167019
Hi Ramante,

It's possible that it is this: http://www.bleepingcomputer.com/startups/update.exe-20205.html
I would try the following
http://www.malwarebytes.org/mbam.php
http://www.superantispyware.com/
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

I would recommend running this first http://www.pctools.com/spyware-doctor-antivirus/
It's not free; however, you can run a scan. The downfall is it won't allow you to remove anything without paying first. I would update the definitions, then run a full scan in both Normal Mode and in Safe Mode.
0
 
LVL 3

Expert Comment

by:Thickman
ID: 24167130
update.exe is not Microsoft. Nor is winupdates.exe. Winupdates.exe is most assuredly a virus. I'm not sure about the other one. Malwarebytes should fix it up. Also, check your system32 directory for any .dil files and remove them.
0
 

Author Comment

by:rayluvs
ID: 24170891
Hi all,

I kept giving permission to "update.exe" to do whatever it needed to do and it finally stopped. I have rebooted a couple of times and also permitted the periodic update of Windows to download and install and I haven't seen any problem. Nevertheless, I will run your recommendations and let you know.


------------------------
ping_it:
------------------------

I could find the update.exe file to upload.  I did download the Norton Security Scan for testing, I'll try it

------------------------
skywalker39:
------------------------
The link indicates that the file is found in Windows\system, but it's not there on my PC. I have downloaded the file you recommended.

I usually use Spy-Bot, Ad-Aware/Lavasoft and AVG. The links you recommended, are they in the same categories of performance?

One more question. I also downloaded the "sophos" product; what's a rootkit?

------------------------
Thickman:
------------------------
I thought it could be Microsoft because I did find a link referring to that. Why do you mention "winupdates.exe"? Do you think I have that on my PC?

0
 
LVL 8

Assisted Solution

by:skywalker39
skywalker39 earned 1200 total points
ID: 24170975
Here's a link for what a rootkit is: http://en.wikipedia.org/wiki/Rootkit
Spybot, Ad-Aware/Lavasoft and AVG are good products, however I've always had a better experience with the products that I recommended to you.
0
 

Author Comment

by:rayluvs
ID: 24171071
Thanx skywalker39, so the rootkit is like a Trojan but had its initial via Unix system. OK. So the apps I downloaded, I just run them like any other antispyware/virus and that's that?
0
 
LVL 8

Expert Comment

by:skywalker39
ID: 24171076
Correct Ramante.
0
 
LVL 3

Expert Comment

by:Thickman
ID: 24171117
Ramante,
I was just mentioning Winupdates.exe as a side note. I've seen it on several of my computers here at work. It's a worm by the name of RBOT.DIL.
0
 
LVL 5

Assisted Solution

by:ping_it
ping_it earned 300 total points
ID: 24171433
Sorry, they changed the page; they added the Norton Security Scan. It should also be OK. But I have the tested method.

On the same page http://security.symantec.com/sscv6/WelcomePage.asp click "continue" and try the two scans. They are always updated with the latest definitions.

Did you upload the file? If you cannot find it, try to go into safe mode and search for it from there.

If you have a virus it should load automatically when you start the pc. Also rootkits that are hidden files, they are hidden, yes. But there is a process that hides them. And this process cannot hide itself. So you can see it somewhere.
To search for files you can search in safe mode.

The common loadpoints are the following, try to search for suspicious files there:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

0
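Added example, not part of the post above: a read-only PowerShell script that walks five of the Run-style loadpoints from that list and reports the Authenticode signer of each program they launch, which is the quickest way to tell a Microsoft-signed file from an impostor with a similar name. It assumes PowerShell 3.0 or later; the helper name Get-ImagePath is hypothetical.

```powershell
# Added example: read-only audit of Run-style loadpoints (key names from the list above).
$loadpoints = @(
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Hypothetical helper: extract the executable path from an autorun command line.
function Get-ImagePath([string]$CommandLine) {
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    # Quoted path: "C:\Program Files\App\app.exe" /arg
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: take everything up to the first executable extension
    if ($expanded -match '^\s*(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') { return $Matches[1] }
    return $expanded.Trim()
}

$results = foreach ($key in $loadpoints) {
    $path = "Registry::$key"
    if (-not (Test-Path $path)) { continue }      # key absent on this system
    $item = Get-Item $path
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $image   = Get-ImagePath $command
        $sig     = $null
        # Bare names such as "rundll32.exe" are not resolved here and show as missing.
        if ($image -and (Test-Path -LiteralPath $image -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $image
        }
        [pscustomobject]@{
            Key             = $key
            Name            = $name
            Command         = $command
            Image           = $image
            FileFound       = [bool]$sig
            SignatureStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Unsigned or missing entries sort away from the 'Valid' ones for easier review.
$results | Sort-Object SignatureStatus, Key | Format-List
```

A `NotSigned` status or a missing file is a reason to look closer at that entry, not a verdict on its own. The same `Get-AuthenticodeSignature` call can be pointed directly at the full path of the `update.exe` named in a firewall prompt.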
 

Author Comment

by:rayluvs
ID: 24171610
Thanx all... we'll try all of the recommendations after hours. I'll keep you posted.
0
 

Author Comment

by:rayluvs
ID: 24247268
Hi, sorry for the delay. I ran Spy-Bot, Ad-Aware and RootKit and all came up clean. I did notice that when I get an update from Microsoft I do get this message, and that is the only time I see the update.exe (I don't see this file any other time). So I am assuming it's Microsoft.

Before closing this question, maybe you guys have any last suggestions?
0
