MSupdater.exe??

Discussion in 'Malware and Virus Removal Archive' started by Sussex138, 2003/11/25.

Thread Status:
Not open for further replies.
  1. 2003/11/25
    Sussex138

    Sussex138 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    97
    Likes Received:
    0
    This file is in Document and Settings, all users. It has something to do with the start-up menu.

    When Zone Alarm asked me whether I should permit it to access the internet, I said no, because I didn't know what it was.

    It is probably harmless, but I would like to make sure before I let it access the internet. I can't remember what function I was performing when the message came up.

    Any help in identifying this file would be appreciated.
     
  2. 2003/11/25
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Sussex138

    Did some searches on this. This appears to be a trojan.

    Main search page http://forums.techguy.org/t180682/s86fac7e3bc449754a12fdfe3b9ed5770.html

    User HijackThis log http://forums.techguy.org/t180682/s86fac7e3bc449754a12fdfe3b9ed5770.html

    To download HijackThis http://www.tomcoyote.org/hjt/ !! Hijackthis tutorial/ download

    You can use these security forums as well to have your log analyzed:

    http://www.wilderssecurity.com/index.php under:
    adware, spyware & hijack cleaning
    logs and analysis

    http://www.spywareinfo.com/yabbse/ under:
    Spyware and Hijackware Removal Support
    For help getting rid of spyware, browser hijackers, **** dialers, thiefware, and all other unwanted advertising parasites.

    http://www.lavasoftsupport.com/index.php?showforum=44 This is Lavasoft's (Ad-Aware) section of analyzing HijackThis logs.

    Online virus/trojan checkers: http://www.wilders.org/free_services.htm

    Regards - Charles
     
    Last edited: 2003/11/25

  4. 2003/11/25
    Sussex138

    Sussex138 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    97
    Likes Received:
    0
    Thanks for your prompt reply and good information.

    I downloaded the HijackThis program and deleted that file, but subsequently discovered that it was for Call Wave, which is my internet telephone answering machine. I have a back-up file and can restore it.

    It is not a Trojan.
     
  5. 2003/11/25
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi Sussex138,
    It's another variant of the CoolWebSearch trojan.
    Best to first scan with and clean up most nasties with SpyBot or Ad-aware, then run, after a restart of the PC, CWShredder,
    found here: http://www.spywareinfo.com/~merijn/cwschronicles.html

    Then get HijackThis and post its log. DO NOT ATTEMPT TO FIX anything with it without advice.
    The best place to post, in my opinion, is where they made the tool:
    SpywareInfo Support Forums Spyware: http://forums.spywareinfo.com/
    And don't post the startup log, just the HijackThis log, unless asked for.
    There and here too.

    I don't know why you think it's to do with CallWave,
    so use the backups HijackThis created to restore what you removed then well.
    Hi Charles, don't mean to walk on your thread, don't mean to, it's just me practicing :)

    Lonny
     
    Last edited: 2003/11/25
  6. 2003/11/25
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Lonny,

    *Hi Charles, don't mean to walk on your thread, don't mean to, it's just me practicing*

    No problem! You're usually more up to date on these issues than I am.

    Regards - Charles
     
  7. 2003/11/25
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Sussex,
    Please post back and tell us if you misidentified the exe file you mentioned in your first post, and how you isolated the file to your answering machine. If you go to start>run> type msconfig , you will go to a box that says System Configuration Utility. Click on the "Start up" tab. If it says that "MSupdater.exe" is running, you have a problem.

    Johanna
     
  8. 2003/11/25
    Sussex138

    Sussex138 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    97
    Likes Received:
    0
    Thanks everyone for your replies.

    The more I look into this the more confused I become.

    I ran msconfig and MSupdater is not shown.

    Norton or Adaware scans did not detect it. My computer runs fine so far. I am going to restart it and see what happens.

    This issue is far from being resolved. So bear with me please.
     
  9. 2003/11/25
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Johanna,

    *Click on the "Start up" tab. If it says that "MSupdater.exe" is running, you have a problem*

    Don't you mean the TaskManager to see what's running?

    Regards - Charles
     
  10. 2003/11/25
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Sussex,

    A few questions:

    How long have you had that answering machine app running?

    How long have you had ZoneAlarm running?

    When did this execute rear its head?

    Has there been an update to the application?

    So if the app's install predates the execute for any length of time and no updates to it, and ZA has been running before the execute as well, one can only conclude that this exe does not belong to the tele. app.

    One other possibility is that you invoked a heretofore unused feature.

    Regards - Charles
     
    Last edited: 2003/11/25
  11. 2003/11/25
    Sussex138

    Sussex138 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    97
    Likes Received:
    0
    Call Wave has been running for about 2 years without any updates. Zone Alarm for about a year with a very recent update.

    As I said before, I do not remember what function I performed that initiated the message from Zone Alarm that asked if I wanted to permit MMSupdater to access the internet. I responded "No" because I didn't know what it was.

    Since then Call Wave is running OK and I have not had any other problems.

    I removed the exe file with HiJack and have a back-up file. There was at least one other associated file called "Global Startup" which I left intact.

    Perhaps Call Wave support can clear this up. I will try that.
     
  12. 2003/11/25
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Well, actually, it would likely be in both places, start up in MS Config and running processes on the task mgr. If it is in either, there is a problem. From what I read, that browser hijacker loads at boot with that exe file MSupdater. Once you kill it from start up, you get to hack the registry to remove it and its whole family and friends. If someone saw a better fix than what I did, post it. Please.

    Johanna

    edit: Charles, should have said "running in the start up menu" which isn't very specific... better would have been "appearing in the start up "
     
    Last edited: 2003/11/25
  13. 2003/11/25
    Sussex138

    Sussex138 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    97
    Likes Received:
    0
    By the way, task manager does not show it as a running process or otherwise.
     
  14. 2003/11/25
    JohnB Lifetime Subscription

    JohnB Well-Known Member

    Joined:
    2002/01/07
    Messages:
    856
    Likes Received:
    11
    Here's what the Pacs Portal Site has to say about "msupdater.exe". Do a search on the page for "msupdate.exe". Looks to be connected with CoolWebSearch hijack.

     
  15. 2003/11/25
    Sussex138

    Sussex138 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    97
    Likes Received:
    0
    Thanks John.

    I found the Windshow dll, should I delete it? This whole thing is way over my head. Look at my profile.
     
  16. 2003/11/25
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Sussex,

    Your answer I think is here http://forums.spywareinfo.com/index.php?showtopic=16750&hl=msupdater\.exe

    *Windshow dll* and the updater exe are specifically mentioned.

    I think to make sure that this is indeed a trojan on your system, take Lonny's advice and post your log on Spywareinfo or one of the others. I don't think you should try doing this on your own.

    When you get this cleaned up, take a HJT log and keep for a Baseline. If new apps added, easy to track what was added to your system, benign or not. Also remember that malware is never static, so a program like HJT isn't either. There are frequent updates to it.

    Regards - Charles
     
    Last edited: 2003/11/25
  17. 2003/11/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Sussex,

    What's been going on? I hoped you had posted at forums spywareinfo, but I don't see it. Have you?

    It's perfectly alright and we completely understand being a little overwhelmed when these things happen. If you have any questions, please ask and we will take it one step at a time.

    Lonny
     
  18. 2003/11/26
    Sussex138

    Sussex138 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    97
    Likes Received:
    0
    I haven't done much of anything because I don't know where to start. Since my computer runs fine, I am tempted to leave it alone.

    I am thankful for your responses, but really don't know how to do all the things that are necessary.
     
  19. 2003/11/26
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I am not positive it is the CoolWebSearch hijacker/trojan.
    I'm not there; it most likely is.
    It gets installed when just surfing, causes IE to be real slow.
    Lots of other symptoms too. It's definitely a bad thing.

    It's completely safe to use the tool.
    I and lots of others have too.
    Even though I'm not infected I've used it, otherwise I wouldn't recommend it.
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip
    It's easy to use; you can delete it afterwards, because it doesn't have an installer.

    We may have tried to help too much;
    it's probably because we have all been infected with something in the past.
    We understand how you (probably) feel.
    Regards
    Lonny
     
    Last edited: 2003/11/26
  20. 2003/11/27
    Sussex138

    Sussex138 Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    97
    Likes Received:
    0
    For Lonny

    I downloaded CWShredder and ran the program. The only file that it removed was Winshow dll and it restored 4 IE pages. All other files on the list were not present.

    The only file that I am left with is the MSupdater.exe, which I removed with HijackThis but left a back-up file on my desktop.
    Norton identifies this as a Trojan, but is unable to repair it. And I cannot delete or move it. How do I get rid of this little bugger?

    I am really grateful for your help to date.
     
  21. 2003/11/27
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Sussex,

    *How do I get rid of this little bugger?*

    In safe mode - F5 or F8 key on bootup.

    Regards - Charles
     