winupdates ??? keeps coming back on re-boot

  • Thread starter: stockystocky1

stockystocky1

Hi, I run the spyware check using Microsoft AntiSpyware
beta and I constantly find one item, namely winupdates
browser. After constantly removing this item, it is there
every time I run a subsequent scan using Microsoft
AntiSpyware beta. I'm really not sure what to do??

All help is greatly appreciated

Kindest regards

stockystocky1
 
If it's Windupdates then it's a trojan, for which I can give
you manual removal methods, but if it's Winupdates then it's
a worm called GAOBOT.BC! and I will give you some removal
tips for that here.

Note: This worm terminates all antivirus .exe files, so you
will probably have to reinstall any products you have once
it's clean. Also, this worm can open ports, which allows
the attacker to download files to your PC, steal
information and passwords, and add user accounts. Check the
accounts using Control Panel > User Accounts and delete any
that are not yours. Typically there should be your own
admin account and a guest account which is switched off,
plus ASP.NET if you have downloaded the .NET Framework, and
any other users you have added, but nothing else.


ALWAYS do these when trying to remove a bug.

First: Turn off Windows XP System Restore (Start, right-click
My Computer, Properties, then System Restore, and
disable and apply).

Next: Enable viewing of hidden files and folders and
extensions. Some programs can hide this way by not being
visible in Windows. Start Windows Explorer and click on
your main hard drive, usually c:\. Then select Tools from
the top of Windows Explorer and then Folder Options. Go
to the View tab. Scroll down to the folder icon that says
Hidden files and folders and check Show hidden files and
folders. Also, right below it, uncheck Hide file
extensions for known file types. Not doing this could allow
file extensions commonly used by trojans and spyware to
be hidden, for example a file ending in .exe or .dll,
making manually finding it, if needed, very difficult.


To end the Trojan process or boot into safe mode:


Press Ctrl+Alt+Delete once.

Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to
alphabetically sort the processes.
Scroll through the list and look for Winupdates.exe.
If you find the file, click it, and then click End
Process.
Also, while in Task Manager, check for WinKA.exe
and WinUpdt.exe, as these are connected to the trojan
downloader Windupdates.

Exit the Task Manager.

Safe Mode Way: Reboot the system and tap F8, choose Safe
Mode.

Click Start, and then click Run.

Type regedit

Then click OK.

Navigate to each of the keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices


In the right pane, delete any of the following values:

"Microsoft Office Start"="winupdates.exe"
"Configuration Loader"="svch0st.exe"

Exit the Registry Editor.

Next: Delete Temp Internet files:
Open an Internet browser window, click Tools, then Internet
Options.
Click on the Delete Cookies and the Delete Files buttons,
then click OK and close the browser window.

Next: Delete Windows Temporary Files (Start, Run, then
type %temp%; delete all files you can in this folder).
The Windows temporary directory (usually located at
C:\windows\temp).
This directory should not be confused with the Internet
Explorer "Temporary Internet Files Directory".
The Windows temporary directory stores temporary files
that are used during installation of programs and at
other various times.
Cleaning this directory regularly is generally a good
idea.


Now go back to normal mode and run a virus scan at both
of these addresses:

Do an online scan at Trend Micro's Free Online Virus Scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

Do an online scan at Symantec Security Check:

http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym

This is a worm, so MS Antispy cannot help you with this
one, but if you follow these tips you should get rid of it
easily enough. The problem with these worms is that they all
use similar names to try to trick users into thinking they
are genuine, but the online scans will confirm if you are
infected. Plus, if you find those registry values you know
it is this worm. If you have any problems, reply and I
will help where I can.

Regards Andy
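
An added example, not part of the original posts: a Python check that reads a text export of the registry (regedit `.reg` format, assumed already decoded to text) and flags values under the Run and RunServices keys that match the value names and file names given in the reply above. The function names and the sample export are constructed for illustration.

```python
import ntpath
import re

# Keys, value names and file names are the ones named in the reply above.
BASE = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\"
AUTORUN_KEYS = {BASE + "run", BASE + "runservices"}
BAD_VALUES = {"microsoft office start": "winupdates.exe",
              "configuration loader": "svch0st.exe"}
BAD_FILES = set(BAD_VALUES.values()) | {"winka.exe", "winupdt.exe"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
UNESC = re.compile(r"\\(.)")  # .reg strings escape \ and " with a backslash

def exe_name(command):
    # First token of the command line (quoted or not), reduced to a file name
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return ntpath.basename(m.group(1) or m.group(2)).lower() if m else ""

def find_autoruns(reg_text):
    """Return (key, value name, data, reason) for each suspicious autorun."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in AUTORUN_KEYS:
            continue
        name, data = (UNESC.sub(r"\1", g) for g in m.groups())
        exe = exe_name(data)
        if BAD_VALUES.get(name.lower()) == exe:
            hits.append((key, name, data, "value name and file match"))
        elif exe in BAD_FILES:
            hits.append((key, name, data, "file name matches"))
    return hits

# Constructed sample export, not taken from a real machine
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Office Start"="winupdates.exe"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
"Loader"="\"C:\\WINDOWS\\system32\\svch0st.exe\" -s"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="svch0st.exe"
[HKEY_LOCAL_MACHINE\Software\Example]
"Configuration Loader"="svch0st.exe"
'''

print(*find_autoruns(SAMPLE), sep="\n")
```

The check also catches one of the listed files registered under a different value name or with a full path, and it ignores the same value name outside the two autorun keys.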
 