Trojan infecting update.exe?

I have Kaspersky anti-virus protection on my computer and recently received a
notice that it found Trojan-Downloader.Win32.Turk.a in C:\WINDOWS\update.exe.
When I ask Kaspersky to show me more information on this trojan via their
website it loads the website and the site says it has no entry on this
trojan. Kaspersky says it can't "disinfect" and says the only treatment is to
delete it. I have a few questions:

1) is there actually a trojan in my update.exe or is this a false positive
that should be ignored?

2) I've read on some websites that update.exe should not actually be in
c:\WINDOWS\. These sites suggest that if it is there it is a trojan or virus.
Is that true?

3) If there is a trojan in update.exe, is there a tool (perhaps from MS)
that can clean it out and fix update.exe?

4) if there is a trojan in update.exe, can I delete the file outright? If
so, how do I get a clean copy of update.exe?

In case it's helpful, the size of the file is:

71.5 KB (73,302 Bytes)

and the size on disk is:

72.0 KB (73,728 bytes)

Any assistance would be greatly appreciated. Thanks!

Hi

Yes this virus Trojan-Downloader.Win32 is on your system. I have checked
this virus and here is the website that tells you about this virus.

http://www.symantec.com/en/uk/securi...051715-4324-99

Just click on this site and it will go to the symantec site and just read it
and somewhere on the site, it tells you how to get it off your system.

If you need any more help, just send me an message and i will get back to you.

Thanks

Martin Hickie

"ArielZusya" wrote:

> I have Kaspersky anti-virus protection on my computer and recently received a
> notice that it found Trojan-Downloader.Win32.Turk.a in C:\WINDOWS\update.exe.
> When I ask Kaspersky to show me more information on this trojan via their
> website it loads the website and the site says it has no entry on this
> trojan. Kaspersky says it can't "disinfect" and says the only treatment is to
> delete it. I have a few questions:
>
> 1) is there actually a trojan in my update.exe or is this a false positive
> that should be ignored?
>
> 2) I've read on some websites that update.exe should not actually be in
> c:\WINDOWS\. These sites suggest that if it is there it is a trojan or virus.
> Is that true?
>
> 3) If there is a trojan in update.exe, is there a tool (perhaps from MS)
> that can clean it out and fix update.exe?
>
> 4) if there is a trojan in update.exe, can I delete the file outright? If
> so, how do I get a clean copy of update.exe?
>
> In case it's helpful, the size of the file is:
>
> 71.5 KB (73,302 Bytes)
>
> and the size on disk is:
>
> 72.0 KB (73,728 bytes)
>
> Any assistance would be greatly appreciated. Thanks!

> 1) is there actually a trojan in my update.exe or is this a false positive
> that should be ignored?

There are several websites that you can upload small files to (big ones
1GB or so take ages) that test against several virus checkers.
Try
http://virusscan.jotti.org/
and report back.

Hi Martin,

Thanks for your post. I have some questions. First, the link you gave is to
information on the Gema.B Trojan. Are you certain Gema.B and Turk.a are the
same? Second, the instructions given for Gema.B is to start in safemode and
run Norton AV. My scans and attempts at repair say it is unrepairable. So...
assuming this is really a virus can I safely delete update.exe and if so,
where do I get a clean copy. I'm concerned because I haven't be able to find
any information on Turk.a... not even posts from people who have found it on
their system (google only came up with one guy who posted to some support
site... you'd think if this were a real worm there would be a lot of people
posting about it). Just trying to avoid a messy cleanup. Thanks for your help!

Ariel

"Martin" wrote:

> Hi
>
> Yes this virus Trojan-Downloader.Win32 is on your system. I have checked
> this virus and here is the website that tells you about this virus.
>
> http://www.symantec.com/en/uk/securi...051715-4324-99
>
> Just click on this site and it will go to the symantec site and just read it
> and somewhere on the site, it tells you how to get it off your system.
>
> If you need any more help, just send me an message and i will get back to you.
>
> Thanks
>
> Martin Hickie
>
> "ArielZusya" wrote:
>
> > I have Kaspersky anti-virus protection on my computer and recently received a
> > notice that it found Trojan-Downloader.Win32.Turk.a in C:\WINDOWS\update.exe.
> > When I ask Kaspersky to show me more information on this trojan via their
> > website it loads the website and the site says it has no entry on this
> > trojan. Kaspersky says it can't "disinfect" and says the only treatment is to
> > delete it. I have a few questions:
> >
> > 1) is there actually a trojan in my update.exe or is this a false positive
> > that should be ignored?
> >
> > 2) I've read on some websites that update.exe should not actually be in
> > c:\WINDOWS\. These sites suggest that if it is there it is a trojan or virus.
> > Is that true?
> >
> > 3) If there is a trojan in update.exe, is there a tool (perhaps from MS)
> > that can clean it out and fix update.exe?
> >
> > 4) if there is a trojan in update.exe, can I delete the file outright? If
> > so, how do I get a clean copy of update.exe?
> >
> > In case it's helpful, the size of the file is:
> >
> > 71.5 KB (73,302 Bytes)
> >
> > and the size on disk is:
> >
> > 72.0 KB (73,728 bytes)
> >
> > Any assistance would be greatly appreciated. Thanks!

OK... this doesn't look good. Here are the results:

File: update.exe
Status: INFECTED/MALWARE
MD5: 47ec38b88e2a0f6fde5cfbb2d25c9d88
Packers detected: -

Scan taken on 28 Sep 2008 14:56:19 (GMT)
A-Squared Found nothing
AntiVir Found DR/Delphi.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Injector.AD
BitDefender Found Trojan.Delf.Inject.AP
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found BackDoor.Bifrost.842
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Turk.a
G DATA Found Trojan.Delf.Inject.AP
Ikarus Found VirTool.Win32.DelfInject.AF
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Turk.a
NOD32 Found a variant of Win32/Injector.BX
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found BackDoor.Bifrost.842


Now what should I do? Thanks for your help.

Ariel


"Ato_Zee" wrote:

>
> > 1) is there actually a trojan in my update.exe or is this a false positive
> > that should be ignored?
>
> There are several websites that you can upload small files to (big ones
> 1GB or so take ages) that test against several virus checkers.
> Try
> http://virusscan.jotti.org/
> and report back.
>

On Sun, 28 Sep 2008 08:01:01 -0700, ArielZusya wrote:

> OK... this doesn't look good. Here are the results:
>
> File: update.exe
> Status: INFECTED/MALWARE
> MD5: 47ec38b88e2a0f6fde5cfbb2d25c9d88
> Packers detected: -
>
> Scan taken on 28 Sep 2008 14:56:19 (GMT)
> A-Squared Found nothing
> AntiVir Found DR/Delphi.Gen
> ArcaVir Found nothing
> Avast Found nothing
> AVG Antivirus Found Injector.AD
> BitDefender Found Trojan.Delf.Inject.AP
> ClamAV Found nothing
> CPsecure Found nothing
> Dr.Web Found BackDoor.Bifrost.842
> F-Prot Antivirus Found nothing
> F-Secure Anti-Virus Found Trojan-Downloader.Win32.Turk.a
> G DATA Found Trojan.Delf.Inject.AP
> Ikarus Found VirTool.Win32.DelfInject.AF
> Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Turk.a
> NOD32 Found a variant of Win32/Injector.BX
> Norman Virus Control Found nothing
> Panda Antivirus Found nothing
> Sophos Antivirus Found nothing
> VirusBuster Found nothing
> VBA32 Found BackDoor.Bifrost.842
>
> Now what should I do? Thanks for your help.

1.CCleaner - Free
Cleans temporary internet files, cookies, history, recent urls, application
MRUs, etc. ...
http://www.filehippo.com/download_ccleaner/
If Windows Defender is utilized go to Applications, under Utilities
uncheck "Windows Defender" (so it won't delete the history of WD)
Do not the registry cleaner option in CCleaner!

2.Download/execute David H. Lipman's MULTI_AV Tool
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe
http://www.pctipp.ch/downloads/dl/35905.asp
English:
http://www.raymond.cc/blog/archives/...irus-for-free/
Additional Instructions:
http://pcdid.com/Multi_AV.htm
--and/or--
Kaspersky's AVPTool
http://downloads5.kaspersky-labs.com/devbuilds/AVPTool/
--and/or--
http://ftp.kaspersky.com/devbuilds/AVPTool/
There's no updating involved since the scanning engine is updated
several times a day and you simply download the updated scanner whenever
you want to do a scan.
--and/or--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/
--and/or--
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

3.To flush your System Restore *after* doing the above cleaning steps.
Do this:
Right click "My Computer" icon and select Properties from the drop down
list.
On the system Properties click on System Restore Tab and *check* the box
'Turn off System Restore on all drives'.

Click [Apply] then click [OK]

Reboot.

Right click "My Computer" icon and select Properties from the drop down
list.
On the system Properties click on System Restore Tab and *uncheck* the box
'Turn off System Restore on all drives'.

Note: ensure that under 'Available drives' the Status of Drive does show
'Monitoring'.

And then manually create a Restore point.
Go to:
http://www.microsoft.com/windowsxp/u...emrestore.mspx
And scroll down to: Create a Restore Point.

Done!

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://spywarehammer.com/simplemachi...php?board=10.0,
http://forums.spybot.info/forumdisplay.php?f=22,
http://aumha.net/viewforum.php?f=30, or another appropriate forum for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

ArielZusya wrote:
> I have Kaspersky anti-virus protection on my computer and recently
> received
> a notice that it found Trojan-Downloader.Win32.Turk.a in
> C:\WINDOWS\update.exe. When I ask Kaspersky to show me more information on
> this trojan via their website it loads the website and the site says it
> has
> no entry on this trojan. Kaspersky says it can't "disinfect" and says the
> only treatment is to delete it. I have a few questions:
>
> 1) is there actually a trojan in my update.exe or is this a false positive
> that should be ignored?
>
> 2) I've read on some websites that update.exe should not actually be in
> c:\WINDOWS\. These sites suggest that if it is there it is a trojan or
> virus. Is that true?
>
> 3) If there is a trojan in update.exe, is there a tool (perhaps from MS)
> that can clean it out and fix update.exe?
>
> 4) if there is a trojan in update.exe, can I delete the file outright? If
> so, how do I get a clean copy of update.exe?
>
> In case it's helpful, the size of the file is:
>
> 71.5 KB (73,302 Bytes)
>
> and the size on disk is:
>
> 72.0 KB (73,728 bytes)
>
> Any assistance would be greatly appreciated. Thanks!