msapdate.exe??

dev2137
07-09-2005, 10:48 PM
I found this exe file in my system32 directory and don't know what it is. This file executes while my system starts. I analysed it simply and found it was protected by UPX Shell; this is the unpacked file. Can anyone tell me what it wants to do? Is it a virus? How does it work? Thanks.
http://freehost04.websamba.com/devleiz/msupdate.zip

Malke
07-09-2005, 10:48 PM
dev2137 wrote:

> I found this exe file in my system32 directory and don't know what it
> is. This file executes while my system starts. I analysed it simply and found
> it was protected by UPX Shell; this is the unpacked file. Can anyone
> tell me what it wants to do? Is it a virus? How does it work? Thanks.

A quick Google for "msupdate.exe" would have told you that this is a
variety of the protoride worm. Here's Symantec's writeup:

http://securityresponse.symantec.com/avcenter/venc/data/w32.protoride.worm.html

Since you apparently either don't have any antivirus, it is obsolete,
you let the subscription to the virus definitions lapse, or it just
didn't catch this:

Get all necessary tools/updates from a different, known-clean computer
with an Internet connection and a cd burner. Take your computer off any
networks - Internet and lan. Start by running TrendMicro's Sysclean:

TrendMicro's Sysclean is an extensive antivirus tool which has the
advantage of not needing to be installed. It requires two parts - the
scanning engine and the virus pattern files. Delete all Temporary and
Temporary Internet Files before running the program.

1. Create a new folder on your Desktop or the C: drive named something
useful like "Sysclean".
2. Go here and download the two parts of the program to that folder:

http://www.trendmicro.com/download/dcs.asp - Sysclean
http://www.trendmicro.com/download/pattern.asp - virus pattern files

The pattern files will be zipped - extract them with your unzipper (like
WinZip) or if you have XP, you can just open the folder. You need to
put the extracted files in the Sysclean folder you made. For a more
automated way to get Sysclean, use Dave Lipman's Sysclean_FE from
http://www.ik-cs.com/got-a-virus.htm .

3. Restart your computer in Safe Mode. Get into Safe Mode by repeatedly
tapping the F8 key as the computer is starting up to get to the proper
menu.
4. Go to the Sysclean folder you made and double-click on sysclean.com.
Start the scan. After the scan is finished, look at the log. You may
need to make a note of where any viruses were found if they were not
able to be removed so you can manually delete them.

After you've scanned with Sysclean, get and install a full-featured av.
If you have a current version av (not earlier than 2004) for which you
let the subscription lapse and you like the av, renew the subscription.
Update the virus definitions and reboot into Safe Mode. Do a thorough
scan.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

David H. Lipman
07-09-2005, 10:48 PM
"dev2137" <137145@sohu.com> wrote in message news:%23Uz4MtCZFHA.2520@TK2MSFTNGP09.phx.gbl...
> I found this exe file in my system32 directory and don't know what it is. This file executes
> while my system starts. I analysed it simply and found it was protected by UPX Shell; this is the
> unpacked file. Can anyone tell me what it wants to do? Is it a virus? How does it work? Thanks.
> http://freehost04.websamba.com/devleiz/msupdate.zip


Please submit "msapdate.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
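Two things come up in this thread that a defender can do locally before submitting a sample anywhere: confirm the "it is UPX-packed" observation from the original post, and record the file's hashes so the result of a Virus Total submission (as Dave suggests) can be matched to the exact file later. The script below is an added example and is not code from this thread or from any of its participants. It parses only the PE headers it needs (DOS header, COFF header, section table) and flags the file as UPX-packed when any section name starts with "UPX", which is UPX's default naming (UPX0, UPX1). It builds its own constructed, non-executable sample PE images inline so it runs offline; the function names and the sample layout are assumptions of this example.

```python
"""Offline triage of a suspicious Windows executable: hashes plus a UPX check.

Added example (not from the thread). Reads only the PE headers; never runs the file.
"""
import hashlib
import struct
import sys


def build_sample_pe(section_names):
    """Constructed sample: a minimal PE32 image with the given section names.

    It is header-only and not executable; it exists so the example runs offline.
    """
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0  # size of a PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")  # PE32 magic, rest zeroed
    sections = b""
    for i, name in enumerate(section_names):
        # IMAGE_SECTION_HEADER: 8-byte name + VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        sections += name.encode("ascii").ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020
        )
    return dos + b"PE\x00\x00" + coff + opt + sections


def pe_section_names(data):
    """Return the section names from a PE image, or raise ValueError if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]
    sec_off = coff_off + 20 + opt_size  # COFF header is 20 bytes
    names = []
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]  # each section header is 40 bytes
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def triage(data):
    """Hashes, section names and a UPX indicator for one file's bytes."""
    names = pe_section_names(data)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": names,
        # Default UPX section names start with "UPX"; a renamed packer will not
        # trip this, so False is "no UPX markers", not "unpacked".
        "upx_packed": any(n.startswith("UPX") for n in names),
    }


if __name__ == "__main__":
    # Usage: python triage.py <file>   (with no argument, triages the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Keep the printed hashes with the sample: they are what you compare against a multi-scanner report, and they let you tell the packed file apart from the unpacked copy in the thread's zip. A negative UPX result from this check is weak evidence only, since section names are trivial to change; a scanner verdict or a Safe Mode scan as described in Malke's reply is still needed.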

