Update.exe [Virus/Worm]

Symantec: W32.Rotinom

What is update.exe:

Update.exe is the name of a process that many applications run to update their own files, so check where it is running from before you conclude that it is a virus. Use Process Explorer to find out where the process is being run from; if it is %UserProfile%\Local Settings\Application Data\start\ then you've come to the right place. This is a worm discovered by Symantec corporation in the month of January. It enters the target computer through transferable media such as removable drives or shared network drives; visiting malicious websites might also download update.exe. As soon as the worm is executed, it adds a couple of folders to your profile's directory in the Documents and Settings folder. It also makes a number of Registry edits so that its process is launched at every startup. When you insert a removable disk while this process is running, the update.exe virus immediately copies its code onto the inserted drive in an attempt to spread itself. The worm hides the folders on these drives and, next to each one, creates an exe file carrying the folder's name and a folder icon. That exe file contains the virus code, which is executed on the computer when it is clicked. The user assumes this is a virus, deletes these files and thinks that the folders have been deleted by the virus; some people even try data recovery. But the truth is, the folders have been there all along. They were only hidden by the virus so that the exe files would pass for the folders, and this is how it tries to get onto a computer. If you find this file running on your PC, follow the instructions below to remove it immediately, and follow them carefully to prevent errors from update.exe.
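The folder-impersonation trick described above can be checked for without opening anything on the drive: a hidden folder that has a sibling file with the same name plus an .exe extension is the tell-tale pattern. The script below is an added example, not part of this post; the drive listing it checks is constructed, and list_drive_root is an assumed helper for reading a real drive (the hidden flag is read from the Windows file attributes where available).

```python
import os
import stat

# Constructed sample listing of a removable drive root, as the worm leaves it:
# real folders set hidden, each with a same-named .exe decoy beside it.
# Entries are (name, is_dir, is_hidden).
SAMPLE_LISTING = [
    ("Photos", True, True),
    ("Photos.exe", False, False),
    ("Work", True, True),
    ("Work.exe", False, False),
    ("Music", True, False),        # untouched folder, no decoy
    ("readme.txt", False, False),
]

def find_folder_decoys(entries):
    """Return [(exe_name, folder_was_hidden), ...] for every .exe whose base
    name matches a directory in the same listing. Names are compared
    case-insensitively because FAT/NTFS names are."""
    dirs = {name.lower(): hidden for name, is_dir, hidden in entries if is_dir}
    decoys = []
    for name, is_dir, _hidden in entries:
        if is_dir or not name.lower().endswith(".exe"):
            continue
        base = name[:-4].lower()
        if base in dirs:
            decoys.append((name, dirs[base]))
    return decoys

def list_drive_root(path):
    """Assumed helper: build (name, is_dir, is_hidden) entries for a real
    directory. On Windows the hidden bit comes from st_file_attributes;
    elsewhere a leading dot is treated as hidden (assumption)."""
    entries = []
    with os.scandir(path) as it:
        for e in it:
            st = e.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden_bit = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
            hidden = bool(attrs & hidden_bit) or e.name.startswith(".")
            entries.append((e.name, e.is_dir(follow_symlinks=False), hidden))
    return entries

if __name__ == "__main__":
    for exe, folder_hidden in find_folder_decoys(SAMPLE_LISTING):
        kind = "hidden folder" if folder_hidden else "folder"
        print(f"{exe}: impersonates a {kind} of the same name; do not open it")
```

To check a real drive, pass `list_drive_root("E:\\")` to `find_folder_decoys` instead of the constructed listing.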

Manual instructions to remove virus update.exe:

  1. Begin by restarting the system in Safe Mode. Click here if you are having trouble doing so.
  2. After the reboot, check in Task Manager whether the process update.exe is running. Next, undo the changes made to the Registry to get your system back to its old condition. Go to Start --> Run and type regedit to open the Registry Editor, then go to the following locations and change the values to the ones given below:

     HKEY_USERS\S-1-5-21-1085891436-353507534-1371566055-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\"Startup" = "%USERPROFILE%\Start Menu\Programs\Startup"
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "1"
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "0"
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"WebViewBarricade" = "1"
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Startup" = "C:\Documents and Settings\Administrator\Start Menu\Programs\Startup"
  3. After doing this, restart your computer once again in Safe Mode.
  4. Now go to Start --> Run and type cmd. In the Command Prompt, type the following commands:
     • cd %UserProfile%
     • cd "Local Settings"
     • cd "Application Data"
     • rmdir /s S-1-5-31-1286970278978-5713669491-166975984-320
     (the /s switch removes the directory together with its contents; a plain rmdir refuses to delete a non-empty directory)
  5. Once this directory is deleted, all the files created by the worm are deleted along with it.
Tip: Go to Start --> Run and type msconfig to open the Microsoft Configuration Tool. Here you can remove unwanted processes such as googleupdate.exe by going to the Startup tab and unchecking the entry pointing to it.

Posts that might help you here:
Enabling Safe Mode booting, Enabling the Registry, Enabling the Hidden files and folders option and Enabling the Command Prompt.
Get the best security software for your computer here!
