#1
I have never heard of this before until now. When I log on to the internet now autoupdt.exe wants to access the net. Can you please tell what this is and if it's supposed to be there. Is it part of Windows, or something else? If not, how do I get rid of it?

#2
Hi spidey - we will need more information before we can identify this file. Let's have a look at your startups. Go here and download and run Startup List. It will generate a log file. Copy the log and paste it back into this thread.
__________________
Moderator: Vista Forum Microsoft MVP - Windows Desktop Experience 2004-2008 If we have helped you, please consider supporting Cyber Tech Help with a subscription Please do not send me Emails or Private Messages for personal support. Last time I checked, there were still only 24 hours in a day. Thank you. How to help prevent re-infection |

#3
here ya go
StartupList report, 5/14/2003, 23:58:03
StartupList version: 1.52
Started from : C:\WINDOWS\PROFILES\SPIDEY\DESKTOP\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v5.50 (5.50.4134.0100)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\AUTOUPDT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\AOLTRAY.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0B\SHELLMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINMX\WINMX.EXE
C:\WINDOWS\PROFILES\SPIDEY\DESKTOP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Profiles\spidey\Start Menu\Programs\Startup]
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

User shell folders Startup:
[C:\WINDOWS\Profiles\spidey\Start Menu\Programs\Startup]
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0b\aoltray.exe
AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
iamapp = C:\Program Files\Norton Internet Security\IAMAPP.EXE
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Nisum = C:\Program Files\Norton Internet Security\NISUM.EXE
ccPxySvc = C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
nisserv = C:\Program Files\Norton Internet Security\NISSERV.EXE
autoupdt = C:\WINDOWS\AUTOUPDT.EXE
SchedulingAgent = mstask.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 13/5/2003, 21:0:18)

[Rename]
C:\WINDOWS\SYSTEM\WMVCORE.DLL=C:\WINDOWS\SYSTEM\SETB1.TMP
C:\WINDOWS\SYSTEM\WMASF.DLL=C:\WINDOWS\SYSTEM\SETB0.TMP

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\MSIEBHO.DLL - {A096A159-4E58-45A9-8EE6-B11466851181}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[IMViewerControl Class]
InProcServer32 = C:\WINDOWS\SYSTEM\CIMVIEW.DLL
CODEBASE = http://companion.logitech.com/companion/bin/imvid.cab

[YahooYMailTo Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YMMAPI.DLL
CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://fr4-download.nocreditcard.com...645/dialer.exe

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yahoo.com/dl/installs/yse/yinst.cab

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.installengine.com/engine/isetup.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 6,188 bytes
Report generated in 1.076 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#4
Hi spidey - can you please right-click on AUTOUPDT.EXE and choose Properties (you will find it in C:\WINDOWS). Copy all the information and post it back here.

#5
autoupdt.exe
General tab
type of file: Application
Description: autoupdt
Location: C:\windows
Size: 68.0 KB (69,632 bytes)
Size on disk: 68.0 KB (69,632 bytes)
Created: Tuesday, May 13, 2003, 17:08:35
Modified: Thursday, November 21, 2002, 10:47:00
Accessed: Today, May 15, 2003
archive is the only one checked
hope this helps

#6
I suspect that it's a trojan. Go to Start > Run and type:
msconfig
then OK. Uncheck autoupdt = C:\WINDOWS\AUTOUPDT.EXE and reboot. Now go to C:\WINDOWS and rename AUTOUPDT.EXE to AUTOUPDT.old. This will disable the file, but should it turn out that you need it, it can still be renamed back to the original. If you find that you don't need it after a couple of weeks, just delete it. To finish off, run an online antivirus scan here (just to be on the safe side). Let us know how you get on.
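
Added example (not part of the original thread, and not code from StartupList or its author): a Python script that does the lookup performed by hand above, listing every place a StartupList report mentions a given file so the matching startup entry can be found. The function names and the embedded report excerpt are constructed for illustration; the registry key is written as Windows names it (RunServices).

```python
import re

RULE = re.compile(r"^[-=]{10,}$")   # divider lines between report sections
ENTRY = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<command>.+)$")

# Constructed excerpt shaped like the StartupList report posted in this thread.
SAMPLE_REPORT = r"""StartupList report, 5/14/2003, 23:58:03
==================================================
Running processes:
C:\WINDOWS\AUTOUPDT.EXE
C:\WINDOWS\EXPLORER.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Nisum = C:\Program Files\Norton Internet Security\NISUM.EXE
autoupdt = C:\WINDOWS\AUTOUPDT.EXE
SchedulingAgent = mstask.exe
--------------------------------------------------
"""

def parse_sections(report):
    """Return [(title, [lines])]; a divider line closes the current section."""
    sections, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if RULE.match(line):
            current = None
        elif line and current is None:
            current = (line.rstrip(":"), [])   # first line after a divider is the title
            sections.append(current)
        elif line:
            current[1].append(line)
    return sections

def find_references(report, filename):
    """List (location, entry name or None, command) for every mention of filename."""
    hits = []
    for title, lines in parse_sections(report):
        if title.startswith("Autorun entries from Registry") and lines:
            title, lines = lines[0], lines[1:]   # first line names the registry key
        for line in lines:
            if filename.lower() in line.lower():
                m = ENTRY.match(line)
                hits.append((title, m["name"], m["command"]) if m else (title, None, line))
    return hits
```

Calling `find_references(SAMPLE_REPORT, "autoupdt.exe")` returns the Running processes hit and the RunServices entry named autoupdt, which is the line post #6 says to uncheck in msconfig.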

#7
Would you mind terribly sending me a zipped copy of the file for analysis?
I'll PM you with my e-mail addie. TIA!
__________________
Tony < - > CLSID List |

#8
ummm I guess... why?

#9
My Norton says it's clean

#10
Quote:
Also, I maintain a small mailing list to a number of folks in the security (antitrojan, antivirus, spyware) field where I submit new stuff. That way they're able to add these to future databases, thus hopefully contributing to improve security for others in your predicament.
__________________
Tony < - > CLSID List |

#11
Quote:
A closer look at the file might help.
__________________
Tony < - > CLSID List |

#12
Where do you want me to mail it?

#13
I sent you a Private Message with my e-mail addy.
Press "User CP" > Private Messages, and you ought to find it.
__________________
Tony < - > CLSID List |

#14
Hi spidey - TonyKlein is a very well respected figure in the Security field and I would really appreciate it if you would forward a zipped copy of that file to him. As Tony said, Norton is not much good at picking up trojans and it could be a new one. Thanks for your help

#15
I sent it, I'm just waitin to see if she got it
__________________
Spidey |