Limewire "virus"?

Status
Not open for further replies.
Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:

"winupdates" = "%ProgramFiles%\winupdates\winupdates.exe /auto"

Exit the Registry Editor.
 
I scanned with Norton and every one of those files is showing up. All but 2 of them are called setup.exe and are said to be located in that same C:documentsandsettings/complete. The two files that aren't in there are called a.tmp (located in C: /Programfiles/winupdates/a.tmp) and windows.exe (located in C: /programfiles/windowsupdates/windowsupdates.exe).

And yes, I did that registry edit as you instructed.
 
W32/Alcra-B is a worm for the Windows platform.
W32/Alcra-B spreads via file sharing on P2P networks.
W32/Alcra-B includes functionality to download, install and run new malware executables.
W32/Alcra-B typically arrives with the filename Setup.exe.
When first run, W32/Alcra-B displays a dialog box with the text "Setup", "Welcome to the Setup Wizard ...". W32/Alcra-B creates the folder <Program Files>\winupdates\, copies itself to this folder as winupdates.exe and creates the following files:
<Program Files>\winupdates\a.zip
<System>\cmd.com
<System>\bszip.dll
<System>\netstat.com
<System>\ping.com
<System>\regedit.com
<System>\taskkill.com
<System>\tasklist.com
<System>\tracert.com
All files and folders will have the hidden and system attributes set, including the Windows system folder.
a.zip is a zip archive containing a copy of W32/Alcra-B named Setup.exe.
Bszip.dll is a clean file compression utility.
The new files created in the Windows system folder by W32/Alcra-B with a COM extension are simply 'MZ' stubs (2-byte files simply containing "MZ"), designed to disable the standard Windows applications: cmd, netstat, ping, regedit, taskkill, tasklist and tracert. Executable files with a COM extension have precedence over files with the same filename but an extension of EXE; therefore, if a user runs "cmd", "netstat", "ping", "regedit", "taskkill", "tasklist" or "tracert", the new file with a COM extension will be executed rather than the legitimate executable with an extension of EXE.
The following registry entry is created to run winupdates.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winupdates
<Program Files>\winupdates\winupdates.exe /auto
 
Delete this entry in the HijackThis log:

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

and then this on the C: drive:

C:\Program Files\winupdates
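Two defender-side checks for the artefacts described in the Sophos write-up and in the HijackThis line above, written as an added Python example (not code from the thread, Sophos or Symantec): a scan for the tiny 'MZ' .com stubs that shadow the real system tools, and a parser for the O4 line so the winupdates Run value can be matched automatically. The 16-byte size threshold, the function names and the constructed temp-directory contents are this example's own assumptions; on a real machine you would point find_mz_stubs at the Windows system folder.

```python
"""Defender-side checks for the two W32/Alcra-B artefacts discussed in this thread.

1. find_mz_stubs(dir): look through a directory (the Windows system folder in
   practice) for .com files that are tiny files beginning with 'MZ'. When a user
   types a bare name such as "ping", a .com in the search path is run before a
   .exe of the same name, so such a stub silently disables the real tool.
2. parse_o4_line(line): pull the hive, key, value name and command out of a
   HijackThis 'O4' line so it can be matched against the known-bad Run value.

Example code added for this thread; not from Sophos, Symantec or the posters.
The size threshold and the sample files are this example's own assumptions.
"""
import re
import tempfile
from pathlib import Path

# Tools the Sophos write-up says are shadowed by 2-byte .com stubs.
SHADOWED_TOOLS = {"cmd", "netstat", "ping", "regedit", "taskkill", "tasklist", "tracert"}

# No legitimate program is this small; the Alcra-B stubs are exactly 2 bytes. (Assumed threshold.)
STUB_MAX_SIZE = 16

# HijackThis O4 format as shown in the thread:
#   O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)

# Run value the removal instructions tell the user to delete.
KNOWN_BAD_RUN_NAME = "winupdates"
KNOWN_BAD_RUN_PATH_FRAGMENT = r"\winupdates\winupdates.exe"


def is_mz_stub(path):
    """True if the file is at most STUB_MAX_SIZE bytes and starts with the 'MZ' marker."""
    try:
        if path.stat().st_size > STUB_MAX_SIZE:
            return False
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def find_mz_stubs(system_dir):
    """Return one dict per .com stub found directly in system_dir, sorted by name.

    'shadows_exe' records whether a same-named .exe sits beside the stub and
    'known_tool' whether the base name is one of the tools Alcra-B targets.
    """
    system_dir = Path(system_dir)
    hits = []
    for entry in system_dir.iterdir():
        if not entry.is_file() or entry.suffix.lower() != ".com" or not is_mz_stub(entry):
            continue
        base = entry.stem.lower()
        hits.append({
            "file": entry.name,
            "shadows_exe": (system_dir / f"{base}.exe").exists(),
            "known_tool": base in SHADOWED_TOOLS,
        })
    return sorted(hits, key=lambda h: h["file"].lower())


def parse_o4_line(line):
    """Parse a HijackThis O4 line into its parts, or return None if it does not match."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def is_known_bad_run_entry(parsed):
    """True if a parsed O4 entry is the winupdates autorun value from the write-up."""
    if not parsed:
        return False
    name_hit = parsed["name"].lower() == KNOWN_BAD_RUN_NAME
    path_hit = KNOWN_BAD_RUN_PATH_FRAGMENT.lower() in parsed["command"].lower()
    return name_hit or path_hit


def demo():
    """Build a constructed system folder in a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "cmd.com").write_bytes(b"MZ")                   # stub beside a stand-in cmd.exe
        (d / "cmd.exe").write_bytes(b"MZ" + b"\0" * 4094)    # stand-in for the real tool
        (d / "ping.com").write_bytes(b"MZ")                  # stub with no .exe beside it here
        (d / "notepad.exe").write_bytes(b"MZ" + b"\0" * 1022)
        (d / "legit.com").write_bytes(b"MZ" + b"\0" * 998)   # normal-sized .com, not a stub
        stubs = find_mz_stubs(d)
    o4 = parse_o4_line(r"O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto")
    return stubs, o4, is_known_bad_run_entry(o4)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The stub check deliberately keys on size plus the 'MZ' marker rather than on the exact filenames, so it also catches a stub dropped under a name the write-up does not list; the `known_tool` flag then tells you whether the hit matches the documented set.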
 
Warez Monster said:
Winupdate.exe or Windowsupdate.exe?

It's winupdate.exe.

I didn't quite understand your last posts. What should I delete in safe mode?
 