How to Remove Msupdate EXE Files

Contributor
By Colette Larson
eHow Contributing Writer

Msupdate.exe is a component of several Trojan horses, such as RBOT Worm, CoolWebSearch, Affilred, PSN and Trojan.Generic, that is usually found in the operating system folder. These Trojans are classified as search-hijackers that change the start page and search settings of Internet Explorer and generate multiple advertising pop-ups in addition to sending data back to the author's server for analysis. Installed as Browser Helper Objects (BHOs), these Trojans can be picked up from surfing infected websites or installed by other malware programs. Affected computers typically run under Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003.

Difficulty: Moderately Challenging
Instructions

  1. Step 1

    Turn off System Restore if the operating system of the infected computer is either Windows Me or Windows XP. To turn off System Restore within Windows Me, click "Start," "Settings," "Control Panel." Double-click on the "System" icon and select "File System" from the "Performance" tab. Click on the "Troubleshooting" tab and check the "Disable System Restore" box. Click "OK." To turn off System Restore within Windows XP, log in as an administrator and click "Start." Right-click on "My Computer" and select "Properties" from the shortcut menu. Check the "Turn off System Restore" option for each drive on the "System Restore" tab. Click "Apply" and "Yes" to confirm when prompted. Click "OK."

  2. Step 2

    Restart the computer in safe mode and log in as an administrator. Press "F8" after the first beep occurs during startup, before the display of the Microsoft Windows logo. Select the first option to run "Windows in Safe Mode" from the selection menu.

  3. Step 3

    Remove any program files from the computer. Go to "Start," "Control Panel," "Add/Remove Programs." Remove any programs referencing msupdate.exe, CoolWebSearch, or PSN. If none is listed, continue to Step 4.

  4. Step 4

    Use the Windows Search tool to determine if "msupdate.exe" was removed with the program files. Go to "Start," "Search," "All Files and Folders." Type "msupdate.exe" in the "All or Part of the File Name" section. Select "All Local Hard Drives" from the "Look in:" drop-down list for the best results. Click "Search." Remember or write down the specific path where the file is located, typically the root of all available drive locations. This information will be necessary later in the removal process. Repeat this process for the following:
    usbwin32.exe
    C:\CriticalUpdate.exe
    C:\cab.exe
    C:\winsecure.exe
    C:\Windows\twain_32.exe
    C:\Windows\mshotfix.exe
    C:\Windows\msupdate.exe
    C:\Windows\System\security32.exe
    C:\Windows\System\iProtect.exe
    C:\Windows\System\axe.exe
    C:\Windows\System\inetconnect.dll
    C:\Windows\System\comnt32.dll
    C:\Windows\System\highspeed-cable.exe
    C:\Windows\System\default.scr
    C:\Windows\System\memorymanager.pif
    C:\Windows\System\regisry.pif

  5. Step 5

    Use the Windows Task Manager to end any msupdate.exe processes that are running. Press "Ctrl," "Alt" and "Delete" to open Task Manager. Click "msupdate.exe" within the "Processes" tab and click "End Process." End any of the following additional processes that are listed:
    usbwin32.exe
    CriticalUpdate.exe
    cab.exe
    winsecure.exe
    twain_32.exe
    mshotfix.exe
    security32.exe
    iProtect.exe
    axe.exe
    inetconnect.dll
    comnt32.dll
    highspeed-cable.exe
    default.scr
    memorymanager.pif
    regisry.pif

  6. Step 6

    Access the command prompt to unprotect the files to enable deletion. Click "Start" and "Run." Type "cmd." Click "OK."

  7. Step 7

    Type "cd" (change directory) from the command prompt, press the "backslash key" (\), type "windows" and press "Enter" to access the main Windows directory.

  8. Step 8

    Type "dir /s msupdate.exe"

  9. Step 9

    If the file is present, type "attrib C:\Windows\msupdate.exe -s -h -r -a" from the command prompt and press "Enter." Repeat this process for the following files:
    "attrib usbwin32.exe -s -h -r -a"
    "attrib C:\CriticalUpdate.exe -s -h -r -a"
    "attrib C:\cab.exe -s -h -r -a"
    "attrib C:\winsecure.exe -s -h -r -a"
    "attrib C:\Windows\twain_32.exe -s -h -r -a"
    "attrib C:\Windows\mshotfix.exe -s -h -r -a"
    "attrib C:\Windows\msupdate.exe -s -h -r -a"
    "attrib C:\Windows\System\security32.exe -s -h -r -a"
    "attrib C:\Windows\System\iProtect.exe -s -h -r -a"
    "attrib C:\Windows\System\axe.exe -s -h -r -a"
    "attrib C:\Windows\System\inetconnect.dll -s -h -r -a"
    "attrib C:\Windows\System\comnt32.dll -s -h -r -a"
    "attrib C:\Windows\System\highspeed-cable.exe -s -h -r -a"
    "attrib C:\Windows\System\default.scr -s -h -r -a"
    "attrib C:\Windows\System\memorymanager.pif -s -h -r -a"
    "attrib C:\Windows\System\regisry.pif -s -h -r -a"

  10. Step 10

    Unregister all instances of related DLL files from the command prompt. Type "cd" (change directory) from the command prompt, press the space bar and type the name of the full directory path of the DLL files. This should be the path that was determined in Step 3, typically "C:\Windows\System\Amvo0.dll." Press "Enter." Unregister the file before removing it by typing the exact directory path + "regsvr32 /u C:\Windows\System\inetconnect.dll" and pressing "Enter." Repeat for comnt32.dll by typing "regsvr32 /u C:\Windows\System\comnt32.dll" and pressing "Enter."

  11. Step 11

    Remove msupdate.exe by typing "del msupdate.exe" and pressing "Enter" at the C:\Windows prompt. Delete the remainder of the related malware files by typing the following:
    "del C:\usbwin32.exe"
    "del C:\CriticalUpdate.exe"
    "del C:\cab.exe"
    "del C:\winsecure.exe"
    "del C:\Windows\twain_32.exe"
    "del C:\Windows\mshotfix.exe"
    "del C:\Windows\msupdate.exe"
    "del C:\Windows\System\security32.exe"
    "del C:\Windows\System\iProtect.exe"
    "del C:\Windows\System\axe.exe"
    "del C:\Windows\System\inetconnect.dll"
    "del C:\Windows\System\comnt32.dll"
    "del C:\Windows\System\highspeed-cable.exe"
    "del C:\Windows\System\default.scr"
    "del C:\Windows\System\memorymanager.pif"
    "del C:\Windows\System\regisry.pif"

  12. Step 12

    Type "exit" and press "Enter" to close the command prompt and return to the Windows operating system.

  13. Step 13

    Open the Registry Editor and remove any references to msupdate.exe. Click "Start," "Run," type "regedit" and press "Enter." Remove the following registry values:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Cab Manager
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Security Hot Fix Update
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSUpdate
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegistryMonitor
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Manager
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Update
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\WinTask
    HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=%System%\userinit.exe, %Windir%\iprotect.exe
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load\Memory Manager
    HKEY_CLASSES_ROOT\CLSID\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
    HKEY_CLASSES_ROOT\CLSID\{FD3A6AB4-5527-4B52-90AF-F90CD3270861}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0CDAAEC2-E245-44CC-8357-CAB70172D017}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77566C2A-2987-44BC-AC81-A02D19EE271B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8E668361-C801-41B7-BF89-2FC2C8DE9167}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C0DADD7E-D3F1-430D-B735-39DC6033592C}

  14. Step 14

    Reboot the PC.

  15. Step 15

    If msupdate.exe still resides on the computer, repeat the above steps or try using a free automatic removal program from Trend Micro or Symantec (see References).
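
Before deleting anything, and again after the reboot in Step 14, a read-only pass over the indicators listed above shows what is actually present. The batch file below is an added example, not part of the original article; it assumes cmd.exe on Windows XP or Server 2003 (where reg.exe is included), uses the file paths from Step 11 and the value names from Step 13, and reads the Winlogon key at its standard location.

```batch
@echo off
rem Added example (not from the article): read-only audit. Deletes nothing.
rem Assumes cmd.exe on Windows XP / Server 2003, where reg.exe is included.
setlocal
set FOUND=0

echo === Files from Step 11 (dir /a also matches hidden and system files) ===
for %%F in (
  "C:\usbwin32.exe" "C:\CriticalUpdate.exe" "C:\cab.exe" "C:\winsecure.exe"
  "C:\Windows\twain_32.exe" "C:\Windows\mshotfix.exe" "C:\Windows\msupdate.exe"
  "C:\Windows\System\security32.exe" "C:\Windows\System\iProtect.exe"
  "C:\Windows\System\axe.exe" "C:\Windows\System\inetconnect.dll"
  "C:\Windows\System\comnt32.dll" "C:\Windows\System\highspeed-cable.exe"
  "C:\Windows\System\default.scr" "C:\Windows\System\memorymanager.pif"
  "C:\Windows\System\regisry.pif"
) do call :checkfile %%F

echo === Run values from Step 13 ===
for %%V in (
  "Microsoft Cab Manager" "Microsoft Security Hot Fix Update" "MSUpdate"
  "RegistryMonitor" "Windows Security Manager" "Windows Security Update"
) do call :checkrun %%V

echo === Browser Helper Object from Step 13 ===
set BHO=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
reg query "%BHO%\{1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}" >nul 2>&1
if not errorlevel 1 echo FOUND  BHO {1BB87441-6B7F-4B60-885C-B7AF9F9AFDE3}

echo === Winlogon Userinit (review by hand) ===
rem Windows needs the userinit.exe entry to log on; only an extra program
rem listed after the comma (the article names iprotect.exe) is suspicious.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

echo.
echo Listed files and Run values found: %FOUND%
endlocal
goto :eof

:checkfile
rem dir /a succeeds for hidden/system files that a plain dir would not list.
dir /a /b "%~1" >nul 2>&1
if errorlevel 1 goto :eof
echo FOUND  %~1
attrib "%~1"
set /a FOUND+=1
goto :eof

:checkrun
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "%~1" >nul 2>&1
if errorlevel 1 goto :eof
echo FOUND  Run value "%~1"
set /a FOUND+=1
goto :eof
```

A plain `dir` omits files carrying the hidden or system attribute, which is why the check uses `dir /a`; the `attrib` line printed for each hit shows which of the attributes cleared in Step 9 are set.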

Tips & Warnings
  • Manual removal of msupdate.exe may be difficult as the removal process requires knowledge of the operating system command prompt and registry editor. In addition, different versions of this malware rename and relocate various file components. If not performed properly, your computer system might experience permanent damage. Msupdate.exe may also be a component of a legitimate program. Consequently, manual removal might be best for experienced users. Less experienced users might want to consider using an automatic spyware removal application such as that offered by Trend Micro or Symantec.
Copyright © 1999-2009 eHow, Inc.