Windows Security
 
#1
June 22nd, 2005, 06:45 PM
jmurrayhead (Moderator)
Task Manager Problems - winupdates.exe

Hello,

I often see people having Task Manager problems, such as it won't open when pressing ctrl + alt + del and selecting Task Manager. I thought I would just put this little bit of info out:

Run a complete virus scan on your system. If you need to, go to symantec.com or trendmicro.com and use their free online virus detection.

If something is found, take care of that problem. If curing those problems doesn't take care of the Task Manager issue, browse to the C:\Program Files directory. If there is a folder named "winupdates", this is most likely your problem. Make sure you go to Folder Options and select "Show Hidden Files and Folders" as the folder may be hidden. If this folder exists, you will need to reboot into Safe Mode and delete the folder. You will need to reboot into Safe Mode because the worm process is running when your desktop loads. You can't delete a file when it is in use, and you obviously can't kill the process when you can't access the task manager.

Also, this worm writes the following to the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"winupdates"="C:\\Program Files\\winupdates\\winupdates.exe /auto"

You can just use the registry editor to delete this.

I hope this helps many out there having this problem. I just see it come up so often I figured I'd give some advice about it.

#2
July 2nd, 2005, 07:40 PM
oneMSBi
This information on how to tackle a W32.HLLW.Gaobot.BC or the W32/Rbot-MM or W32/Gaobot.worm.gen is incomplete.

Quote:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"winupdates"="C:\\Program Files\\winupdates\\winupdates.exe /auto"


This entry is characteristic of the worms I have mentioned above.

The correct and more complete process would be as follows. BUT REMEMBER THAT REMOVING MALWARE IS A DIFFICULT TASK AND MUST BE CUSTOMISED FOR EACH INFECTION.

Download and install the following programs, if they're not on your computer yet:

- AdAware SE: http://www.lavasoftusa.com/software/adaware/
- Spybot: http://www.safer-networking.org/
- CCleaner: http://www.ccleaner.com/ccdownload.php

Use Task Manager (Ctrl-Alt-Del) to end these running processes if you can. Since it is very likely you will not be able to do so, I recommend you use Process Explorer, freely available from SysInternals here
http://sysinternals.com/ntw2k/freeware/procexp.shtml

winupdates.exe

Next Go to Add/Remove Programs (START, settings, control Panel) and uninstall these apps (all may not be listed)
anything with a name similar to MyWay, MySearch, MyWebSearch, etc.

winupdates

Make sure you can view hidden and system files: if you do not know how to do this then you can find out how below.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Then Boot to safe mode: IF you do not know how then see the following link for information:
http://service1.symantec.com/SUPPOR...src=sec_doc_nam

Now make sure all browser and all Windows Explorer windows are closed.
Then:
1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit

Then click OK. (The Registry Editor opens.)

3. Navigate to each of the keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

4. In the right pane, delete any of the following values:
* "Microsoft Office Start"="winupdates.exe"
* "Configuration Loader"="svch0st.exe"

5. Exit the Registry Editor.


Delete the following folder IF still present on your computer:
C:\Program Files\winupdates

Reboot

Do a System-Scan with AdAware SE:

- Open AdAware SE
- First of all, check for updates.
To do this, click on 'Check for updates now', click the 'Connect'-button and, if there are new updates, click 'OK' and then 'Finish'.
- Now, do a system-scan by clicking the 'Start'-button.
- In the next screen, select 'Perform Full System scan' and click the 'Next'-button.

- When the scan is done, right-click in the list of items that AdAware found, and select 'Select All', click the 'Next'-button and then the 'Finish'-button.
- Close AdAware SE.

Do a system-scan with Spybot:

- Open Spybot 1.4
- First, Check for updates
click the 'Search for updates'-button. If there are updates available, select them and click the 'Download updates'-button.
- Click 'Search and destroy' and then 'Check for problems'.
- Relax while Spybot is performing its scan.
- When Spybot is done, it will show a list of found items (or congratulate you with a clean computer). Click 'Fix selected problems' to delete the items.
- Close Spybot 1.4


Run CCleaner


Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.
Then open it and select the items you wish to clean up.

In the Windows Tab:

I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section
Clean all entries in the "Advanced" section.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

Then click the "Run Cleaner" button

Finally, do an online scan using Trend Micro Housecall. It is available.

http://housecall.antivirus.com/

You can get better assistance on this over at another devshed forum below
http://forums.devshed.com/f117/s
Comments on this post
jmurrayhead agrees!
Shadow Wizard agrees: good info, looks like you have unlimited resource pool...
Nilpo agrees: Nice contribution....as always.
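
An added example, not part of either post above: a read-only Python check that parses a registry export in the .reg format quoted in the thread and reports Run/RunServices values whose name or program matches the indicators the posts list. The sample export, its ExampleTray and SomethingElse entries, and the function names are constructed for illustration.

```python
import re

# Indicators named in the thread (autorun value names and executable file names).
SUSPECT_NAMES = {"winupdates", "microsoft office start", "configuration loader"}
SUSPECT_EXES = {"winupdates.exe", "svch0st.exe"}
_CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
AUTORUN_KEYS = {_CV + r"\run", _CV + r"\runservices"}
# "name"="data" line of a .reg export; backslash and quote are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def exe_name(command):
    """Lower-cased file name of the program in an autorun command line."""
    cmd = command.strip().lstrip('"')
    m = re.search(r'\.exe(?=$|[\s"])', cmd, re.I)
    path = cmd[:m.end()] if m else cmd.split(" ")[0]
    return path.rsplit("\\", 1)[-1].lower()

def scan_reg_export(text):
    """Return (key, name, data, reasons) for autorun values matching the indicators."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif m and key.lower() in AUTORUN_KEYS:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            reasons = [why for why, hit in (
                ("value name", name.lower() in SUSPECT_NAMES),
                ("executable", exe_name(data) in SUSPECT_EXES)) if hit]
            if reasons:
                findings.append((key, name, data, reasons))
    return findings

# Constructed sample export (real exports are UTF-16; open with encoding="utf-16").
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" -min"
"winupdates"="C:\\Program Files\\winupdates\\winupdates.exe /auto"
"SomethingElse"="svch0st.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="svch0st.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Configuration Loader"="svch0st.exe"
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

Only string (REG_SZ) values are parsed; values exported in hex form are skipped, and a clean result does not rule out other variants.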

#3
July 2nd, 2005, 07:51 PM
jmurrayhead (Moderator)
Nice add on, I've been unable to find that much information on it.

#4
July 2nd, 2005, 08:01 PM
oneMSBi
cheers mate

you can find out more on this type of infection at the following websites
http://securityresponse.symantec.co....gaobot.bc.html
http://www.sophos.com/virusinfo/analyses/w32rbotmm.html

#5
March 29th, 2006, 11:24 AM
TY:D
Sorry for being a thread-digger, but I just had to say thanks for this thread
I was stupid enough to d/l a 850-ish kb version of LimeWire and actually run it! (I checked it with AVG first though, and it gave me nada :\)

Once again, thanks
Comments on this post
Shadow Wizard agrees: cheers, good to know this forum is helpful.

#6
October 27th, 2006, 02:03 PM
awvt

Before doing any of this, first check this info from Microsoft support at:

URL=kb;en-us;314227

It appears that the task manager is just sort of "minimised". Right click the task bar then click "Task Manager" and one of the tabs ("Users") will open, then you just have to double click the edge of upper border to restore the Task Manager to normal. This solved my problem.

Quote:
CAUSE
This behavior may occur if Task Manager is running in Tiny Footprint mode. If you double-click the empty space in the border around the tabs, Task Manager switches to this mode.


RESOLUTION
To switch Task Manager to its typical display mode, double-click the top border of the window.


MORE INFORMATION
When Task Manager is running in Tiny Footprint mode, you can resize the window.
