Anonymous asked in Computers & Internet > Security · 1 decade ago

How do I remove lupdater from my computer?

AVG scans the computer and locates this 'lupdater' file. It says it's malicious and tries to access online porn...but AVG is unable to remove it. If I access the file on the computer I cannot delete it directly as it says it's open in Firefox, which I have uninstalled.

I have tried running Spybot Search and Destroy --- it doesn't even detect the file.

The only Malware remover that seems to is Prevx...but you have to buy it and there is no guarantee it can remove it.

Any suggestions? I am running Windows 7 on an HP DV7 laptop.

Update:

Hi! I tried the steps you suggested...ran the first two programs then scanned with Sophos...lupdater is still there...any suggestions?

Update 2:

SGREKOVA -- I tried your suggestion and I was able to delete the file...trouble is, now I have wsock.exe showing in the task manager as using up 100% of my cpu resources...help!

3 Answers

  • 1 decade ago
    Favorite Answer

    I restart my laptop in Safe Mode, then go to C:\Program Files\Common Files\ComObject and delete lupdater from there and from the Recycle Bin. Then I restart the laptop, and for now everything is OK.

    I hope that is working.

    See this. The solutions are further down the page: http://www.experts-exchange.com/OS/Microsoft_Opera...

    unknown process - should I be concerned

    Asked by Darknlight in Windows 7, Latest Threats, Anti-Spyware

    Tags: lupdater.exe, virus, malware, spyware, firefox, mozilla

    Hello everyone,

    Earlier today, I had gone in to the task manager to have a look at what processes I had running; something I do from time to time as a way to make sure nothing new has made its way onto the comp without my intent.

    Sure enough I noticed a new process on the list, which was as follows:

    lupdater.exe *32

    cpu usage 00

    memory usage 42,184k

    Description - Firefox

    This immediately raised a red flag for me for 2 reasons,

    1. I always make sure new programs are set to *ask* about updates, as opposed to automatically installing them.

    2. I've *never* touched or downloaded anything made by Mozilla on this comp, so I know for a fact, there should be no "Firefox" on this computer.

    I've done a full virus scan using Microsoft Security Essentials, which came back with no threats found. I'm about to go ahead and run a scan with MalwareBytes to see if it comes back with any results, as I know no single antivirus or antimalware program is foolproof. I may even give BitDefender a try.

    If none of these end up coming back with results, does anyone have any input or experience with this process? Should it be removed immediately or is it running for a reason?

    The location of the process is as follows, in the event that it helps at all:

    "C:/Program Files (x86)/Common Files/ ComObject/"

    I'll post again if I get any results from the additional virus / malware scans.

    Thanks in advance for any help on the matter.

    -Dark

    *Ps, I'm fully up to date with my WAU as well.

    This question has been solved and asker verified.


    Solution Provided By: Darknlight

    Participating Experts: 4

    Solution Grade: A

    17/06/10 12:48 AM, ID: 33009957, Expert Comment

    DocSeltsam:

    Hi there,

    Have you checked the binary for additional information like file properties or digital signing?

    --TheDoctor

    17/06/10 03:02 AM, ID: 33010510, Expert Comment

    mattclarified:

    Sounds dodgy, especially as you don't have Firefox installed; have done a search and there is nothing out there on it, which is also odd, as it would come up a lot more if it was genuine. It looks to me like it might be a new virus that has not been picked up yet, or if not it is something that you are not going to use.

    I would disable it from startup: go to Start > Run, type msconfig and hit OK, then disable the program from starting up. You can always turn it back on if it is needed.

    M@

    17/06/10 04:11 AM, ID: 33010914, Expert Comment

    optoma:

    Run Process Explorer (right-click and run as admin).

    In it, hit Options and select "Verify Image Signatures".

    Then hit View, select columns and check "Verified Signer".

    Get a screenshot of the process and attach the images.

    http://technet.microsoft.com/en-us/sysinternals/bb...

    Also try a scan with HitmanPro

    http://www.surfright.nl/en/hitmanpro

    17/06/10 12:59 PM, ID: 33015970, Author Comment

    Darknlight:

    *update

    @mattclarified, unfortunately I already checked msconfig and it doesn't show up as one of the startup processes, nor services, which was what added to my suspicion.

    @optoma, I did as you instructed and have attached the screenshot from the process explorer. Strangely enough it's claiming to have a verified signer of "Mozilla Corperation". Again, however, I do not have, nor have I ever had, any installation of Firefox on this computer (I did a clean reformat a couple months back so I'm positive).

    I was able to find something that looks related, on a Danish website using Google Translate. They mention the exact same process in the same location. Is this any help?:

    http://translate.google.com/translate?hl=en&sl=da&...

    I'll post again after running the hitmanpro scan.

    Thank you

    [Attachment: process-explr-scrn1.jpg (408 KB), Process Explorer screenshot]

    17/06/10 01:16 PM, ID: 33016149, Expert Comment

    optoma:

    It's verified so it should be ok.

    Check Programs and Features in Control Panel.

    Is Firefox listed?

    17/06/10 01:59 PM, ID: 33016538, Expert Comment

    DocSeltsam:

    Hi there,

    Possibly stupid question: Do you have any other Mozilla program installed?

    Like Thunderbird, Lightning or Sunbird?

    --TheDoctor

    17/06/10 06:07 PM, ID: 33017798, Author Comment

    Darknlight:

    There's no installation of Firefox on this computer, nor Thunderbird, Lightning, or Sunbird.

    I've changed the name of the process to "renamed.exe" to see what would happen if the program name couldn't be found, and I've noticed a new program running from the same directory.

    This new program is wSock.exe *32, and it was taking up about 13% CPU for a minute, then went down to 0%.

    Not sure how to get rid of this if the antiviruses aren't finding it. Should I simply delete the folder they're in, or delete the .exe?

    17/06/10 11:11 PM, ID: 33018649, Expert Comment

    optoma:

    Run Eset online scanner

    Check to "scan archives"

    Under advanced options:

    Have all three boxes checked

    Attach its logfile

    Location: C:\Program Files\EsetOnlineScanner\log.txt

    Eset online scan: http://www.eset.com/onlinescan/

    18/06/10 01:17 AM, ID: 33019091, Author Comment

    Darknlight:

    **update**

    OK, I'm fairly certain I've found out which virus this is exactly at the following link:

    http://www.sophos.com/security/analyses/viruses-an...

    It starts with lupdater, then adds one process after another (like wSock.exe). Though I'm more concerned now as to what I'm going to do if none of these antivirus scans can pick it up.

    I tried deleting (temporarily) the ComObject folder altogether to see how it would react, and after about 10 minutes, I received a pop up saying:

    "Windows Script Host

    Script: C:\Program Files (x86)\CommonFiles\ComObject\Liveupdate.js

    Line: 107

    Char: 2

    Error: The system cannot find the file specified.

    Code: 80070002

    Source: (null)"

    I have no problem with leaving this pop up window up to avoid letting this virus continue to add programs.

    Any suggestions?

    18/06/10 03:01 AM, ID: 33019470, Expert Comment

    mattclarified:

    Here's what I suggest:

    Go to msconfig and disable everything that is non-essential, e.g. leave AV and anything you consider really important; deffo disable anything in the common files directory.

    Go to C:\Program Files (x86)\CommonFiles\ComObject\Liveupdate.js, right-click on this file and click Edit. As it is a JS file you should be able to see the code in there and get a vague understanding of what it's doing. Feel free to post the contents on here, and I'm sure one of us will be able to tell you exactly what to do.

    If you really feel uncomfortable with this you could roll back to a previous system restore point. The files will still be on your system, but they will not have been actioned, so you can delete any that you don't trust.

    18/06/10 06:24 AM, ID: 33020733, Expert Comment

    rpggamergirl:

    You would also need to remove the relevant registry values to stop the error, as it still tries to load the file.

    You might also try either one of these scanners and see if it finds all the relevant reg entries apart from the "Run" values and files from Sophos' link.

    Darknlight:

    **update**

    I was able to get rid of it altogether using Sophos Antivirus (which was an EXTREMELY aggressive antivirus).

    Apparently the virus had only been out since the 15th of this month (no clue how I managed to catch it so fast), but that would likely make sense as to why it was so hard to find.

    The script error continued popping up on restart, until I checked msconfig and noticed "windows script host" was set to startup with the command to run the script that was popping up.

    I simply unchecked the box and all has been running beautifully ever since.

    Thank you all for the assistance and advice on the matter, very helpful as always.

    Accepted Solution
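
A read-only triage of the three observations made in this thread (unexpected files under Common Files\ComObject, a "verified" signature on a binary nobody installed, and a startup entry launching Windows Script Host), as an added example that is not part of any poster's answer. It assumes PowerShell 3.0 or later in an elevated prompt; the folder names are the two spellings that appear in the posts, and the variable names are illustrative.

```powershell
# Added example: lists and reports only; it deletes and changes nothing.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
$dirs = foreach ($r in $roots) {
    foreach ($leaf in 'Common Files\ComObject', 'CommonFiles\ComObject') {
        $p = Join-Path $r $leaf
        if (Test-Path -LiteralPath $p) { $p }
    }
}
$pattern = 'Common ?Files\\ComObject\\'   # regex matching either spelling of the folder

# 1. Every file in those folders, with Authenticode status and signer subject.
$files = foreach ($d in $dirs) {
    Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# 2. Running processes whose image path is inside those folders
#    (lupdater.exe and wSock.exe in the thread).
$procs = Get-Process |
    Where-Object { $_.Path -and ($_.Path -match $pattern) } |
    Select-Object Id, ProcessName, Path

# 3. Autostart commands reported by Win32_StartupCommand (Run keys, Startup folders)
#    that launch Windows Script Host or anything from those folders, such as the
#    Liveupdate.js entry the asker later found in msconfig.
$startup = Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -match '\b[wc]script(\.exe)?\b' -or $_.Command -match $pattern } |
    Select-Object Name, Command, Location, User

'Files in ComObject folders:';           $files   | Format-List
'Processes running from them:';          $procs   | Format-Table -AutoSize -Wrap
'Script-host or ComObject autostarts:';  $startup | Format-List
```

A signature status of Valid only identifies who signed the file; compare the signer and location against software that is actually installed before treating the binary as legitimate.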

  • wally
    Lv 4
    5 years ago

    The great and simplest manner to take away an application is from the "Add/Remove Programs" record for your manage panel. That is the grasp record of all application mounted for your pc so it will have to be indexed there. In Vista, you can discover it for your manage panel beneath "Programs and Features". If the application you desire to uninstall is not indexed there however you continue to see the application folder for your pc and different lines of it, there's a method to manually cast off it nevertheless it includes alterations within the registry which can also be tricky and feature dangerous outcome if the unsuitable object is transformed. ALWAYS backup your registry earlier than creating a difference but when you make a decision to head forward besides, first seem for step-by-step instructional materials on the web for that exact application. So for your case, do a seek for whatever like "handbook uninstall survival assignment". Only do the handbook uninstall if the primary procedure does not paintings. You could even desire to take a look at reinstalling the application then uninstall it in a while considering that commonly it is simply the application that wasn't mounted appropriately the primary time that makes the uninstall hyperlink pass lacking.

  • 1 decade ago

    1. Download OTL to your Desktop

    http://oldtimer.geekstogo.com/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

    • Under the Custom Scan box paste this in

    netsvcs

    drivers32 /all

    %SYSTEMDRIVE%\*.*

    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

    %systemroot%\*. /mp /s

    CREATERESTOREPOINT

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\user32.dll /md5

    %systemroot%\system32\ws2_32.dll /md5

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    2. Download OTS to your Desktop and double-click on it to run it.

    http://oldtimer.geekstogo.com/OTS.exe

    • Make sure you close all other programs and don't use the PC while the scan runs.

    • Now click the "Run Scan" button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.

    • When the scan is complete Notepad will open with the report file loaded in it.

    • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    Last but not least, download Sophos Anti-Virus and do a full scan. At this moment it's the only anti-virus that can detect this virus and remove it.
