Author Topic: Removing AlwaysUpdatedNews (Read 935 times)

Crashin' Jack · « **on:** April 24, 2005, 10:09:36 AM »

Problem removing the AlwaysUpdatedNews Installation popup when trying to run a video...

I have run AdAware SE, Spybot (latest version), and AntiVir, rebooting after each. Now I have run Hijack This, and here is my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:30 AM, on 4/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\LINKSYS WIRELESS-G PCI ADAPTER\WMP54GV4.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\DESK98.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\T2ERAHLP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
D:\OPERA7\OPERA.EXE
C:\MY DOCUMENTS\UTILITIES\ANTI VIRUS SPYWARE\HIJACK THIS 1.99\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [xeepu] C:\WINDOWS\XCQOHRT.EXE
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [o32T37e] THERXY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [WMP54Gv4] C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [Z0t3RXKpW] T2ERAHLP.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

Any help in removing this pest would be deeply appreciated!!

Thanks...

guestolo · « **Reply #1 on:** April 24, 2005, 10:57:22 AM »

==Download and Install this small program
to help clean your temp folders,cookies, recylebin, etc..
Windows Cleanup
Install for now, don't run a scan yet

Open Hijackthis>>Open Misc Tools>>Open Process manager
Kill this process if running
C:\WINDOWS\SYSTEM\T2ERAHLP.EXE

Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [xeepu] C:\WINDOWS\XCQOHRT.EXE

O4 - HKLM\..\Run: [o32T37e] THERXY.EXE

O4 - HKCU\..\Run: [Z0t3RXKpW] T2ERAHLP.EXE
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Delete these files if found
C:\WINDOWS\SYSTEM\T2ERAHLP.EXE <-file
C:\WINDOWS\XCQOHRT.EXE <-file
THERXY.EXE <-Do a search for this one

Crashin' Jack · « **Reply #2 on:** April 25, 2005, 06:56:24 AM »

Thanks for the response, guestolo. I followed your instructions, but no joy. The AlwaysUpdatedNews is still present. While removing the files listed at the end of your post, I also found this file:

c:\windows\system\T2EMBED.DLL

Is this related to the T2ERAHELP.EXE ? Here is a new log from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 6:52:42 AM, on 4/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\LINKSYS WIRELESS-G PCI ADAPTER\WMP54GV4.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\DESK98.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
D:\OPERA7\OPERA.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HJT\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HydarVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [WMP54Gv4] C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

Again thanks for your help. it is very much appreciated!!

guestolo · « **Reply #3 on:** April 25, 2005, 11:13:23 AM »

Can you search on your computer for this file
C:\Windows\System\winupdt.exe.
Let me know if it exists

Your Windows media player
wmplayer.exe may be infected, we may be able to replace it without a reinstall of Media player
But let's make sure
Can you navigate to this folder
C:\Program Files\Windows Media Player
Open the folder and look for wmplayer.exe

Right click on wmplayer.exe and left click properties
Can you let me know date modified please

Can you also run an Online Virus scan at Panda's
Save the incident report afterwards and post it back here
http://www.pandasoftware.com/products/acti...n_principal.htm

After running Panda's scan, if wmplayer.exe is infected but can be repaired
Can you let me know what version of media player your running

Could you also
Download dpf.zip and unzip it to desktop
Double click on dpf.bat and post back the contents

Crashin' Jack · « **Reply #4 on:** April 25, 2005, 11:18:08 PM »

Guestolo, thanks again for the effort in helping...

Searched all of my C:\, and then my whole system; no file named winupdt.exe.

wmplayer date modified is Tuesday, April 12, 2005, 6:46:12 AM

(That looks suspicious I would say...)

For the Panda scan, I couldn't find an incident report to copy and paste. I ran it once and my AntiVir progam said it was trying to download the virus micro128. I shut off my AntiVir and ran three more times, getting a "No Virus Found" message.

I tried to start Windows Media Player, but the AlwaysUpdatedNews program started. I also noted the icon on the program directory was incorrect - it was the "blank" generic icon. I checked proerties and clicked on Find Target and found this line:

WMPLAYER.EXE 5KB Application Extension 4/12/2005 6:46am

Now, clicking on WMPLAYER2.EXE in the same folder started Windows Media Player, Version 6.4.07.1112

I then ran the dpf batch file from my desktop and the Notepad "dpflist.txt" was blank.

The mystery continues...

I am not very familiar with the files used for Media Player, but is it possible it has been renamed and this new file put in it's place?

guestolo · « **Reply #5 on:** April 26, 2005, 03:17:40 PM »

It looks like Windows media player exe is infected
You could Uninstall Windows media player through add/remove programs and then remove the Window Media player folder from Program files

C:\Programs files\Windows Media player

If you intend on using an older version of WMP you can get it here
http://www.oldversion.com/program.php?n=wmp

You could update to WMP player 9, I would create a fresh restore point however before installing
In case you don't want it, but it is very good in my opinion
Here's a Microsoft link
http://www.microsoft.com/downloads/details...&displaylang=en

You may also think about visiting Windows Updates and getting all latest Critical updates and service packs to keep secure
Keep revisiting until you get them all
Don't get the recommended unless they are something preferred
Again, create a fresh restore point ahead of time, just in case

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Crashin' Jack · « **Reply #6 on:** April 26, 2005, 10:24:02 PM »

Thanks for the advice, guestolo. I looked for the program in Add/Remove and it's not listed. Oh well...I guess I'll just leave it be for the moment and use the file player that came with my ATI card. I have set the files to open with that, and it works alright.

As for the Windows updates, I appreciate what you are saying, but I tend to reinstall my OS rather frequently and I don't care to go through the hassle of updating all the time.

For my browser I use Opera almost exclusively, AOL mostly for my email and becuse my wife insists we have it, and use IE only very rarely. So I don't know the IE-related stuff would do me any good.

But, I do thank you for the time you have given me, that is most generous...I will continue my quest to rid myself of this pest, mostly for my own curiosity. Typically, I don't worry about programs like this too much as I don't use these types of programs very often, but this particular pest is tenacious and has become a challenge to rid my system of it.

Thanks also for the utilities you suggested, I have some, but others have been helpful.

If I have any success I will post back here.

Cheers!

guestolo · « **Reply #7 on:** April 28, 2005, 12:38:24 AM »

you could try right click on wmplayer.exe and rename too wmplayer.ex_
and then try reinstalling your current version of Windows Media Player

TheTechGuide Forum

News:

Author Topic: Removing AlwaysUpdatedNews (Read 935 times)

Crashin' Jack

Removing AlwaysUpdatedNews

guestolo

Removing AlwaysUpdatedNews

Crashin' Jack

Removing AlwaysUpdatedNews

guestolo

Removing AlwaysUpdatedNews

Crashin' Jack

Removing AlwaysUpdatedNews

guestolo

Removing AlwaysUpdatedNews

Crashin' Jack

Removing AlwaysUpdatedNews

guestolo

Removing AlwaysUpdatedNews