RemoveIT Pro 2.1 SE

Discussion in 'Software' started by Stubby, Dec 6, 2005.

  1. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    I found this little program on the main page and tried it, but I do have a question about it. I ran the program in normal mode and it 'found' 3 items, one of which was fixed and the other 2 I had to go into 'safe mode' to remove. One of the 'worms' it deleted was "wupdmgr.exe." When I got back out of 'safe mode' I noticed that I no longer had the Win update icon in my start menu. Why would it have deleted my Windows Update, and considered it a 'worm?' Could it have been infected by a 'worm' or virus? THANKS!!!
     
  2. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    Never mind!! I did some research about it and here's what I found http://www.liutilities.com/products/wintaskspro/processlibrary/wupdmgr/ Now as for the conime.exe, here's what I found out about that http://www.liutilities.com/products/wintaskspro/processlibrary/conime/ I really should have done the research FIRST and then posted my findings, but sometimes I do things a little backwards :) There was a 3rd one, but I can't remember what that one was, because that one was deleted before I went into 'safe mode.'
     
  3. nokia

    nokia Private E-2

    Stubby, thanks for the heads up here..
    I downloaded the remover and ran it on my machine.. Same damn trojans you had.. Followed your links as well..
    Thanks, these are now removed..
    I've had a problem of excessive bandwidth usage when I've not been using my system..
    It's obviously been running in the background...
    N
     
  4. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    I'm glad it helped!! It's ironic, isn't it? I mean, just when you think you have a 'secure' machine you download a program like this one only to find out that you aren't as 'secure' as you thought you were!! It's going to get to the point where decent people will have to have more anti-virus, anti-trojan, anti-worm programs on their machines than they do normal programs!!
     
  5. Robert

    Robert Sergeant

    Er, well, I tried the same program then did some research all the way back to M$ and my two comime.exe and wupdmgr.exe show up as legit Windows files. They don't fire up in startup, neither do they show when on working net. But M$ is clear that my versions are the same size etc. as they should be - so where do we go from here?
     
  6. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    Good question, Robert!! I just wonder if those 2 exe's that this program deleted are more prone to get a worm or virus and that's why they were deleted? As a safety procedure to prevent a possible infection? I'm only guessing at that so I guess the best way to find out is to go to the 'Remove IT' site and see if I can find out why this program would delete 2 valid exe's. Since I ran that program and deleted those exe's my machine hasn't acted any differently, but you did bring up a very legitimate concern and since I started this I need to find out why they are considered 'bad.' I shall return!!!
     
  7. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    Well, I e-mailed them and, hopefully, we'll have an answer soon. I tried to register on their forums, but they said that my user name is already being used. So I tried some really outlandish names and it comes back with the same message. That's a little strange, because they have only 4 registered users and I tried at least 8 different names!! I tried names like 'Hockey Puck,' 'Willie Wonka,' and, of course, 'Stubby.' Oh well, I'll wait and see if they reply to my e-mail.
     
  8. nokia

    nokia Private E-2

    Mmmmm, the plot thickens...
    Waiting with bated breath, stubbs...
    N
     
  9. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    Yeah, me too Nokia!!! I still haven't heard back from them, but I found this little tidbit, which I found interesting http://castlecops.com/s4848-wupdmgr_exe.html A couple of other sites I checked said pretty much the same thing. Now I want to try and find out something more about 'conime.exe.' Just the name of that makes me a little suspicious 'con-i-me.' Like it's trying to con me out of something!! LOL!! Well, off I go again...see ya'll later!!
     
  10. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

  11. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    Robert and Stubby, you two are talking about different files.

    There is conime.exe and comime.exe.

    This is usually the oldest trick in the book used to mask spyware and trojans.
     
  12. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    Well, that ends that mystery!!! Thanks Insomniac for pointing that out. I never noticed that subtle difference until you mentioned it and I went back and re-read Robert's post and they are, without a doubt, different!! Substituting an 'n' for an 'm' is a rotten, low-life deception and you can believe that I won't fall for that one again!! If I ever run into a situation like this again, and chances are I will, I will be considerably more accurate. AHHHH life, what a learning experience!!
    While you're here Insomniac, can you shed any light on that other one, 'wupdmgr.exe?' Again, thanks A LOT Insomniac, your input was extremely helpful and much appreciated!!
     
  13. Insomniac

    Insomniac Billy Ray Cyrus #1 Fan

    You're welcome. ;)

    And yes it is a low act substituting a letter to conceal it, but it doesn't surprise me.

    These morons have no morals or ethics, so it's anything goes.

    As far as "wupdmgr.exe", I really don't know. (If you are sure of the spelling?)

    Looking at it, one would assume it's Windows Update Manager (for NT), which it is.

    I have it on my XP PC, and it's not infected. It's also a Micro$$oft file.

    All I can suggest without investigating this is to check the path.

    Mine's in the System32 folder. (There is also a copy of it in DLLCache folder)

    (In case you're wondering how I'm so sure I'm not infected, it's only a new installation and I have all the necessary tools)
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    C:\Windows\System32\wupdmgr.exe <---- Legitimate
    C:\WINNT\System32\wupdmgr.exe <---- Legitimate
    C:\Windows\wupdmgr.exe <---- Virus
    C:\WINNT\wupdmgr.exe <---- Virus

    It then creates this registry entry to ensure its automatic execution at every system startup:
    Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.
     
  15. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    Well, that takes care of mystery #2!! Thanks Shadow Puter Dude!! The only problem I noticed was, according to the 'Remove IT' site, that their program targets the valid System32 wupdmgr.exe (as evidenced by the link below), which it has removed from my system. The only 'adverse' effect from the deletion is that I no longer have an icon in my start menu that would take me directly to the MS update site. I now have to do that manually, which is no big deal. Here's that link http://www.incodesolutions.com/removeit.htm
    BTW, I did receive an answer to the e-mail I sent them earlier and the answer was rather short; "We have information that they are viruses and should be deleted. Run a Google search and see for yourself." Not very professional for a company that has been in business since 1999. Oh well, all's well that ends well!!!
     
  16. nokia

    nokia Private E-2

    Stubbs and all the other guys, thanks.. I'm a bit of an apprentice here..
    Trust me, I am learning in leaps and bounds!..
    As for Flash Gordon super puter dude, him and his bro have been invaluable with their knowledge.. I'm sticking close to these guys..

    Now I feel my machine is pretty well protected and safe..
    I ran Norton's Lodear removal tool and, as true as nuts, it found it on my machine!!
    As I'm running M/S Onecare, I was hoping they would have these trojans covered..
    Mmm, what are we to do.. I have more friggin anti spyware and a/v programs than normal programs on my machine..
     
  17. nokia

    nokia Private E-2

    Stubby, just checked my start menu and the shortcut to ms update--mine is still there and working. The same stuff was found and deleted as per your experience..
    N
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run sfc /scannow from the command prompt, you may need your Windows CD. SFC invokes Windows File Protection and will replace any corrupt or missing Windows System files. You may need to run Windows Update after running SFC.
     
  19. Franklin

    Franklin Corporal

    Ran RemoveIT and 3 dangerous files were flagged.

    Sys32.conime
    Sys32.wupdmgr
    Sys32.iun6002

    Uploaded these files to virustotal where they are scanned with many av databases and they all came up clean.

    Funny thing is there is no iun6002 in sys32, it resides in windows. Had a look in sys32 with Icesword and it's definitely not there.
     
  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I looked at the list of files RemoveIT is supposed to detect as dangerous/bad; several of those are legitimate Microsoft Windows files. There are some viruses that will attempt to replace a legitimate MS file with an infected copy; but these are easily verified by doing MD5 hash comparison of the suspect file to the known MD5 hash of legitimate MS files.
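
The three checks raised in this thread (a one-letter lookalike name such as comime/conime, the folder the file sits in, and an MD5 comparison against a known-good copy) combined into one triage function. This is an added example, not part of the original posts; the `EXPECTED_DIRS` baseline, the function names and the sample paths are assumptions constructed for illustration, and a real known-good MD5 would have to come from a trusted source such as the installation CD.

```python
import hashlib
import ntpath

# Constructed baseline (an assumption, not vendor data): file name -> folders,
# relative to the Windows folder, where the genuine copy is expected.
EXPECTED_DIRS = {
    "wupdmgr.exe": {"system32", "system32\\dllcache"},
    "conime.exe": {"system32"},
}
WINDOWS_ROOTS = ("c:\\windows", "c:\\winnt")


def md5_hex(data):
    """MD5 digest of a file's bytes, the comparison named in the thread."""
    return hashlib.md5(data).hexdigest()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(path, data=None, known_md5=None):
    """Return (verdict, baseline_name) for a Windows file path."""
    directory, name = ntpath.split(ntpath.normpath(path).lower())
    if name not in EXPECTED_DIRS:
        near = [k for k in EXPECTED_DIRS if edit_distance(name, k) == 1]
        return ("lookalike-name", near[0]) if near else ("unknown", None)
    # Folder relative to the Windows root, or None if outside it.
    rel = next((directory[len(r):].lstrip("\\") for r in WINDOWS_ROOTS
                if directory == r or directory.startswith(r + "\\")), None)
    if rel not in EXPECTED_DIRS[name]:
        return ("wrong-location", name)
    if data is not None and known_md5 is not None:
        if md5_hex(data) != known_md5.lower():
            return ("hash-mismatch", name)
    return ("expected", name)


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\wupdmgr.exe", r"C:\WINNT\wupdmgr.exe",
              r"C:\Windows\System32\comime.exe"):
        print(p, triage(p))
```

The hash check runs last because a replaced file sits at the correct path under the correct name, so only the digest distinguishes it; a name and path match alone is not proof the file is genuine.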
     
  21. Stubby

    Stubby R.I.P. (September 3, 1949 - January 26, 2011)

    Shadow Puter Dude, I didn't even know that little 'trick' existed!! Thanks!! I ran it as you suggested and it did ask for my Win2000 disc, which I put in and when it finished I ran a search for 'wupdmgr.exe' but it's still not there, nor is my little Windows Update icon. Do you think I need to do a 'repair?' One thing that it did say was that I needed to replace some DLL's before it could run and that's when it asked for my disc.
    Well guys, I need to crash for a little while. I've been messing with this all day and I fear that my 'gray matter' is pooped!! See ya in a couple of hours!!!
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Locate your Windows Installation CD. Insert it into your CD drive, make sure your system is set to boot from CDRom in the BIOS. Reboot your computer and enter the Recovery Console.
    1. Type map at the command prompt and make a note of the drive letter for your CD Drive.
    Now at the Recovery Console command prompt enter the following commands:
    expand d:\i386\WUPDMGR.EX_ c:\windows\system32
    Note: where d: is the drive letter of your CD Drive. You may have to substitute WINNT for Windows

    exit
    The recovery console will close, and the computer will reboot. Remove the CD from the drive.

    You will have to run Windows update after we have finished.
     
