
Manually Remove Trojan.Alwayup Virus

written by: zero1•edited by: Bill Fulks•updated: 6/16/2011

Did your Norton Anti-virus prompt you that it failed to clean Trojan.Alwayup? Are there still ads that pop up instructing you to install more applications? Follow these steps to manually remove Trojan.Alwayup.


    Trojan.Alwayup Propagation

    Always Updated News application 

    Computers are infected by the Trojan.Alwayup virus when users are lured into installing a supposed browser enhancer application. They get this file by visiting illegitimate sites infested with adware, from sites that are infected with a malicious iframe tag, or attached to files shared via peer-to-peer applications or online forums. Social engineering is widely used to get users to install this 'Always Updated News' application. Unless users keep their operating system and applications updated, the virus can also propagate by using exploits for system vulnerabilities. Trojan.Alwayup is Symantec’s detection name for the AlwaysUpdatedNews system virus.


    Signs of Infection

    The folder %SYSTEM% contains all or any of the following files:

    1. winupdt.exe
    2. winupdt.008
    3. winupdt.bin
    4. aunps.dll
    5. aunps2.dll
    6. aunbho.dll

    The files winupdt.exe, winupdt.008, and winupdt.bin are dropped by aun_008.exe, which is located in and executed from the C:\temporary\ folder. The file aun_008.exe is downloaded from a website. The file winupdt.exe is executed every time the computer starts, to check whether there are additional files to download from the net.

    The files aunps.dll and aunps2.dll are used to display pop-ups and similar adware without user intervention.

    The file aunbho.dll is used to monitor user browsing habits and user information which is sent to the Trojan.Alwayup website.


    Manual Removal

    All running processes and services of AlwaysUpdatedNews should be stopped. First, open the Task Manager by right-clicking on the taskbar and choosing Task Manager, then find any running processes named WinUpdt.exe. Right-click each one and choose End Process Tree.

    Then unregister all the running services that it loads. Go to Start > Run and type the following line into the input box, or just copy and paste it from here. The /u switch unregisters the DLL.

    • regsvr32 c:\windows\system32\aunps.dll /u

    Repeat the step above for aunps2.dll and aunbho.dll.

    • regsvr32 c:\windows\system32\aunps2.dll /u
    • regsvr32 c:\windows\system32\aunbho.dll /u

    With all the processes and services stopped, we can now proceed to delete the files. Go to %SYSTEM%, which is typically c:\windows\system32, and find all the files mentioned above that are used by AlwaysUpdatedNews.

    After the files are deleted, proceed to clean up the files’ registry entries to complete the removal process.

    Find HKEY_CLASSES_ROOT and delete the following subkey:

    • AUNBHO.AUN.1

    Find HKEY_CLASSES_ROOT\AppID\ and delete the following subkey:

    • {B61F67F7-91F3-4A56-99A7-AB972F2318DF}

    Find HKEY_CLASSES_ROOT\CLSID\ and delete the following subkey:

    • {59F12660-2B92-4554-98F9-87295AD8A0CE}

    Find HKEY_CLASSES_ROOT\Interface\ and delete the following subkey:

    • {032A2AF0-CE7E-4ECB-908B-6A17D3D69A97}

    Find HKEY_CLASSES_ROOT\TypeLib\ and delete the following subkey:

    • {B61F67F7-91F3-4A56-99A7-AB972F2318DF}

    Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ and delete the following subkey:

    • {59F12660-2B92-4554-98F9-87295AD8A0CE}

    Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the following Name entries (string values):

    • AUNPS2
    • WinUpdt1

    The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key allows the services to run every time the computer starts.
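
    To confirm the cleanup, the files, registry entries and process named in this guide can be checked in one pass. The PowerShell script below is an added example, not part of the original article; it only reads and changes nothing. Beyond the guide's own steps, it also looks in the SysWOW64 folder and the WOW6432Node registry views that 64-bit Windows uses for 32-bit programs.

```powershell
# Added example: read-only audit for the Trojan.Alwayup artifacts listed in this guide.
# Nothing is deleted or changed; it only reports what is still present.

$files = 'winupdt.exe','winupdt.008','winupdt.bin','aunps.dll','aunps2.dll','aunbho.dll'
# Beyond the guide: on 64-bit Windows, 32-bit programs are redirected to SysWOW64
# and to the WOW6432Node registry views, so both locations are checked.
$sysDirs = "$env:windir\System32", "$env:windir\SysWOW64"

$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'
$cv   = 'Microsoft\Windows\CurrentVersion'
$keys = @("$hkcr\AUNBHO.AUN.1")
foreach ($root in $hkcr, "$hkcr\WOW6432Node") {
    $keys += "$root\AppID\{B61F67F7-91F3-4A56-99A7-AB972F2318DF}"
    $keys += "$root\CLSID\{59F12660-2B92-4554-98F9-87295AD8A0CE}"
    $keys += "$root\Interface\{032A2AF0-CE7E-4ECB-908B-6A17D3D69A97}"
    $keys += "$root\TypeLib\{B61F67F7-91F3-4A56-99A7-AB972F2318DF}"
}
$findings = @()
foreach ($root in $hklm, "$hklm\WOW6432Node") {
    $keys += "$root\$cv\Explorer\Browser Helper Objects\{59F12660-2B92-4554-98F9-87295AD8A0CE}"
    # Autostart values the guide says to delete from the Run key
    foreach ($name in 'AUNPS2','WinUpdt1') {
        $val = Get-ItemProperty -LiteralPath "$root\$cv\Run" -Name $name -ErrorAction SilentlyContinue
        if ($val) { $findings += "Run value present: $root\$cv\Run -> $name = $($val.$name)" }
    }
}
foreach ($dir in $sysDirs) {
    foreach ($f in $files) {
        $p = Join-Path $dir $f
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}
if (Get-Process -Name 'winupdt' -ErrorAction SilentlyContinue) {
    $findings += 'Process still running: winupdt.exe'
}
# Dropper location named in "Signs of Infection"
if (Test-Path -LiteralPath 'C:\temporary\aun_008.exe') {
    $findings += 'Dropper present: C:\temporary\aun_008.exe'
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'None of the Trojan.Alwayup artifacts listed in this guide were found.' }
```

    Any warning line names an item from the removal steps above that is still on the system.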


    Final Thoughts

    We have manually removed the Trojan.Alwayup infection. It pays to always keep your antivirus software updated so it can check whether AlwaysUpdatedNews installed a new virus. If your computer shows none of the symptoms described here and Norton did not report a failed clean, then most probably the computer is safe. I hope this guide helped keep your computer up and running after Norton's failed clean of Trojan.Alwayup.

    If you are disappointed by Norton's inability to remove this and some other infections, check out this list of the best free antivirus software.