Manually Remove Trojan.Alwayup Virus
Trojan.Alwayup Propagation
Computers are infected by Trojan.Alwayup virus by users lured into installing a supposed browser enhancer application. They get this file by visiting non-legitimate sites infested with adware, sites that are infected with a malicious iframe tag, and attached to files shared via peer-to-peer applications or online forums. Social engineering is widely used to allow users to install this ‘Always Updated News’ application. Unless users don’t always update their operating system and applications, the said virus can also propagate via system vulnerabilities by using exploits. Trojan.Alwayup is Symantec’s detection name for the AlwaysUpdatedNews system virus.
Signs of Infection
The folder %SYSTEM% contains all or any of the following files:
- winupdt.exe
- winupdt.008
- winupdt.bin
- aunps.dll
- aunps2.dll
- aunbho.dll
The file winupdt.exe, winupdt.008, and windup.bin are dropped by aun_008.exe which is located and executed in C:\temporary\ folder. The aun_008.exe is downloaded from alwaysupdatednews.com website. The file name winupdt.exe is executed every time the computer starts to check if there are additional files to be downloaded from the net.
The files aunps.dll and aunps2.dll are used to display pop-ups and similar adwares without user intervention.
The file aunbho.dll is used to monitor user browsing habits and user information which is sent to the Trojan.Alwayup website.
Manual Removal
All running process and services of AlwaysUpdatedNews should be stopped. First fire up the Task Manager by right-clicking on the taskbar. Choose Task Manager and find any running WinUpdt.exe named processes. Right click on it and choose End Process Tree.
Then unregister all the running services that it loads. Go to Start > Run and type the following line to the input box, or just copy and paste from here.
- regsvr32 c:\windows\system32\aunps.dll /u
Do the above steps same with aunps2.dll and aunbho.dll.
- regsvr32 c:\windows\system32\aunps2.dll /u
- regsvr32 c:\windows\system32\aunbho.dll /u
With all the process and services stopped, we can now proceed in deleting the files. Go to %SYSTEM% or typically it is in c:\windows\system32 and then find all the mentioned files used by AlwaysUpdatedNews.
After the files are deleted, proceed in cleaning the files’ registry entries to complete the removal process.
Find HKEY_CLASSES_ROOT and delete the following subkeys:
- AUNBHO.AUN
- AUNBHO.AUN.1
Find HKEY_CLASSES_ROOT\AppID\ and delete the following subkeys:
- AUNBHO.DLL
- {B61F67F7-91F3-4A56-99A7-AB972F2318DF}
Find HKEY_CLASSES_ROOT\CLSID\ and delete the following subkey:
- {59F12660-2B92-4554-98F9-87295AD8A0CE}
Find HKEY_CLASSES_ROOT\Interface\ and delete the following subkey:
- {032A2AF0-CE7E-4ECB-908B-6A17D3D69A97}
Find HKEY_CLASSES_ROOT\TypeLib\ and delete the following subkey:
- {B61F67F7-91F3-4A56-99A7-AB972F2318DF}
Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ and delete the following subkey:
- {59F12660-2B92-4554-98F9-87295AD8A0CE}
Find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the following Name entry or string value:
- AUNPS2
- WinUpdt1
The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run allows the services to run every time the computer starts.
Final Thoughts
We have manually removed the Trojan.Alwayup infection. It pays to always update your antivirus software to check if there is a new virus that AlwaysUpdatedNews installed. If there are no symptoms as described here on your computer and Norton did not go up to say a denied clean, then most probably the computer is safe. I hope this guide helped in making your computer still up and running from Norton’s Trojan.Alwayup failed clean.
If you are disappointed by Norton’s inability to remove this and some other infections, check out this list of the best free antivirus software.
