After some investigation of these files in my virtual machine, I concluded that 205.exe was not run, but another of those five was causing the damage: fol.exe, which installed itself as winupd01.exe.
I still have no idea how these files entered and executed on my system.
About winupd01.exe:
Size: 208,896 bytes
MD5 Hash: 5224bc60f8a486d895ff584d647897e7
It is malware.
Based on what I noticed when my system was infected and on the packets I sniffed, here are some details:
What it does:
1) Continuously searches the web for email addresses.
2) Continuously sends Viagra spam to the email addresses it found, probably in step 1.
As a result, your network connection slows down.
3) Kills your antivirus's resident guard/protection. (I had Avira AntiVir.)
4) Hides itself from the running-process list. (That was the biggest hurdle in finding it.)
5) Auto-closes packet sniffers as soon as you open them. (I found a workaround for this by renaming the sniffer's default executable filename.)
6) Auto-closes HijackThis and Killbox.
7) Keeps re-ticking the 'Do not show hidden files and folders' option in Folder Options.
8) Writes a large amount of junk to the hosts file, growing it to 4.87 MB.
How it ensures it starts with Windows:
1) It copies itself to C:\Windows\system32\winupd01.exe.
2) Adds the following registry entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
Name: ctfmon.exe Data: ctfmon.exe
3) Adds the following registry entry under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe:
Name: winupd01.exe Data: C:\windows\system32\winupd01.exe
That is how it starts with Windows: the Run entry launches ctfmon.exe by bare name, and an Image File Execution Options subkey named after an executable is the mechanism Windows uses to redirect that executable's launch to another program (normally through a value called Debugger); here it points at winupd01.exe.
There are a few more entries in the registry if you search for 'winupd01.exe', but I don't think they are significant.
It keeps re-adding these entries continuously, so you can't delete them while it is running.
How to remove it:
1) Restart the computer into another OS. (I used an Ubuntu Linux live DVD.)
2) Delete the files C:\windows\system32\winupd01.exe and C:\windows\system32\ctfmon.exe. (Note that ctfmon.exe is also the name of a legitimate Windows text-services component in system32, so check the file's hash or signature before deleting it.)
3) Delete everything that was added to your hosts file (C:\windows\system32\drivers\etc\hosts), i.e. replace its entire contents with this one line:
127.0.0.1 localhost
4) Restart the computer into Windows. Now the virus won't run, but you should still clean its traces out of the registry: remove the entries listed above, then search the entire registry for 'winupd01.exe' and delete everything you find.
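As an added example (this is not code from the original post), the following Python script performs the checks implied by the persistence entries and the removal steps above, offline: it parses a `reg export` of the Run and Image File Execution Options keys, flags the two entries described, audits a hosts file for anything beyond the localhost mapping, and compares a file's MD5 with the hash quoted for winupd01.exe. The registry paths and the hash come from the post; the sample export text, the hosts entries, the name `SUSPECT_NAMES` and the benign `AntiVirGuard`/`someapp.exe` entries are constructed for the demonstration. On a real machine you would feed it the `.reg` files written by `reg export` and the hosts file copied off the disk from the live CD.

```python
"""Offline triage of the indicators listed in this post.  Added example, not
code from the post: parses a .reg export (as written by `reg export`) of the
Run and Image File Execution Options keys, audits a hosts file, and compares
a file's MD5 with the hash quoted for winupd01.exe.  The sample registry and
hosts text below are constructed; the key paths and hash come from the post."""
import hashlib

KNOWN_MD5 = "5224bc60f8a486d895ff584d647897e7"  # MD5 of winupd01.exe quoted in the post
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
# File names the post associates with this infection (assumed list).
SUSPECT_NAMES = ("winupd01.exe", "fol.exe", "205.exe")
# Contents of a clean hosts file, as the removal steps recommend.
DEFAULT_HOSTS = "127.0.0.1 localhost\n"


def parse_reg_export(text):
    """Parse the subset of .reg syntax written by `reg export`: [key] headers
    followed by "name"="data" lines.  Returns {key: {name: data}} with the
    doubled backslashes of string values collapsed back to single ones."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys


def find_persistence(reg):
    """Flag the two persistence entries the post describes.  Returns a list of
    (where, image, detail) tuples."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        low = data.lower()
        # A Run value holding a bare image name (no path) is resolved through
        # the search path at logon and is exactly what the IFEO hijack below
        # redirects, so it is flagged along with anything naming the dropper.
        if "\\" not in low or any(s in low for s in SUSPECT_NAMES):
            findings.append(("Run", name, data))
    for key, values in reg.items():
        if not key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        image = key.rsplit("\\", 1)[1]
        for name, data in values.items():
            # Windows honours a "Debugger" value under an IFEO subkey; the post
            # reports the value being named after the dropper instead, so both
            # shapes are reported.  GlobalFlag-style tuning values are ignored.
            text = (name + "=" + data).lower()
            if name.lower() == "debugger" or any(s in text for s in SUSPECT_NAMES):
                findings.append(("IFEO", image, name + "=" + data))
    return findings


def audit_hosts(text):
    """Return every active hosts entry that is not a plain localhost mapping;
    a clean file yields an empty list."""
    odd = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if not body:
            continue
        if body[0] in ("127.0.0.1", "::1") and body[1:] == ["localhost"]:
            continue
        odd.append(" ".join(body))
    return odd


def md5_matches(data, expected=KNOWN_MD5):
    """True if the MD5 of the given file bytes equals the expected digest."""
    return hashlib.md5(data).hexdigest() == expected.lower()


# Constructed sample export: the two entries from the post plus one benign
# Run value and one benign IFEO subkey (GlobalFlag is a legitimate use).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe"
"AntiVirGuard"="C:\\Program Files\\ExampleAV\\guard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe]
"winupd01.exe"="C:\\windows\\system32\\winupd01.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"GlobalFlag"=dword:00000800
'''

# Constructed sample hosts file with two entries a clean file would not have.
SAMPLE_HOSTS = """# constructed sample, not the real contents of the infected file
127.0.0.1       localhost
127.0.0.1       some.blocked.host.test   # example of an injected mapping
127.0.0.1       www.example.test
"""

if __name__ == "__main__":
    for finding in find_persistence(parse_reg_export(SAMPLE_REG)):
        print("persistence:", *finding)
    for entry in audit_hosts(SAMPLE_HOSTS):
        print("hosts:", entry)
    print("empty file matches known hash:", md5_matches(b""))
```

The Run check deliberately flags any value that is a bare image name, not just ones naming winupd01.exe, because the bare name is what makes the IFEO redirection work; expect a few false positives from legitimate software that does the same, and confirm each one against the IFEO findings before deleting it.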
However, it seems the virus hasn't been completely removed even after I have done this, because my explorer.exe tries to download fol.exe from 89.149.253.xxx on startup, which is nothing but the winupd01.exe file. Fortunately, it gets a File Not Found error.
Also see the PrevX info on this file: http://www.prevx.com/filenames/X1212390081188608968-X1/WINUPD01.EXE.html
EDIT: See my new post on how to remove this virus completely here.
---
Great & Good Information
nice one . . .