Lutzi54

WOW6432node updater

Malwarebytes identifies HKLM\Software\wow6432node\updater as malware. I thought this is a Windows subsystem which is necessary to start 32-bit programs in 64-bit Windows???

What's right?


Hello Lutzi54 and welcome to Malwarebytes,

Yes, wow6432node is legitimate, not so sure about updater. Run the following and post logs...

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Report tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

 


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 16.01.19
Scan Time: 14:03
Log File: 2c3a5150-198f-11e9-b7c3-00ffb381e24c.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.0
Update Package Version: 1.0.8814
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: LK-PC\LK

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 263407
Threats Detected: 8
Threats Quarantined: 8
Time Elapsed: 1 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.StartFenster, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Updater, Delete-on-Reboot, [407], [541219],1.0.8814
Adware.KeenValue, HKLM\SOFTWARE\WOW6432NODE\Updater, Delete-on-Reboot, [7175], [212959],1.0.8814

Registry Value: 1
PUP.Optional.StartFenster, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Updater, Delete-on-Reboot, [407], [541219],1.0.8814

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.StartFenster, C:\PROGRAMDATA\UPDATER, Delete-on-Reboot, [407], [541219],1.0.8814

File: 4
PUP.Optional.StartFenster, C:\PROGRAMDATA\UPDATER\CHECK-UPDATE.EXE, Delete-on-Reboot, [407], [541219],1.0.8814
PUP.Optional.StartFenster, C:\ProgramData\Updater\setup.ico, Delete-on-Reboot, [407], [541219],1.0.8814
PUP.Optional.StartFenster, C:\ProgramData\Updater\uninstall.exe, Delete-on-Reboot, [407], [541219],1.0.8814
PUP.Optional.SlimCleanerPlus, C:\WINDOWS\INSTALLER\1214F6.MSI, Delete-on-Reboot, [1484], [472306],1.0.8814

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)


Sorry: my comment slipped...

This is the log from Malwarebytes - please check before I start cleaning with both of the other programs. The question is: is wow...\updater malware or not?


Yes but Malwarebytes does... They are different types of scans... Trust Malwarebytes..


Thanks for those logs, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 
Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

fixlist.txt
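The MSRT step above tells you to open the whole of mrt.log in Notepad and find the newest run by hand. The following is an added example and not part of Kevin's instructions; it pulls out just the most recent run so that is all you paste. It assumes the usual mrt.log layout, in which every run begins with a line starting "Microsoft Windows Malicious Software Removal Tool v<version>" and ends with a "... Finished On <date>" line; if your log looks different, adjust the $RunHeader pattern.

```powershell
# Added example (not from the thread): return only the latest MSRT run from mrt.log.
# Assumption: each run starts with a "Microsoft Windows Malicious Software Removal
# Tool v..." header line; the "Finished On" footer does not match that pattern, so it
# stays attached to its own run when we split on headers.
function Get-LatestMsrtRun {
    param(
        [string]$LogPath   = "$env:SystemRoot\debug\mrt.log",
        [string]$RunHeader = '^Microsoft Windows Malicious Software Removal Tool v'
    )
    if (-not (Test-Path -LiteralPath $LogPath)) {
        throw "MSRT log not found at $LogPath (has MSRT run on this machine yet?)"
    }
    $raw = Get-Content -LiteralPath $LogPath -Raw

    # Split in front of every header (zero-width lookahead keeps the header with its
    # run). @() forces an array even if there is only one run, so [-1] is the last run,
    # not the last character.
    $runs = @([regex]::Split($raw, "(?m)(?=$RunHeader)") |
              Where-Object { $_ -match "(?m)$RunHeader" })
    if ($runs.Count -eq 0) { throw "No MSRT run sections recognised in $LogPath" }

    return $runs[-1].Trim()
}

$latest = Get-LatestMsrtRun
$latest                      # shows the most recent run only
$latest | Set-Clipboard      # ready to paste into the reply (PowerShell 5 and later)
```

Run it from an elevated PowerShell prompt, since C:\Windows\debug is not readable by every user on all systems.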


Sorry for engaging you so much - but what is this expanse good for: Malwarebytes has not found any entries after cleaning...


Have you run the FRST fix? Can I see that log... What do you mean about the expanse of Malwarebytes, do you mean is it worth buying the premium version..?


Sorry, perhaps I've chosen the wrong words - English is not my practiced language...

I mean: why do further things with FRST and the MS Removal Tool, if Malwarebytes does not find more entries?

I thought Malwarebytes had solved the problem. And this is the Malwarebytes forum - not FRST or MS.

And what does the FRST fix do?


Thanks for the explanation. FRST gives an overview of your full system and is the secondary choice of tools here at Malwarebytes; obviously Malwarebytes is the primary tool. In your situation the malware was identified by Malwarebytes in a system folder, hence you may believe by its name "updater" that it was not malicious. This is easily missed, but not by Malwarebytes.

One of the traits of this type of infection is to exploit your browser, in your case Firefox. I quote part of the fix we use with FRST to kill off and reset the exploit.

Quote

FF user.js: detected! => C:\Users\LK\AppData\Roaming\Mozilla\Firefox\Profiles\lxxcafeb.default\user.js [2017-08-14]

New infections can be identified in FRST logs; in that case the Malwarebytes development guys will update the Malwarebytes definitions accordingly. FRST has several uses for malware removal teams and Malwarebytes development teams.. Does that help..?

Can I see the log from FRST fix....
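Kevin's point is that the key WOW6432Node is Windows' own 32-bit view of HKLM\SOFTWARE, while the Updater subkey inside it (plus the Run value and the Uninstall entry in the scan log) is what the installer left behind. The script below is an added example, not code from the thread or from Malwarebytes; it makes the redirection visible and then audits the same persistence locations the log listed, in both registry views. It assumes 64-bit Windows and an elevated PowerShell session, and uses only built-in cmdlets; the subkey name SOFTWARE\Updater is taken from the scan log, everything else is generic.

```powershell
# Added example (not from the thread): (1) show what WOW6432Node is, (2) audit the
# autorun and uninstall locations from the Malwarebytes log in both registry views.
# Assumptions: 64-bit Windows, elevated session, built-in cmdlets only.

# --- 1. WOW6432Node is the 32-bit view of HKLM\SOFTWARE, not a program -----------
# A 32-bit process that writes HKLM\SOFTWARE\Updater is redirected by Windows to
# HKLM\SOFTWARE\WOW6432Node\Updater. Opening the same logical path through the
# 32-bit and 64-bit views makes that redirection visible.
function Get-RegistryViewKey {
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][Microsoft.Win32.RegistryView]$View
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    return $base.OpenSubKey($SubKey)      # $null when the key is absent in that view
}

foreach ($view in 'Registry32', 'Registry64') {
    $k = Get-RegistryViewKey -SubKey 'SOFTWARE\Updater' -View $view
    $where = if ($k) { $k.Name } else { '<absent in this view>' }
    '{0,-10} SOFTWARE\Updater -> {1}' -f $view, $where
    if ($k) { $k.Close() }
}

# --- 2. Autorun audit: native Run, WOW6432Node Run, and the user's Run key -------
# Real vendors install under Program Files and sign their binaries. An autorun whose
# target sits in ProgramData, AppData or Temp, or is unsigned, is what to look at first.
$suspiciousRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ }

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [string]$p.Value
            # Executable = first token of the command line. Quoted paths are handled;
            # unquoted paths containing spaces are not (acceptable for a triage list).
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $inSuspiciousDir = [bool]($suspiciousRoots |
                Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Executable = $exe
                Signature  = $sig
                Suspicious = $inSuspiciousDir -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-AutorunReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# --- 3. The Uninstall entry the same PUP registered, again in both views ----------
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
    Get-ChildItem -LiteralPath "$root\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'Updater' } |
        ForEach-Object {
            Get-ItemProperty -LiteralPath $_.PSPath |
                Select-Object PSChildName, DisplayName, InstallLocation, UninstallString
        }
}
```

On the machine in this thread, before cleaning, part 1 would show the key present in the Registry32 view only (its .Name reported as HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Updater) and part 2 would list the Updater value pointing into C:\ProgramData\Updater with an unsigned or missing target. After Malwarebytes' Delete-on-Reboot, all three parts should come back empty for Updater; anything that reappears after a reboot means something still re-creates it and is worth a second look.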


Sorry for the waiting time. I tried to understand what the fix does exactly with my system... mostly in vain...

Here are the requested two new logs.

I hope my system is now free of malware. I'm using Bitdefender and I wonder why it did not find this.

btw: Originally the problem was that Firefox could not open some sites and start some downloads. I posted this in the Firefox forum and they said to search for malware. So I tried Malwarebytes and came here...

Now, after cleaning, I tried again. Nothing has changed: Firefox blocked sites and downloads. In the meantime I found the cause and solution: SSL scanning by Bitdefender... respectively wrong certificates...

Good, I cleaned Windows of malware of which I did not know...

I think it is over now and I say thank you.

Fixlog.txt

mrt.log


Thanks for the update, if no remaining issues or concerns we can clean up:

Right click on FRST here: G:\Work\FRST64.exe and rename it to uninstall.exe; when complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 


To bring this to an end... All done - OK...

But perhaps it is an idea to add a warning that these procedures will trigger a shutdown immediately, without warning or the possibility to stop, so there is a danger of losing data from unsaved program windows (like me...).

Will send a little tip - sorry: I'm a pensioner with an ill wife and a long-studying son...

Best wishes (also for Brexit...)!


Hello again Lutzi54,

Thanks for the updated information. Yes, I take on board your reference to the reboot by the clean up procedures; in future I'll make sure to instruct not to have any windows open when clean up takes place..... Thanks for the donation and best wishes for Brexit. Think we need more than best wishes to sort out Brexit....lol.

Thank you,

Kevin....;)


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

This topic is now closed to further replies.