Jump to content

WindowsUpdate.Exe -> SysWOW64 infinite


Go to solution Solved by Maurice Naggar,

Recommended Posts

I don't know when exactly I got this malware / virus but for a few days after starting up my laptop I will always get a popup to launch WindowsUpdate.Exe. I found it weird since updates were never initiated with a popup so I always chose no and carried on with my day. But this morning I misclicked yes and then it opened up a bunch of uncancellable CMD windows all having SysWOW64 written. I was freaking out and there was nothing I could've done so I just forcefully shut down my laptop and rebooted it. It's still working now.. but what should I do?

Link to post
Share on other sites

Hello   :welcome:

My name is Maurice.  I will guide you.  Let me know what name you prefer to go by.

In order to begin to help you properly, I will need a diagnostic report in order to review & diagnose.
Specifically the FRST Farbar diagnostic report.  It is safe to get & use.
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

Attach FRST.txt + Addition.txt with your reply.  You may if you wish, ZIP the 2 into a zip file & then attach.
{ just please do not copy, paste their contents in main body of reply box here.)
 

Link to post
Share on other sites

Hi Chris.  Thanks for the reports.  The "windowsupdate" references are not legitimate Microsoft Windows components.  This is some sort of rogue. It will be removed.

Please do not be using other apps or web browsers during these next procedures. Only use web browser for purpose to get to this forum.

[    1    ]

As a next basic step, Please  make very very sure to  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

We will use FRST64.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  curvykaptain  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will also run the Windows 10 DISM to check the system integruty. It will also rebuild the Winsock.  References to "windowsupdate.exe" will be removed + that exe file will be removed.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt


Start the Windows Explorer and then, to the Downloads folder


RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.

Stick with me, as we will be running other scans, later.   And if I may suggest, you should run a scan with your Kaspersky Security Cloud after this task has completed.

Link to post
Share on other sites

A copy of the EXE file named "WindowsUpdate.exe" ( also known as windowsprotect.exe) was uploaded to Virustotal ( a security hub for several anti-malware entities) and 16 of the 70 scan engines detected it as some form of trojan, backdoor trojan, or malicious file.
You can see the detection results on this page
https://www.virustotal.com/gui/file/3a2cb79eb99a90f3dc9d8353d9fb5456eb4f9607209acb42ba2140a068d9face/detection/f-3a2cb79eb99a90f3dc9d8353d9fb5456eb4f9607209acb42ba2140a068d9face-1600786216

Sophos tends to define it as "Trojan:W32/KillWin identifies a freeware program that disables certain features of the operating system (OS).".
ESET detects it as BAT/KillWin.NFW  which I believe is their classification for a backdoor trojan.
>
The good news is that the custom script I had you run removed the file "WindowsUpdate.exe" as well as its container sub-folder "C:\Program Files (x86)\Windows Protect".
The other good news is that the Windows System File Checker ( SFC ) as well as the DISM tool found no integrity issues for this Windows 10.
The bad news is that the file was malicious.  And assuming it was a backdoor trojan, I need to relay to you what follows.
>
Malwarebytes says this about backdoor malware

Quote

Backdoor malware is generally classified as a Trojan. A Trojan is a malicious computer program pretending to be something it's not for the purposes of delivering malware, stealing data, or opening up a backdoor on your system. Much like the Trojan horse of ancient Greek literature, computer Trojans always contain a nasty surprise.

See more at https://www.malwarebytes.com/backdoor
>
Backdoors could be used to spy on the system’s user, and the threat actor can use the affected system for other malicious activities. For example, they can add the system to a botnet or use it to mine Bitcoins.
>
It would be good to know just when was the first time that you had spotted symptoms of the rogue "windowsupdate".
>

I would highly suggest that you do this next scan.

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report.

Link to post
Share on other sites

Also when the scan was taking place (about a quarter in), I was trying to compare how much memory Microsoft edge consumes compared to Chrome, and I found this.

There's somehow a Microsoft Edge tab that says MicrosoftUpdate.exe -> SysWOW64. That was scary... what was that? I didn't even open that many tabs earlier... it was literally the Edge home page.

pic.png

Link to post
Share on other sites

Regarding the Edge tabs:  You should be able, while in Task Manager, to use the mouse, do a single click to select the "WindowsUpdate.exe" line.  Then do a RIGHT-click with the mouse pointer, and drill thru the Properties  information.  Hopefully to find some detail about it, such as location / path.  Jot down that info and relay it to me.

You can also do a right-click and select "End Task".  You can do that on the rest of the EDGE lines.   Possibly switch to using just Firefox for the rest of this case's duration till I signal the all clear.

Please do this special  search. 

There is the FRST64.exe  tool on the Downloads folder. We will use that to do a search.

Find & then start FRST64

 

Type the following ( better yet, use COPY  then Paste)  into the search box exactly as shown  then press the Search Files button 

SearchAll: windowsupdate

 

Please wait while the program searches for all entries relating to this , when done a  search.txt  log will be saved to the desktop. Please attach this log to your next reply. 

Remember, we will be doing much more follow-ups after this.   Persistence & patience are key.

Link to post
Share on other sites

Hello Chris.  Thanks.  Most all of what is reported by the search is normal.  Except for 1 single entry ( although inert & of no potential threat) in the registry to "windows protect\windowsupdate.exe" in the 'compatability' section.  That we will remove in the script that follows.

Please first Delete the prior file named Fixlist.txt  on the Downloads folder.

We will use FRST64.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  curvykaptain  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This will delete 1 reference to "windows protect\windowsupdate.exe"

It will also delete the Cache in the EDGE browser.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

This run should be rather quick.
 

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt


Start the Windows Explorer and then, to the Downloads folder


RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.  

For the record, all contenet of the folder C:\Program Files (x86)\Windows Protect, and its sub-folders, and the folder itself were removed by the first Fix run.

That included yhe 2 EXE files bundled by the trojan.

Link to post
Share on other sites

Hi Chris.  Thanks.  THat is a very good run.  That removed the last reference of "windowsupdate.exe".

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.

 

Let me know the result of this.    This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply.

Link to post
Share on other sites

Quote

did the logs ever mention anything about when / how the trojan intruded my device?

It is hard to tell.  However, as to the malicious ( fake) "windowsupdate/protect"  that may have been November 8.

This last scan with the MS Safety Scanner found  Threat Detected: Trojan:Win32/Ramnit.C and Removed!

Threat Detected: Trojan:Win32/Ramnit.C and Removed!

We will do some additional scans to keep checking this system.   Starting with a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and lets be sure the line in SCAN OPTIONs for 

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

MB4_scan_tick_ALL.jpg.d04ef98c885b4f44f51bfe735922fba7.jpg

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine.jpg.8639e1dfc2301bc6d60a8cfb3c339241.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉

Link to post
Share on other sites

Here you go! Also for the next 1 week I won't be available to scan my device because I am leaving out of town and will not be carrying it with me. If there are any more subsequent scans, I will follow your instructions and notify you on around 25rd of November. Thanks for everything and see you later!

malwareybytesreport.txt

Link to post
Share on other sites

Hello.  Thanks regarding the heads-up about your upcoming trip.  The Malwarebytes for Windows scan found & removed  PUP.Optional.WinYahoo, PUP.Optional.SearchManager, PUP.Optional.WinYahoo.TskLnk.

Now then, recall that the Microsoft Safety Scanner had reported "Ramnit" infection.

Here is how Malwarebytes describes Ramnit 

Ramnit is a versatile family that holds viruses, worms, and Trojans. They are capable of infecting EXE, DLL, and HTML files on an affected system.

Your system would be safer in the long term, and for your peace of mind, to backup your personal files & documents, and then do a new clean install of Windows and then rebuild / re-install your applications.  Let me know about this.  I would relay to you how to go about that.

In any event, I would like you to do this other special one-time scan with Sophos.

This is a  different special tool to check your pc for viruses, trojans & other malware.

Download Sophos Free Virus Removal Tool   and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Let me know what Sophos reports

Link to post
Share on other sites

Hello Maurice, thank you very much for your latest response and follow up attempt. I have just returned from my vacation. However I think further scanning would be done in a few days and not necessarily right now because I have some errands to run at the moment using my device. I will absolutely get back to you once I have finished all my tasks. Once again, thank you!

  • Like 1
Link to post
Share on other sites

Good to hear from you. I was simply thinking you could, at the appropriate point, start that run, insuring it got underway, on some evening, and then simply let it run overnight.  Once it is started, you would not need to monitor it whilst it was working,

All the best to you.

Link to post
Share on other sites

  • 2 weeks later...
  • 2 weeks later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites

  • 2 months later...

This thread is a continuation of the thread posted above.

TLDR my device was infected with several viruses which I have successfully eliminated thanks to Maurice Naggar's help. However, I failed to follow through the next steps needed and the thread had been closed off as a result.

As per Maurice's last advice, I have downloaded Sophos and ran a scan with it (a quick one, to my surprise) and the file has been attached along with this post. 

For good measure, Windows Defender didn't show anything off with my device, and another FRST scan's log has been attached as well.

FRST.txt Addition.txt SophosScanAndClean_20220224_1533.log

Link to post
Share on other sites

Hello Chris. It has been a very very long time since last November.
Sophos has, since we last heard from you, changed their tool to a "scan and clean" quick tool.
This run of their tool has only flagged 4 cookies.  Nothing else.
Looking back on your original thread, I said this back on Novemer 16

Now then, recall that the Microsoft Safety Scanner had reported "Ramnit" infection.

Here is how Malwarebytes describes Ramnit 

Ramnit is a versatile family that holds viruses, worms, and Trojans. They are capable of infecting EXE, DLL, and HTML files on an affected system.
Your system would be safer in the long term, and for your peace of mind, to backup your personal files & documents, and then do a new clean install of Windows and then rebuild / re-install your applications.  Let me know about this.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.