curvykaptain Posted November 11, 2021 ID:1487837 Share Posted November 11, 2021 I don't know when exactly I got this malware / virus but for a few days after starting up my laptop I will always get a popup to launch WindowsUpdate.Exe. I found it weird since updates were never initiated with a popup so I always chose no and carried on with my day. But this morning I misclicked yes and then it opened up a bunch of uncancellable CMD windows all having SysWOW64 written. I was freaking out and there was nothing I could've done so I just forcefully shut down my laptop and rebooted it. It's still working now.. but what should I do? Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 11, 2021 ID:1487844 Share Posted November 11, 2021 Hello My name is Maurice. I will guide you. Let me know what name you prefer to go by. In order to begin to help you properly, I will need a diagnostic report in order to review & diagnose. Specifically the FRST Farbar diagnostic report. It is safe to get & use.https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs Attach FRST.txt + Addition.txt with your reply. You may if you wish, ZIP the 2 into a zip file & then attach. { just please do not copy, paste their contents in main body of reply box here.) Link to post Share on other sites More sharing options...
curvykaptain Posted November 11, 2021 Author ID:1487853 Share Posted November 11, 2021 Here you go! Addition.txt FRST.txt Link to post Share on other sites More sharing options...
curvykaptain Posted November 11, 2021 Author ID:1487854 Share Posted November 11, 2021 And you can call me Chris, forgot to mention! Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 11, 2021 ID:1487876 Share Posted November 11, 2021 Hi Chris. Thanks for the reports. The "windowsupdate" references are not legitimate Microsoft Windows components. This is some sort of rogue. It will be removed. Please do not be using other apps or web browsers during these next procedures. Only use web browser for purpose to get to this forum. [ 1 ] As a next basic step, Please make very very sure to set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html [ 2 ] We will use FRST64.exe on Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for curvykaptain only / for this machine only. This custom script has some specific things, plus some general aspect to help the system overall. NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run the Windows 10 DISM to check the system integruty. It will also rebuild the Winsock. References to "windowsupdate.exe" will be removed + that exe file will be removed. NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt Start the Windows Explorer and then, to the Downloads folder RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity Please know this will do a Windows Restart. Just let it run and finish. Stick with me, as we will be running other scans, later. And if I may suggest, you should run a scan with your Kaspersky Security Cloud after this task has completed. Link to post Share on other sites More sharing options...
curvykaptain Posted November 11, 2021 Author ID:1487880 Share Posted November 11, 2021 Thank you Maurice, the WindowsUpdate.exe prompt has disappeared after the reboot. May I ask, what is the harm that can be inflicted on my device by that malware if left unchecked? Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 11, 2021 ID:1487908 Share Posted November 11, 2021 A copy of the EXE file named "WindowsUpdate.exe" ( also known as windowsprotect.exe) was uploaded to Virustotal ( a security hub for several anti-malware entities) and 16 of the 70 scan engines detected it as some form of trojan, backdoor trojan, or malicious file. You can see the detection results on this pagehttps://www.virustotal.com/gui/file/3a2cb79eb99a90f3dc9d8353d9fb5456eb4f9607209acb42ba2140a068d9face/detection/f-3a2cb79eb99a90f3dc9d8353d9fb5456eb4f9607209acb42ba2140a068d9face-1600786216 Sophos tends to define it as "Trojan:W32/KillWin identifies a freeware program that disables certain features of the operating system (OS).". ESET detects it as BAT/KillWin.NFW which I believe is their classification for a backdoor trojan. > The good news is that the custom script I had you run removed the file "WindowsUpdate.exe" as well as its container sub-folder "C:\Program Files (x86)\Windows Protect". The other good news is that the Windows System File Checker ( SFC ) as well as the DISM tool found no integrity issues for this Windows 10. The bad news is that the file was malicious. And assuming it was a backdoor trojan, I need to relay to you what follows. > Malwarebytes says this about backdoor malware Quote Backdoor malware is generally classified as a Trojan. A Trojan is a malicious computer program pretending to be something it's not for the purposes of delivering malware, stealing data, or opening up a backdoor on your system. Much like the Trojan horse of ancient Greek literature, computer Trojans always contain a nasty surprise. See more at https://www.malwarebytes.com/backdoor > Backdoors could be used to spy on the system’s user, and the threat actor can use the affected system for other malicious activities. For example, they can add the system to a botnet or use it to mine Bitcoins. > It would be good to know just when was the first time that you had spotted symptoms of the rogue "windowsupdate". > I would highly suggest that you do this next scan. I would suggest a free scan with the ESET Online Scanner. This will be another check for viruses, other malware, adwares, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on Full scan Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else. When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”. Click The blue “Save scan log” to save the log. If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom). Press Continue when all done. You should click to off the offer for “periodic scanning”. Please make sure you attach the log report. Link to post Share on other sites More sharing options...
curvykaptain Posted November 12, 2021 Author ID:1488025 Share Posted November 12, 2021 Thank you Maurice. The scan took long but it was worth it because 2 trojans were detected. I assume they are to be deleted after the scan? ESET Scan Log.txt Link to post Share on other sites More sharing options...
curvykaptain Posted November 12, 2021 Author ID:1488045 Share Posted November 12, 2021 Also when the scan was taking place (about a quarter in), I was trying to compare how much memory Microsoft edge consumes compared to Chrome, and I found this. There's somehow a Microsoft Edge tab that says MicrosoftUpdate.exe -> SysWOW64. That was scary... what was that? I didn't even open that many tabs earlier... it was literally the Edge home page. Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 12, 2021 ID:1488080 Share Posted November 12, 2021 Regarding the Edge tabs: You should be able, while in Task Manager, to use the mouse, do a single click to select the "WindowsUpdate.exe" line. Then do a RIGHT-click with the mouse pointer, and drill thru the Properties information. Hopefully to find some detail about it, such as location / path. Jot down that info and relay it to me. You can also do a right-click and select "End Task". You can do that on the rest of the EDGE lines. Possibly switch to using just Firefox for the rest of this case's duration till I signal the all clear. Please do this special search. There is the FRST64.exe tool on the Downloads folder. We will use that to do a search. Find & then start FRST64 Type the following ( better yet, use COPY then Paste) into the search box exactly as shown then press the Search Files button SearchAll: windowsupdate Please wait while the program searches for all entries relating to this , when done a search.txt log will be saved to the desktop. Please attach this log to your next reply. Remember, we will be doing much more follow-ups after this. Persistence & patience are key. Link to post Share on other sites More sharing options...
curvykaptain Posted November 13, 2021 Author ID:1488125 Share Posted November 13, 2021 The tab has already disappeared when I opened up Edge this morning. I suspect the ESET scan had already deleted it yesterday. Search.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 13, 2021 ID:1488130 Share Posted November 13, 2021 Hello Chris. Thanks. Most all of what is reported by the search is normal. Except for 1 single entry ( although inert & of no potential threat) in the registry to "windows protect\windowsupdate.exe" in the 'compatability' section. That we will remove in the script that follows. Please first Delete the prior file named Fixlist.txt on the Downloads folder. We will use FRST64.exe on Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for curvykaptain only / for this machine only. This custom script has some specific things, plus some general aspect to help the system overall. NOTE-1: This will delete 1 reference to "windows protect\windowsupdate.exe" It will also delete the Cache in the EDGE browser. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. This run should be rather quick. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt Start the Windows Explorer and then, to the Downloads folder RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity Please know this will do a Windows Restart. For the record, all contenet of the folder C:\Program Files (x86)\Windows Protect, and its sub-folders, and the folder itself were removed by the first Fix run. That included yhe 2 EXE files bundled by the trojan. Link to post Share on other sites More sharing options...
curvykaptain Posted November 13, 2021 Author ID:1488138 Share Posted November 13, 2021 Here you go. Thanks a lot for everything up to this point. Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 13, 2021 ID:1488183 Share Posted November 13, 2021 Hi Chris. Thanks. THat is a very good run. That removed the last reference of "windowsupdate.exe". The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Look on Scan Options & select FULL scan. Then start the scan. Have lots of patience. It may take several hours. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Let me know the result of this. This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.) The log is named MSERT.log the log will be at Windows\debug\msert.log Please attach that log with your reply. Link to post Share on other sites More sharing options...
curvykaptain Posted November 15, 2021 Author ID:1488380 Share Posted November 15, 2021 Sorry for the late reply, was busy the whole day, thanks for waiting! Here you go. Also, did the logs ever mention anything about when / how the trojan intruded my device? That would serve as valuable information because I didn't recall downloading anything that could've turned out to be malicious. msert.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 15, 2021 ID:1488453 Share Posted November 15, 2021 Quote did the logs ever mention anything about when / how the trojan intruded my device? It is hard to tell. However, as to the malicious ( fake) "windowsupdate/protect" that may have been November 8. This last scan with the MS Safety Scanner found Threat Detected: Trojan:Win32/Ramnit.C and Removed! Threat Detected: Trojan:Win32/Ramnit.C and Removed! We will do some additional scans to keep checking this system. Starting with a new scan with Malwarebytes for Windows. Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes. Next, the Malwarebytes scan. Then click the Security tab. Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue-color . Next, click the small x on the Settings line to go to the main Malwarebytes Window. Next click the blue button marked Scan. When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical. >>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected). <<<< 💢 Please double verify you have that TOP check-box tick marked. and that then, all lines have a tick-mark Then click on Quarantine button. Then, locate the Scan run report; export out a copy; & then attach in with your reply.See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4 😉 Link to post Share on other sites More sharing options...
curvykaptain Posted November 16, 2021 Author ID:1488530 Share Posted November 16, 2021 Here you go! Also for the next 1 week I won't be available to scan my device because I am leaving out of town and will not be carrying it with me. If there are any more subsequent scans, I will follow your instructions and notify you on around 25rd of November. Thanks for everything and see you later! malwareybytesreport.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 16, 2021 ID:1488645 Share Posted November 16, 2021 Hello. Thanks regarding the heads-up about your upcoming trip. The Malwarebytes for Windows scan found & removed PUP.Optional.WinYahoo, PUP.Optional.SearchManager, PUP.Optional.WinYahoo.TskLnk. Now then, recall that the Microsoft Safety Scanner had reported "Ramnit" infection. Here is how Malwarebytes describes Ramnit Ramnit is a versatile family that holds viruses, worms, and Trojans. They are capable of infecting EXE, DLL, and HTML files on an affected system. Your system would be safer in the long term, and for your peace of mind, to backup your personal files & documents, and then do a new clean install of Windows and then rebuild / re-install your applications. Let me know about this. I would relay to you how to go about that. In any event, I would like you to do this other special one-time scan with Sophos. This is a different special tool to check your pc for viruses, trojans & other malware. Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours... Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Attach the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs Let me know what Sophos reports Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 21, 2021 ID:1489360 Share Posted November 21, 2021 Hello. I hope you are doing well. Is there a status update ? Are you needing other help ? Please advise. Link to post Share on other sites More sharing options...
curvykaptain Posted November 24, 2021 Author ID:1489730 Share Posted November 24, 2021 Hello Maurice, thank you very much for your latest response and follow up attempt. I have just returned from my vacation. However I think further scanning would be done in a few days and not necessarily right now because I have some errands to run at the moment using my device. I will absolutely get back to you once I have finished all my tasks. Once again, thank you! 1 Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 24, 2021 ID:1489760 Share Posted November 24, 2021 Good to hear from you. I was simply thinking you could, at the appropriate point, start that run, insuring it got underway, on some evening, and then simply let it run overnight. Once it is started, you would not need to monitor it whilst it was working, All the best to you. Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 6, 2021 ID:1491638 Share Posted December 6, 2021 Hello. I hope you are doing well. It has been a good while since I last heard from you. Is there a status update ? Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 17, 2021 ID:1493377 Share Posted December 17, 2021 Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread. Tips to help protect from infection Thanks Link to post Share on other sites More sharing options...
curvykaptain Posted February 26, 2022 Author ID:1504555 Share Posted February 26, 2022 This thread is a continuation of the thread posted above. TLDR my device was infected with several viruses which I have successfully eliminated thanks to Maurice Naggar's help. However, I failed to follow through the next steps needed and the thread had been closed off as a result. As per Maurice's last advice, I have downloaded Sophos and ran a scan with it (a quick one, to my surprise) and the file has been attached along with this post. For good measure, Windows Defender didn't show anything off with my device, and another FRST scan's log has been attached as well. FRST.txt Addition.txt SophosScanAndClean_20220224_1533.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted February 26, 2022 ID:1504584 Share Posted February 26, 2022 Hello Chris. It has been a very very long time since last November. Sophos has, since we last heard from you, changed their tool to a "scan and clean" quick tool. This run of their tool has only flagged 4 cookies. Nothing else. Looking back on your original thread, I said this back on Novemer 16 Now then, recall that the Microsoft Safety Scanner had reported "Ramnit" infection. Here is how Malwarebytes describes Ramnit Ramnit is a versatile family that holds viruses, worms, and Trojans. They are capable of infecting EXE, DLL, and HTML files on an affected system. Your system would be safer in the long term, and for your peace of mind, to backup your personal files & documents, and then do a new clean install of Windows and then rebuild / re-install your applications. Let me know about this. Link to post Share on other sites More sharing options...
Recommended Posts