
Fixing wuauclt.exe malware problem.

8 replies to this topic

#1
bizzybody

XP Pro SP3. Can't access Windows Update or Microsoft Update, apparently due to wuauclt.exe being replaced by some trojan or other malware.

It has Avast 5 on it, it's been fully scanned with that, latest Malwarebytes and Spybot S&D and Avira and AVG offline CDs. Comes up 100% clean on everything I've tried. Same story with yanking the power cord then booting with an offline scan CD, still 100% "clean". That usually works to kill critical parts of stealth malware, stopping it from launching and hiding so the rest can be cleaned after a normal boot.

I also tried booting with a CD and replacing the wuauclt.exe with a known good copy from another PC. Soon as I tried going to the Microsoft Update site it started the wuauclt.exe error popup again. Apparently the malware replaced the executable again but Windows' security functions aren't allowing the trojan to access the net.

System File Checker finds nothing wrong. The latest Windows Update Agent refuses to install because it's already installed. Is there a way to force it to reinstall?

Stopping the automatic updates service from a command prompt stops the error popup. Restarting the service gets the popup going again. Looks like this malware successfully masquerades as a valid service, until it tries to access the net.

I do not want to have to wipe and reinstall just to kill one stinking malware process.



#2
Tripredacus


I would be interested to know what this pop-up says...

#3
Richhs

Sounds like a rootkit.

Try Hitman Pro 3, I've had success with repairing Windows Update using this app.

Here's the link:

http://www.surfright.nl/en

#4
Tarun

Run a scan using the tools in my Anti-Malware Toolkit.

#5
bizzybody

I couldn't come up with any utility that could find where the malware replacing the wuauclt.exe file was hiding, so I wiped it and did a clean install. The box was only used for some older games so not a big deal but it is irritating that whichever a-hole created whatever the malware on it was is so bleeping good at causing trouble. :P

#6
RJARRRPCGP

I just encountered malware on my sister's laptop not long ago. It has Vista 64-bit. When I let it load, then I can't use new applications, because I get a pop-up saying that (filename) cannot be executed. (for every .exe file I try to run)

Does this sound familiar?

And if I open Task Manager early, I can kill the malware process. The process name looked suspicious, had random characters.

Then System Restore worked and I was able to get it restored to a date in 2010.

Edited by RJARRRPCGP, 20 February 2011 - 04:29 PM.

Asus P5QL Pro, Core 2 Duo E4500, eVGA GeForce 9500 GT with XP Pro x64 Edition -> Works great with Asus P5QL Pro!

#7
Tripredacus


> Does this sound familiar?


Yes, wrapper worms are very old. Lucky you got past it. I first encountered one when I worked in college. It was possible to remove the virus but then nothing worked anymore!

#8
Glenn9999

This is in reference to the Windows Update Automatic Update client. I would think it might help (in not reinstalling) to download the Windows Update Agent appropriate to what you are working with and run it with /WUFORCE - this would replace the files.

Edited by Glenn9999, 22 February 2011 - 10:08 AM.


#9
bizzybody


> This is in reference to the Windows Update Automatic Update client. I would think it might help (in not reinstalling) to download the Windows Update Agent appropriate to what you are working with and run it with /WUFORCE - this would replace the files.


Yeah, I tried that but as soon as I went online the malware replaced wuauclt.exe and the error message popped up again.

Is there some sort of watchdog app that can be set to guard a file and report what process tries to run/replace/alter the file?
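
One way to answer the closing question (which process keeps replacing wuauclt.exe), as an added example that is not part of the thread: with object-access auditing enabled and an audit entry set on the file, Windows logs each access together with the process that made it, and this script picks the modifying accesses out of a Security log exported as XML under one `<Events>` root. It assumes the event 4663 layout of Windows Vista and later (XP SP3 records these audits in an older format); the sample events, timestamps and process paths are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Access-mask bits that alter or replace a file's content, ACL or owner.
WRITE_BITS = {0x2: "WriteData", 0x4: "AppendData", 0x10000: "DELETE",
              0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}

def _event(time, obj, mask, proc):
    """Build one constructed 4663 record (sample data, not from a real log)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4663</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="ObjectName">{obj}</Data>'
            f'<Data Name="AccessMask">{mask}</Data>'
            f'<Data Name="ProcessName">{proc}</Data></EventData></Event>')

WUA = r"C:\Windows\System32\wuauclt.exe"
SAMPLE = "<Events>" + "".join([
    _event("2011-02-22T10:00:01Z", WUA, "0x1", r"C:\Windows\System32\svchost.exe"),
    _event("2011-02-22T10:00:05Z", WUA, "0x10000", r"C:\Users\Public\example-writer.exe"),
    _event("2011-02-22T10:00:06Z", WUA, "0x2", r"C:\Users\Public\example-writer.exe"),
    _event("2011-02-22T10:00:09Z", r"C:\Temp\notes.txt", "0x2", r"C:\Windows\explorer.exe"),
]) + "</Events>"

def writers(xml_text, guarded=r"\wuauclt.exe"):
    """Return (time, process, [rights]) for each modifying access to the guarded file."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if not data.get("ObjectName", "").lower().endswith(guarded.lower()):
            continue
        mask = int(data.get("AccessMask", "0"), 16)
        rights = [name for bit, name in WRITE_BITS.items() if mask & bit]
        if rights:  # plain reads and executes are ignored
            when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
            hits.append((when, data.get("ProcessName", "?"), rights))
    return hits

if __name__ == "__main__":
    for when, proc, rights in writers(SAMPLE):
        print(when, proc, "+".join(rights))
```
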



