MSFN Forum: Fixing wuauclt.exe malware problem. - MSFN Forum

Fixing wuauclt.exe malware problem. What malware is hiding so dang well?

#1 bizzybody

  • Advanced Member
  • Group: Members
  • Posts: 316
  • Joined: 08-May 05

Posted 04 January 2011 - 04:21 AM

XP Pro SP3. Can't access Windows Update or Microsoft Update, apparently due to wuauclt.exe being replaced by some trojan or other malware.

It has Avast 5 on it, it's been fully scanned with that, latest Malwarebytes and Spybot S&D and Avira and AVG offline CDs. Comes up 100% clean on everything I've tried. Same story with yanking the power cord then booting with an offline scan CD, still 100% "clean". That usually works to kill critical parts of stealth malware, stopping it from launching and hiding so the rest can be cleaned after a normal boot.

I also tried booting with a CD and replacing the wuauclt.exe with a known good copy from another PC. Soon as I tried going to the Microsoft Update site it started the wuauclt.exe error popup again. Apparently the malware replaced the executable again but Windows' security functions aren't allowing the trojan to access the net.

System File Checker finds nothing wrong. The latest Windows Update Agent refuses to install because it's already installed. Is there a way to force it to reinstall?

Stopping the automatic updates service from a command prompt stops the error popup. Restarting the service gets the popup going again. Looks like this malware successfully masquerades as a valid service, until it tries to access the net.

I do not want to have to wipe and reinstall just to kill one stinking malware process.


#2 Tripredacus

  • K-Mart-ian Legend
  • Group: Super Moderator
  • Posts: 8,690
  • Joined: 28-April 06
  • OS:Server 2012

Posted 04 January 2011 - 06:49 PM

I would be interested to know what this pop-up says...

#3 Richhs

  • Newbie
  • Group: Members
  • Posts: 25
  • Joined: 22-November 10
  • OS:XP Pro x86

Posted 02 February 2011 - 10:38 PM

Sounds like a rootkit.

Try Hitman Pro 3; I've had success with repairing Windows Update using this app.

Here's the link:

http://www.surfright.nl/en

#4 Tarun

  • Area 5 Investigator
  • Group: Super Moderator
  • Posts: 3,080
  • Joined: 27-January 04
  • OS:Windows 7 x64

Posted 09 February 2011 - 11:03 AM

Run a scan using the tools in my Anti-Malware Toolkit.

#5 bizzybody

  • Advanced Member
  • Group: Members
  • Posts: 316
  • Joined: 08-May 05

Posted 10 February 2011 - 03:26 AM

I couldn't come up with any utility that could find where the malware replacing the wuauclt.exe file was hiding, so I wiped it and did a clean install. The box was only used for some older games so not a big deal but it is irritating that whichever a-hole created whatever the malware on it was is so bleeping good at causing trouble. :P

#6 RJARRRPCGP

  • MSFN Expert
  • Group: Members
  • Posts: 1,166
  • Joined: 13-April 05
  • OS:XP Pro x64

Posted 20 February 2011 - 04:29 PM

I just encountered malware on my sister's laptop not long ago. It has Vista 64-bit. When I let it load, then I can't use new applications, because I get a pop-up saying that (filename) cannot be executed. (for every .exe file I try to run)

Does this sound familiar?

And if I open Task Manager early, I can kill the malware process. The process name looked suspicious, had random characters.

Then System Restore worked and I was able to get it restored to a date in 2010.

This post has been edited by RJARRRPCGP: 20 February 2011 - 04:29 PM


#7 Tripredacus

  • K-Mart-ian Legend
  • Group: Super Moderator
  • Posts: 8,690
  • Joined: 28-April 06
  • OS:Server 2012

Posted 22 February 2011 - 09:30 AM

RJARRRPCGP, on 20 February 2011 - 04:29 PM, said:

Does this sound familiar?


Yes, wrapper worms are very old. Lucky you got past it. I first encountered one when I worked in college. It was possible to remove the virus but then nothing worked anymore!

#8 Glenn9999

  • Senior Member
  • Group: Members
  • Posts: 628
  • Joined: 23-April 07

Posted 22 February 2011 - 10:07 AM

This is in reference to the Windows Update Automatic Update client. I would think it might help (in not reinstalling) to download the Windows Update Agent appropriate to what you are working with and run it with /WUFORCE - this would replace the files.

This post has been edited by Glenn9999: 22 February 2011 - 10:08 AM


#9 bizzybody

  • Advanced Member
  • Group: Members
  • Posts: 316
  • Joined: 08-May 05

Posted 22 February 2011 - 11:26 PM

Glenn9999, on 22 February 2011 - 10:07 AM, said:

This is in reference to the Windows Update Automatic Update client. I would think it might help (in not reinstalling) to download the Windows Update Agent appropriate to what you are working with and run it with /WUFORCE - this would replace the files.


Yeah, I tried that but as soon as I went online the malware replaced wuauclt.exe and the error message popped up again.

Is there some sort of watchdog app that can be set to guard a file and report what process tries to run/replace/alter the file?
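
Added example, not part of any post in this thread: Windows object-access auditing can record which process writes to or deletes a guarded file, which is the kind of watchdog asked about above. The sketch assumes Windows Vista or later (not the XP machine in the thread), an elevated Windows PowerShell session, and English audit subcategory names; the function name `Get-FileTamperEvent` is hypothetical.

```powershell
# Added example: audit writes/deletes on one file and list the responsible processes.
# Assumptions: Windows Vista or later, elevated Windows PowerShell (.NET Framework).
param([string]$Path = "$env:SystemRoot\System32\wuauclt.exe")

# Hypothetical helper: read Security event 4663 (object access attempt) for $Path.
function Get-FileTamperEvent {
    param([string]$Path)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['ObjectName'] -ieq $Path) {
                New-Object PSObject -Property @{
                    Time       = $_.TimeCreated
                    Process    = $data['ProcessName']
                    ProcessId  = $data['ProcessId']
                    User       = $data['SubjectUserName']
                    AccessMask = $data['AccessMask']
                }
            }
        }
}

# 1. Enable success auditing for file-system object access.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Load only the audit section (SACL) of the file's security descriptor,
#    add an entry for Everyone (well-known SID S-1-1-0), and write it back.
$sections = [System.Security.AccessControl.AccessControlSections]::Audit
$sd       = New-Object System.Security.AccessControl.FileSecurity($Path, $sections)
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $everyone, $rights, [System.Security.AccessControl.AuditFlags]::Success)
$sd.AddAuditRule($rule)
[System.IO.File]::SetAccessControl($Path, $sd)

# 3. After the file has been tampered with again, list who touched it.
Get-FileTamperEvent -Path $Path |
    Sort-Object Time |
    Format-Table Time, Process, ProcessId, User, AccessMask -AutoSize
```

The audit entry lives on the file object itself, so a delete-and-recreate is logged for the delete but the new file carries no entry; adding the same rule to the containing folder covers re-creation. The approach also relies on the kernel reporting events honestly, which a kernel-mode rootkit can prevent.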
