bizzybody Posted January 4, 2011

XP Pro SP3. Can't access Windows Update or Microsoft Update, apparently due to wuauclt.exe being replaced by some trojan or other malware.

It has Avast 5 on it, it's been fully scanned with that, latest Malware Bytes and Spybot S&D and Avira and AVG offline CDs. Comes up 100% clean on everything I've tried. Same story with yanking the power cord then booting with an offline scan CD, still 100% "clean". That usually works to kill critical parts of stealth malware, stopping it from launching and hiding so the rest can be cleaned after a normal boot.

I also tried booting with a CD and replacing the wuauclt.exe with a known good copy from another PC. Soon as I tried going to the Microsoft Update site it started the wuauclt.exe error popup again. Apparently the malware replaced the executable again but Windows' security functions aren't allowing the trojan to access the net.

System File Checker finds nothing wrong. The latest Windows Update Agent refuses to install because it's already installed. Is there a way to force it to reinstall?

Stopping the automatic updates service from a command prompt stops the error popup. Restarting the service gets the popup going again. Looks like this malware successfully masquerades as a valid service, until it tries to access the net.

I do not want to have to wipe and reinstall just to kill one stinking malware process.

Tripredacus Posted January 5, 2011

I would be interested to know what this pop-up says...

Richhs Posted February 3, 2011

Sounds like a rootkit.

Try Hitman Pro 3, I've had success with repairing Windows Update using this app.

Here's the link: http://www.surfright.nl/en

Tarun Posted February 9, 2011

Run a scan using the tools in my Anti-Malware Toolkit.

bizzybody (Author) Posted February 10, 2011

I couldn't come up with any utility that could find where the malware replacing the wuauclt.exe file was hiding, so I wiped it and did a clean install. The box was only used for some older games so not a big deal but it is irritating that whichever a-hole created whatever the malware on it was is so bleeping good at causing trouble.

RJARRRPCGP Posted February 20, 2011

I just encountered malware on my sister's laptop not long ago. It has Vista 64-bit. When I let it load, then I can't use new applications, because I get a pop-up saying that (filename) cannot be executed (for every .exe file I try to run).

Does this sound familiar?

And if I open Task Manager early, I can kill the malware process. The process name looked suspicious, had random characters. Then System Restore worked and I was able to get it restored to a date in 2010.

Edited February 20, 2011 by RJARRRPCGP

Tripredacus Posted February 22, 2011

> Does this sound familiar?

Yes, wrapper worms are very old. Lucky you got past it. I first encountered one when I worked in college. It was possible to remove the virus but then nothing worked anymore!

Glenn9999 Posted February 22, 2011

This is in reference to the Windows Update Automatic Update client. I would think it might help (in not reinstalling) to download the Windows Update Agent appropriate to what you are working with and run it with /WUFORCE - this would replace the files.

Edited February 22, 2011 by Glenn9999

bizzybody (Author) Posted February 23, 2011

> This is in reference to the Windows Update Automatic Update client. I would think it might help (in not reinstalling) to download the Windows Update Agent appropriate to what you are working with and run it with /WUFORCE - this would replace the files.

Yeah, I tried that but as soon as I went online the malware replaced wuauclt.exe and the error message popped up again.

Is there some sort of watchdog app that can be set to guard a file and report what process tries to run/replace/alter the file?