Hijack.WindowsUpdate

Hello, all you friendly souls in this forum.

Must acknowledge i have been lurking and learning a lot from most of the extremely knowledgeable users here. Really appreciate the ever-willing spirit of sharing that pervades this space. More power to your collective elbows!

Some clarifications i seek to a recurring problem…

On doing a complete scan in MBAM, i have twice in the last few days been informed that i have two infected objects sitting in the registry both bearing the same ominous name – Hijack.WindowsUpdate.

The following is the saved log file:

Malwarebytes’ Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 3

9/2/2009 1:40:46 PM
mbam-log-2009-09-02 (13-40-46).txt

Scan type: Full Scan (C:|)
Objects scanned: 166868
Time elapsed: 1 hour(s), 0 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

my question is…

Though MBAM reports that the file has been quarantined and deleted successfully, why does it reappear?

Thanks in advance.
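Added example (not part of the original post and not Malwarebytes' own code): a short Python parser for the two "Registry Data Items Infected" entries in the log above. It extracts the service and the Bad/Good ImagePath values and flags any %VARIABLE% in the Bad value that is not in KNOWN_VARS, an assumed allow-list; the entry pattern is inferred from these two lines only.

```python
import re

# The two entries from the log above, copied as they appear on the page.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) → Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) → Quarantined and deleted successfully.
"""

# Assumption: variables a service ImagePath may legitimately reference.
KNOWN_VARS = {"systemroot", "windir", "programfiles", "systemdrive"}

# Entry layout inferred from the two lines above; accepts "→" or "->".
ENTRY = re.compile(
    r"^(?P<key>HK[A-Z_]+\\.+?)\\(?P<value>[^\\]+?) \((?P<detection>[^)]+)\)"
    r" (?:→|->) Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)"
    r" (?:→|->) (?P<action>.+)$"
)
VAR = re.compile(r"%([^%\\]+)%")


def parse_entries(log_text):
    """Return one dict per registry data item found in the log text."""
    matches = (ENTRY.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]


def undefined_vars(path):
    """List %VAR% names in a path that are not in KNOWN_VARS."""
    return [v for v in VAR.findall(path) if v.lower() not in KNOWN_VARS]


def triage(log_text):
    """Summarise each entry: service, odd variables, and whether the
    Bad and Good values differ only in the variable name."""
    report = []
    for e in parse_entries(log_text):
        report.append({
            "service": e["key"].rsplit("\\", 1)[-1],
            "value": e["value"],
            "undefined_vars": undefined_vars(e["bad"]),
            "same_target": VAR.sub("%V%", e["bad"]).lower()
                           == VAR.sub("%V%", e["good"]).lower(),
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Both entries differ from the Good value only in the variable name (%fystemRoot% instead of %SystemRoot%); Windows leaves an undefined variable unexpanded, so the resulting path does not resolve to svchost.exe.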

Welcome greyshade

Do you manually turn off Automatic Updates and BITS Service?

It is unnecessary to do a MBAM Full scan as 99.9% of infections are detected by Quick scan and a Full scan is only necessary when requested by a MBAM specialist.

Thanks for the swift response, as always, YoKenny.

In fact, i have been following your advice to others in this forum for automatic updates:

if not set to automatic, at least select…Download updates, but let me choose when to install them.

Pardon my ignorance… what is the BITS Service?


Welcome to the forums, greyshade. :slight_smile:

Background Intelligent Transfer Service (BITS) is a component of modern Microsoft Windows operating systems that facilitates prioritized, throttled, and asynchronous transfer of files between machines using idle network bandwidth.

See the link below for more information:

http://en.wikipedia.org/wiki/Background_Intelligent_Transfer_Service


Thanks for the link, CharleyO! …very informative.

Background Intelligence Transfer? wow, that sounds like another name for the yeoman service provided by the Avast forum evangelists. :wink:

Ok… now, how would i set this up for optimal use, and where?

Right click on My Computer then go to Manage then Services and Applications then Services then scroll down to Background Intelligent Transfer Service and by default it is set to Manual start and it will start by itself if it is needed.

Do not touch other Services.

Thanks, Yokenny. Did as suggested.

On arriving at the specified Computer Management screen, the ‘Status’ field is blank and the ‘Startup Type’ field is listed as automatic. When i clicked on the ‘Start the Service’ link in the left panel, i get an error message:

Could not start the Background Intelligence Transfer Service service on Local Computer.
Error 2: The system cannot find the file specified.

Had no clue of its existence, nor disappearance without a farewell. :wink:

Did another scan with MBAM this morning, and it spewed up the same fare. (see my first post for the MBAM log).

The two nasties, despite claims to being quarantined and deleted “successfully”, simply continue to resurrect at next boot.

Avast does not detect them using a boot scan, nor does SAS or DrWeB CureIt!

Even tried CCleaner assuming the temp files may be offering them sanctuary. Allowed it a stab at the Registry too. No luck.

Could not start the Background Intelligence Transfer Service service on Local Computer. Error 2: The system cannot find the file specified.

Has the missing file got anything to do with it? Can it be replaced?

I have this same problem on one of my computers.
I ran MalwareBytes and the same 2 files in the Registry file were there. MalwareBytes quarantined and deleted them.
However I am still having a problem running MSUpdates. ???
In Services, Automatic Updates is supposed to start automatically but it won’t and when I start it, it tells me it can not find the specified file. BITS is set to Manual and if I try to start it, the message comes up … can not find specified file.
I don’t know what the file is so I can not copy it from another system.
The computer is Win XP, SP3 on a Dell computer.
TrendMicro did not find this HiJack and it scans every day. I can just imagine how many of my other computers are infected with this virus/worm/malware etc.

Any help would be greatly appreciated!

welcome to the forums, luv2bike2! :slight_smile:

Both of us being in the same boat, as it were, here is some additional info that a Google search came up with.

No solution in sight though, yet… but i guess, knowing the adversary is a start. :frowning:

from: computerworld.com
http://www.computerworld.com/s/article/9019118/Hackers_hijack_Windows_Update_s_downloader
(read the comments too on the site).

from: arstechnica.com:
http://arstechnica.com/business/news/2007/05/symantec-malware-can-hijack-windows-update.ars

and… from a forum user of bleepingcomputer.com
http://www.bleepingcomputer.com/forums/index.php?showtopic=254121&hl=Hijack.WindowsUpdate
might help to keep track if someone helps to solve his problem there.

It appears the problem has surfaced around May, this year, but Microsoft still seems stumped. ???

:slight_smile: Hi :

Perhaps it would be wise to “Search” and/or “Post” on the Malwarebytes
Support Forums at www.malwarebytes.org/forums , particularly their
“General Malwarebytes’ Anti-Malware Forum” about the continual “Quarantined
and deleted successfully” Findings !?

A ‘Search’ at the Malwarebytes forum did not yield anything. Interestingly however, there were cases of other similar ‘Hijack’ exploits… typically Hijack.Task Bar and Hijack.Regedit.

Have signed up there now and will be posting there in the hope of some solution.

Hi all,

Just wanted to report that an MBAM scan done today shows no sign of aforementioned ‘Hijack.WindowsUpdate nasties’ in the logfile generated.

However, have no clue how this slice of good fortune came about (not being a g33k ;)), and am certainly not one to look a gift horse in the mouth. ::slight_smile:

I have done nothing more than what was suggested here, with no encouraging results up to now.

Had been scouring other forums without success, for helpful pointers… and had eventually resigned myself to a ‘wait-until-dinner-is-ready’ type of patience situation… something i have become quite accustomed to.

Like someone said in another topic on this forum…

“computers do seem to have a mind of their own.” or what? How true. :slight_smile:

@luv2bike2

hang in there. hope you too get to see the back of these uninvited guests (pests) through something tried-and-tested, and if all fails… do not discount ‘divine intervention’. :slight_smile:

good luck!

I don’t know if this was posted previously in this topic…

looks silly but it has worked sometimes: the surface you use to place the mouse on - use a plain paper, fold it twice and place on the surface and try.

check if the mouse is working by connecting it to other computer. if it's okay then try connecting different mouse to your computer and see if same thing happens.

??? ‘sublime intervention’ ? :wink:

EDIT:
@nmb,
i presume your reply was meant to be in this topic:

mouse moving on its own…
http://forum.avast.com/index.php?topic=48376.0

oops! how did i post it here ???

So, the only recommendation is to wait? I have exactly the same problem you had.
I have updated Malwarebytes today and still the same when scanning. If you remember you did something that apparently was irrelevant please let me know as that can be the solution. Thank you !

Alas… have nothing else to offer, but hope at this point.

Three ‘all-clear’ MBAM scans since my last post (a week back) keep me blissfully unaware :slight_smile: of what had caused the misery in the first place. Of course, that is no guarantee it won’t strike again, so have started to be more vigilant with my clicks.

I realize this is not much help to you now, but will certainly post if i am able to retrace my steps.

An ongoing search led me to the following article that states this is due to the malicious Trojan Win32/Jowspry present on the system that uses Windows itself to bypass Windows Firewall:

http://www.bestsecuritytips.com/news+article.storyid+232.htm

The article itself is dated May 2007, so it seems this curse has been around for at least two years now.

Unfortunately, there doesn’t seem to be any cure posted.

Will keep trying.

Hang in there, and good luck.

thanks greyshade,
the article recommends running One Live Care. I did it and it says that my computer is clean of viruses and spyware. However I run Malwarebytes and find the same problem. Hijacked Windows.Update, exactly the same problem you had. I can't update Windows and there is a Star Icon next to the clock that says that my Windows is no longer secure. When I try to update Windows it comes up with error # 0x8024D007. There is apparently a solution for this in the link >> http://www.techsupportforum.com/microsoft-support/windows-xp-support/260169-solved-windows-update-error-number-0x8024d007.html However it requires the Windows XP SP2 CDs which I don't have. Do you think that reinstalling Windows will solve my problem? Or better to focus on eliminating these 2 malicious guests?

sorry… i took some time to reply. was thoroughly going through some of the stuff provided by your link.

Do a Google Search for “XP SP2 CDs” (include quotes). Though most of the links there are outdated, it appears MS was offering free SP2 CDs in USA Staples stores in 2004. Wouldn’t hurt to check if there are still some around.

...Do you think that reinstalling Windows will solve my problem? Or better to focus on eliminating these 2 malicious guests?

Being a miracle survivor myself… without the suggested workarounds, am not in a position to say whether reinstalling Windows holds out any promise.

Better to wait and hear from some of the experts on this forum before taking such an unenviable step.

Good luck!