Author Topic: Updater32.exe  (Read 6930 times)

KenB2014

  • Guest
Updater32.exe
« on: December 18, 2009, 04:25:03 PM »
I am having a problem with dozens of instances of updater32.exe running in task manager after start.

I have researched this and found it to possibly be a Win32 worm; however, the only sign of updater32 that I find is in a hidden folder, C:\Program files\AVAST SECURITY\updater32.exe. Also, there are references to this in the registry. The properties for this file show the description as "Elite". Internal name is "Hijack This".

Is this a valid system file for Avast or is this malware? It appears to be Trend Micro's Hijack This, but I don't think it installs in the program files.

Ken

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Updater32.exe
« Reply #1 on: December 18, 2009, 05:25:11 PM »
It certainly isn't on my system and as far as I'm aware it is nothing to do with avast 4.8.1368, avast's update process is aswUpdSv.exe and uses avast.setup when actually doing the update.

Looks like this is trying very hard to look like a legit application by using the names of popular or known security applications and I doubt it belongs to any of the names mentioned.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page).

If multiple scanners detect this then send the sample to avast:
Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Then:
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.


Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

smarly

  • Guest
Re: Updater32.exe
« Reply #2 on: December 21, 2009, 12:42:31 PM »
Hello,
I do have the same issue. If I delete updater32.exe or remove it in regedit windows run key, it is immediately recreated.
Could you suggest a way to remove this virus ?
Many Thanks.
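
The checks discussed in the posts above (what the Run key starts, whether the file's version details match the product its folder claims, and whether it is signed), as an added example that is not part of the original thread. It is a read-only PowerShell triage that assumes PowerShell 3 or later and looks only at the standard per-machine and per-user Run keys; the output field names are chosen here for illustration.

```powershell
# Added example: read-only triage of Run-key autostart entries. Changes nothing.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($name in $reg.GetValueNames()) {
        $cmd = [string]$reg.GetValue($name)

        # Extract the executable from the command line: a quoted path first,
        # otherwise everything up to the first ".exe".
        if     ($cmd -match '^\s*"([^"]+)"')    { $path = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.exe)\b') { $path = $Matches[1] }
        else                                    { $path = $cmd.Trim() }

        # -Force is required to see files that sit inside hidden folders.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName }

        [pscustomobject]@{
            RunKey       = $key
            ValueName    = $name
            Path         = $path
            Exists       = [bool]$file
            FolderHidden = if ($file) {
                [bool]($file.Directory.Attributes -band [IO.FileAttributes]::Hidden)
            }
            # Version resource fields: compare these with the product the
            # folder name claims to belong to.
            Description  = $file.VersionInfo.FileDescription
            InternalName = $file.VersionInfo.InternalName
            Company      = $file.VersionInfo.CompanyName
            Signature    = $sig.Status
            Signer       = $sig.SignerCertificate.Subject
        }
    }
}

# Autostart binaries without a valid signature are the first ones to review.
$report | Where-Object { $_.Signature -ne 'Valid' } | Format-List
```

A status other than Valid, a hidden parent folder, or version details naming a different product than the folder does are reasons to look closer at an entry, not a verdict on it.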

Offline DavidR

Re: Updater32.exe
« Reply #3 on: December 21, 2009, 04:22:04 PM »
Have you done all the things suggested in my previous reply as that is a good start point ?

smarly

  • Guest
Re: Updater32.exe
« Reply #4 on: December 21, 2009, 07:07:31 PM »
Yes, I did use the MalwareBytes Anti-Malware software and it did remove the file updater32.exe.
Now I still have some issues: the firewall crashes after a few minutes and I can not restart it easily (I have to fix the register, restart windows, ...).
I suspect this to be a consequence of another part of the worm/virus.
I don't know what I can do to fix this...
Thanks.
Stan

Offline DavidR

Re: Updater32.exe
« Reply #5 on: December 21, 2009, 07:44:45 PM »
Please do as suggested and post the MBAM log as this may give further information.

Did you upload the file to VT before running MBAM, as the results of that scan would also tell us what other AVs detect it and what they are calling it. That is why we give an order to the suggestions.

Have you run SAS yet ?

What is your firewall ?

smarly

  • Guest
Re: Updater32.exe
« Reply #6 on: December 22, 2009, 10:32:44 AM »
Hi David,
many thanks for your assistance. I have tried to upload the first file to VT. There is no virus detected:
http://www.virustotal.com/fr/analisis/ce742789661ce33a52c929771cca0b2457ffd9fd84072ee4e9716daa4246de24-1261237230
I call the first file the file that I have received and executed and that has installed the other ones (updater32.exe...). I have attached the MBAM log and I will try "SAS".
Thanks.
Stan

Offline DavidR

Re: Updater32.exe
« Reply #7 on: December 22, 2009, 05:09:04 PM »
You have uploaded a file to VT that wasn't previously mentioned, Shazzow32.exe (see ~~~ below), what I was hoping for was you to upload the file we were talking about in this topic, updater32.exe and see what other detections are revealed.

Now that MBAM has removed the updater32.exe and some other files and bad registry keys (detections appear to be good), is updater32.exe still being recreated (after a reboot) ?

~~~
I'm not sure what you meant by "I call the first file the file that I have received and executed and that has installed the other ones (updater32.exe...)."

Do you mean this is updater32.exe that you renamed to upload it to VT ?
Or do you mean this is what you think is regenerating the updater32.exe ?

If you believe this is the file creating the updater32.exe, how do you know this ?
As only one detection in VT isn't indicating that and the one detection is heuristic (more prone to false positive) and not by an AV that I have much confidence in.

You could try uploading Shazzow32.exe to this site, http://anubis.iseclab.org/?action=home, which does an in depth analysis of that file. Post the URL of the results page when the analysis is complete.

smarly

  • Guest
Re: Updater32.exe
« Reply #8 on: December 22, 2009, 07:15:58 PM »
Unfortunately, I don't have the file updater32.exe anymore as it has been deleted by MBAM. updater32.exe was not recreated anymore after MBAM detection and removal. I believe that Shazzow32.exe created the updater32.exe as it did not have the expected effect (it did not launch any applications) and my problems started just after executing this file.
I have uploaded it to anubis.iseclab.org; I will post the result once I get it.
In fact, now that I have removed the updater32.exe, I suspect I have registry damage rather than a virus. I have some issues with the taskbar: it turns grey and old-style after a few minutes, and some services also shut down after a few minutes (automatic update, firewall...). When these services shut down, process svchost.exe crashes. If I disable the automatic update service, everything is almost OK (except that I can not update windows anymore!).

 

Offline DavidR

Re: Updater32.exe
« Reply #9 on: December 22, 2009, 07:37:15 PM »
After you run SAS and have reported the findings (excluding cookies) there is a Repair tab; this lists a number of common problems associated with malware damage. I have had a quick look at it but don't see anything directly related to the problems you mention.