Remove WindowsUpdate.exe Gaming Trojan - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove WindowsUpdate.exe Gaming Trojan

A new trojan has surfaced, named Infostealer.Predet by Symantec researchers. The trojan modifies registry entries, logs keystrokes directly steals all types of important information from user PCs and even spreads to removable drives. But most importantly the trojan masks itself as WindowsUpdate.exe executable so that it runs on system start up. Users should be extremely careful since this is a very popular gaming malware that also steals Steam and Minecraft credentials as well as email passwords and is also reported to spread via games.

NameInfostealer.Predet
TypeGaming Trojan/Infostealer
Short DescriptionThe trojan’s payload carrying executable resembles Windows Update.
SymptomsThe user may witness the symptoms outlined in the description in this article plus may see some other unexplained activities on the computer.
Distribution MethodVia Steam and Spam mail.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Infostealer.Predet
User ExperienceJoin our forum to discuss Gaming Malware.

trojan

WindowsUpdate.exe Gaming Trojan – How Did I Get It?

One way that this trojan may use to distribute itself is by utilising spam bots on gaming engines such as Steam which is widely used by PC games. The trojan is distributed mainly in Windows 7, Windows Xp and Vista computers.

Steam users may witness unfamiliar users adding them and promising them free game giveaways, as a part of a Black Friday or Christmas promotions. The message may feature a web link to the ‘giveaway’ which is actually the malicious link inserting the payload of the trojan.

Another way this trojan may use is via spam or spoof mails pretending to be from a website the user is registered in. Usually cybercriminals tend to collect user information via cookies or using other methods before actually infecting the computer itself.

Windows Update.exe Gaming Trojan – What Does It Do?

Symantec researchers report that once the trojan has been executed it modifies the following object:

%System%\drivers\etc\hosts

It then creates a registry entry for the process WindowsUpdate.exe which is it`s payload to run every time the computer starts up. The registry key and its value is:

“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = “%AppData%\WindowsUpdate.exe”

This trojan then could try to run as Administrator on the computer.

Once done that, it starts deleting files:

%AppData%:
WindowsUpdate.exe
pid.txt
pidloc.txt
.minecraft\lastlogin
Roaming\jagex_cache\reg\
Roaming\jagex_cache\regPin\PCNAME Pin.jpeg
%Temp%:
SysInfo.txt
PCNAME\_wallet.dat
wallet.dat
screens\screenshotDIGIT.jpeg
EBFile.exe
BFile
External Removable Drive:
\autorun.inf
\Sys.exe

The trojan also has the ability to terminate processes and clear user data. It also can interact with Steam and delete key steam files that may cause the user to log out.

This cyber threat may also delete or stop key system processes and services.

Command interpreter
System configuration
Windows Task Manager
Windows Registry Editor

This infostealer then begins to gather info about the infected system:

Computer name;CPU name;Server name;OS platform;OS version;.NET version;Predator version;Predator services status: keylogger, clipboard-logger, report frequency, stealers;Local date and time;Installed language;Installed AVs;Installed;Firewalls;Internal and External IPs

After doing so, the questionable cyber threat is reported to directly steal vital user information from the computer:

Bitcoin wallet.dat;Email credentials;Browser credentials;Downloader credentials;Internet Downloader ;Manager credentials;Minecraft credentials;Steam credentials;PIN screenshots from RuneScape and EpicBot video games.

Also, symantec report that this trojan has the ability to perform other related tasks to its sole purpose which is to steal data:

Display fake error messages;Log all keystrokes;Download and execute files;Visit websites;Delete cookies from IE and Firefox browsers;Block certain websites;Spread to removable drives

Since the severity of this threat it is highly advisable to take special precautions when some of the symptoms outlined above are seen and to immediately change all of the passwords on your accounts from a safe PC.

Removing WindowsUpdate.exe Gaming Trojan Completely

In order to remove this nasty threat it is important to isolate it first. You can do this by entering in safe mode without networking and scanning your computer with malware removing tool like shown in the step-by-step tutorial below. However the best method of isolating the threat is to boot your computer in a live operating system and then unlock and scan the file-systems with it, however it is a more tech-savvy solution, because you need to select the right OS that has file-unlocking features.

Here is a tutorial on how to boot into a live OS to scan your PC:

https://sensorstechforum.com/forums/malware-removal-questions-and-guides/safe-way-to-scan-your-computer-and-detect-malware/

And here is a more automatic solution via booting in safe mode to remove the WindowsUpdate.exe Trojan:

1. Boot Your PC In Safe Mode to isolate and remove Infostealer.Predet
2. Remove Infostealer.Predet with SpyHunter Anti-Malware Tool
3. Remove Infostealer.Predet with Malwarebytes Anti-Malware.
4. Remove Infostealer.Predet with STOPZilla AntiMalware
5. Back up your data to secure it against infections by Infostealer.Predet in the future
NOTE! Substantial notification about the Infostealer.Predet threat: Manual removal of Infostealer.Predet requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.