How to Fix: Remove Update_Windows.exe / Update.exe Virus (100% CPU Usage)

By Dennis Faas

Infopackets Reader Mike B. writes:

" Dear Dennis,

I run a Windows Server 2003 box that has been fine until two days ago. Now, my CPU usage is 100% with multiple 'Update_Windows.exe' processes running. I've deleted the Update_Windows.exe tasks in Task Manager, but it keeps propagating. I did a virus scan, but it did not find anything; Malwarebytes antimalware also is not reporting anything. Prior to the infection, I installed the emergency May 2017 update to avoid the Windows SMB exploit / WannaCry ransomware infection. I understand Windows Server 2003 is no longer supported by Microsoft and I won't be receiving any security updates - however, I run legacy software and have been very reluctant to upgrade to a new box due to not knowing whether or not it will work with newer SQL server software. Can you please help? "

My response:

I asked Mike if he would like me to connect to his server using my remote desktop support service in order to have a closer look, and he agreed.

During the connection, it took almost 10 minutes to get to the desktop - the system was so incredibly slow. When I ran Task Manager, there were four "Update_Windows.exe" processes running, consuming 100% of his CPU. The processes were literally eating the life out of the server, making it impossible to do anything - which is why it also took 10 minutes to log in. I ended all the Update_Windows.exe tasks, only to have them come back again, just as Mike stated.

From experience, I know that "Update_Windows.exe" is not part of the Windows operating system, so I was fairly certain this was a virus of some sort. Since Mike was running Windows Server and not a standard Windows desktop system, there are very few (if any) antivirus / antimalware programs that will work for free without having to fork over money for an expensive subscription. As such, I knew my options were limited and would require command line Kung Fu to get the job done.

How to Fix: Remove Update_Windows.exe / Update.exe Virus (100% CPU Usage)

When a computer is infected with a self-propagating virus, the first thing you'll want to do is locate where the executable(s) are stored on the system. If you can do that, then renaming the .exe and/or clearing out the directory where the .exe(s) are located usually fixes the problem - but you have to act very quickly, otherwise the process will simply spawn itself again. In this case, the only way to achieve this is to write a command line batch script in Notepad, then paste the commands into a command prompt so they are rapidly executed.

On most modern Windows desktops, you can right click a task in Task Manager and select "Open file location", and this will tell you where the task / virus is located. Unfortunately, Windows Server 2003 does not have this as part of its Task Manager options. As such, I had to manually locate the file.

To do so, I opened up a command prompt and attempted to recursively locate the "Update_Windows.exe" file from the root directory of the C drive, but it came back with no results. At this point I knew the file was likely hidden. I did another search with the 'hidden files' attribute, and finally found the process located in C:\Windows\Debug.

From there I attempted to end the Update_Windows.exe tasks using "taskkill" via the command line, then rename the main Update_Windows.exe file immediately. To my surprise, the system reported that it could not find the file when attempting to rename it. I looked at the file attributes for "Update_Windows.exe" and noted it had Hidden and Archive file attributes - so I disabled them, and was able to finally rename the file using the batch script I wrote.

The virus managed to propagate itself once more during the renaming process (yes, it propagated that fast!); I ended the "Update_Windows.exe" task once again and it never came back because the Update_Windows.exe had been renamed to Update_Windows.virus, making it no longer executable (only .exe files can be executed).

Problem solved!

Update 20170627: You also will need to patch the system against SMB exploits or the infection will return. This is exactly what happened only one day after publishing this article (also noted in the comments below - thanks to 'skyhater_9456'). We wrote about the SMB exploit issue two weeks ago - read about it here - includes instructions and link to how to fix it.

Here is the batch script I wrote to mitigate the attack:

REM switch to the drive and folder where the hidden executable was found
C:
cd c:\windows\debug

REM clear the Archive, Read-only, Hidden and System attributes first;
REM rename reports "file not found" while the file is still hidden
attrib -a -r -h -s Update_Windows.exe

REM kill every running instance, then immediately rename the file
REM so the respawn can no longer launch it
taskkill /f /im "Update_Windows.exe"
rename Update_Windows.exe update_windows.virus
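Windows Server 2003 has no "Open file location" in Task Manager, but the same answer is available from the command line. As an added example (not Dennis's script, and not taken from the malware or any vendor), the batch file below first prints where every running instance of a named process is executing from, then searches the drive for hidden copies, and finally performs the kill / strip-attributes / rename sequence described above in one pass so the respawn has no window to win. The process name Update_Windows.exe is the one from this article; the script name disarm.cmd and the argument handling are assumptions.

```batch
@echo off
REM Added example: locate a named process's executable and disarm every copy.
REM Usage: disarm.cmd Update_Windows.exe   (defaults to that name if omitted)
setlocal
set "TARGET=%~1"
if "%TARGET%"=="" set "TARGET=Update_Windows.exe"

REM 1. Where is it running from? wmic is present on Server 2003 and reports the
REM    full executable path of each live instance, which Task Manager here cannot.
echo [*] Running instances of %TARGET%:
wmic process where "name='%TARGET%'" get ProcessId,ExecutablePath

REM 2. Hidden copies on disk, in case nothing is running at this moment.
REM    /s recurses from the root, /b prints bare paths, /a includes hidden+system files.
echo [*] Copies of %TARGET% found on drive C:
dir /s /b /a "C:\%TARGET%" 2>nul

REM 3. Kill all instances, then strip attributes and rename each copy immediately.
REM    Attributes must be cleared first; ren cannot see a hidden/system file.
taskkill /f /im "%TARGET%" >nul 2>&1
for /f "delims=" %%F in ('dir /s /b /a "C:\%TARGET%" 2^>nul') do (
    attrib -a -r -h -s "%%F"
    ren "%%F" "%%~nF.virus"
    echo [+] Disarmed %%F
)

REM 4. Confirm nothing respawned; an empty table means the process is gone.
tasklist /fi "imagename eq %TARGET%"
endlocal
```

Paste the whole file into Notepad and save it as disarm.cmd, then run it from an elevated command prompt; if step 4 still lists the process, something else (a scheduled task or a service, as noted in the comments) is relaunching it and must be stopped first.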

I hope that helps, in case anyone else reading this has the same issue. If my instructions helped you, please feel free to leave a comment below! If not, let's hope this was a learning experience.

PS: for the record, this particular virus was actually a Bitcoin mining hack tool (I uploaded the .exe file to virustotal.com to see what it was). In this case, the virus uses 100% of the host system's CPU as it mines for Bitcoins. The malware writer then gets paid for every Bitcoin mined (computed). On a large scale, having hundreds, thousands, or even hundreds of thousands of infected machines could make this scheme potentially profitable. I suspect the name "Update_Windows.exe" may refer to multiple virus variants, and not just this particular strain. If you are infected with a virus and are unable to get rid of it, you are welcome to contact me for additional support - described next.

Additional 1-on-1 Support: From Dennis

If your system is infected with the "Update_Windows.exe" virus or "Update.exe" virus (or something similar) and you are not able to remove it, I can help using my remote desktop support service. Simply contact me, briefly describing the issue, and I will get back to you as soon as possible.


About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.


Comments

Rusty writes:

I'm so glad to know you're there in case I run into something that baffles me like this. I hope lots of readers are benefiting from your outstanding remote services.

Stuart Berg writes:

Dennis,
Would it have worked to boot into Safe Mode and then delete the offending executable?

Another possibility might have been to boot from a Bart PE disk and then access the hard drive to delete the offending executable. Wouldn't that have worked?
Stu

Dennis Faas writes:

When it's a Windows Server, you don't really want to be shutting down and rebooting the machine at random or you will interrupt people connected to the server. And to answer your question, it would not have been any easier. Killing the process from the command line is the best approach.

CMDD writes:

I have had success using Process Explorer from MS (free) to find, suspend, modify and delete rogue files.

In fact Process Explorer is standard fare on every computer I use or support.

skyhater_9456 writes:

you can remove it using these instructions: https://answers.microsoft.com/en-us/windows/forum/windows_other-performance/server-2003-updatewindowsexe/974869b1-712c-438d-98ea-1dd935d359bc

But you must patch using the three tables here to prevent reinfection from this and the other attacks created by the NSA that were leaked:
https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms

Make plans to move to newer versions of Windows Server. You got lucky they only wanted to use your CPU. They could have easily encrypted your files and held them for ransom.

Dennis Faas writes:

Thanks for the info - you confirmed my suspicions - the user became infected again last night because the system was not yet fully patched from the SMB exploit - which I was about to patch, but his tape backup is taking 20+ hours to complete. We did write an article about the exploit here two weeks ago. Time to upgrade that server - I completely agree!

stuartb_9468 writes:

I noticed that you failed to comment about the service that runs in the background. I didn't have time to analyse this but it will also contribute to the problem. If you open up services.msc and take a look near the alphabetical bottom you can find Windows_Debug that calls the Update.exe file. You should start your removal process by stopping and disabling this service then get rid of the miner's .exe files. Looking at the file debug.bat will also show you who is reaping the rewards of your computers mining efforts. In my case it was skylover@. This may not be true for all the installs out there but it was for me.

I am going to keep an eye open on this server for the next little while to see if it does anything strange.
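The background service stuartb_9468 describes is the piece a defender should deal with before touching the miner binary, otherwise the service simply relaunches it. As an added example (not from the comment above, and not Dennis's script), the batch file below shows the service's real command line, cross-checks for any other service pointing at the same binary, disables the service, and only then kills the process. The service name Windows_Debug, the binary Update.exe and the file C:\Windows\Debug\debug.bat come from the comment; the script name stopsvc.cmd and the argument handling are assumptions, so other names can be passed in.

```batch
@echo off
REM Added example: disable a service that keeps relaunching a known binary.
REM Usage: stopsvc.cmd Windows_Debug Update.exe   (both default to the names from the comment)
setlocal
set "SVC=%~1"
set "BIN=%~2"
if "%SVC%"=="" set "SVC=Windows_Debug"
if "%BIN%"=="" set "BIN=Update.exe"

REM 1. What does the service actually run? BINARY_PATH_NAME is the command line it launches.
sc qc "%SVC%"

REM 2. Cross-check: any service whose path mentions the binary, under whatever name.
REM    %% is a literal percent sign inside a batch file, so this builds like '%Update.exe%'.
echo [*] Services whose PathName contains %BIN%:
wmic service where "PathName like '%%%BIN%%%'" get Name,State,StartMode,PathName

REM 3. Stop the service and keep it from starting again (sc needs the space after start=).
sc stop "%SVC%"
sc config "%SVC%" start= disabled

REM 4. Now the process has nothing to restart it, so kill it.
taskkill /f /im "%BIN%" >nul 2>&1

REM 5. Verify: STATE should read STOPPED and START_TYPE should read DISABLED.
sc query "%SVC%"
sc qc "%SVC%" | findstr /i "START_TYPE"

REM 6. The launcher script, if present, shows where the mining proceeds were being sent;
REM    record it for the incident notes before cleaning the folder.
if exist "C:\Windows\Debug\debug.bat" type "C:\Windows\Debug\debug.bat"
endlocal
```

Once the service is confirmed stopped and disabled and the binary has been renamed, `sc delete "Windows_Debug"` removes the service entry itself; leaving it disabled until then keeps the evidence intact for the SMB-patching and backup work Dennis mentions.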