Windows 7 malware masquerading as Windows update?

[Alaric]

I tried to restart my computer and got a notification that updates were being configured-except I hadn't downloaded or installed any updates. It hung at 35% on the restart and when it got to the desktop I had core temps in the high 60C/low 70C range, all fans ramped up, etc. TrustedInstaller was using almost half my memory System Idle Process sits at 24k with everything closed. It normally hovers at 98. My router shows some bizarre web traffic, too. Some sites even Google knows nothing about, like rjxxwlaltzmlafp.Home, twukqdwcxytegg.Home, and wlyzatog.Home.

This one caught my eye, too. ctldl.windowsupdate.com
Except Windows update is set to notify, never download or install without permission. And there are no updates installed today according to the Installed Updates link in the WU window. I can post a snip of the weblog if it will help. It's a .csv file and OCF doesn't want to take it.

 

[Blaylock]

It's also my understanding that Microsoft will not be updating Win7 any longer.

Doing a quick Google search looks like I was off by a couple weeks. 1/14/2020 will be that last security update for Win7.

I would venture to guess you picked up a bug.

 

[Alaric]

Nope. I tried system restore and found an automatic restore point from a WU at 7:00 PM yesterday. An update (that I absolutely did not authorize) was installed that supposedly superseded a bunch of previous updates. No new updates were installed according to the Installed Updates list. After a system restore to before the 7:00 PM restore point (made by WU!) I got the below list when I tried it. There are shenanigans afoot.



edit: So either someone wrote some malware that convinces Windows it's a real update, or M$ is up to something. I really wouldn't put it past that worm Nadella to break W7 installs for the big sayonara on the 14th.

 

[Blaylock]

Something is a foot.

 

[Alaric]

 

[trents]

Time for a "reboot".

 

[Blaylock]

GIF of Alaric rebooting with the same issues. "Hmm, looks better now."

 

[Kenrou]

ctldl.windowsupdate.com is legit says Google-Fu, seem to be where WU goes to get Root Certificates since WinVista ? This might help :

https://www.adevis.dk/trusted-roots-and-disallowed-certificates/

https://www.askwoody.com/2016/unidentified-windows-update-process/

The others look hella dodgy... stop downloading dodgy stuffs from dodgy websites

 

[Alaric]

That's the thing, I don't download dodgy stuff. I'd still like to know how/why Winders and/or MS decided to just ignore my update preferences and supersede 25 updates without bothering me with the details-like the entire event. The whole thing smells of malware except malware coders usually get around System Restore pretty early in their careers.

 

[Kenrou]

https://www.computerworld.com/artic...-endpoints-and-force-server-2012-reboots.html

Also, from a 2018 thread:

 

[Alaric]

I'd like to kneecap Satya Nadella. With a moderately sized hammer.

 

[Mandrake4565]

I'd like to kneecap Satya Nadella. With a moderately sized hammer.

Just a moderately sized one?

 

[Alaric]

Well, I'm not a complete psycho. (Several parts are missing... )

Since the System Restore everything has been back to normal. I turned off Windows Update, and if need be I'll deny everything access to it with a .cmp prompt. I think it was actually Microsoft that did it. Turns out even paranoiacs have enemies. LOL

 

[Kenrou]

It's not paranoia when you know for a fact M$ is spying on you [emoji16]

 

[Alaric]

My only consolation there is someone will be bored to tears or so disgusted they have to call in sick. LOL

 

[Mandrake4565]

Al have you seen this?

Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.

The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.

"The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft said.

Could this be what is your issue?

 

[Alaric]

Good thing I'm not running W10 on anything. LOL

I stand corrected. It seems all Winders OS are afflicted.

 

[Mandrake4565]

Yes from my quick glance, it seems and I quote "The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI." Therefore, I assume older generations of Windows as well.

 

[Alaric]

The speed difference between a fresh install and a fully updated OS is astounding. I don't think the government takes malware writers seriously enough. If on US soil they should be hunted down and every member of their bloodline sterilized (With the coder beaten to death, slowly). If they're found to be in a foreign city, nuke the *******.

 

[Mandrake4565]

Tell us how you really feel...

If it's not feeding the Machine $$$$$$ or harming it, it's not relevant enough for them to care.