What is WindowsUpdate TSS?
The Malwarebytes research team has determined that WindowsUpdate TSS is a Tech Support Scam. These so-called "Tech Support Scammers" try to trick you into calling their phone number for various reasons, all of which turn out to be fraudulent in the end.
How do I know if my computer is affected by WindowsUpdate TSS?
You may see these warnings during install:
How did WindowsUpdate TSS get on my computer?
Tech Support Scammers use different methods for distributing themselves. This particular one was offered as a fake Windows Update, but it only installs files that will produce a fake Windows Activation screen with the Tech Support Scammers' number.
How do I remove WindowsUpdate TSS?
Our program Malwarebytes Anti-Malware can detect and remove this potentially unwanted application, but due to the nature of the infection it takes some extra steps.
- If you click on the example picture of the product key, a few options will appear:
- Click on the CMD button to open a Command Prompt.
- In the Command Prompt type taskmgr and hit Enter to open the Task Manager.
- Select the process called fatalerror(.exe) and click on End Process.
- Then type explorer in the Command prompt and hit Enter to open a file explorer window.
- From there you can navigate around and follow the instructions below.
- Please download Malwarebytes Anti-Malware to your desktop.
- Double-click mbam-setup-{version}.exe and follow the prompts to install the program.
- At the end, be sure a check-mark is placed next to: Launch Malwarebytes Anti-Malware
- Then click Finish.
- Once the program has loaded, select Scan Now. Or select the Threat Scan from the Scan menu.
- If an update is available, it will be implemented before the rest of the scanning procedure.
- When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
- Restart your computer when prompted to do so.
Enter that in the form and click on the ENTER button and you see this:
Unfortunately clicking finish stops fatalerror.exe but it does not trigger explorer, so you will have to reboot or use Ctrl-Alt-Del to fire up the Task Manager.
Is there anything else I need to do to get rid of WindowsUpdate TSS?
- No, Malwarebytes' Anti-Malware removes WindowsUpdate TSS completely.
We hope our application and this guide have helped you eradicate this hijacker.
As you can see below, the full version of Malwarebytes Anti-Malware would have protected you against the Tech Support Scam.
Technical details for experts
You may see these entries in FRST logs:
HKCU\...\Run: [L] => C:\Program Files (x86)\WindowsUpdate\fatalerror.exe [532480 2016-08-16] ()
HKCU\...\Winlogon: [Shell] C:\Program Files (x86)\WindowsUpdate\fatalerror.exe [532480 2016-08-16] () <==== ATTENTION
C:\Program Files (x86)\WindowsUpdate
Alterations made by the installer:
File system details [View: All details] (Selection)
---------------------------------------------------
Adds the folder C:\Program Files (x86)\WindowsUpdate
Adds the file fatalerror.exe"="8/16/2016 3:51 AM, 532480 bytes, A
Adds the file sr60.bat"="8/16/2016 4:28 AM, 124 bytes, A
Registry details [View: All details] (Selection)
------------------------------------------------
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"L"="REG_SZ", "C:\Program Files (x86)\WindowsUpdate\fatalerror.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="REG_SZ", "C:\Program Files (x86)\WindowsUpdate\fatalerror.exe"
[HKEY_CURRENT_USER\Software\WindowsUpdate\WindowsUpdate]
"Path"="REG_SZ", ""
Malwarebytes Anti-Malware log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/25/2016
Scan Time: 9:27 AM
Logfile: mbamWindowsUpdateTSS.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.25.03
Rootkit Database: v2016.08.15.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: {username}

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 318670
Time Elapsed: 8 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 2
Ransom.TechSupportScam, HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|L, C:\Program Files (x86)\WindowsUpdate\fatalerror.exe, Quarantined, [2027b7981a8070c66cd334a45ba96a96]
Backdoor.Agent.WU, HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|Shell, C:\Program Files (x86)\WindowsUpdate\fatalerror.exe, Quarantined, [202777d8fd9dc96d5fab3093986b39c7]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
Ransom.TechSupportScam, C:\Program Files (x86)\WindowsUpdate\fatalerror.exe, Quarantined, [2027b7981a8070c66cd334a45ba96a96],
Ransom.TechSupportScam, C:\Users\{username}\Desktop\WindowsUpdate_Setup.exe, Quarantined, [6fd8242b6832a78f55e9ab2d2dd7669a],

Physical Sectors: 0
(No malicious items detected)

(end)
As mentioned before the full version of Malwarebytes Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- Dynamically Blocks Malware Sites & Servers
- Malware Execution Prevention
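
The FRST entries under "Technical details for experts" show the same binary registered both as a Run value and as the per-user Winlogon Shell. The following is an added example, not part of the original guide or of any Malwarebytes or FRST tooling: a small triage script that parses lines of that shape and flags a replaced shell together with any autorun of the same file. The regular expression is modelled only on the two lines quoted on this page, and the third sample line (ExampleSync) is constructed for contrast.

```python
import re
from ntpath import basename  # Windows path rules on any host OS

# Shape modelled only on the two FRST lines quoted on this page:
#   HIVE\...\Key: [Value] (=> )path [size date] (company)
ENTRY = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?:=> )?"
    r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)"
)

# Constructed sample: lines 1-2 are the entries from the page, line 3 is a
# made-up benign autorun added for contrast.
SAMPLE = r"""
HKCU\...\Run: [L] => C:\Program Files (x86)\WindowsUpdate\fatalerror.exe [532480 2016-08-16] ()
HKCU\...\Winlogon: [Shell] C:\Program Files (x86)\WindowsUpdate\fatalerror.exe [532480 2016-08-16] () <==== ATTENTION
HKCU\...\Run: [ExampleSync] => C:\Program Files\ExampleSync\sync.exe [104857 2016-01-05] (Example Corp)
"""


def parse(log):
    """Return one dict per line that matches the entry shape above."""
    return [m.groupdict() for m in map(ENTRY.match, log.splitlines()) if m]


def triage(entries):
    """Flag a replaced Winlogon shell and every autorun of the same binary."""
    # The stock shell is explorer.exe; any other Shell value runs in place of
    # the desktop at logon, so Explorer does not start for that user.
    shells = {e["path"].lower() for e in entries
              if e["key"] == "Winlogon" and e["name"].lower() == "shell"
              and basename(e["path"]).lower() != "explorer.exe"}
    findings = []
    for e in entries:
        if e["path"].lower() in shells:
            reason = ("shell replaced" if e["key"] == "Winlogon"
                      else "autorun of shell binary")
            findings.append((reason, f'{e["hive"]}\\{e["key"]}', e["name"], e["path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE)):
        print(" | ".join(finding))
```

Both flagged values have to be removed or restored together: deleting only the Run entry leaves the Shell value pointing at fatalerror.exe.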