{"id":31386,"date":"2022-12-30T09:30:20","date_gmt":"2022-12-30T04:00:20","guid":{"rendered":"http:\/\/198.58.113.91\/blog\/?p=31386"},"modified":"2023-08-27T15:55:01","modified_gmt":"2023-08-27T10:25:01","slug":"windows-update-services-deleted-every-restart","status":"publish","type":"post","link":"https:\/\/www.winhelponline.com\/blog\/windows-update-services-deleted-every-restart\/","title":{"rendered":"Windows Update services are deleted at every restart"},"content":{"rendered":"

After you restore the missing Windows Update, BITS, or the Update Orchestrator Service services using registry files, you find that the services vanish again after a restart. They don’t appear in the Services MMC.<\/p>\n

\"windows<\/p>\n

Cause<\/h2>\n

This issue happens if your computer is infected<\/strong>. Malware running as a service or scheduled task is deleting the Windows Update (“wuauserv”), Background Intelligent Transfer Service (“BITS”), Update Orchestrator Service (“UsoSvc”), Delivery Optimization (“DoSvc”), and the Windows Update Medic Service (WaasMedicSvc) services at every restart<\/strong>.<\/p>\n

For example, a trojan named trojan.Siggen18.38683<\/a>, which runs as a scheduled task, deletes all the Windows Update-related services at every startup. This is just an example. There may be similar trojans that do this.<\/p>\n

\n
  • Step 1: Run a Malwarebytes scan<\/a><\/li>\n
  • Step 2: Remove rogue Scheduled Tasks and Services Using Autoruns<\/a><\/li>\n
  • Step 3: Reset Windows Security “Exclusions”<\/a><\/li>\n
  • Step 4: Restore the missing Windows Update Services<\/a><\/li>\n<\/div>\n

    How to Resolve the Problem<\/h2>\n

    <\/a>Step 1: Run a Malwarebytes scan<\/h3>\n

    Download Malwarebytes (https:\/\/www.malwarebytes.com\/<\/code>) , update the definitions, and run a full scan.<\/p>\n

    \"malwarebytes<\/p>\n

    Editor’s note:<\/strong> In a recent case, the trojan “Trojan.Siggen18.38683” seems to have somehow evaded<\/strong> the detection engines of Malwarebytes and Microsoft Defender Antivirus, even though 41 Antivirus vendors<\/a> (including Malwarebytes and Microsoft) flagged it as malicious. You can read about it in this Microsoft Answers thread<\/a>.<\/em><\/p>\n

    \n

    <\/a>Step 2: Remove rogue Scheduled Tasks and Services Using Autoruns<\/h3>\n

    After eliminating malware from the computer, download the Autoruns<\/a> utility from Microsoft, and run the program as administrator.<\/p>\n

    Inspect the Autoruns output thoroughly. In a recent case, we found that the trojan created a fake scheduled task named “GoogleUpdateTaskMachineGNC<\/code>” or “UpdateTaskMachineQC<\/code>” that ran one of the following files at every startup.<\/p>\n

    C:\\Program Files\\Google\\Chrome\\updater.exe<\/pre>\n
    %ProgramFiles%\\Google\\Chrome\\updaterchr.exe<\/pre>\n
    \"windows<\/p>\n
    It’s an unsigned\/unverified file. Always be suspicious of the “(Not Verified)” entries in Autoruns; Autoruns highlights unverified items in pink. However, it doesn’t<\/strong> mean that the verified entries don’t require scrutiny. Every entry needs to be checked.<\/p>\n
    \"windows<\/p>\n
    \n
    \"tipsWhen in doubt, upload the module to VirusTotal to see if it’s malware. Or use Autoruns’s built-in option to upload the file hash to VirusTotal. Select the suspicious item in the list, click the “Entry” menu, and click “Check VirusTotal.” [Ref: Autoruns | Microsoft Press Store<\/a>]<\/p>\n
    \"autoruns<\/p>\n<\/div>\n
    Note that the file updaterchr.exe<\/code> is malware. It hides inside the “Google\\Chrome” directory to confuse the user.<\/p>\n
    After searching the web for the file name and task name, I came across the Dr.Web article<\/a>. As you can see, the trojan deletes all the services related to Windows Update.<\/p>\n
    See the VirusTotal report for the file(s).<\/p>\n