
Help - Windows Update Services - clanksellagored.exe?


spudboy


So my firewall started asking for in/out access for clanksellagored.exe, which is listed as being 'Windows Update Services'. So I look in the services menu and there is indeed a service with that name that I have never noticed before, along with the 'Windows Update' service that has always been there. So I did a Google, Yahoo, and DuckDuckGo search for clanksellagored.exe and there are no results whatsoever for it. I then looked closer at the service description and it says 'Updates critical windows services and programs'. It was set to Automatic, has no dependencies, and nothing else depends on it. Windows Update also works perfectly fine with 'Windows Update Services'/clanksellagored.exe set to disabled and stopped.

So my questions are where did this service come from? What exactly is it doing & why is it needed in addition to the normal 'Windows Update' service? Did everyone with Windows 8.1 have this service added in a recent Windows Update?

I scanned the exe at VirusTotal as well & it found zero results. The other odd thing(s) about it: the file properties for it say File Version: 0.0.0.0, Original Filename: Prototype.exe, and say nothing at all about Microsoft in any of the fields.

Any ideas?

Ballistic Gelatin

Sounds like adware or malware masquerading as a component of Windows Update Service. This is a common tactic.

Back up the file, delete it from its original location, then check to see if it is still running in Services. It shouldn't be. Failing that, back up the registry, then search for the same file name to see if there are instances of it there.

FWIW, I searched my own system and found no instance of this file.



unknownasphyxiated

google on how to delete a service

better scan your pc with a different scanner than your current av

KVRT/ESET/mbam




It got a 0/55 on VirusTotal. Here's the scan info:

https://www.virustotal.com/ro/file/c00c2994bd35749c3702791050e81cae691f3aa98b5d9cada9e53875896507a3/analysis/1411447013/

Myself and one other person marked it as suspicious. Strange that nothing detects it as being bad. I also forgot to mention the location of the file. It was residing in C:\Windows\SysWOW64 along with clanksellagored.bin. The latter of which also has a copy in C:\Windows\System32. I first noticed it asking for in/out permission after installing several updates from Windows Update earlier today. Those of you that have checked your Windows 8.1 system for the file(s)... can you try running Windows Update to see if there's any updates for you that may be installing it?

For now I'm going to rename it and move it to a different location then delete the service.



unknownasphyxiated


probably it is a malware-downloader, that's why no av detects it, because it doesn't do anything except download malware

if you don't know when the file got into your pc, you might already have been infected

that's why i suggest you run a full scan with another av

no microsoft file comes without a signature, especially from WU

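The checks discussed in this thread (file version fields, signer, and which binary a service actually runs), as an added example that is not part of any post: a read-only PowerShell audit that lists every service whose backing binary lacks a valid Microsoft signature. The helper name `Get-ServiceBinaryPath` is made up for this example; third-party services will appear in the output with their own signer and can be ruled out from there.

```powershell
# Added example: list services whose backing binary is not validly signed by Microsoft.
# Run from an elevated PowerShell prompt. Read-only: it changes nothing on the system.

function Get-ServiceBinaryPath {   # hypothetical helper name
    param([string]$Name, [string]$PathName)
    # svchost-hosted services keep their real code in a ServiceDll registry value
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
    # Otherwise take the executable from PathName: quoted, or up to the first ".exe"
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $PathName
}

Get-CimInstance Win32_Service | ForEach-Object {
    $path = Get-ServiceBinaryPath -Name $_.Name -PathName $_.PathName
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $ver = (Get-Item -LiteralPath $path).VersionInfo
    $isMicrosoft = $sig.Status -eq 'Valid' -and
                   $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation'

    if (-not $isMicrosoft) {
        # Report the same fields the thread looks at: version info, signer, location, hash
        [pscustomobject]@{
            Service      = $_.Name
            DisplayName  = $_.DisplayName
            StartMode    = $_.StartMode
            Path         = $path
            SigStatus    = $sig.Status
            Signer       = $sig.SignerCertificate.Subject
            Company      = $ver.CompanyName
            FileVersion  = $ver.FileVersion
            OriginalName = $ver.OriginalFilename
            SHA256       = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
} | Sort-Object Path | Format-List
```

On older Windows and PowerShell versions, files signed only through a security catalog can report `NotSigned`, so confirm any hit with a second tool such as Sysinternals sigcheck before acting on it.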



I'll run a full scan with Avira (which is what I use) and also with Mbam & the Kaspersky tool. Another thing I noticed is that the scanned file name changed in the VirusTotal results to tineslullfully.exe. I'm midway through the process of deleting all associated registry entries with all filenames and will then do the full scans.

Edit: Nothing found with MBAM or KVRT. Avira full scan won't be done for a while but since the other two found nothing I expect the same. No idea how I got this since I don't install random/mysterious/questionable software. If I look in Add/Remove going back to the beginning of the month there's not anything out of the ordinary. Just stuff like WinRar, Auslogics Disc Defrag, Firefox 32, CCleaner, and a few other very common apps. The three registry entries I found were in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\clanksellagored_RASAPI32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\clanksellagored_RASMANCS

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Update

I guess I can consider this fixed since no scans detect a single thing and I have removed the files, reg entries, and service. I would still like to know how/where it came from though, as was stated... I don't install questionable software on my PC.



unknownasphyxiated

> I'll run a full scan with Avira (which is what I use) and also with Mbam & the Kaspersky tool. Another thing I noticed is that the scanned file name changed in the VirusTotal results to tineslullfully.exe. I'm midway through the process of deleting all associated registry entries with all filenames and will then do the full scans.

same hash, i guess.. plus you might choose to view the report only, not redo VT scan



Just run Malwarebytes and the program may delete it if it is malware.

If you aren't certain just stop the program from running and delete it.




Did you read the prior posts? :P




And did you find a proper solution dude?




Did you read the prior posts? :P




Guess not :-)



Take ownership and delete the file. If that pops up again, then you are infected.



Get into your startup options and then Task Scheduler and also Services to see if it is rooted into one or more of those 3 areas - disabling all instances would make it a cinch to break-off the fangs of the infection.

Personally on my systems, I would not even bother - would prefer to rather resort to a full system-wide restore (I love virgins.)



Archived

This topic is now archived and is closed to further replies.
