Winupdt.exe causing broadcast storm

Discussion in 'Malware Help (A Specialist Will Reply)' started by cfredenberg, Aug 2, 2004.

  1. cfredenberg

    cfredenberg Private E-2

    Sometime midday our network suddenly decided to stop working very well. Troubleshooting showed that pings to our switches would go through intermittently and generally had high round-trip times. Putting a network analyzer to work showed that we had 17 different machines spitting out large quantities of ARP request broadcasts. We went around and shut down those machines while we tried to figure out what was making them send out so many broadcasts. We then took one of the "problem" PCs off the network to troubleshoot it. Interestingly enough, the broadcasts were no longer happening. However, when we hooked the machine back up to the network and logged in, the broadcasts resumed.

    We finally traced the problem down to an executable running - winupdt.exe. Killing this process killed the broadcasts.

    I searched for this file on the hard drive but was unable to find it!! The only file that came up under the search (I did search system folders and hidden files) was one under the prefetch folder named winupdt.exe.someothercharacters.pf.

    The registry did have 3 entries to execute the file (Run and RunServices under HKEY_LOCAL_MACHINE and Run under HKEY_CURRENT_USER), which we deleted. Once these were deleted the PCs seemed to run normally.

    My questions that remain are...

    1) What is the winupdt.exe program and what does it try to do??

    2) What was the point of it doing broadcasts (it seemed to be picking random IPs in the subnet and ARPing them)?

    3) Why was I not able to find the winupdt.exe program when searching for it?

    Any insight you can offer would be appreciated.
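The triage described in this post (one host per infected machine sending ARP requests for many apparently random addresses in the subnet) as a small per-source detector, added here as an example and not part of the original thread. The capture records, MAC/IP values and thresholds are constructed; tune the thresholds to the segment's normal baseline.

```python
"""Flag hosts whose ARP request rate or target spread looks like a storm/sweep."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRequest:
    ts: float        # seconds since capture start
    src_mac: str
    src_ip: str
    target_ip: str   # the "who-has" address being resolved


# Constructed sample: host ...:01 sweeps the whole /24 in 3 seconds,
# hosts ...:02 and ...:03 resolve a single address each (normal traffic).
SAMPLE = [
    ArpRequest(i / 100, "aa:bb:cc:dd:ee:01", "192.168.1.50",
               f"192.168.1.{(i * 37) % 254 + 1}")
    for i in range(300)
]
SAMPLE += [
    ArpRequest(1.0, "aa:bb:cc:dd:ee:02", "192.168.1.51", "192.168.1.1"),
    ArpRequest(2.5, "aa:bb:cc:dd:ee:02", "192.168.1.51", "192.168.1.1"),
    ArpRequest(2.7, "aa:bb:cc:dd:ee:03", "192.168.1.52", "192.168.1.20"),
]


def arp_storm_sources(records, window_s=1.0, max_per_window=20,
                      max_distinct_targets=30):
    """Return {src_mac: (peak requests in any window, distinct targets)} for
    sources exceeding either threshold (rate = storm, spread = subnet sweep)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src_mac].append(r)
    flagged = {}
    for mac, reqs in by_src.items():
        reqs.sort(key=lambda r: r.ts)
        peak, start = 0, 0
        for end in range(len(reqs)):           # sliding window over timestamps
            while reqs[end].ts - reqs[start].ts > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        targets = {r.target_ip for r in reqs}
        if peak > max_per_window or len(targets) > max_distinct_targets:
            flagged[mac] = (peak, len(targets))
    return flagged


if __name__ == "__main__":
    for mac, (peak, n) in arp_storm_sources(SAMPLE).items():
        print(f"{mac}: peak {peak} ARP requests per window, {n} distinct targets")
```

Feeding the detector from a real capture only requires mapping the tool's ARP-request export onto `ArpRequest`; the distinct-target count is what separates a host resolving one gateway repeatedly from one walking the subnet.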
     
  2. TheLastMessenger

    TheLastMessenger Private E-2

    This sounds like a Trojan pretending to be a Windows Update exe, so you've done well so far. I would attempt to clean your system, find this exe and delete it. Here are the instructions:

    Run an online antivirus check from 3 of the following sites:
    Be sure to put a check in the box by AUTO CLEAN before you do the scan. If it finds anything that it cannot clean, have it delete it or make a note of the file location so you can delete it yourself.
    http://housecall.trendmicro.com/
    http://security.symantec.com/default.asp
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www.anti-trojan.net/en/onlinecheck.aspx
    http://www.windowsecurity.com/trojanscan/
    Make sure autoclean is enabled on the scans

    Get a2 and register this freeware:
    http://www.download.com/3000-2239-10262215.html?part=6251182&subj=dlpage&tag=button

    Disable System Restore:
    http://www.pchell.com/virus/systemrestore.shtml
    If you've got 2000 -- don't worry about System Restore; boot in Safe Mode:
    http://www.cts.duq.edu/content_pages/students/s_virus/s_virus_xprestore.html

    Boot in safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406/

    Disconnect from the internet and physically unplug cable if DSL or Cable.

    Then do this:
    Show Hidden Files and Operating System Files, etc.; follow step by step:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Try running AdAware in safe mode --- Make sure you've already gotten the latest UPDATES (Open, then press the Check for Updates button) and apply the following settings:
    This is where you get Adaware --- http://www.majorgeeks.com/download506.html
    This is a link on how to run it --- http://www.lavahelp.net/howto/fullscan/index.html --- OR You can use the instructions here:
    Click on START -- custom scanning options -- Customize.
    Check the following settings:
    Scan within archives
    Scan active processes
    Scan registry
    Deep scan registry
    Scan my IE Favorites for banned URL
    Scan my host-file
    Click on TWEAK:
    Select -- Scanning Engine
    Check "Unload recognized processes during scanning"
    Check "Include additional Adaware settings in LogFile"
    Select -- Cleaning Engine
    Check "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"
    Then click "proceed" to save your settings.
    Click on Next then SCAN. Everything AdAware finds is safe to delete.

    Now is the time to SEARCH for winupdt.exe file and delete it.

    ENABLE SYSTEM RESTORE

    REBOOT AGAIN, NORMAL MODE not safe mode and HIDE YOUR FILES to where they were previously.

    Reconnect to Internet

    Download Microsoft's Critical Updates and Patches:
    http://v4.windowsupdate.microsoft.com/en/default.asp

    Fix these:
    Removing ActiveX Controls if need be:
    http://support.microsoft.com/default.aspx?kbid=154850

    You have to check your settings and fix your ActiveX Controls:
    http://www.jfitz.com/tips/ie_security_config.html

    If still having problems ATTACH a HJT log:
    Don't put the HJT PROGRAM in Temporary, put it in Programs -- Also be sure you have already gotten the latest Updates/Versions (Open, Config, then MiscTools, and Check for Updates)
    This is where you get HJT --- http://www.majorgeeks.com/download3155.html
    This is the way to post your log:
    http://forums.majorgeeks.com/showthread.php?t=35407
     
    Last edited by a moderator: Aug 4, 2004
  3. TheLastMessenger

    TheLastMessenger Private E-2

    Also run that a2 Trojan finder in safe mode with hidden files showing.
     
  4. cfredenberg

    cfredenberg Private E-2

    Thanks for the responses!

    I do think we have gotten rid of it (even if the file is still there somewhere we killed the registry entries that kicked it off). I would run all the programs suggested but there are licensing/policy issues with running these in a corporate environment.

    I just want to know how we got it, what it was, and what it was trying to do. Also, I am curious why searching for the executable turned up nothing while running winupdt.exe from the run line would still execute the program.

    Thanks!
    Cliff
     
  5. cfredenberg

    cfredenberg Private E-2

    Finally did find it - it was sitting in the windows/system32 folder. However it was marked as hidden and a system file. The users who had it must have had the box checked to hide protected operating system files. I'm guessing that's why when searching, even though I told it to look at hidden and system files, it still didn't turn anything up.

    I still don't know what it was trying to do, why it was causing the broadcast storms, or how it spread.

    Cliff
     
