Video.UI.exe and Microsoft.Photos.exe not signed and 1 virus found in VirusTotal


psaez84, Jan 8, 2018
Hi, I'm using Windows 10 Pro 64 bit and Process Explorer with "verify image signatures" and "check virustotal" options.

I can see two processes that are not signed and have one virus alert each:

C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17122.15711.0_x64__8wekyb3d8bbwe\Video.UI.exe
C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe

These are the virustotal reports:

https://www.virustotal.com/es/file/59222d540c8cd9906ba2b295967a36c06ff70d4d15169e2ba743a57f5912a0be/analysis/
https://www.virustotal.com/es/file/6af5faacdc12caf29b3e23fc5b0b60d0c5b61e796f700b431810fe141019ef86/analysis/

Please, can you tell me if they are a virus or safe? Why are they not signed if they are from Microsoft? Why are they giving one virus alert on VirusTotal?

If you use Windows 10 Pro 64 bit, please, can you install Process Explorer and check if you also detect those problems?

Windows Defender doesn't detect any virus.

Thank you
 
Solution
Process Explorer isn't an anti-malware tool. Not all software is signed and some software is signed by suspicious sources which can lead to false positives. If you suspect something is malware, I recommend you perform a malware scan using another program such as Malwarebytes if Windows Defender doesn't report any malware.

1. Boot into safe mode using "advanced startup options", select safe mode with networking
2. Inside safe mode, download Malwarebytes, install it, hit scan (it will update before scanning)
3. Let it scan all volumes.
4. If it doesn't detect anything, you are fine. If it does, remove the malware and delete your system restore points as well.
Malware can't hide as easily in safe mode, and if you do have malware, it can also interfere with Windows Defender/MSE. I've seen malware actually disable Windows Defender or delete all its signatures, rendering it functioning yet useless.
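A defender-side way to answer the original poster's two questions (is the file signed, and is the local file really the one VirusTotal scanned) is to check the file-level Authenticode status, the package-level signature of the Store app it belongs to, and the SHA-256 of the file on disk. The script below is an added example, not code from the thread; it assumes an elevated Windows PowerShell 5.1 session on Windows 10, and the paths, package names and version strings are the ones quoted in the first post, so they will differ on another machine. The expected hashes are taken from the VirusTotal URLs in the post.

```powershell
# Added example (not from the thread): verify the two binaries the original poster asked about.
# Assumptions: elevated Windows PowerShell 5.1 on Windows 10; paths and package versions are the
# ones quoted in the post and will differ on another machine.

$checks = @(
    @{ Path           = 'C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17122.15711.0_x64__8wekyb3d8bbwe\Video.UI.exe'
       Package        = 'Microsoft.ZuneVideo'
       # SHA-256 taken from the VirusTotal URL in the post
       ExpectedSha256 = '59222d540c8cd9906ba2b295967a36c06ff70d4d15169e2ba743a57f5912a0be' },
    @{ Path           = 'C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2017.39101.16720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe'
       Package        = 'Microsoft.Windows.Photos'
       ExpectedSha256 = '6af5faacdc12caf29b3e23fc5b0b60d0c5b61e796f700b431810fe141019ef86' }
)

foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        Write-Warning "Not found or not readable (version differs, app not installed, or not elevated): $($c.Path)"
        continue
    }

    # 1. File-level Authenticode/catalog verification: the same kind of check Process Explorer performs.
    $sig = Get-AuthenticodeSignature -FilePath $c.Path

    # 2. Package-level signature. Store and inbox apps are signed as a whole package
    #    (AppxSignature.p7x), so a single EXE inside WindowsApps can report NotSigned at the
    #    file level while the package it ships in is still trusted by the OS.
    $pkg = Get-AppxPackage -Name $c.Package -AllUsers |
           Sort-Object Version -Descending | Select-Object -First 1

    # 3. Confirm the bytes on disk are the bytes VirusTotal actually scanned.
    $hash = (Get-FileHash -LiteralPath $c.Path -Algorithm SHA256).Hash.ToLower()

    [pscustomobject]@{
        File           = Split-Path -Leaf $c.Path
        FileSigStatus  = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        PackageSigKind = if ($pkg) { $pkg.SignatureKind } else { '<package not found>' }
        PackageStatus  = if ($pkg) { $pkg.Status } else { '<package not found>' }
        HashMatchesVT  = ($hash -eq $c.ExpectedSha256)
        Sha256         = $hash
    }
}
```

Read the three columns together: a `FileSigStatus` of `NotSigned` combined with a `PackageSigKind` of `Store` or `System` and `PackageStatus` of `Ok` means the package signature, not a per-file signature, is what the OS trusts. If `HashMatchesVT` is false, the VirusTotal report is about a different build than the one on disk and says nothing about the local file.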
 
Solution
I found this thread after searching for video.ui.exe (aka the Movies & TV app) & Microsoft.Photos.exe (aka the Photos app) and I am including this to confirm that I have been experiencing something malware-related going on with both of them and a few other Microsoft apps, noted below.

In the last month, malware uploaded over 2 TB of data via SSL from one of my computers, primarily during nighttime hours. After the first TB (which triggered data usage warnings from Comcast and, eventually, fees) and not being able to determine the exact cause, I did a clean install on that machine with freshly created Windows 10 media using Microsoft's Media Creation Tool. I then did minimal installation and waited to see if it continued. I have an Office 365 subscription and also downloaded the latest installer directly from Microsoft and you'll see soon enough why I am mentioning this. After a week or so of nothing, the uploads resumed during the night and I didn't catch it initially, hence the other lost TB. This was with Windows Defender running and Windows Firewall on. It was at this point that I found the excellent application Glasswire and it was able to determine several source(s) of the uploads, with 3 being related to Office 365 and 2 being entrenched Windows apps (which were also the biggest data users). Glasswire has a feature to inspect with Virustotal and of the 5 apps, it only found 1/68 in the video.ui.exe file.

Solution: Blocking the following 5 apps in Windows Firewall immediately solved the issue.
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\OsfInstaller.exe
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.18041.14611.0_x64__8wekyb3d8bbwe\Video.UI.exe
C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.18041.14611.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
There seems to be some rather clever malware that piggybacks off of Microsoft files, especially the two that are in the deeply "buried" system folder WindowsApps. Because I don't use/like the Movies & TV app, I booted into Parted Magic and changed the file extension on the Video.UI.exe file, just to cover possible future issues.

A few other things:

  • I have a Synology RT2600ac router that has current firmware and it is not on the list of routers possibly infected with malware currently out in the media.
  • I reported this issue in detail to Microsoft; hopefully, they will do something with it.
  • I am a fairly savvy user and was not using any hacks, keygens or anything else that would explain how the malware got there (which makes it extra perplexing).
  • After all of this, I did start using this router's traffic reporting features, so hopefully between that info and Glasswire, I hope to avoid the issue again.
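Before blocking anything, it is worth reproducing on the command line the two things the poster above got from Glasswire: which processes currently hold outbound connections, and whether those binaries are signed. The script below is an added example, not code from the thread; it assumes an elevated Windows PowerShell 5.1 session on Windows 10, uses the five paths exactly as quoted in the post above (the Photos path is reproduced as written there), and only previews the firewall rules with `-WhatIf` unless you pass `-Enforce`.

```powershell
# Added example (not from the thread): map live outbound TCP connections to the owning
# executable and its signature status, then optionally create the outbound block rules the
# poster used. Assumptions: elevated Windows PowerShell 5.1 on Windows 10. Rule creation is a
# dry run (-WhatIf) unless the script is invoked with -Enforce.
param([switch]$Enforce)

# --- 1. Who is talking out right now? ---
$procs = @{}
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
    ForEach-Object {
        $p = $_.OwningProcess
        if (-not $procs.ContainsKey($p)) {
            $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
            $path = if ($proc -and $proc.Path) { $proc.Path } else { '<protected or exited>' }
            # Same file-level check Process Explorer performs; 'n/a' when the path is unreadable.
            $sigStatus = if (Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) {
                (Get-AuthenticodeSignature -FilePath $path).Status
            } else { 'n/a' }
            $procs[$p] = [pscustomobject]@{ PID = $p; Path = $path; Signature = $sigStatus; Remotes = @() }
        }
        $procs[$p].Remotes += "$($_.RemoteAddress):$($_.RemotePort)"
    }

$procs.Values | Sort-Object Path |
    Format-Table PID, Signature, Path, @{ n = 'Remotes'; e = { $_.Remotes -join ', ' } } -AutoSize

# --- 2. Outbound block rules for the five paths quoted in the post ---
# Note: the first three are Office Click-to-Run components; blocking them also stops Office
# from receiving updates, so the rules should be temporary if you use them at all.
$block = @(
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe',
    'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe',
    'C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\OsfInstaller.exe',
    'C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.18041.14611.0_x64__8wekyb3d8bbwe\Video.UI.exe',
    'C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.18041.14611.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe'
)

foreach ($exe in $block) {
    $name = "Thread block: $(Split-Path -Leaf $exe)"
    # Idempotent: skip paths that already have a rule with this display name.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
                        -Action Block -Profile Any -WhatIf:(-not $Enforce)
}
```

Run it once without arguments to see the connection table and a `What if:` line per rule; run it again with `-Enforce` only after the table has confirmed which binaries are actually the ones sending, and remove the rules with `Remove-NetFirewallRule -DisplayName 'Thread block: *'` once the investigation is over.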
 