wuauclt.exe trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by EYJR, May 31, 2008.

  1. EYJR

    EYJR Private E-2

    About two weeks ago while downloading BAM Manager for Boinc an AOL Search program was downloaded as well. I tried removing it and found that I now had two wuauclt.exe processes running. I found out that this process was part of the Windows Automatic Update. When I disabled automatic updates one of the wuauclt.exe processes continued to run and thus found that my computer had been infected. Attached you will find the log file you request on your HijackThis thread. Your help will be greatly appreciated as I am at my wits' end with this problem. Thanks EYJR.
     

  2. EYJR

    EYJR Private E-2

    Response to Read & Run Me First - Malware

    About two weeks ago I downloaded BAM Manager for Boinc and along with it AOL Search was also downloaded. When I started to try and remove AOL I noticed that two wuauclt.exe processes were running. I found out that this process was part of Windows Automatic Update which I disabled. I opened Task Manager and found that one of the wuauclt.exe processes was still running. After searching the Internet I found that this could possibly be a Cult Trojan. I have run my McAfee Antivirus, Stopzilla, and Ad-Aware both in Safe Mode and normal mode but none of them has been able to remove it. McAfee's log shows that it did remove it but the process showed up again. The problems that I am encountering with my computer are: at startup it takes an unusually long time to boot up; when I try to go to a software's web site AOL Search loads, although this seems to have stopped after running your recommended software. Sometimes when on the Internet I've noticed that an effort to redirect my search is made. When I turn off the computer I sometimes get a message that 99 updates are downloading and that Windows will shut down when complete. Also it takes an extremely long time to shut down, sometimes up to 15 to 20 minutes. There are other problems that occur on a very seldom basis which I'm sure are due to the same infection. Your help is greatly appreciated. Thanks EYJR.
     

  3. EYJR

    EYJR Private E-2

    Re: Response to Read & Run Me First - Malware

    Attached is the fourth log you requested. Thanks EYJR.
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If it is this process C:\WINDOWS\system32\wuauclt.exe then it is just the normal Windows Update process which is often seen running more than once. That does not mean that you don't have other infections. It just means this is normal.

    No one requested a HijackThis log.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now I see you started a second thread for the same issue. Please remain in one thread. I will be merging your second thread back to this first thread so things may look a little out of order.
     
  6. EYJR

    EYJR Private E-2

    Yes, I did find this process in C:\Windows\System32 where it should be but I also found it in C:\I386 and in C:\Windows\prefetch. I have also disabled Windows Automatic Updates and thus the process wuauclt.exe should no longer appear in the Task Manager's process list, but it does. Also, after running the recommended programs I checked to see if the process was still running. When I saw that it wasn't I thought that the problem had been fixed. When one of the programs required a restart I checked the Task Manager's process list and there it was again. I've also noticed that when I run McAfee antivirus or Stopzilla and even Ad-Aware the process simply stops and therefore, I believe, the reason why it has not been detected. I'm on the verge of reformatting my hard drive but I really don't want to because some of the software that I have on my computer I no longer have the installation discs for. I hope you can find a solution for me. Thanks for your help.

    EYJR
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All normal places for a copy of the file to exist. But the key is when you see the process running and where it is running from. For you it was C:\Windows\System32 which is okay.

    You have to Stop and Disable the service. However if you stop this service from running you will not be able to get Windows Updates. It is not malware; you don't need to stop it from running.

    Services will always restart themselves if not properly Stopped and Disabled. That is why they are run as services.

    What process stops? The wuauclt.exe process? They are not going to detect it because it is not a problem.

    I am going to give you something to do below but these have nothing to do with Windows Automatic Updates running.



    Uninstall the below software:
    Java(TM) 6 Update 5
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.zestyfind.com/
    O2 - BHO: (no name) - {F8096669-5941-4B71-B136-31DA2930E359} - C:\WINDOWS\System32\aviycap.dll (file missing)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

    After clicking Fix, exit HJT.

    Now reboot your PC.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also the below folders if found.
    C:\Documents and Settings\All Users\Application Data\Viewpoint
    C:\Program Files\Viewpoint
    C:\Program Files\WebSavingsfromEbates

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
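    A defender-side version of the check chaslang describes in posts 4 and 7 (the genuine wuauclt.exe runs from C:\WINDOWS\system32, and more than one instance at a time is normal), added here as an illustration and not part of the original thread. It assumes PowerShell 3 or later on a Windows host (an XP-era machine would not have it) and an elevated prompt so owner lookup succeeds; signature checks on catalog-signed system files need PowerShell 4 / Windows 8 or later.

```powershell
# Added example, not from the thread: list every running wuauclt.exe with the path it
# runs from and the account it runs as, and flag any copy not started from System32.
$expected = Join-Path $env:SystemRoot 'System32\wuauclt.exe'

$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'wuauclt.exe'"
if (-not $procs) { Write-Output 'No wuauclt.exe process is running.'; return }

foreach ($p in $procs) {
    $path  = $p.ExecutablePath
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'unknown' }

    # Path check: the real Windows Update client starts from %SystemRoot%\System32.
    # Copies in C:\I386 or the Prefetch folder are normal on disk; what matters is
    # which file the running process was launched from.
    $pathOk = [bool]$path -and ($path -ieq $expected)

    # Signature check: the real binary is signed by Microsoft. On older builds
    # catalog-signed files report NotSigned, so treat that as inconclusive, not bad.
    $sigOk = $false
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig   = Get-AuthenticodeSignature -FilePath $path
        $sigOk = ($sig.Status -eq 'Valid') -and
                 ($sig.SignerCertificate.Subject -like '*Microsoft*')
    }

    $verdict = if (-not $pathOk) { 'REVIEW: unexpected path' }
               elseif ($sigOk)   { 'expected' }
               else              { 'path ok, signature inconclusive' }

    [PSCustomObject]@{
        PID     = $p.ProcessId
        User    = $user
        Path    = $path
        PathOK  = $pathOk
        SigOK   = $sigOk
        Verdict = $verdict
    }
}

# The service that keeps relaunching the client; Stopped + Disabled is the only
# state in which it will not come back, as the post above explains.
Get-Service -Name wuauserv | Select-Object Name, Status, StartType
```

One instance under SYSTEM and one under the logged-on user, both from System32, is the normal picture the thread ends on; only a row with an unexpected path deserves follow-up.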
     
  8. EYJR

    EYJR Private E-2

    Hi there, I did get a success message on the fixme.reg addition to my registry. I have also attached the MGlogs.zip file as you requested. Thanks for your help. As to how things are going with my computer, the second wuauclt.exe process seems to not be showing up any more; however it is still running much slower than what it used to, plus it is taking an extremely long time to shut down. I am going to try and run the error checking tool which would not run in the past. I would get a message that it could not get full access to some volume file or something like that. Maybe it will work now. Thanks EYJR.
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not due to malware based on your logs which are still clean. I would suspect McAfee or something else that you are running.

    You need to allow it to run at startup.
     
    Last edited: Jun 6, 2008
  10. EYJR

    EYJR Private E-2

    I am running the "My Computer" C: drive error checking tool at startup and I'm still getting a message "unable to access the volume" needed and that check disk is complete. I've run the Windows XP Operating System CD, hit the repair option so that it would re-install itself, but I'm still continuing to have the exact same problems. I've also enabled Windows Automatic Updates again and again I am getting two wuauclt.exe processes. One is showing up under user name System and the other under user name eherrera. I've no idea what else to do. Any other suggestions would be appreciated. Thanks EYJR.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I suggest that you post in the Software Forum as none of this is related to malware.
     
