wuauclt.exe in multiple directories

Discussion in 'Trojan Defence Suite' started by richrf, Jul 5, 2004.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I did a file search on my system and located two copies of wuauclt.exe in \WINDOWS\SYSTEM32 and \WINDOWS\SYSTEM32\DLLCACHE and a copy of WUAUCLT.EXE (all caps) in \I386 and a copy of WUAUCLT.EXE-1360D60A.pf in \WINDOWS\Prefetch. Is this a problem or is it O.K.? Thanks for your assistance.

    Rich
     
  2. boomansion

    boomansion Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    6
    When I press CTRL+ALT+DELETE and look under processes, that file shows up. I always end it. What is it?
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi guys, both of you please look in [thread]15913[/thread] about posting your HijackThis log in that forum, as it does not sound good at all!
    Does TDS give any alarms on it in a Full System Scan? (fully updated and all other scanners temporarily closed, including their resident protection)

    Please keep us updated on how it goes, posting the TDS scandump (right-click after scanning on one of the alarms and save to text), which will help the HijackThis experts tremendously too. Promise, if TDS finds any files "possible" or "suspicious", to submit them to submit@diamondcs.com.au before deleting them.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    wuauclt.exe = Windows Update AutoUpdate Client

    Regards,

    CrazyM
     
  5. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    As there is also a trojan with similar naming, does it show up in the registry at: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.clt.html
    http://www.sophos.com/virusinfo/analyses/trojcultb.html

    Regards,

    CrazyM
     
    Last edited: Jul 5, 2004
  6. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi CrazyM,

    No, it doesn't show up when I run regedit and check that registry file.

    Thanks for helping. Any other comments or suggestions will be greatly appreciated.


    Rich
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Jooske,

    I ran a full TDS-3 scan and everything came up O.K.

    Rich
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The trojan referenced above has been around for a while. If your file was suspect, TDS-3 and your NAV should have picked it up.

    Check the following in regards to Windows File Protection and the other locations you are seeing wuauclt.exe:
    http://support.microsoft.com/default.aspx?scid=kb;[LN];222193

    Regards,

    CrazyM
     
    Last edited: Jul 5, 2004
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I was concerned, sorry for stirring things up, as I remembered the nasty mentioned in several HijackThis logs, and with several instances of it I thought it very suspicious, most certainly with Boomansion having several other suspicious files too. Glad you dropped in, CrazyM!
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Just edited my post above with a link which may explain what Rich is seeing.

    Regards,

    CrazyM
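
The two checks discussed in this thread (where the copies of wuauclt.exe live, and whether the Run key references the name) can be scripted. This is an added example, not code posted by any participant; it assumes PowerShell 4.0 or later, an elevated prompt, and an I386 folder at the root of the system drive.

```powershell
# Added example; assumes PowerShell 4.0+ (for Get-FileHash) and an elevated prompt.
$name  = 'wuauclt.exe'
$sys32 = Join-Path $env:SystemRoot 'System32'

# Directories the thread accounts for: the live binary, the Windows File
# Protection cache, and the I386 installation source (assumed on the system drive).
$expected = @(
    $sys32
    (Join-Path $sys32 'dllcache')
    "$env:SystemDrive\I386"
)

# Find every copy by exact file name. The Prefetch entry (WUAUCLT.EXE-1360D60A.pf)
# is a launch trace, not an executable, so this filter does not pick it up.
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter $name -File -Recurse -Force -ErrorAction SilentlyContinue

# One row per copy: is the directory one of the expected ones, and what is its hash?
$report = foreach ($f in $copies) {
    [pscustomobject]@{
        Expected = $expected -contains $f.DirectoryName   # case-insensitive match
        Path     = $f.FullName
        Modified = $f.LastWriteTime
        SHA256   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# The registry check asked for in the thread: any value under the machine-wide
# Run key whose name or command line mentions wuauclt.
$runKey = Get-Item -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$hits = foreach ($valueName in $runKey.GetValueNames()) {
    $command = [string]$runKey.GetValue($valueName)
    if ($valueName -match 'wuauclt' -or $command -match 'wuauclt') {
        [pscustomobject]@{ Name = $valueName; Command = $command }
    }
}

$report | Sort-Object Expected, Path | Format-Table -AutoSize -Wrap
if ($hits) { $hits | Format-List } else { 'No Run-key value references wuauclt.' }
```

A row with Expected = False, or any Run-key hit, is a reason to submit the file to a scanner, not a verdict. Copies in the expected directories can differ in hash when the I386 source predates later updates.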
     