Wuauclt.exe mogući virus

Na dva računara (privatnom i službenom) imam isti problem. Po uključivanju se aktivira wuauclt.exe proces i sa njim jedan od scvhost.exe procesa i njihova zajednička potrošnja memorije dostigne 300 MB, a zauzeće procesora 100%. To traje cca 15 - 20min. i zatim se normalizuje. Za to vreme bilo kakav rad je nemoguć.

Prilično sam siguran da wuauclt.exe nije regularan proces za update Windowsa XP (koji mi je uključen automatski), jer kada se uključuje automatski update onda se javlja separatni proces pod tim imenom.

Tražio sam odgovor na ovo pitanje na netu i sva moguća rešenja (ručno čišćenje, čišćenje registry unosa, AV programi, anty spyware programi...) nisu pomogla. Većina foruma tvrdi da je u pitanju trojanac pod imenom .cult ili nešto slično.

Korisitio sam NOD/ESET, Spybot, AntySpyware i ručna čišćenja ali se ništa nije promenilo (tačnije nije pronađen trojanac za koga na netu tvrde da je krivac).

Može li mi neko pomoći, hvala unapred!

Skini Malwarebytes' Anti-Malware odavde http://download.cnet.com/Malwa...8022_4-10804572.html?tag=mncol , update-uj ga i pokreni iz Safe Mode-a...odradi Full scan, kada zavrsi klikni na Ok, Show Result i Remove Selected, tim redosledom...po zavrsetku skeniranja MBAM ce ti izbaciti log, kopiraj nam ovde...

---

Pogledaj putanju ovog procesa i znaces da li je malware ili nije...

---

Koristio sam progrma koji ste mi preporučili, ali i iz safe mode-a i iz regularnog Win XP-a rezultat je isti: 0 pretnji.
Zaista ne znam sta da radim, svi mogući AV i slični programi su pokazali da ničega nema, a ja sam ubeđen da je u pitanju neki malware

Skini HijackThis 2.0.4 odavde http://free.antivirus.com/hijackthis/ , preimenuj ga u recimo "12345.exe" i pokreni ga sa desktopa obavezno...odaberi "Do a system scan and save a logfile", kada skeniranje bude zavrseno program ce izbaciti log, kopiraj ga ovde...

Da li si proverio putanju procesa? To je vrlo bitno...

---

Evo log-a.
Po njemu putanja do wuauclt.exe je normalna (system32).
Da li se iz log-a može saznati nešto?
Izvinjavam se, ali nikako nisam uspeo da nađem opciju dodavanja fajla, tako da šaljem ceo log inline.

Hvala unapred.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:58:36, on 22.08.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GetRight\GetRight.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Vico Software\Estimator 2008\solid\GSEstimatorDbAdmin.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PRIMAVERA\Binn\sqlservr.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dejan i Vesna\Desktop\12345.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: GetRight.lnk = C:\Program Files\GetRight\GetRight.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GSEstimatorDbAdmin - Vico Software - C:\Program Files\Vico Software\Estimator 2008\solid\GSEstimatorDbAdmin.exe
O23 - Service: Google Update Service (gupdate1c9c293b6b84822) (gupdate1c9c293b6b84822) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8661 bytes

Dao sam ti da odradis ovaj izvestaj iz prostog razloga jer iz njega moze da se vidi ceo startup i da te ne bi mucio da mi pravis screenshot-ove startup kartice...
Sto se tice log-a, totalno je cist...ne vidim ni jedan trag ikakvog malware-a, takodje, sve sto smo do sad odradili dokazuje isto...
Pokusaj ovako...
1.) Start > Run > msconfig > StartUp , ukloni kvacicu u kvadraticu kod wuauclt.exe procesa odnosno, skloni ga sa liste programa koji se pokrecu pri podizanju sistema ukoliko se nalazi na navedenoj kartici...
2.) Desni klik na My Computer, Properties, Automatic Updates, Turn Off Automatic Updates...
Restartuj masinu pa vidi da li je situacija ista, prati Task Manager...

---

Probaj da iskljucis microsoft update a koristi samo windows update!

Probaj sa UnHackMe
Imao sam isti problem, mučio sam se dva dana i uspio sam ga riješiti zahvaljujući ovom programu.
Uglavnom, računar mi sada radi normalno, a wuauclt.exe više se ne pojavljuje u processes.

mora to "dublje" ...

Skini DDS Program na Desktop
http://download.bleepingcomputer.com/sUBs/dds.com

Dvoklikom pokreni dds.scr

Kad zavrsi, DDS ce otvoriti dva loga:
1. DDS.txt
2. Attach.txt

Oba izvestaja sacuvaj na Desktop.
Kopiraj mi DDS.txt

---

wuauclt.exe je regularan windows update proces koji radi sa WSUSom u domenu i kao deo windows update servisa. Moguće da nešto nije u redu sa update-om OSa. Da li je OS ažuran, legalna kopija i na službenom i na kućnom?

Pozdrav,
Denis