Non detection of viruses

It's been a long time since Avast has detected a virus on my PC. Is everything fine? I feel that it has not been able to detect the Trojan Cult that exists under the name Wuaclt.exe, which keeps popping up in my Task Manager.

Test your computer with MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.

I suggest also a full computer on-line scanning:
BitDefender
ESET NOD32
F-Secure

For detection-only, not cleaning:
Kaspersky
Trendmicro housecall

How do you know it is a virus?
What detected it?

The Wuaclt.exe file is the Windows Update auto update process for XP. However, a file name can be easily created but in a different location to the legit file (c:\windows\system32\wuaclt.exe). If it only appears now and then, guess what: it is Patch Tuesday, and thereabouts it will appear in the task manager.

If you are identifying this purely by file name then it ‘may’ be associated with a trojan, but that is a big ‘may’ and needs to be confirmed.

Do a search for wuaclt.exe and report the locations where it is found.

Upload any found outside of the system32 folder to VirusTotal at: VirusTotal - Multi engine on-line virus scanner, and report the findings here (the URL in the address bar of the VT results page).

Actually there isn't any file with the name wuaclt.exe on my computer :-\

Then how do you account for its appearance in the task manager?

Unless you made a typo in the file name in your first post.

A search on my system (windows and sub folders) just for WU reveals this file and others associated with windows update.

It kinda appears at start-up and then vanishes :stuck_out_tongue:

My HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:26 AM, on 6/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
E:\Alcohol\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU..\Run: [AlcoholAutomount] "E:\Alcohol\Alcohol 120\axcmd.exe" /automount
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [µTorrent] C:\Program Files\uTorrent\uTorrent.exe
O4 - HKCU..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/49.12/uploader2.cab
O17 - HKLM\System\CCS\Services\Tcpip..{9E5114B0-78E3-41F4-B56A-9EB29F3D9881}: NameServer = 218.248.255.212 218.248.255.139
O17 - HKLM\System\CCS\Services\Tcpip..{9F4868E0-41CE-4468-9607-5721854CE591}: NameServer = 218.248.240.206,218.248.240.135
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Alcohol\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe


End of file - 8400 bytes

The Wuaclt.exe file is the Windows Update auto update process for XP. However, a file name can be easily created but in a different location to the legit file (c:\windows\system32\wuaclt.exe). If it only appears now and then, guess what: it is Patch Tuesday, and thereabouts it will appear in the task manager.

It was a regular on my Online Armor firewall until it became more of a trusted item. Now not so often. Like DavidR says, more important is the location. OA makes that clear to me when it pops up.

Hi Pranay,

Fix this with HJT:
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll Should be fixed.

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll Nasty! Must be fixed! This entry was classified as bad.

You apparently have no active firewall on your OS; the Windows fw is only one-way.

polonus

Vista Firewall has outbound and inbound, don't miss it polonus. It can also protect you from the virus.


@Mr.Agent - Pranay is not using Vista but is using XP. Check the beginning of the HJT log.

The reason Wuaclt.exe appears at start-up and then disappears is that at start-up it is checking for updates. Once the check is completed, it disappears since there is no longer a need for it to run.

http://www.processlibrary.com/directory/files/wuaclt/

On the other hand, there are examples of malware Modifiet Amateur HTPB using this exe for malicious reasons. So, the file you have should be tested at VirusTotal as suggested by David.

http://www.bleepingcomputer.com/startups/wuaclt.exe-23258.html

And, according to the above BleepingComputer link, the malicious use should show up as an O4 entry in a HJT log. There is no such entry in your HJT log. Most likely, Wuaclt.exe on your computer is not malicious, but it should be tested at VirusTotal.

An analysis of your HJT log shows the following problems:

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
BAD entry that should be fixed with HJT.
http://www.spyandseek.com/Search.php?search_for=E312764E-7706-43F1-8DAB-FCDD2B1E416D&search=SAS-Search (first entry on list)

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
Most consider this an unwanted toolbar. This is advertising related, so it is considered adware and may be causing popup windows on your computer.
http://www.what-is-exe.com/filenames/askbar-dll.html

O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
Rated BAD. This should be fixed with HJT.
http://www.file.net/process/searchsettings.dll.html
http://www.spyandseek.com/Search.php?search_for=E312764E-7706-43F1-8DAB-FCDD2B1E416D&search=SAS-Search (fourth entry on list)

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
Most consider this an unwanted toolbar. This is advertising related, so it is considered adware and may be causing popup windows on your computer.
http://www.what-is-exe.com/filenames/askbar-dll.html

Overview of running tasks:

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

ashDisp.exe
Virusscan
Avast AntiVirus

rundll32.exe
System task
Microsoft Rundll32

spoolsv.exe
System task
Microsoft Printer Spooler Service

GrooveMonitor.exe
Backgroundtask
GrooveMonitor Utility

hkcmd.exe
Application
Intel multimedia devices

igfxpers.exe
Driver
Intel Common User Interface Module

RTHDCPL.EXE
Driver
Realtek HD Audio Sound Effect Manager

igfxsrvc.exe
Driver
Intel(R) Common User Interface

ctfmon.exe
System task
Alternative User Input Services

uTorrent.exe
Backgroundtask
µTorrent

IDMan.exe
Backgroundtask
Internet Download Manager

jqs.exe
Backgroundtask
jqs.exe

HPZipm12.exe
Driver
HP Taskbar Utility

StarWindServiceAE.exe
Backgroundtask
StarWindServiceAE.exe

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

ashWebSv.exe
Virusscan
avast! Web Scanner

IEMonitor.exe
Backgroundtask
Internet Download Manager

GoogleUpdate.exe
Backgroundtask
GoogleUpdate.exe

GoogleUpdate.exe
Backgroundtask
Google Updater

explorer.exe
System task
Microsoft Windows Explorer

chrome.exe
Application
Chrome Browser

chrome.exe
Application
Chrome Browser

HijackThis.exe
Application
Merijn Hijackthis
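
The two checks the reviewers applied by hand above, DavidR's "name alone proves nothing, look at the location" test for wuaclt.exe and the CLSID-based BAD/adware ratings in the log analysis, as an added Python example (not code from the thread or from HijackThis). The only CLSIDs, names and paths used are the ones quoted in the posts; the sample log at the bottom is constructed.

```python
import re
from typing import Dict, List

# CLSIDs the thread's reviewers rated BAD or adware (values quoted from the posts).
FLAGGED_CLSIDS = {
    "{E312764E-7706-43F1-8DAB-FCDD2B1E416D}": "SearchSettings Class: rated BAD, fix with HJT",
    "{201F27D4-3704-41D6-89C1-AA35E39143ED}": "AskBar BHO: adware toolbar",
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}": "Ask Toolbar: adware toolbar",
}
# DavidR's point: the legit copy lives in system32. The thread spells it wuaclt.exe;
# the shipped XP file is wuauclt.exe, so both spellings are watched.
WATCHED_NAMES = {"wuaclt.exe", "wuauclt.exe"}
EXPECTED_DIR = r"c:\windows\system32"

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)

def review_hjt_log(log_text: str) -> List[Dict[str, str]]:
    """One finding per line carrying a flagged CLSID or a watched exe name
    that sits outside its expected directory (process list and O4 entries)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = line.split(" ", 1)[0]  # "R3", "O2", "O4", ... or the bare path
        clsid = CLSID_RE.search(line)
        if clsid and clsid.group(0).upper() in FLAGGED_CLSIDS:
            findings.append({"entry": entry, "line": line,
                             "reason": FLAGGED_CLSIDS[clsid.group(0).upper()]})
        path = PATH_RE.search(line)
        if path:
            directory, _, name = path.group(0).lower().rpartition("\\")
            if name in WATCHED_NAMES and directory != EXPECTED_DIR:
                findings.append({"entry": entry, "line": line,
                                 "reason": f"{name} outside {EXPECTED_DIR}: submit to VirusTotal"})
    return findings

# Constructed sample: four lines copied from Pranay's log, plus a process line at the
# legit location and a made-up O4 entry that mimics the impersonation DavidR described.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\wuaclt.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [wuaclt] "C:\Documents and Settings\Administrator\Application Data\wuaclt.exe"
"""

if __name__ == "__main__":
    print(*review_hjt_log(SAMPLE_LOG), sep="\n")
```

Run against the sample it reports the R3 and O3 lines for their CLSIDs and the O4 line for its location, and stays quiet on the legit system32 process and the IDM helper.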


I did realise it :slight_smile:

Sorry.

Hmmm, I have the Win XP firewall enabled though.

(1.) You are using the windows firewall or a hardware firewall.

Default firewall. Not generally regarded as adequate defence.

Other firewalls are pretty complex and involve a hell of a lot of pop-ups.

Yes I know. Totally agree :slight_smile:

But if you’re in for the long term.


Without a proper 2-way firewall (inbound and outbound protection), you will continue to have problems.

But, it is your computer … protect it or lose it … and your choice.


Yeah, I downloaded Outpost Firewall 2009. Heard a lot of good things about it so I felt the need to check it out :wink:

Not necessarily, it entirely depends on your choice of firewall and the settings you choose within that firewall. The Outpost Firewall doesn't generate that many pop-ups, as you can choose what level of blocking, etc. and this has an impact on the number of pop-ups.

One thing is for sure: not having outbound protection means any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Isn’t Avast a sort of a firewall considering that it effectively blocks almost all the network attacks? I know it cannot monitor all outbound connections but still…