wuauclt.exe - multiples in task manager


10 replies to this topic

#1 Computerman101

Computerman101

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:49 PM

Posted 29 August 2013 - 10:33 PM

Several strange entries recently in Task Manager. Machine is s-l-o-w but CPU performance is 10%. svchost.exe - currently at 8 copies. winlogon.exe is new. plugin-container.exe - 2 copies (running Firefox). Scanned with Malwarebytes Anti-Malware,

Also running Advance System Care 6 and Avast. Please advise! Mike G.





#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:07:49 AM

Posted 30 August 2013 - 01:17 AM

Hello Computerman101 -

The below contains many of your problems in a brief statement -

> Also running Advance System Care 6 and Avast

Both of these programs are of an AntiVirus nature, while the IObit ASC program also includes a Registry Cleaner, and other programs in a mix.

I will leave specific instructions on the program removal when you reply.

Running 2 Antivirus programs can / will cause slowing and loss of performance -

 

Download Security Check by Screen317 from Here for a few checks -
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

The program is 100% safe, but since you have 2 Antivirus programs, it may request permission to run.

 

Thank You -



#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,070 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:49 PM

Posted 30 August 2013 - 03:48 AM

wuauclt.exe is part of Windows Update, and winlogon.exe is part of the logon process in Windows. If you can, the path of these would be useful (by clicking on Properties and looking at the location).

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#4 Computerman101


Posted 31 August 2013 - 03:15 AM

RESULTS OF SecurityCheck.exe

 Results of screen317's Security Check version 0.99.73  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 37  
 Java™ 6 Update 7  
 Java version out of Date!
 Adobe Flash Player     11.8.800.94  
 Adobe Reader XI  
 Mozilla Firefox (23.0.1)
 Mozilla Thunderbird (17.0.8)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 



#5 Computerman101


Posted 31 August 2013 - 03:23 AM

More strange things in Services window. Example:

DISPLAY NAME, SERVICE NAME, PATH:

Automatic Updates, wuauserv, C:\WINDOWS\system32\svchost.exe -k netsvcs, AUTOMATIC, STARTED
Background Intelligent Transfer Service, BITS, C:\WINDOWS\system32\svchost.exe -k netsvcs, MANUAL, STARTED
COM+ Event System, EventSystem, C:\WINDOWS\system32\svchost.exe -k netsvcs, MANUAL, STARTED

 

What the heck is going on???



#6 Computerman101


Posted 31 August 2013 - 03:38 AM

Searching for executable file now.  Avast or ASC one listed it as "??\c:\windows\system32"

 

WUAUCLY.EXE-399A8E72.pf   C:\Windows\Prefetch                32 kb    8/30/2013
wualclt.exe               C:\Windows\System32                53 KB    6/2/2012
wualclt.exe               C:\Windows\ServicePackFiles\i386   109 KB   4/13/2008
wualclt.exe               C:\Windows\System32\dllcache       53 KB    6/2/2012



That first one should read "WUAUCLT..."



#7 noknojon


Posted 31 August 2013 - 04:29 AM

RE : A.S.C. - Running 2 Antivirus programs can / will cause slowing and loss of performance -
VERY IMPORTANT that you do this and remove this ***** program -
Visit this site, or follow the links provided >> http://singularlabs.com/uninstallers/security-software/
Item #17 IObit > Info > Tool
Note: Cleans left-overs after a normal uninstall

 

 Java™ 6 Update 37  
 Java™ 6 Update 7  Java version out of Date! Version 7 Update 25 is current

Remove all old versions, and do not accept Add-ons with Java as they are not related

 

Note this also - Total Fragmentation on Drive C:: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)
 

Thanks -



#8 xXToffeeXx


Posted 31 August 2013 - 05:32 AM

> More strange things in Services window. Example:
>
> DISPLAY NAME, SERVICE NAME, PATH:
>
> Automatic Updates, wuauserv, C:\WINDOWS\system32\svchost.exe -k netsvcs, AUTOMATIC, STARTED
> Background Intelligent Transfer Service, BITS, C:\WINDOWS\system32\svchost.exe -k netsvcs, MANUAL, STARTED
> COM+ Event System, EventSystem, C:\WINDOWS\system32\svchost.exe -k netsvcs, MANUAL, STARTED
>
> What the heck is going on???

All of them are legitimate Windows services. See each of these links for what these services do - Automatic Updates: http://www.blackviper.com/windows-services/automatic-updates/, Background Intelligent Transfer Service: http://www.blackviper.com/windows-services/background-intelligent-transfer-service/, COM+ Event System: http://www.blackviper.com/windows-services/com-event-system/

I suggest not trying to do anything with them as it will cause more trouble; they are all fine how they are.

 

You might want to have a look at this link as it provides ways on how to improve your computer speed: http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/

 

xXToffeeXx~


 ~Twitter~ | ~Malware Analyst at Emsisoft~


#9 Computerman101


Posted 31 August 2013 - 02:13 PM

OK, so let me repeat this to see if I have learned anything:

 

1: svchost -k netsvcs loads the service called "service name", so the path parameter actually SHOULD be identical on each line. It is not just the same program "netsvcs" being launched into memory.

2: ASC is not just a collection of on-demand tools. It also includes real time virus protection when installed and can and does contend with other anti-virus programs.

 

Thanks, both of you, for your assistance.

 

Mike G.



#10 xXToffeeXx


Posted 31 August 2013 - 02:35 PM

> OK, so let me repeat this to see if I have learned anything:
>
> 1: svchost -k netsvcs loads the service called "service name", so the path parameter actually SHOULD be identical on each line. It is not just the same program "netsvcs" being launched into memory.

Not completely sure what you mean by that, but I think I understand what you are getting at; hopefully this should confirm what you want (it's a bit long-winded, but covers all of what svchost is there for and what it does, in my own words):

Svchost is used to launch .dll files which are part of a service, as they cannot launch themselves, nor can Windows itself. Svchost is Microsoft's answer to that in simple words. The key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST, is where all the services are put into different svchost groups (shown by the switch -k). Netsvcs is one group of services and there are others such as LocalService and DcomLaunch which handle different services. If a service in the -k netsvcs group needs to launch, then it will check to see if the svchost process, "C:\WINDOWS\system32\svchost.exe -k netsvcs", is already running, and if not then it will make that process to handle the netsvcs group. All of the services you listed are part of the netsvcs group and so would be running under the C:\WINDOWS\system32\svchost.exe -k netsvcs path.

 

 

Also please note that Advance System Care 6 contains a registry cleaner. I would suggest not using this part of the program as it can damage the registry if it is used improperly.  This could result in rendering your computer inoperable.  Bleeping Computer does not endorse the use of registry cleaners or optimizers as they generally are not as effective as advertised.

The company that make this program are quite dubious as well and have stolen other anti-virus and anti-malware programs' definitions. Personally I wouldn't use this program, but it is up to you.

 

xXToffeeXx~


 ~Twitter~ | ~Malware Analyst at Emsisoft~
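
The svchost grouping explained in the post above can be checked mechanically: every service whose image path carries `-k <group>` should be hosted by svchost.exe in system32 and should be listed under that group in the Svchost registry key. The following is an added example, not part of the original thread; the group snapshot, the `ExampleSvc*` rows and the assumption that Windows lives in `C:\WINDOWS` are constructed for illustration.

```python
import ntpath
import re

# Constructed snapshot of the Svchost registry key described above
# (group -> member services); a real audit would read the key itself.
SVCHOST_GROUPS = {
    "netsvcs": ["wuauserv", "BITS", "EventSystem"],
    "DcomLaunch": ["DcomLaunch"],
}
GROUPS = {g.lower(): {s.lower() for s in m} for g, m in SVCHOST_GROUPS.items()}
EXPECTED_HOST = r"c:\windows\system32\svchost.exe"  # assumes Windows is in C:\WINDOWS

# Constructed rows (service name, image path); the first three mirror the thread.
SERVICES = [
    ("wuauserv", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("BITS", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("EventSystem", r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
    ("ExampleSvcA", r"C:\WINDOWS\svchost.exe -k netsvcs"),           # wrong folder
    ("ExampleSvcB", r"C:\WINDOWS\system32\svch0st.exe -k netsvcs"),  # look-alike name
    ("ExampleSvcC", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),  # not in the group
    ("ExampleSvcD", r'"C:\Program Files\Example\svc.exe"'),          # own executable
]

def parse_image_path(image_path):
    """Split an image path into (executable, svchost -k group or None)."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?(.*)$', image_path, re.I)
    if not m:
        return image_path.strip(), None
    k = re.search(r"(?:^|\s)-k\s+(\S+)", m.group(2), re.I)
    return m.group(1), k.group(1) if k else None

def check_service(name, image_path):
    """Return findings for one service row; an empty list means consistent."""
    exe, group = parse_image_path(image_path)
    if group is None:
        return []  # not svchost-hosted, so outside this check
    findings = []
    host = ntpath.normpath(exe.lower().replace("%systemroot%", r"c:\windows"))
    if host != EXPECTED_HOST:
        findings.append("host is not system32\\svchost.exe")
    if group.lower() not in GROUPS:
        findings.append("unknown -k group")
    elif name.lower() not in GROUPS[group.lower()]:
        findings.append("service not listed in its -k group")
    return findings

def audit(services):
    """Map each inconsistent service name to its findings."""
    results = {name: check_service(name, path) for name, path in services}
    return {name: f for name, f in results.items() if f}
```

Calling `audit(SERVICES)` leaves the three services from the thread out of the result and reports only the constructed rows whose host path or group membership does not line up.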


#11 noknojon


Posted 31 August 2013 - 06:35 PM

> 2: ASC is not just a collection of on-demand tools. It also includes real time virus protection when installed and can and does contend with other anti-virus programs.

Yes - We often have problems with this program causing conflicts with many other programs.

The company has a shady past (may be a bit better now) but program removal has always been a problem.

 

In China, often these are "state owned" (even if we are not told so) and since I found that out, I refuse to use most of their programs even if they look OK -

The "state" still controls input and output, so they have been known to spy with installed programs. They also placed extras in programs that can remain even after you think it is uninstalled. This is why special tools are designed to remove these programs.

 

xXToffeeXx is giving you the correct details on these other programs.
 

 

Thanks -





