wauclt.exe in XP

fjf314

Member
I was recently going through my processes, and I came across one called wauclt.exe. I ran it through Process Library, which said that it was a worm. Since I had just updated and run Symantec, I figured that this must not be picking it up, so I searched Google for it to see how I should go about removing it. However, a lot of the hits that I got claimed it was a part of Windows' update system and that it should be there.

Now I'm confused... is this a worm I need to get rid of, or is it supposed to be on my system? If it is a worm, does anyone know what I should do to get rid of it?

Thanks in advance for any help, I really appreciate it.
 
I read what was on that site, downloaded the removal tool, disabled System Restore, rebooted in Safe Mode, and then scanned my computer with the removal tool. It came up empty, though. However, I restarted my computer again normally so I could check out what that site had for the manual removal, and the worm didn't come up in my Processes. Any idea what this means?
 
Sorry for the double post here, but I wanted to bump the thread to the top just because I'm definitely confused now.

Since the first time that I saw it, wauclt.exe has not shown up in my Processes, and I have rebooted numerous times while trying to get rid of it. After the program to remove it from Symantec didn't work, I went through the steps listed for the manual removal of the worm.

I left System Restore disabled since I ran the Symantec program, so I didn't have to worry about that. For Step 2, I again followed the instructions given on the site and found the Windows Hosts file. Four different files resulted from my search. There were two named "hosts" that when opened in Notepad contained only comments and the "127.0.0.1 localhost" line that they were supposed to have. The other files were named "lmhosts". When opened, these files contained only comments, no actual lines.

Next, I had just updated my virus definitions before I discovered the worm, but I checked to see if they could be updated again regardless. Obviously, nothing turned up. I still went back to Safe Mode, though, and ran the Symantec scanner again... and again it turned up nothing after a full system scan.

Finally, I went into the Registry. The instructions provided on the site said to navigate to two keys, being:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

which I did. However, the value it told me to delete in those keys, which is "Automated Windows Updates"="wauclt.exe" did not exist. There was nothing even remotely similar. I had actually run a registry cleaner earlier today just as part of my regular computer maintenance, so the RunServices key was practically empty. This is the first time I had ever actually looked in my Registry, so I thought that maybe some of the values were hidden. I first checked the view menu, where nothing made mention of hidden keys. I then yet again rebooted in Safe Mode to see if that would make any difference, but it didn't.

Does anyone have a clue what's going on with this right now? The one time I saw the file it was eating up a huge amount of resources... my computer started more slowly and the CPU usage was around 50%, where it's normally around 5%. After I ran it through Process Library and saw that it was said to be a worm, I was able to stop it via just doing End Process, and my CPU Usage went back to normal. Since then I haven't seen it again, despite all the times that I've rebooted and checked for it, run scanners, and even looked for its marks in the Hosts file and the Registry. How could it have just disappeared and not even left a trace of itself?

Edit:

Also, the number of Processes I have running at the moment, 44, is what my computer normally runs.
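
The hosts-file and Run-key checks walked through in the post above, as an added example that is not part of the original thread or of any removal tool: it flags hosts entries other than the plain localhost mapping and Run values whose image name is a near-miss of a legitimate Windows binary. The sample hosts text, the `ExampleAV` entry and the short known-good list are constructed assumptions; `wuauclt.exe` is the real Windows Update client name, which the reported `wauclt.exe` differs from by one letter.

```python
import re

# Constructed short list of legitimate Windows image names (assumption);
# wuauclt.exe is the real Windows Update client.
KNOWN_GOOD = ("explorer.exe", "lsass.exe", "services.exe", "svchost.exe", "wuauclt.exe")

# Constructed sample inputs; the second Run value is the one quoted in the post.
SAMPLE_HOSTS = "# sample hosts file\n127.0.0.1 localhost\n127.0.0.1 update.example.com # added\n"
SAMPLE_RUN = {
    "ExampleAV": '"C:\\Program Files\\ExampleAV\\avtray.exe" /startup',
    "Automated Windows Updates": "wauclt.exe",
}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(image):
    """Return the known-good name that `image` nearly matches, else None."""
    name = image.lower()
    if name in KNOWN_GOOD:
        return None
    return next((g for g in KNOWN_GOOD if edit_distance(name, g) <= 2), None)

def audit_hosts(text):
    """Return hosts entries other than the plain localhost mapping."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields != ["127.0.0.1", "localhost"]:
            findings.append((fields[0], fields[1:]))
    return findings

def audit_run_values(values):
    """values maps a Run/RunServices value name to its command line."""
    findings = []
    for value_name, command in values.items():
        m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
        if not m:
            continue
        image = re.split(r"[\\/]", m.group(1) or m.group(2))[-1]
        good = lookalike_of(image)
        if good:
            findings.append((value_name, image, good))
    return findings
```

An unquoted path containing spaces is cut at the first space, so such values need quoting or manual review before being passed in.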
 
Heya,

It's possible that you just had a memory-resident worm, meaning you got infected somehow and it only ran in memory and was unable (or didn't attempt) to write itself to disk.

Go and download autoruns from here. It will list pretty much everything that gets autostarted on boot/login.
The other tool to get would be rootkit revealer from the same guy here.

If your system's been rooted (or you stuck a Sony CD in your drive 🙂) then it's possible that some files and registry keys on your system are hidden from your AV software.

It sounds like you just got something that didn't survive a reboot but you can never be too sure.

Gaidin

Edit: Autoruns can be kind of intimidating. Once it's launched under Options check verify signatures and check to hide Microsoft entries. That will drastically lessen the amount of stuff you see starting up.
 
Thanks for the help. I ran Autoruns and just the usual stuff turned up... nothing that seemed remotely related to the worm. I think I was actually more worried by the fact that it seemed to disappear so suddenly and I had no idea what happened to it. I had actually been thinking that maybe it was somehow blocking things from being seen in my processes, hosts, and registry, but apparently this shuts down that idea. All of my checks and re-checks have turned up nothing, and now this has turned up nothing, as well.

Hopefully you're right and it was just in memory and didn't write anything to disk. Thanks again for the help, guys, I really appreciate it.
 