Hi all,
after researching processes running in my Task Manager I came across this
process:
wuauclt.exe - This is used by the automatic update tool in Windows ME to
check the Windows Update site every so often to see if any updates need to be
installed.

It also said: The original wuauclt.exe from Microsoft is located at
C:\WINDOWS\System32\wuauclt.exe. If you find it anywhere else
then you should be suspicious for sure.
So I did a file search on my c:\ and found 4 files. Here they are:

WUAUCLT, in, c:\1386, 137kb, application, date modified 8/29/2002

WUAUCLT.exe-1360D60A, in, c:\WINDOWS\prefetch, 25kb, pf file, date modified
9/15/2005

wuauclt, in, c:\WINDOWS\SYSTEM32, 122kb, application, date modified 5/26/2005

wuauclt, in, c:\WINDOWS\servicepackfiles\i386, 109kb, application, date
modified 8/4/2004.

Could one of these be a virus/trojan? If so, how do I determine which one?

I also have 5 svchost.exe using 51,000k between them, this can't be right,
surely! I have scanned with AVG, Spybot S&D and Ad-Aware (all updated) and
found nothing. Please help, thank you. Lee. XP SP2

Re: Suspicious processes!!!! by PA

PA
Thu Sep 15 21:42:13 CDT 2005

Assuming you started off with WinXP "Gold" and later installed SP1 & SP2 and
AVG is fully updated (there were 2 updates today BTW) and finds nothing
amiss, you should be fine.

It's not that unusual to see five instances of svchost running.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/archive/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/

When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or http://aumha.net/viewforum.php?f=30
for expert analysis, not here.**


--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security



Re: Suspicious processes!!!! by Steven

Steven
Thu Sep 15 22:56:18 CDT 2005

It is not unusual to see multiple instances of system files in the places
you mention, and they certainly can be different versions, possibly replaced
by a trip to Windows Updates. If in doubt, use your virus scanner to check
them, assuming of course that you have the latest definitions installed, and
check to see if the file is digitally signed in its properties, which would
indicate that it is the real deal for sure.

It is normal to see several instances of svchost.exe running. SysInternals
has a free tool called Process Explorer that will show you a lot of detail
about a process, including what services are running as a specific instance
of svchost.exe, the publisher name, and whether the executable for the
process is digitally signed. Not being digitally signed does not mean that a
file is bad or bogus, however. Be suspicious of any process that maps to an
executable that does not display a publisher name, as the malware I have seen
in Process Explorer did not show a publisher name.

http://www.sysinternals.com/Utilities/ProcessExplorer.html -- Process
Explorer




Re: Suspicious processes!!!! by Frank

Frank
Fri Sep 16 09:13:19 CDT 2005


One of your problems about WUAUCLT is that your Windows Explorer has the
default setting of hiding known extensions. The one in \I386 is WUAUCLT.DL_
and is the original compressed distribution copy. The one in \prefetch is
something like WUAUCLT.EXE-399A8E72.pf and contains information to help
Windows load it faster. The one in \System32 is the wuauclt.exe that
Windows is actually using. The one in \servicepackfiles\i386 is
wuauclt.ex_ and is the compressed copy of the one actually being used.

I imagine that is about as clear as mud.

It is normal to have several copies of svchost.exe running. I have six
right now. It is the Generic Host Process for Win32 Services. Whatever
that means.

--
Frank Saunders, MS-MVP OE
Please respond in Newsgroup. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com/security/protect/
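
The checks suggested in the replies above (real extension, location, digital signature, and which services each svchost.exe hosts), as an added example that is not part of any poster's message. It assumes PowerShell 3.0 or later on a current Windows install, run from an elevated prompt so image paths of system processes are readable.

```powershell
# Added example. Part 1: list every wuauclt* file with its real extension,
# since Explorer hides known extensions by default.
$expected = Join-Path $env:SystemRoot 'System32\wuauclt.exe'

$files = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'wuauclt*' `
             -Recurse -File -Force -ErrorAction SilentlyContinue

$files | ForEach-Object {
    # Only real executables carry a signature worth checking; .pf prefetch
    # data and compressed .ex_/.dl_ distribution copies do not.
    $sig = if ($_.Extension -ieq '.exe') {
        Get-AuthenticodeSignature -LiteralPath $_.FullName
    }
    [pscustomobject]@{
        Path           = $_.FullName
        Extension      = $_.Extension
        SizeKB         = [math]::Round($_.Length / 1KB)
        Modified       = $_.LastWriteTime
        IsExpectedPath = ($_.FullName -ieq $expected)
        Signature      = if ($sig) { $sig.Status } else { 'n/a (not an .exe)' }
        Signer         = if ($sig -and $sig.SignerCertificate) {
                             $sig.SignerCertificate.Subject
                         } else { '' }
    }
} | Format-List

# Part 2: map each running svchost.exe instance to the services it hosts
# and to the image path it was started from.
Get-CimInstance Win32_Service -Filter "State='Running'" |
    Where-Object { $_.PathName -match 'svchost\.exe' } |
    Group-Object ProcessId |
    ForEach-Object {
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId=$($_.Name)"
        [pscustomobject]@{
            ProcessId  = [int]$_.Name
            ImagePath  = $proc.ExecutablePath   # empty if not elevated
            WorkingKB  = [math]::Round($proc.WorkingSetSize / 1KB)
            Services   = ($_.Group.Name | Sort-Object) -join ', '
        }
    } | Sort-Object ProcessId | Format-Table -AutoSize -Wrap
```

A status other than `Valid` on an .exe is a reason to look closer rather than a verdict, and an svchost.exe whose image path is not under the Windows system directory deserves the same attention.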




Re: Suspicious processes!!!! by RobLee

RobLee
Fri Sep 16 18:29:15 CDT 2005



Thank you all, my mind is at rest. Keep up the good work. :)