# Solved: wuauclt.exe running at 99% CPU



## Dave F

Hi,

I have a laptop running Windows 2000.

The other day my daughter used it to visit various web sites to research a homework project. Since then it has become unusable, since 99% of the CPU is being used by wuauclt.exe running from c:\winnt\temp.

I understand that this is the name of the Windows auto-update program, but I believe this should run from c:\winnt\system32. My only version of this program is in the temp folder.

I can't end the process in the Task Manager ("Access is denied"), nor will Kill end it, but Killbox will, after which the laptop is OK until rebooted, at which pointed the .exe is recreated and restarted.

I found and deleted MS_update_0612_KB76062.exe, which I understand is a Trojan, but the problem persists.

My Norton Antivirus has found nothing, and neither has SUPERAntiSpyWare.
HijackThis log is attached (I think!)

Help please, before I lose all my hair!

Dave


----------



## Dave F

Oh, I forgot to mention that I did spot and allow HiJackThis to deal with mjikyied.exe (about which I could find nothing on the web), but it has had no effect on the wuauclt problem.

Do none of you clever people feel like sinking your teeth into this one?

Dave


----------



## Dave F

I noticed that c:\winnt\system32\wsys.dll was created on the same day, so I used Killbox to delete it on reboot.
wuauclt.exe has finally gone away. I'm over the moon!


----------



## cybertech

Hi, Welcome to TSG!!

Posting the log for easier viewing....

Logfile of HijackThis v1.99.1
Scan saved at 19:47:08, on 23/02/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\TEMP\wuauclt.exe
C:\WINNT\Explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Image Helper - {31677ADF-17D9-5516-E17D-3E459D631863} - C:\WINNT\system\bplctw32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg	(sets DirectMusicPath"="c:\\DISCOVER\\music)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ShutDownOnTime] C:\Program Files\ShutDownOnTime\ShutDownOnTime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [mjikyied] C:\WINNT\System32\mjikyied.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Access 2000\Office\OSA9.EXE
O4 - Global Startup: PsiWin 2.3 Verbindungsserver.lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Sametime Meeting Room Client ST25PF1 - http://clients.eden.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://194.129.222.1/qp2.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.crmcommunity.com/CFIDE/classes/CFJava.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab
O16 - DPF: {A4E84B61-1174-4309-87F0-E795A64158CC} (JNILoader Control) - http://clients.eden.com/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://ithds01/viewer/activeXViewer/activexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = stregis.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = stregis.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = stregis.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = stregis.co.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = stregis.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = stregis.co.uk
O20 - AppInit_DLLs: TwgProc.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: HP Web JetAdmin (HPWebJetAdmin) - Hewlett-Packard - C:\Program Files\HP Web JetAdmin\hpwebjetd.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: ServiceBroker - StreamServe, Inc. - C:\Program Files\StreamServe\3.0\Server\ServiceBroker.exe
O23 - Service: StreamServe1 - StreamServe, Inc. - C:\Program Files\StreamServe\3.0\Server\strsvc.exe
O23 - Service: Director Support Program (TWGIPC) - Tivoli Systems, an IBM Company - C:\TivoliWg\Bin\twgipcsv.exe
O23 - Service: Director Remote Control Service (TWGRCAGT) - Unknown owner - C:\TivoliWg\Bin\TWGRMTWC.exe
O23 - Service: WaveLink Network Server (WaveLinkServer) - Point Information Network, Corp. - C:\WaveLinkSuite\WaveLinkStudio\Bin\WLServer.exe
O23 - Service: WaveLink Server Startup Service (WaveLinkStartupSrvc) - Point Information Network, Corp. - C:\WaveLinkSuite\WaveLinkStudio\Bin\WLStartUp.exe


----------



## cybertech

You need to go to Windows Updates and get all service packs and security updates for W2K. This will patch numerous security holes in IE and Windows. As your machine stands now it is wide open to attack from all sorts of nasties.

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*
 
Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button. 
If you use Firefox browser
Click *Firefox* at the top and choose: *Select All* 
Click the *Empty Selected* button. 
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt. 
If you use Opera browser
Click *Opera* at the top and choose: *Select All* 
Click the *Empty Selected* button. 
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt. 
Click *Exit* on the Main menu to close the program. 
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

*Download and install **AVG Anti-Spyware 7.5 AVG ANTI-SPYWARE IS ONLY FOR SYSTEMS RUNNING WIN 2K and XP * 
(_This is Ewdio 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware_) 
1. After download, double click on the file to launch the install process. 
2. Choose a language, click "*OK*" and then click "*Next*". 
3. Read the "_License Agreement_" and click "*I Agree*". 
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "*Next*", then click "*Install*". 
5. After setup completes, click "*Finish*" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray. 
6. The main "*Status*" menu will appear. Select "_Change state_" to inactivate '*Resident Shield*' and '*Automatic Updates*'. 
7. Then right click on AVG Anti-Spyware in the system tray and *uncheck* "*Start with Windows*". 
8. Go to Start > Run and type: *services.msc*
Press *"OK"*. 
Click the "*Extended tab*" and scroll down the list to find *AVG Anti-Spyware guard*. 
When you find the guard service, double-click on it. 
In the Properties Window > General Tab that opens, click the "*Stop*" button. 
From the drop-down menu next to "Startup Type", click on "*Manual*". 
Now click "*Apply*", then "*OK*" and close the Services window.
9. Select the "*Update*" button and click "*Start update*". Wait until you see the "_Update succesfull_ message. If you are having problems with the updater, manually update with the *AVG Anti-Spyware Full database installer* from *here*. Exit AVG Anti-Spyware when done - *DO NOT perform a scan yet*.

*Reboot your computer in* "*SAFE MODE*" using the *F8* method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

*Scan with AVG Anti-Spyware as follows*: 
1. Launch AVG Anti-Spyware, click on the "*Scanner*" button and choose the "*Settings*" tab. 

Under "*How to act?*", click on "*Recommended actions*" and choose "*Quarantine*" to set default action for detected malware. 
Under "*How to Scan?*" check all (default). 
Under "*Possibly unwanted software*" check all (default). 
Under "*What to Scan?*" make sure "*Scan every file*" is selected (default). 
Under "*Reports*" select "*Automatically generate report after every scan*" and UNcheck "*Only if threats were found*".
2. Click the "*Scan*" tab to return to scanning options. 
3. Click "*Complete System Scan*" to start. 
4. When the scan has finished you will be presented with a list of infected objects found. Click "*Apply all actions*" to place the files in Quarantine.

*IMPORTANT!* Do not save the report before you have clicked the *Apply all actions* button. If you do, the log that is created will indicate "*No action taken*", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?

5. Click on "*Save Report*" to view all completed scans. Click on the most recent scan you just performed and select "*Save report as*" - the default file name will be in date/time format as follows: *Report-Scan-20060620-142816.txt*. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\ 
6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this: 
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.


----------

