wuaudt.exe

Status
Not open for further replies.

Nicklous

New Member
Thread author
May 24, 2022
11
Windows 7 suddenly running through molasses. Internet speed inconsistent. Researched and investigated and it seems that I may have the wuaudt.exe by TrustedInstaller on my system. Not only have I already run the malware program instructed in the "Read this before posting" section, along with Zemana, Hitman and AVG, and none are identifying malware. Not even my Norton's full system suite of services misses it. When I open Task Manager, I will have 12 individual lines of the same item listed, all with their own different data numbers. Every time I click the suspect and "end processes" it comes back within 10 seconds. I have gone deep into the bowels of my system and can't find the location of the culprit.

Is this thing actually malware or legit?
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
794
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

In order to give you sound advice I need more information.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file:
In the Reply section at the bottom of the topic, click Attach Files.
Navigate to the location of the File.
Click the file. It will appear in the reply section.
Click the Post Reply button.

Please post the logs for my review.

Wait for further instructions
 

Nicklous

New Member
Thread author
May 24, 2022
11
It was my intention to qualify if I indeed have a problem before I wasted anyone's time with reports. But as you have requested, they are attached.
 

Attachments

  • Addition.txt
    248.5 KB · Views: 29
  • FRST.txt
    44.9 KB · Views: 29

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
794
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

When both security programs are enabled in real time, it will slow down your system.
I suggest you disable one of them.

AV: AVG Antivirus (Enabled - Up to date) {18A975F9-A60C-37D8-E30B-4BEF31AD3411}
AV: Norton 360 (Enabled - Up to date) {AECE2126-F4E7-6909-11F2-1B69D1FBCBD0}
<<<>>>

I do not see any references to this program in your logs.
Did you ever install it?
<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • Fixlist.txt
    2.6 KB · Views: 34

Nicklous

New Member
Thread author
May 24, 2022
11
Hello,

I am aware running 2 Anti-viral/malware will slow my system down. I just downloaded AVG 2 days ago and happen to be extra paranoid until I get this resolved. I will eventually turn off one.

No, I did NOT intend to download the file in question. I have no memory of it.

File downloaded, FRST ran again and here is the resulting txt file.

Performance has increased greatly since running FRST
 

Attachments

  • Fixlog.txt
    8.3 KB · Views: 27

Nicklous

New Member
Thread author
May 24, 2022
11
The item still remains but is identified as a Microsoft Update application but the performance has improved tremendously.

Thank you!
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
794
Hi,

Comment: Let's see which services need attention.

Download Farbar's Service Scanner utility
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are check marked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
<<<>>>
 

Nicklous

New Member
Thread author
May 24, 2022
11
Farbar Service Scanner Version: 03-11-2021
Ran by Mark (administrator) on 27-05-2022 at 15:14:24
Running from "C:\Users\Mark\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcsvc.dll => File is digitally signed
C:\Windows\System32\Drivers\afd.sys => File is digitally signed
C:\Windows\System32\Drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
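Added example, not part of the original thread and not Farbar's code: a small triage pass over an FSS.txt log that surfaces only the lines that deviate from the stated defaults, so a reviewer does not have to scan the whole file by eye. It recognises only the line shapes visible in the log above; the sample input is constructed, and `example.dll` with its status text is a placeholder rather than real FSS output.

```python
import re

# Line shapes are taken only from the FSS.txt log quoted in this thread.
NOT_RUNNING_RE = re.compile(r"^(\S+) Service is not running")
START_RE = re.compile(r"The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"([^"]+)"=DWORD:(\d+)$')
FILE_RE = re.compile(r"^(.+?) => (.+)$")
SIGNED = "File is digitally signed"

# Constructed sample modelled on the log above; example.dll and its status
# text are placeholders, not real FSS output.
SAMPLE = r"""
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
File Check:
========
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\example.dll => <constructed non-signed status>
"""


def triage_fss(log_text):
    """Return (kind, detail) findings for lines that deviate from the defaults."""
    findings, key, in_files = [], None, False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "File Check:":
            in_files = True          # only treat "path => status" lines after this header
        elif m := NOT_RUNNING_RE.match(line):
            findings.append(("service_stopped", m.group(1)))
        elif m := START_RE.search(line):
            if m.group(2) != m.group(3):   # configured start type differs from default
                findings.append(("start_type", f"{m.group(1)}: {m.group(2)} (default {m.group(3)})"))
        elif m := REG_KEY_RE.match(line):
            key = m.group(1)         # remember the key the next value line belongs to
        elif key and (m := REG_VAL_RE.match(line)):
            if int(m.group(2)) != 0:       # a non-zero policy DWORD is set
                findings.append(("policy_set", f"{key}\\{m.group(1)}={m.group(2)}"))
        elif in_files and (m := FILE_RE.match(line)) and m.group(2) != SIGNED:
            findings.append(("file_check", f"{m.group(1)}: {m.group(2)}"))
    return findings


FINDINGS = triage_fss(SAMPLE)  # evaluated on the constructed sample
```

A finding here is a prompt for review, not a verdict; the helper still has to decide whether a stopped service or a set policy is expected on that machine.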
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
794
Hi,

Your Windows Updates service is working well.

I think your issue is caused by the setting in MsConfig.

MSCONFIG\startupreg: TeamsMachineUninstallerLocalAppData => %LOCALAPPDATA%\Microsoft\Teams\Update.exe --uninstall --msiUninstall --source=default

This is not my forte but checking on it I found this article that may help.

Registry key reappears after deletion

In your case the service may be disabled.

8 ways to start System Configuration in Windows (all versions)

It looks like this is tied to Microsoft Teams: Meet the hub for teamwork in Office 365.
You should decide if you want to set it to enable or remove it completely.

If you need additional help.
 

Nicklous

New Member
Thread author
May 24, 2022
11
As it should happen, only this past week have I actually used Microsoft Teams for 2 video interviews this week. I don't believe I will ever be using it again in the future since Zoom and Google can meet my video meeting needs. So my thought is I should remove it.

And you?

In the meantime, my system is moving through molasses again even with a Speed Test score of 400K+ Download and 45K upload. So something inside is working behind the scenes which doesn't show itself in the conventional manner such as Task Manager.

I access the startup in msconfig every so often and I keep most things turned off until after the system has had ample time to boot up and "clear its head" so to speak.
 

Nicklous

New Member
Thread author
May 24, 2022
11
Follow up - that would be affirmative. Everything but AVG is allowed to start in the opening sequences. I also took a look into the services tab and now remember that I have most of those items stopped.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
794
Hi,

Run a scan with the Farbar program and post fresh logs for my review.
 

Nicklous

New Member
Thread author
May 24, 2022
11
I really do appreciate the time you are giving me with my problem.

Thank you!
 

Attachments

  • FRST.txt
    40.5 KB · Views: 25
  • Addition.txt
    249.1 KB · Views: 25

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
794
Hi,

I suggest you remove AVG completely. I have Norton 360 and that is all I need.
Having both enabled in real time will only slow down your system. If you want to keep it I suggest you disable it.
Download and run their uninstaller tool from this site.


Run the program and restart the computer when the installation is completed.
-----

This fix will remove some search from Norton. This is not required.
One that must be removed is this one.
CHR DefaultSuggestURL: Default -> hxxps://ss-sym.search.ask.com/ss?limit=10&li=ff&hl=en&q={searchTerms}
The link to ask.com is some type of adware. This was not seen in your first log.
<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • Fixlist.txt
    758 bytes · Views: 26

Nicklous

New Member
Thread author
May 24, 2022
11
My apologies for late reply. Stepped away from the computer for a couple of days.

Before I remove AVG allow me to play "devil's advocate". I too have Norton's yet I got this damn Malware. So how is my first question and why should I put all my trust in Norton's? I have been a long time user and they failed me this time. Hence my installing the (free) AVG trial which is proving to be more of a nuisance than Norton's.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
794
Hi,

New infections are created all the time.
None of the Security software is always delay in adding the new variants.

This was reported in your second log not the first.
CHR DefaultSuggestURL: Default -> hxxps://ss-sym.search.ask.com/ss?limit=10&li=ff&hl=en&q={searchTerms}
The link to ask.com is some type of adware. This was not seen in your first log.

It's some adware and not a virus.
 

Nicklous

New Member
Thread author
May 24, 2022
11
Now that we seem to have identified a culprit, what are the steps for eliminating it?
 

Nicklous

New Member
Thread author
May 24, 2022
11
In reply to your Monday morning request. Here is the file. The 2nd & 3rd are a fresh scan this afternoon.
 

Attachments

  • Fixlog.txt
    2 KB · Views: 22
  • Addition.txt
    240.2 KB · Views: 22
  • FRST.txt
    34.4 KB · Views: 24

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
794
Hi

The ASK.COM redirect has been eliminated with my last fix.
It's no longer present in your logs.
 