wuaclt.exe [RESOLVED]

I received a popup that wuaclt.exe is trying to use svchost.exe to access the internet. wuaclt is either a Windows component or a trojan (cult). How can I tell the difference and how can I know whether to allow or deny access? I attach a screenshot of the popup.
Thanks


Why don’t we all submit files (of which we are doubtful/unaware), so COMODO can analyze them for us, and let us know what to do. The option to submit file is available in CPF (Beta releases) under Security > Miscellaneous > Submit files to COMODO for analysis. And please don’t forget to include details (if you have any) about the submitted file and your email ID (if you want).
Let's make CPF most secured and user friendly,


Interesting question. I did a search (after changing the view file properties to include hidden and system files) but didn’t find any file by that name, only a bunch of html names relating to internet pages containing the word that I looked at (such as this forum thread).

It is a trojan!!

Comodo just saved you ;D

I notice from your signature that you use Kaspersky AV. Hard to believe KAV doesn’t detect it if it’s malware.

Don’t delete this file, it’s probably NOT a Trojan.
Symantec talks about a Trojan with a whole lot of different names, among them wuauclt.exe.
But C:\Windows\System32\wuauclt.exe is also part of Windows updating system. That’s why it wants to go on the Internet. Just the same name doesn’t mean anything at all.
If you doubt if this is a Trojan, you should use a few good online scanners before removing it.

Regards
Peter Zwitser

That's exactly the reason why the submit feature is incorporated in Beta. Let COMODO secure us and keep us informed to the fullest.

I was just in the process of responding to pandlouk and borderline crazy when Goeroeboeroe’s post appeared.
Here are my comments anyway:

  • so if KAV didn’t say anything, that should indicate that it is not malware
  • also it is addressed to an internal address (10.0.0.138) which is the LAN address of my router, not to an internet address, as shown in the screenshot
  • also the purityscan site referred to in the Symantec page you so kindly provided looks like a bad news site to be wary of
  • and lastly but most importantly this process appears to be a legitimate Windows process

So I am not in a rush to get rid of it but just wanted to know why I got the alert from Comodo. Zone Alarm never popped up about this kind of activity, and my original question remains unanswered - how can I distinguish between a legitimate Windows component and a trojan of the same name? There are other processes with the same issue e.g. alg.exe which is a Windows component and there can also be a trojan of the same name.

Hi, I didn’t suggest to eliminate it. I only said it is a trojan

Just keep it blocked. Some information can be found here but I am not sure if it is secure

DO NOT USE THEIR PROGRAM TO REMOVE IT.
They may install a trojan on your PC.

I just checked the /system32 folder and it has wuaclt.exe (automatic updates) and wuaclt1.exe (windows autoupdate client). These appear to be legitimate windows components. If I block these and do not allow them to contact the internet I will not be notified of windows updates.

There seem to be too many popups in comodo. When I had Zone Alarm there were nowhere nearly as many popups presumably because the straightforward and harmless issues such as addressing the lan ip address or the dead letter box are ignored.

I would be grateful for some advice as to how to adjust the program settings to get fewer popups and eliminate popups that have no security significance.
Thanks.

No one seems to have noticed that the OP mis-spelled the file name and most replies have followed him in doing so. The file he was warned about is NOT wuaclt.exe, but IS wuauclt.exe. Because of his mis-spelling, he could not find the file, but it is part of the normal OS and is in C:\windows\system32 on XP systems. It is an essential part of the Windows Automatic Update process and should be allowed.

It is essential but it can be patched from a virus or other malware!

Hi,

This is not a safe assumption. We know of a case where CPF raised an alert catching a new variant of a worm that NOD32 did not catch (unless heuristics are enabled, which means you need to scan the individual file manually to enable heuristics scanning).

and lastly but most importantly this process appears to be a legitimate Windows process

So I am not in a rush to get rid of it but just wanted to know why I got the alert from Comodo. Zone Alarm never popped up about this kind of activity,

Of course it can't.

and my original question remains unanswered - how can I distinguish between a legitimate windows component and a trojan of the same name? There are other processes with the same issue e.g. alg.exe which is a windows component and there can also be a trojan of the same name.

You can enable the “Security->Advanced->Automatically approve safe applications” option and make CPF alert you in case of an emergency. If it is a legitimate Windows component, then CPF won't show you this alert at all.

Egemen

Indeed I mistakenly was searching wuaclt instead of wuauclt which is found in the system32 folder.
However this file also seems to be a possible target of trojans anyway: http://www.sarc.com/avcenter/venc/data/backdoor.clt.html or 2wSysTray - 2portalmon.exe - Program Information

While my inclination is to assume that the warning I showed at the start of this discussion indeed concerned the legitimate MS autoupdate facility, after additional searching and the posts in this thread I am now becoming only more confused and concerned how to respond to this particular warning, and possibly others as well. I don’t like being paranoid, but I am aware of the dangers on the internet.

And to egemen: “automatically approve safe applications” is a default setting, and so would have been in force with the installation of the program, so this doesn’t answer the question.

UPDATE: I sent wuauclt.exe and wuauclt1.exe to Kaspersky and they confirmed that they are components of Windows Update. So for this case at least I believe the issue is resolved, however the question of giving correct answers to some of the popups still remains. If a popup appears immediately when I take an action (check mail, search, IM, antivirus update, etc.) that must go to the internet, I presume it is legitimate and will allow the action. The problem can be with popups that do not appear in direct response to an action of mine. I guess I will just have to wait and see how matters progress and get used to Comodo.
Thanks to all posters for their assistance.
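
The checks discussed in this thread (exact file name, location in System32, and whether the file still carries a valid Microsoft signature), as an added example that is not part of any post above. It assumes Windows PowerShell 5.1 or later, so it will not run on a stock XP system; `Test-SystemBinary` is a hypothetical helper name.

```powershell
# Added example, not from the thread.
$expectedDir = Join-Path $env:SystemRoot 'System32'
# Exact names the thread identifies as Windows components.
$knownNames  = 'wuauclt.exe', 'wuauclt1.exe', 'alg.exe'

function Test-SystemBinary {
    param([Parameter(Mandatory)][string]$Path)

    $file   = Get-Item -LiteralPath $Path -Force
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $nameOk = $knownNames -contains $file.Name          # exact name, not a near miss
    $dirOk  = $file.DirectoryName -eq $expectedDir      # where the real file lives
    # A modified ("patched") file no longer verifies, so Status is not 'Valid'.
    $sigOk  = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

    $verdict = if ($nameOk -and $dirOk -and $sigOk) {
        'consistent with Windows component'
    } elseif ($sigOk) {
        'Microsoft-signed, but name or location unexpected'
    } else {
        'investigate'
    }

    [pscustomobject]@{
        Path       = $file.FullName
        NameMatch  = $nameOk
        InSystem32 = $dirOk
        Signature  = $sig.Status
        Signer     = $signer
        SHA256     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Verdict    = $verdict
    }
}

# Loose patterns also catch near-miss names such as the "wuaclt" spelling.
Get-ChildItem -Path $env:SystemRoot -Recurse -Force -ErrorAction SilentlyContinue `
        -Include 'wu*clt*.exe', 'alg*.exe' |
    ForEach-Object { Test-SystemBinary -Path $_.FullName } |
    Format-List
```

Any file reported as `investigate` is a candidate for the online scanners or vendor submission mentioned in the thread; the SHA256 value identifies exactly which file was checked.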