Guy, I'm baffled and getting pretty worried. Two days ago, I noticed that the WindowsUpdate icon was appearing in my system tray, perpetually stuck at 0%. I became suspicious when forcing termination using Task Manager of wuauclt.exe made no difference -- the program would immediately start running again.
A quick Google search turned up that this file is possibly a virus, so I scanned it using a demo of Norton Anti-Virus and using Housecall (my normal virus scanner), both of which declared the file clean. But every time I deleted the file, it recreated itself, and every time I deleted it and created a read-only file of the same name in the Windows/System32 folder, this file would be overwritten.
Finally, I disabled Windows Update and restarted the computer. This time, wuauclt.exe wasn't running and the icon didn't appear, so I thought I had perhaps been wrong in my diagnosis all along.
This morning, when I started up, my computer was chugging a lot more than usual, so I opened up Task Manager and saw wuauclt.exe in it again -- though no Windows Update icon in the system tray. When I forced termination, it restored itself, AND another previously unseen program appeared: wmiprvse.exe. Again, a Google search confirmed that this file is often infected. I forced termination of both, and neither has resumed running as of this post.
I've now downloaded and am running Sophos Anti-Virus, since the Sophos website identifies both of the potential threats. But I'm skeptical that they will turn anything up.
I'd rather NOT format, but I suppose as between formatting and having all of my personal information stolen, I'm willing to do a format if necessary. Still, it seems weird that if this IS a virus, no software can detect it. Yet the symptoms seem so outrageous I cannot imagine it's anything BUT a virus.
Help?
EDIT:
Sophos proclaims them clean. OS is Windows XP Pro.
Here are the file specs:
wuauclt.exe (c:\windows\system32)
Size 113,944
On Disk 114,688
Created: Friday, August 9, 2002
Modified: Tuesday, August 3, 2004
Accessed: Today, December 5, 2004
wmiprvse.exe (c:\windows\system32\wbem)
Size 203,264
On Disk 204,800
Created: 5/9/02
Modified: 5/9/02
Accessed: Today, 12/5/04
---
Logfile of HijackThis v1.97.7
Scan saved at 10:28:11 AM, on 12/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\FlashSwitch\FlashSw.exe
C:\Program Files\ICQ\ICQ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\DllHost.exe
E:\SSW\SWEEPSRV.SYS
E:\SSW\SWNETSUP.EXE
E:\SSW\WSWEEPNT.EXE
E:\SSW\ICMON.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Temporary Internet Files\Temporary Internet Files\Content.IE5\E707A5CV\HijackThis[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {46B9D770-1B7D-45D1-81B4-AC07B2F127EF} - C:\PROGRA~1\FLASHS~1\FlashBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\AdShield\AdShield\AdShield.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: FlashSwitch.lnk = C:\Program Files\FlashSwitch\FlashSw.exe
O4 - Global Startup: InterCheck Monitor.LNK = E:\SSW\ICMON.EXE
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...594.5660300926
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/co...I/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F229AB32-7BF9-4225-B78F-B4680AE6FC23} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab