On a Windows 7 workstation running an up to date antivirus suite (Kaspersky) I found several suspicious processes. To look at the process activity I used the excellent ProcessMonitor from SysInternals.
One of them had an executable name wauctla.exe located in C:\Windows. Update: the name is probably chosen deliberately to be confused with wuauclt.exe - the Windows Update Agent Control utility.
This process runs as a System Service. Using the Management Console services snap-in I was able to change the startup settings for this process from "Automatic" to "Disabled". However there was no way I could stop the running process via the MMC snap-in.
I still managed to stop the process with the taskkill /f /PID command. I restarted the OS and the process is no longer seen in the process list.
There is an excellent thread on superuser on the procedures necessary to remove generic malware from computers running Windows. When the suspicious processes have been stopped and their executable files moved to a safe location away from the executable search path I want to learn more about the new malware.
What sort of threat comes from this file? Is there any antivirus software around that can detect this virus? How does it spread, should I check other computers that were accessed by the same user after this workstation was infected?
Update 2: Following the answers referring to virustotal, here is a link to the virustotal summary of this piece of malware.
wauctla.exe isn't malicious. wauctla.exe is used by Windows Update.
wuauclt.exe I believe.
wauctla.exe is a malware, and it's detected by Avast.
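Added example, not part of the original thread: a small triage check for the name confusion discussed above, which flags process images whose file name is a near miss of a known Windows binary or whose known name runs from an unexpected directory. The baseline table, the distance threshold and the sample paths are assumptions made for illustration; on 64-bit systems some of these binaries also exist under SysWOW64, which this simplified baseline ignores.

```python
import ntpath  # parses Windows paths on any OS

# Illustrative baseline (not exhaustive): system binary -> expected directory.
BASELINE = {
    "wuauclt.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
MAX_DISTANCE = 3  # assumption: tune against your own process inventory


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image_path):
    """Return (verdict, baseline_name) for one process image path."""
    directory, name = ntpath.split(image_path.lower())
    if name in BASELINE:
        ok = directory == BASELINE[name]
        return ("ok" if ok else "known-name-wrong-dir", name)
    nearest = min(BASELINE, key=lambda known: edit_distance(name, known))
    if edit_distance(name, nearest) <= MAX_DISTANCE:
        return ("lookalike", nearest)
    return ("unlisted", None)


# Constructed sample image paths, not taken from a real host.
SAMPLE = [
    r"C:\Windows\System32\wuauclt.exe",
    r"C:\Windows\wauctla.exe",
    r"C:\Users\Public\svchost.exe",
    r"C:\Program Files\Backup\backupagent.exe",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(path, "->", classify(path))
```

A "lookalike" or "known-name-wrong-dir" verdict is a reason to inspect the file, not proof that it is malicious; "unlisted" only means the name is not near anything in the baseline.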