WiredWX Hobby Weather Tools

The file wuauclt.exe is infected - Page 2

Re: The file wuauclt.exe is infected

Here is the new log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4420

Windows 6.0.6000
Internet Explorer 8.0.6001.18904

8/11/2010 7:33:42 PM
mbam-log-2010-08-11 (19-33-42).txt

Scan type: Quick scan
Objects scanned: 142358
Time elapsed: 7 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: The file wuauclt.exe is infected

Hello.

  • Download combofix from here: Link 1

1. If you are using Firefox, make sure that your download settings are as follows:

   * Tools->Options->Main tab
   * Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

   [image: CF_download_FF]

   [image: 2aflf5z]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.

Re: The file wuauclt.exe is infected

Sorry about the delay. Here is the combofix.txt file


ComboFix 10-08-23.02 - Taimoor 08/23/2010 19:48:10.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1982.1079 [GMT -6:00]
Running from: c:\users\Taimoor\Desktop\LVR Pics\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj04.dll

c:\windows\system32\drivers\null.sys was missing
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-null_31bf3856ad364e35_6.0.6000.16386_none_a72f2b811e11f9f3\null.sys

.
((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
.

2010-08-24 01:58 . 2010-08-24 02:04 -------- d-----w- c:\users\Taimoor\AppData\Local\temp
2010-08-24 01:58 . 2010-08-24 01:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-24 01:58 . 2010-08-24 01:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-08-24 01:58 . 2009-11-27 15:37 4608 ----a-w- c:\windows\system32\drivers\null.sys
2010-08-24 01:32 . 2010-08-24 01:32 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2010-08-24 00:38 . 2010-03-23 07:51 158520 -c--a-w- c:\programdata\Microsoft\Windows\WER\ReportQueue\Report114ebc5b\YTSingleInstance.dll
2010-08-18 23:44 . 2010-08-18 23:44 -------- d-----w- c:\users\Taimoor\AppData\Local\HP
2010-08-11 03:06 . 2010-08-11 03:06 -------- d-----w- c:\users\Taimoor\AppData\Roaming\Malwarebytes
2010-08-11 03:05 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-11 03:05 . 2010-08-11 03:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-11 03:05 . 2010-08-11 03:05 -------- d-----w- c:\programdata\Malwarebytes
2010-08-11 03:05 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 19:17 . 2010-08-08 19:17 -------- d-----w- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 01:21 . 2010-02-06 05:17 -------- d-----w- c:\programdata\avg9
2010-07-24 20:04 . 2009-01-29 02:35 -------- d-----w- c:\programdata\CanonIJPLM
2010-07-21 01:46 . 2010-07-21 01:46 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-07-21 01:46 . 2010-07-21 01:46 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2010-07-21 01:46 . 2010-07-21 01:46 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-07-19 01:42 . 2010-07-19 01:42 452104 ----a-w- c:\users\Taimoor\AppData\Roaming\Real\Update\setup3.12\setup.exe
2010-07-15 22:10 . 2010-07-15 22:10 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-07-15 22:10 . 2010-07-15 22:10 216200 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-07-15 22:02 . 2010-07-15 22:02 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-07-15 22:02 . 2010-07-15 22:02 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll
2010-07-15 22:02 . 2010-07-15 22:02 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-07-15 22:02 . 2010-07-15 22:02 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-06-23 02:23 . 2010-06-23 02:23 501936 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb3C9.tmp.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-02-02 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"Logitech Vid"="c:\program files\Logitech\Logitech Vid\vid.exe" [2009-07-16 5458704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-10 1006264]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 4390912]
"SnapfishMediaDetector"="c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe" [2007-03-02 1441792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-09-12 77824]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-07-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-07 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-07 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-03-07 44168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Snapfish Media Detector.lnk - c:\program files\Snapfish Media Detector\SnapfishMediaDetector.exe [2007-3-2 1441792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2007-03-13 00:44 1773568 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 135664]
S3 rt70x86;Linksys Home Wireless-G USB Adaptor Driver;c:\windows\system32\DRIVERS\netr70.sys [2009-02-26 299520]

.
Contents of the 'Scheduled Tasks' folder

2010-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 00:59]

2010-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 00:59]

2010-08-24 c:\windows\Tasks\User_Feed_Synchronization-{F083740C-9BE8-4189-BDF7-25562914C17A}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: netzero.com
Trusted Zone: netzero.net
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 20:04
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000002F05CCE21133049E9F 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2864)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-08-23 20:09:10 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-24 02:09

Pre-Run: 212,501,393,408 bytes free
Post-Run: 213,201,309,696 bytes free

- - End Of File - - 29FD438C14F4F23A38AC5FFB332AA2E9
