Wuauclt.exe is infected

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

Wuauclt.exe is infected3rd April 2010, 12:56 am

have to run in safe mode to do anything because when i try to open something a window pops up with "this application cannot be executed wuauclt.exe is infected.

I ran OLT and ill post the logs

OTL logfile created on: 4/2/2010 8:36:03 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator.EINGLETT\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.00 Mb Total Physical Memory | 115.00 Mb Available Physical Memory | 30.00% Memory free
922.00 Mb Paging File | 723.00 Mb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 130.93 Gb Free Space | 87.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EINGLETT
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/02 20:35:14 | 000,691,712 | ---- | M] (PC Tools) -- C:\Documents and Settings\Administrator.EINGLETT\Local Settings\Temp\is-81PH6.tmp\spyware-doctor.tmp
PRC - [2010/04/02 20:35:04 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.EINGLETT\My Documents\Downloads\OTL.exe
PRC - [2010/04/02 20:32:59 | 034,595,056 | ---- | M] (PC Tools ) -- C:\Documents and Settings\Administrator.EINGLETT\My Documents\Downloads\spyware-doctor.exe
PRC - [2010/02/18 17:54:15 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/02/03 10:06:10 | 000,211,272 | ---- | M] (PC Tools) -- C:\Documents and Settings\Administrator.EINGLETT\Local Settings\Temp\is-2UPNV.tmp\InnoMonitor.exe
PRC - [2004/08/03 21:07:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

========== Modules (SafeList) ==========

MOD - [2010/04/02 20:35:04 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator.EINGLETT\My Documents\Downloads\OTL.exe
MOD - [2004/08/03 21:07:00 | 001,050,624 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/11/24 19:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/11/24 19:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/11/24 19:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Stopped] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/11/24 19:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Stopped] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)

========== Driver Services (SafeList) ==========

DRV - [2009/11/24 19:50:59 | 000,094,160 | ---- | M] (ALWIL Software) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009/11/24 19:50:12 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/11/24 19:50:00 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Stopped] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/11/24 19:49:07 | 000,048,560 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/11/24 19:48:57 | 000,023,120 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/11/24 19:47:54 | 000,027,408 | ---- | M] (ALWIL Software) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/09/27 19:31:25 | 000,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2005/09/18 11:32:00 | 003,493,984 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2005/09/14 14:38:00 | 003,856,896 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2005/08/12 17:31:12 | 000,098,432 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2005/07/29 20:11:04 | 000,012,928 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2005/07/29 20:11:02 | 000,034,048 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2005/01/07 20:07:18 | 000,138,752 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2005/01/07 20:07:16 | 000,145,920 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Hdaudio.sys -- (HdAudAddService)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr9/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13116&gct=&gc=1&q=

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Fast Browser Search"
FF - prefs.js..browser.search.defaulturl: "http://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q="
FF - prefs.js..browser.search.order.1: "Fast Browser Search"
FF - prefs.js..browser.search.selectedEngine: "Fast Browser Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={42BEC57C-C834-2AD5-14D8-6FA346A7FEB8}&q="

FF - HKLM\software\mozilla\Firefox\extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\firefox\
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/02/18 17:56:12 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/02/18 17:54:23 | 000,000,000 | ---D | M]

[2010/04/02 19:49:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\Mozilla\Extensions
[2010/04/02 20:22:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\Mozilla\Firefox\Profiles\4tgu3j6j.default\extensions
[2010/04/02 20:22:03 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\Mozilla\Firefox\Profiles\4tgu3j6j.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/02 20:17:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\Mozilla\Firefox\Profiles\4tgu3j6j.default\extensions\{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}
[2010/04/02 20:17:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/04 21:06:48 | 000,003,700 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fast.png
[2009/10/04 21:06:49 | 000,001,963 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fast.xml
[2009/12/22 09:02:48 | 000,002,197 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google-search.xml

O1 HOSTS File: ([2009/11/19 13:01:59 | 000,000,161 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 winsecurepro2009.microsoft.com
O1 - Hosts: 91.212.127.227 winsecurepro2009.com
O1 - Hosts: 91.212.127.227 www.winsecurepro2009.com
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll File not found
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [acivbtjp] C:\Documents and Settings\Roy\Local Settings\Application Data\tdoupmkah\fwpcrgvtssd.exe ()
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] C:\WINDOWS\System32\HdAShCut.exe (Windows (R) Server 2003 DDK provider)
O4 - HKLM..\Run: [ISTray] C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools)
O4 - HKLM..\Run: [My Web Search Bar] C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL File not found
O4 - HKLM..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe File not found
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe (PokerStars)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab (Java Plug-in 1.6.0_16)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/07 01:32:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/02 20:35:48 | 000,233,136 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctgntdi.sys
[2010/04/02 20:35:42 | 000,207,280 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTCore.sys
[2010/04/02 20:35:42 | 000,087,784 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\PCTAppEvent.sys
[2010/04/02 20:35:35 | 000,070,408 | ---- | C] (PC Tools) -- C:\WINDOWS\System32\drivers\pctplsg.sys
[2010/04/02 20:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\Spyware Doctor
[2010/04/02 20:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PC Tools
[2010/04/02 20:35:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Tools
[2010/04/02 20:35:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\PC Tools
[2010/04/02 20:35:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/04/02 20:31:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\My Documents\Downloads
[2010/04/02 20:17:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\Macromedia
[2010/04/02 20:17:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\Adobe
[2010/04/02 19:46:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Local Settings\Application Data\Mozilla
[2010/04/02 19:46:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\Mozilla
[2010/03/17 23:35:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2010/03/16 18:30:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2010/03/16 17:52:05 | 000,016,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2010/03/16 17:51:35 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
[2010/03/13 00:31:02 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.EINGLETT\Application Data\Microsoft
[2010/03/13 00:31:02 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.EINGLETT\Cookies
[2010/03/13 00:31:02 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Application Data
[2010/03/13 00:31:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Favorites
[2010/03/13 00:31:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Desktop
[2010/03/13 00:31:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator.EINGLETT\SendTo
[2010/03/13 00:31:01 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Start Menu
[2010/03/13 00:31:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Templates
[2010/03/13 00:31:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Recent
[2010/03/13 00:31:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.EINGLETT\PrintHood
[2010/03/13 00:31:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.EINGLETT\NetHood
[2010/03/13 00:31:01 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Local Settings
[2010/03/13 00:31:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\My Documents
[2010/03/13 00:31:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.EINGLETT\Local Settings\Application Data\Microsoft
[2010/03/12 23:50:09 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/03/10 19:13:07 | 000,000,000 | ---D | C] -- C:\WINDOWS\_VOIDjwivpecvnn
[2010/03/10 18:46:24 | 000,000,000 | ---D | C] -- C:\Program Files\Dr. Guard
[2009/08/07 01:37:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/08/07 01:32:00 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/08/07 01:32:00 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/12/07 12:13:40 | 000,479,432 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dxsetup.exe
[2004/12/07 12:13:38 | 002,249,416 | ---- | C] (Microsoft Corporation) -- C:\Program Files\dsetup32.dll
[2004/12/07 12:13:38 | 000,069,832 | ---- | C] (Microsoft Corporation) -- C:\Program Files\DSETUP.dll
[2004/11/24 14:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/02 20:35:41 | 000,524,288 | -H-- | M] () -- C:\Documents and Settings\Administrator.EINGLETT\NTUSER.DAT
[2010/04/02 20:35:39 | 000,001,637 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/04/02 20:17:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/02 19:51:40 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/04/02 19:51:31 | 000,000,006 | ---- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/02 19:51:09 | 000,030,277 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/04/02 19:43:27 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/21 21:17:23 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/21 03:01:10 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/16 17:51:53 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/03/16 17:51:53 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/03/16 17:51:45 | 000,000,507 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/16 17:50:39 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2010/03/14 16:56:47 | 000,432,972 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 16:56:47 | 000,067,544 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 16:56:46 | 000,509,828 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/13 00:34:00 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator.EINGLETT\ntuser.ini
[2010/03/13 00:33:57 | 003,184,656 | -H-- | M] () -- C:\Documents and Settings\Administrator.EINGLETT\Local Settings\Application Data\IconCache.db
[2010/03/13 00:24:48 | 000,003,668 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll
[2010/03/12 23:53:06 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/10 19:32:30 | 000,010,730 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
[2010/03/10 19:16:05 | 000,001,586 | ---- | M] () -- C:\WINDOWS\System32\_VOIDmfeklnmal.dll
[2010/03/10 19:14:53 | 000,000,271 | ---- | M] () -- C:\WINDOWS\System32\_VOIDivtvsppowy.dat
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/02 20:35:48 | 000,007,387 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctgntdi.cat
[2010/04/02 20:35:42 | 000,007,412 | ---- | C] () -- C:\WINDOWS\System32\drivers\PCTAppEvent.cat
[2010/04/02 20:35:42 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctcore.cat
[2010/04/02 20:35:39 | 000,001,637 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Spyware Doctor.lnk
[2010/04/02 20:35:35 | 000,007,383 | ---- | C] () -- C:\WINDOWS\System32\drivers\pctplsg.cat
[2010/03/13 00:31:05 | 000,000,178 | -HS- | C] () -- C:\Documents and Settings\Administrator.EINGLETT\ntuser.ini
[2010/03/13 00:31:01 | 000,524,288 | -H-- | C] () -- C:\Documents and Settings\Administrator.EINGLETT\NTUSER.DAT
[2010/03/10 19:16:05 | 000,001,586 | ---- | C] () -- C:\WINDOWS\System32\_VOIDmfeklnmal.dll
[2010/03/10 19:15:06 | 000,010,730 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
[2010/03/10 19:13:51 | 000,000,271 | ---- | C] () -- C:\WINDOWS\System32\_VOIDivtvsppowy.dat
[2010/03/10 19:00:28 | 000,003,668 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll
[2009/10/19 13:15:47 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/09/27 20:29:42 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/09/27 20:29:42 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/09/27 20:29:41 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/09/27 19:31:23 | 000,721,904 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/12/19 10:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 12:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 12:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 12:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 12:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 11:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/11 06:27:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2005/09/18 11:32:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2005/09/18 11:32:00 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2005/09/18 11:32:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2005/09/18 11:32:00 | 000,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/09/18 11:32:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2005/09/18 11:32:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2005/09/18 11:32:00 | 000,046,080 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2004/12/07 12:13:42 | 003,578,547 | ---- | C] () -- C:\Program Files\ManagedDX.CAB
[2004/12/07 12:13:42 | 001,156,363 | ---- | C] () -- C:\Program Files\BDANT.cab
[2004/12/07 12:13:42 | 000,703,080 | ---- | C] () -- C:\Program Files\BDA.cab
[2004/12/07 12:13:38 | 013,265,040 | R--- | C] () -- C:\Program Files\dxnt.cab
[2004/12/07 12:13:36 | 015,493,481 | ---- | C] () -- C:\Program Files\DirectX.cab
[2004/12/07 12:13:36 | 000,976,020 | ---- | C] () -- C:\Program Files\BDAXP.cab
[2004/12/07 11:47:32 | 000,020,717 | ---- | C] () -- C:\Program Files\DirectX SDK EULA.txt
[2004/10/03 12:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2004/08/03 21:07:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

OTL Extras logfile created on: 4/2/2010 8:36:03 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Administrator.EINGLETT\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

383.00 Mb Total Physical Memory | 115.00 Mb Available Physical Memory | 30.00% Memory free
922.00 Mb Paging File | 723.00 Mb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 576 1152 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 130.93 Gb Free Space | 87.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: EINGLETT
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"223:TCP" = 223:TCP:*:Enabled:WarriorEpic
"223:UDP" = 223:UDP:*:Enabled:WarriorEpic
"860:TCP" = 860:TCP:*:Enabled:WarriorEpic
"860:UDP" = 860:UDP:*:Enabled:WarriorEpic
"262:TCP" = 262:TCP:*:Enabled:WarriorEpic
"262:UDP" = 262:UDP:*:Enabled:WarriorEpic
"367:TCP" = 367:TCP:*:Enabled:WarriorEpic
"367:UDP" = 367:UDP:*:Enabled:WarriorEpic
"90:TCP" = 90:TCP:*:Enabled:WarriorEpic
"90:UDP" = 90:UDP:*:Enabled:WarriorEpic
"311:TCP" = 311:TCP:*:Enabled:WarriorEpic
"311:UDP" = 311:UDP:*:Enabled:WarriorEpic
"33:TCP" = 33:TCP:*:Enabled:WarriorEpic
"33:UDP" = 33:UDP:*:Enabled:WarriorEpic
"770:TCP" = 770:TCP:*:Enabled:WarriorEpic
"770:UDP" = 770:UDP:*:Enabled:WarriorEpic
"876:TCP" = 876:TCP:*:Enabled:WarriorEpic
"876:UDP" = 876:UDP:*:Enabled:WarriorEpic
"946:TCP" = 946:TCP:*:Enabled:WarriorEpic
"946:UDP" = 946:UDP:*:Enabled:WarriorEpic
"987:TCP" = 987:TCP:*:Enabled:WarriorEpic
"987:UDP" = 987:UDP:*:Enabled:WarriorEpic
"991:TCP" = 991:TCP:*:Enabled:WarriorEpic
"991:UDP" = 991:UDP:*:Enabled:WarriorEpic
"600:TCP" = 600:TCP:*:Enabled:WarriorEpic
"600:UDP" = 600:UDP:*:Enabled:WarriorEpic
"448:TCP" = 448:TCP:*:Enabled:WarriorEpic
"448:UDP" = 448:UDP:*:Enabled:WarriorEpic
"87:TCP" = 87:TCP:*:Enabled:WarriorEpic
"87:UDP" = 87:UDP:*:Enabled:WarriorEpic
"710:TCP" = 710:TCP:*:Enabled:WarriorEpic
"710:UDP" = 710:UDP:*:Enabled:WarriorEpic
"282:TCP" = 282:TCP:*:Enabled:WarriorEpic
"282:UDP" = 282:UDP:*:Enabled:WarriorEpic
"363:TCP" = 363:TCP:*:Enabled:WarriorEpic
"363:UDP" = 363:UDP:*:Enabled:WarriorEpic
"740:TCP" = 740:TCP:*:Enabled:WarriorEpic
"740:UDP" = 740:UDP:*:Enabled:WarriorEpic
"708:TCP" = 708:TCP:*:Enabled:WarriorEpic
"708:UDP" = 708:UDP:*:Enabled:WarriorEpic
"612:TCP" = 612:TCP:*:Enabled:WarriorEpic
"612:UDP" = 612:UDP:*:Enabled:WarriorEpic
"774:TCP" = 774:TCP:*:Enabled:WarriorEpic
"774:UDP" = 774:UDP:*:Enabled:WarriorEpic
"214:TCP" = 214:TCP:*:Enabled:WarriorEpic
"214:UDP" = 214:UDP:*:Enabled:WarriorEpic

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\Java\jre6\bin\javaw.exe" = C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Warrior Epic\WEShell_TGI.exe" = C:\Program Files\Warrior Epic\WEShell_TGI.exe:*:Enabled:Warrior Epic -- (True Games Interactive)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support
"{15F4085A-BC98-4590-AFFD-03BBBE49524E}" = Garmin Communicator Plugin
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}" = Garmin USB Drivers
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype

4.1
"{D69F6DA9-46CF-3EFD-DC4B-9E38F75F5B10}" = Super Collapse 3
"{DA34FE93-5DC5-48E0-ACC8-A5389E05BB51}" = iTunes
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"49CF605F02C7954F4E139D18828DE298CD59217C" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Ask Toolbar_is1" = Ask Toolbar
"avast!" = avast! Antivirus
"Browser Defender_is1" = Browser Defender 2.0.6.11
"DAEMON Tools Toolbar" = DAEMON Tools Toolbar
"Diablo II" = Diablo II
"Dr. Guard" = Dr. Guard
"FBSearchToolbar" = Fast Browser Search for Firefox (My Web Tattoo)
"Gamevance" = Gamevance
"Guild Wars" = Guild Wars
"GW Team Builder_is1" = GW Team Builder 1.2.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.8)" = Mozilla Firefox (3.5.8)
"MP3 Rocket" = MP3 Rocket
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyWebSearch bar Uninstall" = My Web Search (Kazulah)
"NVIDIA Drivers" = NVIDIA Drivers
"PokerStars.net" = PokerStars.net
"RatingsMigration" = Windows Media Player 9 Series Power Toy - Ratings Migration
"Spyware Doctor" = Spyware Doctor 7.0
"ST5UNST #1" = Typing Tutor
"Super Collapse 3" = Super Collapse 3 (remove only)
"The Weather Channel Desktop 6" = The Weather Channel Desktop 6
"Warrior Epic" = Warrior Epic
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XP Codec Pack" = XP Codec Pack
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Search Defender" = Yahoo! Search Protection
"Yahoo! Software Update" = Yahoo! Software Update

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 10/11/2009 5:57:41 PM | Computer Name = EINGLETT | Source = avast! | ID = 33554522
Description = AAVM - initialization error: Unhandled exception in AavmProviderStop
[Inner], MAIL.

Error - 11/5/2009 4:26:18 PM | Computer Name = EINGLETT | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\Roy\Application Data\Mozilla\Firefox\Profiles\d0o7jw35.default\sessionstore.js
failed, 0000A413.

Error - 11/5/2009 10:04:17 PM | Computer Name = EINGLETT | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://244.webim0028.webim.myspace.com/api/v1/events.json failed, 0000A413.

[ Application Events ]
Error - 2/7/2010 5:36:12 PM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/13/2010 10:29:39 AM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/13/2010 10:29:41 AM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/13/2010 10:29:41 AM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/13/2010 10:29:42 AM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/13/2010 10:29:43 AM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/13/2010 10:29:44 AM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/13/2010 10:29:44 AM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/13/2010 10:29:45 AM | Computer Name = EINGLETT | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at:
with error: The data is invalid.

Error - 2/22/2010 1:27:36 AM | Computer Name = EINGLETT | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.1.3685, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 3/11/2010 10:53:56 PM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

Error - 3/12/2010 12:00:55 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 3/12/2010 12:00:55 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 3/12/2010 12:01:28 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 3/12/2010 12:01:28 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 3/12/2010 12:01:31 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2147500053

Error - 3/12/2010 12:02:01 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the avast! Web Scanner service
to connect.

Error - 3/12/2010 12:02:01 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7000
Description = The avast! Web Scanner service failed to start due to the following
error: %%1053

Error - 3/12/2010 12:03:45 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7034
Description = The avast! Web Scanner service terminated unexpectedly. It has done
this 1 time(s).

Error - 3/12/2010 12:05:08 AM | Computer Name = EINGLETT | Source = Service Control Manager | ID = 7023
Description = The Computer Browser service terminated with the following error:
%%1460

< End of report >

Re: Wuauclt.exe is infected3rd April 2010, 3:00 am

Hello! We need to do some diagnostics to get started.

1. Please download Profiles by noahdfear.

Save it to your desktop.
Double-click profiles.exe and post its log when you reply

2. Download Win32kDiag by ad13 and save it to your Desktop.

Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

3. Please download Cheetah-Anti-Rogue by me, and save to your Desktop.

Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
Double-click on Cheetah-Anti-Rogue.cmd to start.
It will finish quickly and launch a log.
Post the contents of it in your next reply.

4. In your next reply, please post the following logs for my review:

Profiles log (1)
Win32kDiag log (2)
Cheetah log (3)

Thanks! Smile...

Re: Wuauclt.exe is infected3rd April 2010, 2:31 pm

Profiles:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1993962763-1085031214-725345543-1003
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Roy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1993962763-1085031214-725345543-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator.EINGLETT

SystemRoot REG_SZ C:\WINDOWS

Win32kDiag:
Running from: C:\Documents and Settings\Roy\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\Roy\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Cheetah:
Cheetah-Anti-Rogue v1.3.35
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 04/03/2010 - Time: 10:29:01 - Arch.: x86

-- Malware removal tools check --

-- Known infection --

C:\Program Files\Dr. Guard (Dr. Guard.RGE)
C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll (User Protection.RGE)
Warning: detected presence of TDSS Rootkit!

Extra message: Detection only.

EOF

Re: Wuauclt.exe is infected3rd April 2010, 5:52 pm

Please download TDSSKiller and save it to your Desktop.

Extract the file and run it.
Once completed it will create a log in your C:\ drive.
Please post the contents of that log.

Re: Wuauclt.exe is infected3rd April 2010, 6:25 pm

14:13:43:593 3168 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
14:13:43:593 3168 ================================================================================
14:13:43:593 3168 SystemInfo:

14:13:43:593 3168 OS Version: 5.1.2600 ServicePack: 2.0
14:13:43:593 3168 Product type: Workstation
14:13:43:625 3168 ComputerName: EINGLETT
14:13:43:625 3168 UserName: Roy
14:13:43:625 3168 Windows directory: C:\WINDOWS
14:13:43:625 3168 Processor architecture: Intel x86
14:13:43:625 3168 Number of processors: 1
14:13:43:625 3168 Page size: 0x1000
14:13:43:671 3168 Boot type: Normal boot
14:13:43:671 3168 ================================================================================
14:13:44:046 3168 UnloadDriverW: NtUnloadDriver error 2
14:13:44:046 3168 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
14:13:44:921 3168 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:13:44:921 3168 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:13:44:921 3168 wfopen_ex: Trying to KLMD file open
14:13:44:921 3168 wfopen_ex: File opened ok (Flags 2)
14:13:44:921 3168 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:13:44:921 3168 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:13:44:921 3168 wfopen_ex: Trying to KLMD file open
14:13:44:921 3168 wfopen_ex: File opened ok (Flags 2)
14:13:44:921 3168 Initialize success
14:13:44:921 3168
14:13:44:937 3168 Scanning Services ...
14:13:46:046 3168 Raw services enum returned 315 services
14:13:46:265 3168 Suspicious serv _VOIDd.sys (h: 0, b: 1)
14:13:46:265 3168 Heur detect _VOIDd.sys
14:13:46:265 3168 RegNode HKLM\SYSTEM\ControlSet001\services\_VOIDd.sys infected by TDSS rootkit ... 14:13:46:296 3168 will be deleted on reboot
14:13:46:312 3168 RegNode HKLM\SYSTEM\ControlSet002\services\_VOIDd.sys infected by TDSS rootkit ... 14:13:46:359 3168 will be deleted on reboot
14:13:46:375 3168 File C:\WINDOWS\system32\drivers\_VOIDbpxjetqfvn.sys infected by TDSS rootkit ... 14:13:46:390 3168 will be deleted on reboot
14:13:46:390 3168 File C:\WINDOWS\system32\_VOIDpfloxkbxdm.dll infected by TDSS rootkit ... 14:13:46:390 3168 will be deleted on reboot
14:13:46:390 3168 File C:\WINDOWS\system32\_VOIDivtvsppowy.dat infected by TDSS rootkit ... 14:13:46:390 3168 will be deleted on reboot
14:13:46:390 3168 File C:\WINDOWS\system32\_VOIDatnkoywftd.dll infected by TDSS rootkit ... 14:13:46:390 3168 will be deleted on reboot
14:13:46:390 3168 File C:\WINDOWS\system32\_VOIDlqbuxolxbd.dll infected by TDSS rootkit ... 14:13:46:390 3168 will be deleted on reboot
14:13:46:390 3168
14:13:46:390 3168 Scanning Kernel memory ...
14:13:46:390 3168 Devices to scan: 12
14:13:46:390 3168
14:13:46:390 3168 Driver Name: Disk
14:13:46:390 3168 IRP_MJ_CREATE : F75DCC30
14:13:46:390 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:390 3168 IRP_MJ_CLOSE : F75DCC30
14:13:46:390 3168 IRP_MJ_READ : F75D6D9B
14:13:46:390 3168 IRP_MJ_WRITE : F75D6D9B
14:13:46:390 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:390 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:390 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:390 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:390 3168 IRP_MJ_FLUSH_BUFFERS : F75D7366
14:13:46:390 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:390 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:390 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:390 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:390 3168 IRP_MJ_DEVICE_CONTROL : F75D744D
14:13:46:390 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75DAFC3
14:13:46:390 3168 IRP_MJ_SHUTDOWN : F75D7366
14:13:46:390 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:390 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:390 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:390 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:390 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:390 3168 IRP_MJ_POWER : F75D8EF3
14:13:46:390 3168 IRP_MJ_SYSTEM_CONTROL : F75DDA24
14:13:46:390 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:390 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:390 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:437 3168 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:13:46:437 3168
14:13:46:437 3168 Driver Name: usbstor
14:13:46:437 3168 IRP_MJ_CREATE : 827FD1F8
14:13:46:437 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:437 3168 IRP_MJ_CLOSE : 827FD1F8
14:13:46:437 3168 IRP_MJ_READ : 827FD1F8
14:13:46:437 3168 IRP_MJ_WRITE : 827FD1F8
14:13:46:437 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:437 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:437 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:437 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:437 3168 IRP_MJ_FLUSH_BUFFERS : 804F3418
14:13:46:437 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:437 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:437 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:437 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:437 3168 IRP_MJ_DEVICE_CONTROL : 827FD1F8
14:13:46:437 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : 827FD1F8
14:13:46:437 3168 IRP_MJ_SHUTDOWN : 804F3418
14:13:46:437 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:453 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:453 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:453 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:453 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:453 3168 IRP_MJ_POWER : 827FD1F8
14:13:46:453 3168 IRP_MJ_SYSTEM_CONTROL : 827FD1F8
14:13:46:453 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:453 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:453 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:484 3168 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:13:46:484 3168
14:13:46:500 3168 Driver Name: Disk
14:13:46:500 3168 IRP_MJ_CREATE : F75DCC30
14:13:46:500 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:500 3168 IRP_MJ_CLOSE : F75DCC30
14:13:46:500 3168 IRP_MJ_READ : F75D6D9B
14:13:46:500 3168 IRP_MJ_WRITE : F75D6D9B
14:13:46:500 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:500 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:500 3168 IRP_MJ_FLUSH_BUFFERS : F75D7366
14:13:46:500 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:500 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:500 3168 IRP_MJ_DEVICE_CONTROL : F75D744D
14:13:46:500 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75DAFC3
14:13:46:500 3168 IRP_MJ_SHUTDOWN : F75D7366
14:13:46:500 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:500 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:500 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:500 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:500 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:500 3168 IRP_MJ_POWER : F75D8EF3
14:13:46:500 3168 IRP_MJ_SYSTEM_CONTROL : F75DDA24
14:13:46:500 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:500 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:500 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:500 3168 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:13:46:500 3168
14:13:46:500 3168 Driver Name: Disk
14:13:46:500 3168 IRP_MJ_CREATE : F75DCC30
14:13:46:500 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:500 3168 IRP_MJ_CLOSE : F75DCC30
14:13:46:500 3168 IRP_MJ_READ : F75D6D9B
14:13:46:500 3168 IRP_MJ_WRITE : F75D6D9B
14:13:46:500 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:500 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:500 3168 IRP_MJ_FLUSH_BUFFERS : F75D7366
14:13:46:500 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:500 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:500 3168 IRP_MJ_DEVICE_CONTROL : F75D744D
14:13:46:500 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75DAFC3
14:13:46:500 3168 IRP_MJ_SHUTDOWN : F75D7366
14:13:46:500 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:500 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:500 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:500 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:500 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:500 3168 IRP_MJ_POWER : F75D8EF3
14:13:46:500 3168 IRP_MJ_SYSTEM_CONTROL : F75DDA24
14:13:46:500 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:500 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:500 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:500 3168 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:13:46:500 3168
14:13:46:500 3168 Driver Name: Disk
14:13:46:500 3168 IRP_MJ_CREATE : F75DCC30
14:13:46:500 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:500 3168 IRP_MJ_CLOSE : F75DCC30
14:13:46:500 3168 IRP_MJ_READ : F75D6D9B
14:13:46:500 3168 IRP_MJ_WRITE : F75D6D9B
14:13:46:500 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:500 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:500 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:500 3168 IRP_MJ_FLUSH_BUFFERS : F75D7366
14:13:46:515 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_DEVICE_CONTROL : F75D744D
14:13:46:515 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75DAFC3
14:13:46:515 3168 IRP_MJ_SHUTDOWN : F75D7366
14:13:46:515 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:515 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:515 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:515 3168 IRP_MJ_POWER : F75D8EF3
14:13:46:515 3168 IRP_MJ_SYSTEM_CONTROL : F75DDA24
14:13:46:515 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:515 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:515 3168 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:13:46:515 3168
14:13:46:515 3168 Driver Name: Disk
14:13:46:515 3168 IRP_MJ_CREATE : F75DCC30
14:13:46:515 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:515 3168 IRP_MJ_CLOSE : F75DCC30
14:13:46:515 3168 IRP_MJ_READ : F75D6D9B
14:13:46:515 3168 IRP_MJ_WRITE : F75D6D9B
14:13:46:515 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:515 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:515 3168 IRP_MJ_FLUSH_BUFFERS : F75D7366
14:13:46:515 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_DEVICE_CONTROL : F75D744D
14:13:46:515 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75DAFC3
14:13:46:515 3168 IRP_MJ_SHUTDOWN : F75D7366
14:13:46:515 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:515 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:515 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:515 3168 IRP_MJ_POWER : F75D8EF3
14:13:46:515 3168 IRP_MJ_SYSTEM_CONTROL : F75DDA24
14:13:46:515 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:515 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:515 3168 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:13:46:515 3168
14:13:46:515 3168 Driver Name: usbstor
14:13:46:515 3168 IRP_MJ_CREATE : 827FD1F8
14:13:46:515 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:515 3168 IRP_MJ_CLOSE : 827FD1F8
14:13:46:515 3168 IRP_MJ_READ : 827FD1F8
14:13:46:515 3168 IRP_MJ_WRITE : 827FD1F8
14:13:46:515 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:515 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:515 3168 IRP_MJ_FLUSH_BUFFERS : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:515 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_DEVICE_CONTROL : 827FD1F8
14:13:46:515 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : 827FD1F8
14:13:46:515 3168 IRP_MJ_SHUTDOWN : 804F3418
14:13:46:515 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:515 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:515 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:515 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:515 3168 IRP_MJ_POWER : 827FD1F8
14:13:46:515 3168 IRP_MJ_SYSTEM_CONTROL : 827FD1F8
14:13:46:515 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:515 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:515 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:531 3168 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:13:46:531 3168
14:13:46:531 3168 Driver Name: usbstor
14:13:46:531 3168 IRP_MJ_CREATE : 827FD1F8
14:13:46:531 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:531 3168 IRP_MJ_CLOSE : 827FD1F8
14:13:46:531 3168 IRP_MJ_READ : 827FD1F8
14:13:46:531 3168 IRP_MJ_WRITE : 827FD1F8
14:13:46:531 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:531 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:531 3168 IRP_MJ_FLUSH_BUFFERS : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:531 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:531 3168 IRP_MJ_DEVICE_CONTROL : 827FD1F8
14:13:46:531 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : 827FD1F8
14:13:46:531 3168 IRP_MJ_SHUTDOWN : 804F3418
14:13:46:531 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:531 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:531 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:531 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:531 3168 IRP_MJ_POWER : 827FD1F8
14:13:46:531 3168 IRP_MJ_SYSTEM_CONTROL : 827FD1F8
14:13:46:531 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:531 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:531 3168 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:13:46:531 3168
14:13:46:531 3168 Driver Name: usbstor
14:13:46:531 3168 IRP_MJ_CREATE : 827FD1F8
14:13:46:531 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:531 3168 IRP_MJ_CLOSE : 827FD1F8
14:13:46:531 3168 IRP_MJ_READ : 827FD1F8
14:13:46:531 3168 IRP_MJ_WRITE : 827FD1F8
14:13:46:531 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:531 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:531 3168 IRP_MJ_FLUSH_BUFFERS : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:531 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:531 3168 IRP_MJ_DEVICE_CONTROL : 827FD1F8
14:13:46:531 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : 827FD1F8
14:13:46:531 3168 IRP_MJ_SHUTDOWN : 804F3418
14:13:46:531 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:531 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:531 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:531 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:531 3168 IRP_MJ_POWER : 827FD1F8
14:13:46:531 3168 IRP_MJ_SYSTEM_CONTROL : 827FD1F8
14:13:46:531 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:531 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:531 3168 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:13:46:531 3168
14:13:46:531 3168 Driver Name: usbstor
14:13:46:531 3168 IRP_MJ_CREATE : 827FD1F8
14:13:46:531 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:531 3168 IRP_MJ_CLOSE : 827FD1F8
14:13:46:531 3168 IRP_MJ_READ : 827FD1F8
14:13:46:531 3168 IRP_MJ_WRITE : 827FD1F8
14:13:46:531 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:531 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:531 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:531 3168 IRP_MJ_FLUSH_BUFFERS : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_DEVICE_CONTROL : 827FD1F8
14:13:46:546 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : 827FD1F8
14:13:46:546 3168 IRP_MJ_SHUTDOWN : 804F3418
14:13:46:546 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:546 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:546 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:546 3168 IRP_MJ_POWER : 827FD1F8
14:13:46:546 3168 IRP_MJ_SYSTEM_CONTROL : 827FD1F8
14:13:46:546 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:546 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:546 3168 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
14:13:46:546 3168
14:13:46:546 3168 Driver Name: Disk
14:13:46:546 3168 IRP_MJ_CREATE : F75DCC30
14:13:46:546 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:546 3168 IRP_MJ_CLOSE : F75DCC30
14:13:46:546 3168 IRP_MJ_READ : F75D6D9B
14:13:46:546 3168 IRP_MJ_WRITE : F75D6D9B
14:13:46:546 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:546 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:546 3168 IRP_MJ_FLUSH_BUFFERS : F75D7366
14:13:46:546 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_DEVICE_CONTROL : F75D744D
14:13:46:546 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75DAFC3
14:13:46:546 3168 IRP_MJ_SHUTDOWN : F75D7366
14:13:46:546 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:546 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:546 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:546 3168 IRP_MJ_POWER : F75D8EF3
14:13:46:546 3168 IRP_MJ_SYSTEM_CONTROL : F75DDA24
14:13:46:546 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:546 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:546 3168 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:13:46:546 3168
14:13:46:546 3168 Driver Name: atapi
14:13:46:546 3168 IRP_MJ_CREATE : 82B761F8
14:13:46:546 3168 IRP_MJ_CREATE_NAMED_PIPE : 804F3418
14:13:46:546 3168 IRP_MJ_CLOSE : 82B761F8
14:13:46:546 3168 IRP_MJ_READ : 804F3418
14:13:46:546 3168 IRP_MJ_WRITE : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_SET_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_EA : 804F3418
14:13:46:546 3168 IRP_MJ_SET_EA : 804F3418
14:13:46:546 3168 IRP_MJ_FLUSH_BUFFERS : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_SET_VOLUME_INFORMATION : 804F3418
14:13:46:546 3168 IRP_MJ_DIRECTORY_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_FILE_SYSTEM_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_DEVICE_CONTROL : 82B761F8
14:13:46:546 3168 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82B761F8
14:13:46:546 3168 IRP_MJ_SHUTDOWN : 804F3418
14:13:46:546 3168 IRP_MJ_LOCK_CONTROL : 804F3418
14:13:46:546 3168 IRP_MJ_CLEANUP : 804F3418
14:13:46:546 3168 IRP_MJ_CREATE_MAILSLOT : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_SECURITY : 804F3418
14:13:46:546 3168 IRP_MJ_SET_SECURITY : 804F3418
14:13:46:546 3168 IRP_MJ_POWER : 82B761F8
14:13:46:546 3168 IRP_MJ_SYSTEM_CONTROL : 82B761F8
14:13:46:546 3168 IRP_MJ_DEVICE_CHANGE : 804F3418
14:13:46:546 3168 IRP_MJ_QUERY_QUOTA : 804F3418
14:13:46:546 3168 IRP_MJ_SET_QUOTA : 804F3418
14:13:46:562 3168 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
14:13:46:562 3168 Reboot required for cure complete..
14:13:46:750 3168 Cure on reboot scheduled successfully
14:13:46:750 3168
14:13:46:828 3168 Completed
14:13:46:828 3168
14:13:46:828 3168 Results:
14:13:46:828 3168 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
14:13:46:828 3168 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
14:13:46:828 3168 File objects infected / cured / cured on reboot: 5 / 0 / 5
14:13:46:828 3168
14:13:46:828 3168 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:13:46:828 3168 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:13:46:843 3168 KLMD(ARK) unloaded successfully

Re: Wuauclt.exe is infected3rd April 2010, 6:34 pm

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

Re: Wuauclt.exe is infected3rd April 2010, 9:43 pm

ComboFix 10-04-03.01 - Roy 04/03/2010 17:30:20.1.1 - x86
Running from: c:\documents and settings\Roy\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100313-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
c:\documents and settings\All Users\Application Data\fiosejgfse.dll
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\program files\Dr. Guard
c:\program files\Dr. Guard\drgext.dll
c:\windows\_VOIDjwivpecvnn
c:\windows\AppPatch\AcAdProc.dll
c:\windows\system32\_VOIDmfeklnmal.dll
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\SIntf16.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))
.

2010-04-03 00:43 . 2010-04-03 00:43 -------- d-----w- C:\_OTL
2010-04-03 00:39 . 2009-11-10 14:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-03 00:39 . 2009-11-10 14:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-03 00:39 . 2009-11-10 14:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-04-03 00:39 . 2009-11-10 14:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-03 00:39 . 2009-10-28 05:36 1152444 ----a-w- c:\windows\UDB.zip
2010-04-03 00:39 . 2008-11-26 16:08 131 ----a-w- c:\windows\IDB.zip
2010-04-03 00:35 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-04-03 00:35 . 2009-10-06 20:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-04-03 00:35 . 2009-09-23 20:10 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-04-03 00:35 . 2010-02-05 13:25 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-04-03 00:35 . 2010-04-03 21:36 -------- d-----w- c:\program files\Spyware Doctor
2010-04-03 00:35 . 2010-04-03 00:40 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-03 00:35 . 2010-04-03 00:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-03-13 03:50 . 2010-03-13 04:17 -------- d-----w- c:\documents and settings\Administrator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-03 21:28 . 2010-04-03 00:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-03 21:04 . 2009-09-27 05:00 -------- d-----w- c:\documents and settings\Roy\Application Data\Skype
2010-04-03 20:08 . 2009-09-27 05:01 -------- d-----w- c:\documents and settings\Roy\Application Data\skypePM
2010-04-03 00:35 . 2010-04-03 00:35 -------- d-----w- c:\documents and settings\Administrator.EINGLETT\Application Data\PC Tools
2010-04-02 01:39 . 2009-09-07 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-03-24 19:08 . 2010-04-02 01:48 52224 ----a-w- c:\documents and settings\Roy\Application Data\Mozilla\Firefox\Profiles\d0o7jw35.default\extensions\{37d6d330-27cc-41d1-a1f2-158744751199}\components\FFExternalAlert.dll
2010-03-24 19:08 . 2010-04-02 01:48 101376 ----a-w- c:\documents and settings\Roy\Application Data\Mozilla\Firefox\Profiles\d0o7jw35.default\extensions\{37d6d330-27cc-41d1-a1f2-158744751199}\components\RadioWMPCore.dll
2010-03-16 21:51 . 2010-03-16 21:51 -------- d-----w- c:\program files\Windows Media Connect 2
2010-03-13 03:53 . 2009-08-08 21:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-10 23:13 . 2010-02-07 16:02 -------- d-----w- c:\program files\Warrior Epic
2010-01-03 22:23 . 2010-01-03 22:23 1245321 ----a-w- c:\documents and settings\All Users\Application Data\NeoEdge Networks\Yahoo_SuperCollapse3\IAF.dll
2004-12-07 16:13 . 2004-12-07 16:13 703080 -c--a-w- c:\program files\BDA.cab
2004-12-07 16:13 . 2004-12-07 16:13 3578547 ----a-w- c:\program files\ManagedDX.CAB
2004-12-07 16:13 . 2004-12-07 16:13 1156363 -c--a-w- c:\program files\BDANT.cab
2004-12-07 16:13 . 2004-12-07 16:13 479432 ----a-w- c:\program files\dxsetup.exe
2004-12-07 16:13 . 2004-12-07 16:13 69832 ----a-w- c:\program files\DSETUP.dll
2004-12-07 16:13 . 2004-12-07 16:13 2249416 ----a-w- c:\program files\dsetup32.dll
2004-12-07 16:13 . 2004-12-07 16:13 13265040 ----a-r- c:\program files\dxnt.cab
2004-12-07 16:13 . 2004-12-07 16:13 976020 ----a-w- c:\program files\BDAXP.cab
2004-12-07 16:13 . 2004-12-07 16:13 15493481 ----a-w- c:\program files\DirectX.cab
2004-12-07 15:47 . 2004-12-07 15:47 20717 ----a-w- c:\program files\DirectX SDK EULA.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"acivbtjp"="c:\documents and settings\Roy\Local Settings\Application Data\tdoupmkah\fwpcrgvtssd.exe" [2010-04-01 269312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"acivbtjp"="c:\documents and settings\Roy\Local Settings\Application Data\tdoupmkah\fwpcrgvtssd.exe" [2010-04-01 269312]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Warrior Epic\\WEShell_TGI.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"223:TCP"= 223:TCP:WarriorEpic
"223:UDP"= 223:UDP:WarriorEpic
"860:TCP"= 860:TCP:WarriorEpic
"860:UDP"= 860:UDP:WarriorEpic
"262:TCP"= 262:TCP:WarriorEpic
"262:UDP"= 262:UDP:WarriorEpic
"367:TCP"= 367:TCP:WarriorEpic
"367:UDP"= 367:UDP:WarriorEpic
"90:TCP"= 90:TCP:WarriorEpic
"90:UDP"= 90:UDP:WarriorEpic
"311:TCP"= 311:TCP:WarriorEpic
"311:UDP"= 311:UDP:WarriorEpic
"33:TCP"= 33:TCP:WarriorEpic
"33:UDP"= 33:UDP:WarriorEpic
"770:TCP"= 770:TCP:WarriorEpic
"770:UDP"= 770:UDP:WarriorEpic
"876:TCP"= 876:TCP:WarriorEpic
"876:UDP"= 876:UDP:WarriorEpic
"946:TCP"= 946:TCP:WarriorEpic
"946:UDP"= 946:UDP:WarriorEpic
"987:TCP"= 987:TCP:WarriorEpic
"987:UDP"= 987:UDP:WarriorEpic
"991:TCP"= 991:TCP:WarriorEpic
"991:UDP"= 991:UDP:WarriorEpic
"600:TCP"= 600:TCP:WarriorEpic
"600:UDP"= 600:UDP:WarriorEpic
"448:TCP"= 448:TCP:WarriorEpic
"448:UDP"= 448:UDP:WarriorEpic
"87:TCP"= 87:TCP:WarriorEpic
"87:UDP"= 87:UDP:WarriorEpic
"710:TCP"= 710:TCP:WarriorEpic
"710:UDP"= 710:UDP:WarriorEpic
"282:TCP"= 282:TCP:WarriorEpic
"282:UDP"= 282:UDP:WarriorEpic
"363:TCP"= 363:TCP:WarriorEpic
"363:UDP"= 363:UDP:WarriorEpic
"740:TCP"= 740:TCP:WarriorEpic
"740:UDP"= 740:UDP:WarriorEpic
"708:TCP"= 708:TCP:WarriorEpic
"708:UDP"= 708:UDP:WarriorEpic
"612:TCP"= 612:TCP:WarriorEpic
"612:UDP"= 612:UDP:WarriorEpic
"774:TCP"= 774:TCP:WarriorEpic
"774:UDP"= 774:UDP:WarriorEpic
"214:TCP"= 214:TCP:WarriorEpic
"214:UDP"= 214:UDP:WarriorEpic

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-09-27 721904]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-09-23 207280]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]

--- Other Services/Drivers In Memory ---

*Deregistered* - PCTSDInjDriver32
.
Contents of the 'Scheduled Tasks' folder

2010-04-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-01-17 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZQfox000&ptb=RLaNzCVB9mTNWjaX4TwT_g
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Roy\Application Data\Mozilla\Firefox\Profiles\d0o7jw35.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2502906&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={BBE59F84-B79B-EC85-6C36-A559E437D96E}&q=
FF - component: c:\documents and settings\Roy\Application Data\Mozilla\Firefox\Profiles\d0o7jw35.default\extensions\{37d6d330-27cc-41d1-a1f2-158744751199}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Roy\Application Data\Mozilla\Firefox\Profiles\d0o7jw35.default\extensions\{37d6d330-27cc-41d1-a1f2-158744751199}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\Roy\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Roy\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Search
FF - user.js: keyword.URL - hxxp://www.sicto.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=3oOAX9Ew&q=
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
HKCU-Run-DW6 - (no file)
HKCU-Run-Dr. Guard - c:\program files\Dr. Guard\drguard.exe
AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-Dr. Guard - c:\program files\Dr. Guard\Uninstall.exe
AddRemove-FBSearchToolbar - c:\program files\FBSearch Toolbar\FbsUninstall.exe
AddRemove-Gamevance - c:\program files\Gamevance\gvun.exe
AddRemove-The Weather Channel Desktop 6 - c:\program files\The Weather Channel FW\Desktop\TheWeatherChannelCustomUninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 17:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-04-03 17:39:12
ComboFix-quarantined-files.txt 2010-04-03 21:39

Pre-Run: 140,753,416,192 bytes free
Post-Run: 143,846,416,384 bytes free

- - End Of File - - AC2934260F7EE62FFAB9BE46A34C9F95

Re: Wuauclt.exe is infected4th April 2010, 2:05 am

1. ComboFix re-run

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the box below into it:

killall::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"acivbtjp"=-

DDS::
uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=ZQfox000&
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2502906&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=18&tid={BBE59F84-B79B-EC85-6C36-A559E437D96E}&q=
FF - user.js: keyword.URL - hxxp://www.sicto.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&rls=3oOAX9Ew&q=

Folder::
c:\documents and settings\Roy\Local Settings\Application Data\tdoupmkah

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please post the contents of the log in your next reply.

2. Online Scan

Please run a free online scan with the ESET Online Scanner

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats and the option Scan unwanted applications is checked
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

3. Post logs

Make sure to post these logs for my review:

ComboFix log
ESET Scan log

Also, let me know how your computer is running.

Thanks! Smile...

Re: Wuauclt.exe is infected4th April 2010, 5:26 am

ComboFix froze after the reboot when it was making the log, tried it 3 times and froze computer all 3

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d2f4c2a6fcb0af42800d118a34bd5fff
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-04 04:40:39
# local_time=2010-04-04 12:40:39 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=769 16775125 100 98 0 205713052 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=35862
# found=38
# cleaned=38
# scan_time=6139
C:\Qoobox\Quarantine\C\Documents and Settings\Roy\Local Settings\Application Data\tdoupmkah\fwpcrgvtssd.exe.vir Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\Dr. Guard\drgext.dll.vir a variant of Win32/Kryptik.DBT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP221\A0071928.exe Win32/Adware.CoreguardAntivirus.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP221\A0071930.dll a variant of Win32/Kryptik.DBT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP221\A0071931.dll a variant of Win32/Kryptik.DBT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093088.dll a variant of Win32/Kryptik.DBT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093092.exe Win32/Adware.CoreguardAntivirus.F application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093096.dll a variant of Win32/Adware.Gamevance.AE application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093097.dll a variant of Win32/Adware.Gamevance.AE application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093098.exe Win32/Adware.Gamevance.AE application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093100.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093101.DLL Win32/Adware.FunWeb application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093102.DLL Win32/Adware.FunWeb application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093104.DLL Win32/Adware.FunWeb application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093106.DLL Win32/Adware.FunWeb application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093107.SCR Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093109.DLL Win32/Adware.FunWeb application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093110.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093111.EXE Win32/Adware.FunWeb application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093112.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093116.EXE Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093117.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093118.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093119.EXE Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093120.EXE Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093121.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093122.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093123.DLL a variant of Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093124.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093125.EXE Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093129.EXE Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093131.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093133.EXE Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093136.DLL Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093180.dll a variant of Win32/Kryptik.DBT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093183.scr Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{E89085B5-2616-4CEB-96E1-BB040BF462C1}\RP246\A0093276.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

it's running much better

Re: Wuauclt.exe is infected5th April 2010, 3:22 am

RKill by Grinler
Link #1
Link #2
Link #3

Download Link #1.
Save it to your Desktop.
Double click the RKill desktop icon.
If you are using Vista please right click and run as Admin!
A black screen will briefly flash indicating a successful run.
If this does not occur please delete that application and download Link #2.
Continue process until the tool runs.
If the tool does not run from any of the links tell me about it.

This only kills the active infection, the actual infection will not be gone.

Then, try the ComboFix fixes again.

Wuauclt.exe is infected

descriptionWuauclt.exe is infected3rd April 2010, 12:56 am

descriptionRe: Wuauclt.exe is infected3rd April 2010, 3:00 am

descriptionRe: Wuauclt.exe is infected3rd April 2010, 2:31 pm

descriptionRe: Wuauclt.exe is infected3rd April 2010, 5:52 pm

descriptionRe: Wuauclt.exe is infected3rd April 2010, 6:25 pm

descriptionRe: Wuauclt.exe is infected3rd April 2010, 6:34 pm

descriptionRe: Wuauclt.exe is infected3rd April 2010, 9:43 pm

descriptionRe: Wuauclt.exe is infected4th April 2010, 2:05 am

descriptionRe: Wuauclt.exe is infected4th April 2010, 5:26 am

descriptionRe: Wuauclt.exe is infected5th April 2010, 3:22 am

descriptionRe: Wuauclt.exe is infected