antivirus software alert... file wuauclt.exe is infected...

Windows Security Alerts constantly pop up warning that I have a virus. Pop up windows lead me to a website trying to get me to purchase antivirus software (antispycraft.com). One of the windows that pops up every few seconds reads, "application cannot be executed. The file wuauclt.exe is infected. Do you want to activate your antivirus software now? " Browser keeps popping up with porn sites/ viagra ads. I've tried to disable the free version of AVG antivirus installed on my computer thinking that may be what's infected, but I'm not able to open 'add/ uninstall program'. I've also tried to download spyware suggested to me, but the virus is blocking me from opening any downloads. Any suggestions? I would greatly appreciate any help on this. I've never dealt with a computer virus before. Thanks!

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:

• Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  
• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  
• If you have already asked for help somewhere, please post the link to the topic you were helped.
  
• We try our best to reply quickly, but for any reason we do not reply in two days, do one of two things:
  
  Reply to this topic with the word BUMP, or
  see this topic.
  
  
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

---

Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  
• It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  
• Please post its log in your next reply.
  
• After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.


Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

RKill log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Josie Rassat on 08/25/2010 at 12:17:15.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Josie Rassat\Local Settings\Application Data\uhlulgyiq\bhnvlmjshdw.exe
C:\Program Files\Mozilla Firefox\firefox.exe


Rkill completed on 08/25/2010 at 12:17:20.

Log entry from running ComboFix:


ComboFix 10-08-24.0C - Josie Rassat 08/25/2010 13:07:28.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.556 [GMT -4:00]
Running from: c:\documents and settings\Josie Rassat\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Josie Rassat\Local Settings\Application Data\uhlulgyiq
c:\documents and settings\Josie Rassat\Local Settings\Application Data\uhlulgyiq\bhnvlmjshdw.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.

2010-08-24 04:31 . 2010-08-24 04:31 -------- d-----w- c:\documents and settings\Josie Rassat\Local Settings\Application Data\Google
2010-08-24 04:31 . 2010-08-24 04:32 -------- d-----w- c:\program files\Google
2010-08-24 04:31 . 2010-01-22 12:56 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-08-24 04:31 . 2010-01-22 12:56 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-08-24 04:31 . 2010-08-25 16:33 -------- d-----w- c:\program files\Spyware Doctor
2010-08-24 04:30 . 2010-08-25 16:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-20 05:01 . 2010-08-20 05:01 -------- d-----w- c:\program files\iPod
2010-08-20 05:01 . 2010-08-20 05:02 -------- d-----w- c:\program files\iTunes
2010-08-20 04:56 . 2010-08-20 04:56 -------- d-----w- c:\program files\Bonjour
2010-08-20 04:44 . 2010-08-20 04:44 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-24 04:31 . 2010-08-24 04:31 1152444 ----a-w- c:\windows\is-LSMVP.tmp
2010-08-22 03:01 . 2009-09-25 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-08-22 02:06 . 2009-09-29 03:11 -------- d-----w- c:\documents and settings\Josie Rassat\Application Data\BitTorrent
2010-08-20 05:01 . 2009-07-12 13:46 -------- d-----w- c:\program files\Common Files\Apple
2010-08-13 14:29 . 2009-05-30 08:42 -------- d-----w- c:\program files\Microsoft Works
2010-08-11 05:02 . 2009-09-22 00:42 -------- d-----w- c:\documents and settings\Josie Rassat\Application Data\vlc
2010-06-30 12:31 . 2008-04-25 20:33 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:10 . 2008-04-25 20:33 667136 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:10 . 2008-04-25 20:33 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 02:14 . 2008-04-25 20:33 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-25 20:33 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-25 20:33 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-26 01:44 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-25 20:33 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-05-30 08:48 . 2009-05-30 08:48 75 --sh--r- c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-30 136600]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WLSS"="c:\program files\Wireless Select Switch\WLSS.exe" [2009-01-01 550184]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2008-11-05 623912]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-11-11 442536]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-01-30 206064]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [5/30/2009 4:35 AM 14248]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [5/30/2009 4:46 AM 135936]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [5/30/2009 7:16 AM 148056]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [5/30/2009 7:16 AM 133472]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [5/30/2009 7:16 AM 271328]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [5/30/2009 7:16 AM 162816]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/30/2009 7:16 AM 1684736]
.
Contents of the 'Scheduled Tasks' folder

2010-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14986&l=dis
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
FF - ProfilePath - c:\documents and settings\Josie Rassat\Application Data\Mozilla\Firefox\Profiles\uo0plept.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\Josie Rassat\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-xujxtwll - c:\documents and settings\Josie Rassat\Local Settings\Application Data\uhlulgyiq\bhnvlmjshdw.exe
HKLM-Run-xujxtwll - c:\documents and settings\Josie Rassat\Local Settings\Application Data\uhlulgyiq\bhnvlmjshdw.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 13:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-08-25 13:13:35
ComboFix-quarantined-files.txt 2010-08-25 17:13

Pre-Run: 82,354,671,616 bytes free
Post-Run: 83,947,958,272 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F9A0E0DAE26820D27B19AC4559454C12

Re-running ComboFix to remove infections:

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Open notepad and copy/paste the text in the codebox below into it:
  

  Code:

  dds::
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
  
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• Please post the contents of the log in your next reply.

---

Please download Malwarebytes Anti-Malware from Download.CNET.com.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.