wuauclt.exe is infected

View previous topic View next topic Go down

wuauclt.exe is infected

Post by Leif on 15th March 2010, 11:35 pm

Got error message "application cannot be executed. The file wuauclt.exe is infected. Do you want to activate your antivirus software now?" . calt press alt ctrl delete or get to add remove programs. After searching the web, I found this forum and followed the instruction. Please help. Thanks.

Leif
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-03-15
OS OS : wiindows xp
Points Points : 24663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: wuauclt.exe is infected

Post by Belahzur on 16th March 2010, 1:13 am

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34917
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245090
# Likes # Likes : 1

View user profile

Back to top Go down

OLT.TXT

Post by Leif on 17th March 2010, 11:22 pm

OTL logfile created on: 3/17/2010 6:56:43 PM - Run 1
OTL by OldTimer - Version 3.1.37.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 232.00 Mb Available Physical Memory | 45.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 146.81 Gb Free Space | 63.04% Space Free | Partition Type: NTFS
Drive D: | 3.92 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-4DM0FJDTM5
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/17 18:50:52 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
PRC - [2010/03/15 19:02:18 | 000,318,208 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fvwoso\yptqsftav.exe
PRC - [2010/01/07 22:27:32 | 000,557,056 | ---- | M] (BitLeader) -- C:\Program Files\lg_fwupdate\fwupdate.exe
PRC - [2009/08/25 19:44:30 | 000,117,640 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/07/08 16:24:46 | 000,871,424 | ---- | M] (Nero AG) -- C:\Program Files\Ahead\InCD\InCDsrv.exe
PRC - [2005/06/02 15:54:34 | 000,086,606 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2004/10/14 12:32:18 | 000,450,560 | ---- | M] () -- C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe


========== Modules (SafeList) ==========

MOD - [2010/03/17 18:50:52 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
MOD - [2007/09/15 14:19:19 | 000,079,408 | ---- | M] (GRISOFT s.r.o.) -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
MOD - [2004/08/04 03:57:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (CLTNetCnService)
SRV - [2009/08/25 19:44:30 | 000,117,640 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe -- (Norton AntiVirus)
SRV - [2007/09/15 14:19:22 | 000,312,880 | ---- | M] (GRISOFT s.r.o.) [On_Demand | Stopped] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe -- (AVG Anti-Spyware Guard)
SRV - [2005/07/08 16:24:46 | 000,871,424 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\InCDsrv.exe -- (InCDsrv)
SRV - [2005/06/02 15:54:34 | 000,086,606 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2002/09/27 11:56:20 | 000,139,264 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- c:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2010/02/02 21:02:33 | 000,482,432 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1008000.029\ccHPx86.sys -- (ccHP)
DRV - [2009/11/08 20:24:36 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2009/11/04 07:03:48 | 001,323,568 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100111.003\NAVEX15.SYS -- (NAVEX15)
DRV - [2009/11/04 07:03:48 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2009/11/04 07:03:48 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100111.003\NAVENG.SYS -- (NAVENG)
DRV - [2009/10/28 18:37:22 | 000,329,592 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2009/08/25 19:44:31 | 000,310,320 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NAV\1008000.029\SYMEFA.SYS -- (SymEFA)
DRV - [2009/08/25 19:44:31 | 000,308,272 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\NAV\1008000.029\SRTSP.SYS -- (SRTSP)
DRV - [2009/08/25 19:44:31 | 000,259,632 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1008000.029\BHDrvx86.sys -- (BHDrvx86)
DRV - [2009/08/25 19:44:31 | 000,217,136 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\NAV\1008000.029\SYMTDI.SYS -- (SYMTDI)
DRV - [2009/08/25 19:44:31 | 000,089,904 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NAV\1008000.029\SYMFW.SYS -- (SYMFW)
DRV - [2009/08/25 19:44:31 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NAV\1008000.029\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2009/08/25 19:44:31 | 000,036,400 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NAV\1008000.029\SYMNDIS.SYS -- (SYMNDIS)
DRV - [2009/08/25 19:44:31 | 000,033,072 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\Drivers\NAV\1008000.029\SYMIDS.SYS -- (SYMIDS)
DRV - [2009/08/25 19:44:18 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIMMP)
DRV - [2009/08/25 19:44:18 | 000,036,400 | R--- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SymIM.sys -- (SymIM)
DRV - [2007/09/15 14:19:20 | 000,011,000 | ---- | M] () [Kernel | System | Running] -- C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys -- (AVG Anti-Spyware Driver)
DRV - [2007/07/30 16:43:31 | 000,062,865 | ---- | M] (Funk Software, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\odysseyIM3.sys -- (odysseyIM3)
DRV - [2006/09/05 12:03:16 | 000,003,968 | ---- | M] (GRISOFT, s.r.o.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AvgAsCln.sys -- (AvgAsCln)
DRV - [2006/03/13 22:06:01 | 000,028,672 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDrm.sys -- (incdrm)
DRV - [2006/02/08 15:44:00 | 003,846,016 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/07/08 16:17:54 | 000,099,584 | ---- | M] (Nero AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2005/07/08 16:17:36 | 000,029,696 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDpass.sys -- (InCDPass)
DRV - [2004/06/17 23:41:16 | 000,386,688 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\netwg311.sys -- (netwg311)
DRV - [2002/10/15 00:00:00 | 000,101,431 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\IdeChnDr.sys -- (IdeChnDr) Intel(R)
DRV - [2002/10/15 00:00:00 | 000,013,891 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\IdeBusDr.sys -- (IdeBusDr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "http://www.google.ca"


FF - HKLM\software\mozilla\Firefox\Extensions\\{3112ca9c-de6d-4884-a869-9855de68056c}: C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2007/09/08 10:01:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/14 09:34:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/13 17:38:02 | 000,000,000 | ---D | M]

[2008/09/06 14:29:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/05/10 09:33:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2e1t0p0z.default\extensions
[2008/09/06 14:30:27 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2e1t0p0z.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/03/17 18:53:33 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2008/12/13 18:51:20 | 000,292,880 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 bin.errorprotector.com ## added by CiD
O1 - Hosts: 127.0.0.1 br.errorsafe.com ## added by CiD
O1 - Hosts: 127.0.0.1 br.winantivirus.com ## added by CiD
O1 - Hosts: 127.0.0.1 br.winfixer.com ## added by CiD
O1 - Hosts: 127.0.0.1 cdn.drivecleaner.com ## added by CiD
O1 - Hosts: 127.0.0.1 cdn.errorsafe.com ## added by CiD
O1 - Hosts: 127.0.0.1 cdn.winsoftware.com ## added by CiD
O1 - Hosts: 127.0.0.1 de.errorsafe.com ## added by CiD
O1 - Hosts: 127.0.0.1 de.winantivirus.com ## added by CiD
O1 - Hosts: 127.0.0.1 download.cdn.drivecleaner.com ## added by CiD
O1 - Hosts: 127.0.0.1 download.cdn.errorsafe.com ## added by CiD
O1 - Hosts: 127.0.0.1 download.cdn.winsoftware.com ## added by CiD
O1 - Hosts: 127.0.0.1 download.errorsafe.com ## added by CiD
O1 - Hosts: 127.0.0.1 download.systemdoctor.com ## added by CiD
O1 - Hosts: 127.0.0.1 download.winantispyware.com ## added by CiD
O1 - Hosts: 127.0.0.1 download.windrivecleaner.com ## added by CiD
O1 - Hosts: 127.0.0.1 download.winfixer.com ## added by CiD
O1 - Hosts: 127.0.0.1 drivecleaner.com ## added by CiD
O1 - Hosts: 127.0.0.1 dynamique.drivecleaner.com ## added by CiD
O1 - Hosts: 127.0.0.1 errorprotector.com ## added by CiD
O1 - Hosts: 127.0.0.1 errorsafe.com ## added by CiD
O1 - Hosts: 127.0.0.1 es.winantivirus.com ## added by CiD
O1 - Hosts: 127.0.0.1 fr.winantivirus.com ## added by CiD
O1 - Hosts: 127.0.0.1 fr.winfixer.com ## added by CiD
O1 - Hosts: 10057 more lines...
O2 - BHO: (no name) - {22F34525-FC1F-4947-BB50-CC703912F18A} - C:\WINDOWS\System32\awtqpMFx.dll File not found
O2 - BHO: (no name) - {309EF80B-9561-43CF-8501-73002131B9C9} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5BA54959-C612-4BBE-B841-FB25CD98AF7C} - No CLSID value found.
O2 - BHO: (no name) - {5C81503A-B448-447C-B766-0C880B6EE46C} - No CLSID value found.
O2 - BHO: (no name) - {64E81918-66F3-43AA-8429-9A5C02A0BF72} - No CLSID value found.
O2 - BHO: (no name) - {66CD7F6E-6B85-40E1-AD70-FD97B635B77C} - No CLSID value found.
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (no name) - {939AFF5F-6D9B-4461-A2BE-8BB4021E5C2B} - No CLSID value found.
O2 - BHO: (no name) - {D11223A3-9AD5-4135-BFC8-4B2015DEBD68} - No CLSID value found.
O2 - BHO: (no name) - {F433B643-9A98-4186-A188-CAAA1CC73B3E} - No CLSID value found.
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LGODDFU] C:\Program Files\lg_fwupdate\fwupdate.exe (BitLeader)
O4 - HKLM..\Run: [WMC_AutoUpdate] File not found
O4 - HKLM..\Run: [xqbyrinh] C:\Documents and Settings\Owner\Local Settings\Application Data\fvwoso\yptqsftav.exe ()
O4 - HKCU..\Run: [] File not found
O4 - HKCU..\Run: [draw tool] C:\DOCUME~1\Owner\APPLIC~1\RECTFI~1\Mapi Ball Anti.exe File not found
O4 - HKCU..\Run: [xqbyrinh] C:\Documents and Settings\Owner\Local Settings\Application Data\fvwoso\yptqsftav.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} [You must be registered and logged in to see this link.] (Windows Genuine Advantage Validation Tool)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} [You must be registered and logged in to see this link.] (TTestGenXInstallObject)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} [You must be registered and logged in to see this link.] (Pearson Installation Assistant 2)
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} [You must be registered and logged in to see this link.] (F-Secure Online Scanner 3.0)
O16 - DPF: {EEC9DBCC-04AD-4A1B-BEA7-C6DAD9515D5A} [You must be registered and logged in to see this link.] (Pearson MyEconLab Player Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 64.71.255.198
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {57B86673-276A-48B2-BAE7-C6DBB3020EB8} - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (GRISOFT s.r.o.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/30 15:49:34 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{75537840-3d0c-11de-9334-000cf16ad04e}\Shell\AutoRun\command - "" = F:\InstallTomTomHOME.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/17 18:50:52 | 000,556,032 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/03/15 19:03:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\fvwoso
[2010/03/11 08:14:15 | 003,555,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\moviemk.exe
[2010/03/03 07:54:38 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
[2010/02/15 23:03:17 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/02/15 23:03:04 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/02/15 23:03:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/02/15 23:00:51 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/02/15 23:00:11 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/02/15 22:59:22 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update
[2010/02/15 22:59:12 | 002,065,696 | ---- | C] (Apple, Inc.) -- C:\WINDOWS\System32\usbaaplrc.dll
[2010/02/15 22:58:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/12/05 21:33:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/01/21 16:56:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2008/10/13 16:15:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/09/08 14:15:14 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/09/07 12:04:47 | 023,661,600 | ---- | C] (DivX, Inc.) -- C:\Program Files\DivXInstaller.exe
[2007/07/30 16:00:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/07/30 15:49:21 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[13 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/17 18:53:30 | 000,000,361 | ---- | M] () -- C:\WINDOWS\lgfwup.ini
[2010/03/17 18:53:21 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/17 18:53:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/17 18:52:14 | 007,864,320 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/03/17 18:52:14 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/03/17 18:50:52 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2010/03/17 18:48:01 | 000,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/17 18:48:01 | 000,311,934 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/17 18:48:01 | 000,040,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/17 18:43:48 | 000,012,664 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/15 18:01:52 | 000,034,816 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Cpost_cv.doc
[2010/03/15 17:43:46 | 000,036,352 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Porter_resume.doc
[2010/03/02 20:49:13 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/24 07:45:23 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/02/24 04:00:31 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/21 12:04:02 | 000,002,424 | -H-- | M] () -- C:\Documents and Settings\Owner\Desktop\ZbThumbnail.info
[2010/02/21 10:00:11 | 000,228,864 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/15 23:04:00 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/02/15 23:01:08 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[13 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\Owner\My Documents\*.tmp files -> C:\Documents and Settings\Owner\My Documents\*.tmp -> ]
[1 C:\Documents and Settings\Owner\Desktop\*.tmp files -> C:\Documents and Settings\Owner\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,100,864 | -HS- | C] () -- C:\WINDOWS\System32\vetahadu.dll
[2099/01/01 12:00:00 | 000,011,168 | -H-- | C] () -- C:\WINDOWS\System32\kabarese
[2010/03/15 18:01:52 | 000,034,816 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Cpost_cv.doc
[2010/03/14 18:23:36 | 000,036,352 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Porter_resume.doc
[2010/02/15 23:01:08 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/02/15 22:59:32 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/03/19 15:35:30 | 001,807,662 | -HS- | C] () -- C:\WINDOWS\System32\ipegowin.ini
[2009/03/18 20:31:01 | 001,807,653 | -HS- | C] () -- C:\WINDOWS\System32\ibiwovaw.ini
[2009/03/18 08:35:46 | 001,751,104 | -HS- | C] () -- C:\WINDOWS\System32\utipogaf.ini
[2009/03/18 08:31:59 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\nifarake.dll
[2009/03/18 08:31:42 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\nadojizu.dll
[2009/03/17 13:18:41 | 001,746,833 | -HS- | C] () -- C:\WINDOWS\System32\osanojoy.ini
[2009/03/16 22:18:51 | 001,722,836 | -HS- | C] () -- C:\WINDOWS\System32\izaseren.ini
[2009/03/16 12:41:12 | 001,703,008 | -HS- | C] () -- C:\WINDOWS\System32\eworowuy.ini
[2009/03/16 07:30:14 | 001,702,995 | -HS- | C] () -- C:\WINDOWS\System32\ativehuh.ini
[2009/03/15 10:19:30 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\natulevo.dll
[2009/03/14 00:39:06 | 001,702,995 | -HS- | C] () -- C:\WINDOWS\System32\oyusuvob.ini
[2009/03/13 12:39:10 | 001,835,082 | -HS- | C] () -- C:\WINDOWS\System32\urimiriw.ini
[2009/03/12 20:43:01 | 001,933,837 | -HS- | C] () -- C:\WINDOWS\System32\ikudowil.ini
[2009/03/12 08:44:10 | 001,835,082 | -HS- | C] () -- C:\WINDOWS\System32\iyokijir.ini
[2009/03/10 11:47:46 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\dafamupu.dll
[2009/03/10 11:47:44 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\popefuha.dll
[2009/03/09 23:49:20 | 000,000,121 | -HS- | C] () -- C:\WINDOWS\System32\oyopesof.ini
[2009/03/08 15:05:04 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\zimuworo.dll
[2009/03/08 15:05:04 | 000,002,098 | -HS- | C] () -- C:\WINDOWS\System32\fapawozi.dll
[2009/03/06 19:10:25 | 001,840,365 | -HS- | C] () -- C:\WINDOWS\System32\awidobil.ini
[2009/03/05 10:50:44 | 001,840,365 | -HS- | C] () -- C:\WINDOWS\System32\elejugas.ini
[2009/03/04 21:53:34 | 001,829,247 | -HS- | C] () -- C:\WINDOWS\System32\enilofab.ini
[2009/03/04 09:53:36 | 001,829,260 | -HS- | C] () -- C:\WINDOWS\System32\imosuyag.ini
[2009/03/03 14:03:11 | 001,657,242 | -HS- | C] () -- C:\WINDOWS\System32\ayiruley.ini
[2009/02/18 23:49:36 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ogohofon.ini
[2009/02/18 11:49:54 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\adoteneg.ini
[2009/02/17 22:44:53 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ivayoyot.ini
[2009/02/17 10:45:01 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\eyojotov.ini
[2009/02/16 22:44:17 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ihavumog.ini
[2009/02/16 10:44:47 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\uwelenak.ini
[2009/02/15 10:31:01 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\odolomir.ini
[2009/02/14 22:31:12 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\osimegey.ini
[2009/02/14 10:30:12 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\atabofuy.ini
[2009/02/13 16:13:32 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\obusorus.ini
[2009/02/13 16:13:06 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\asuginep.ini
[2009/02/11 20:12:23 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ivadozat.ini
[2009/02/10 20:40:29 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\emamewos.ini
[2009/02/09 15:15:46 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\imegovus.ini
[2009/02/08 13:10:32 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ozotisuk.ini
[2009/02/07 17:14:33 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ahinibes.ini
[2009/02/06 15:40:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\uvimugod.ini
[2009/02/04 16:25:31 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\aziwilor.ini
[2009/02/03 15:33:06 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\etapayoj.ini
[2009/02/02 13:23:39 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ubodidem.ini
[2009/01/30 12:53:07 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\otemogaf.ini
[2009/01/29 17:50:06 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\epekesek.ini
[2009/01/28 20:15:58 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\iwilihad.ini
[2009/01/27 13:44:58 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ekigimut.ini
[2009/01/26 13:37:42 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ewotevuz.ini
[2009/01/24 23:56:39 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ebobitut.ini
[2009/01/23 16:08:04 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\iseyatul.ini
[2009/01/22 09:20:22 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\alatopus.ini
[2009/01/20 13:29:23 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\oruyofid.ini
[2009/01/19 13:50:27 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\evusizew.ini
[2009/01/18 23:58:46 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\uzohureh.ini
[2009/01/18 11:59:10 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\idihujil.ini
[2009/01/17 13:48:07 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\eyitohef.ini
[2009/01/17 01:46:46 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\orulujum.ini
[2009/01/16 13:47:09 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\okuyupif.ini
[2009/01/15 12:09:38 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\umedaluv.ini
[2009/01/15 11:11:03 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ebuvakew.ini
[2009/01/14 16:11:47 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\avihavef.ini
[2009/01/13 13:30:53 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\opivaget.ini
[2009/01/12 13:08:20 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ebokuwed.ini
[2009/01/11 10:56:16 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\aveviyaz.ini
[2009/01/10 19:56:09 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\awhdljkn.ini
[2009/01/10 16:15:04 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\ukihozuy.ini
[2009/01/09 19:55:58 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\amkieioy.ini
[2008/12/16 19:35:01 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\gnslyqtu.ini
[2008/12/16 17:12:47 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\tmufekcy.ini
[2008/12/15 12:25:23 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\lknwokpb.ini
[2008/12/14 16:55:58 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\berwoeht.ini
[2008/01/10 18:02:22 | 000,000,643 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2008/01/10 18:02:08 | 000,328,704 | ---- | C] () -- C:\WINDOWS\System32\dosfnt32.dll
[2008/01/05 22:33:10 | 000,001,359 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/10/22 17:17:34 | 000,047,104 | ---- | C] () -- C:\WINDOWS\System32\KMVIDC32.DLL
[2007/10/15 09:25:20 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/10/01 19:30:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2007/09/15 14:16:41 | 011,470,608 | ---- | C] () -- C:\Program Files\avgas-setup-7[1].5.0.50.exe
[2007/09/15 14:11:32 | 000,744,529 | ---- | C] () -- C:\Program Files\bazookasetup.exe
[2007/09/13 21:12:08 | 000,054,584 | ---- | C] () -- C:\WINDOWS\System32\drivers\sbapifs.sys
[2007/09/13 21:07:24 | 000,013,632 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Svclog.log
[2007/09/08 09:58:14 | 000,882,888 | ---- | C] () -- C:\Program Files\Google Updater.exe
[2007/09/04 17:27:43 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/09/04 17:24:33 | 000,000,361 | ---- | C] () -- C:\WINDOWS\lgfwup.ini
[2007/09/04 17:17:15 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2007/09/04 17:16:42 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2007/09/03 13:45:04 | 004,862,464 | ---- | C] () -- C:\Program Files\BitComet_0.91_setup.exe
[2007/08/28 16:20:32 | 000,228,864 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/30 16:24:47 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2002/10/07 18:15:36 | 000,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
< End of report >

Leif
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-03-15
OS OS : wiindows xp
Points Points : 24663
# Likes # Likes : 0

View user profile

Back to top Go down

EXTRAS.TXT

Post by Leif on 17th March 2010, 11:23 pm

OTL Extras logfile created on: 3/17/2010 6:56:43 PM - Run 1
OTL by OldTimer - Version 3.1.37.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 232.00 Mb Available Physical Memory | 45.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 146.81 Gb Free Space | 63.04% Space Free | Partition Type: NTFS
Drive D: | 3.92 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-4DM0FJDTM5
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Jukebox -- File not found
"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" = C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe:*:Enabled:SpybotSD -- (Safer Networking Limited)
"C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe" = C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe:*:Enabled:AppSvc32 -- File not found
"C:\Program Files\Ahead\InCD\InCDsrv.exe" = C:\Program Files\Ahead\InCD\InCDsrv.exe:*:Enabled:InCDsrv -- (Nero AG)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)
"C:\WINDOWS\system32\net1.exe" = C:\WINDOWS\system32\net1.exe:*:Enabled:net1 -- (Microsoft Corporation)
"C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe" = C:\Program Files\Norton AntiVirus\Engine\16.2.0.7\ccSvcHst.exe:*:Enabled:ccSvcHst -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- File not found
"C:\WINDOWS\system32\net.exe" = C:\WINDOWS\system32\net.exe:*:Enabled:net -- (Microsoft Corporation)
"C:\Program Files\Canon\CAL\CALMAIN.exe" = C:\Program Files\Canon\CAL\CALMAIN.exe:*:Enabled:CALMAIN -- (Canon Inc.)
"C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe" = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe:*:Enabled:wlancfg5 -- ()
"C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" = C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe:*:Enabled:PIFSvc -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0627E8E9-6822-4A5E-9225-286741CDC3E4}" = FileViewerUtility 1.0
"{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Camera Window DS
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(TM) 6 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}" = Camera Window DVC
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6179550A-3E7C-499E-BCC9-9E8113E0A285}" = LG ODD Auto Firmware Update
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}" = Camera Window MC
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{901F8ED7-13E8-43EF-B738-2FE89B0588EB}" = Camera Access Library
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{936D42B8-FE51-41D5-A74A-6182F6CDB17B}" = NETGEAR WG311v2 802.11g Wireless PCI Adapter
"{9984DF60-1C5B-11D3-ACA1-908A4FC10801}" = Intel Application Accelerator
"{A1D0D14A-B776-4907-BC00-5149F2298086}" = Camera Support Core Library
"{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}" = Camera Window DVC
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Plus Web Player
"{B8CD1189-53D6-4C51-8082-14B812EABBA8}" = Canon Camera WIA Driver
"{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = RAW Image Task 2.2
"{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX (E)
"{EF4EF65F-4D62-44D7-82C9-1AECCBA74C50}" = Intel(R) PROSet
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVGAntiSpyware75" = AVG Anti-Spyware 7.5
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"InCD!UninstallKey" = InCD
"InstallShield_{0627E8E9-6822-4A5E-9225-286741CDC3E4}" = Canon Utilities FileViewerUtility 1.0
"InstallShield_{0A146245-DB79-4197-BF5D-FE1A699A2CC7}" = Canon Camera Window DSLR 5 for ZoomBrowser EX
"InstallShield_{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D}" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"InstallShield_{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D}" = Canon Camera Window MC 6 for ZoomBrowser EX
"InstallShield_{901F8ED7-13E8-43EF-B738-2FE89B0588EB}" = Canon Camera Access Library
"InstallShield_{936D42B8-FE51-41D5-A74A-6182F6CDB17B}" = NETGEAR WG311v2 802.11g Wireless PCI Adapter
"InstallShield_{A1D0D14A-B776-4907-BC00-5149F2298086}" = Canon Camera Support Core Library
"InstallShield_{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F}" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"InstallShield_{B8CD1189-53D6-4C51-8082-14B812EABBA8}" = Canon IXY 320, PowerShot S230, IXUS v3 WIA Driver
"InstallShield_{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4}" = Canon RAW Image Task for ZoomBrowser EX
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"NAV" = Norton AntiVirus
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PROSet" = Intel(R) PRO Network Adapters and Drivers
"VLC media player" = VLC media player 1.0.3
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/25/2010 2:53:14 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 489
Description = wuauclt (1692) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 2/25/2010 2:53:19 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 455
Description = wuaueng.dll (1692) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 2/25/2010 2:53:29 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 489
Description = wuauclt (1692) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 2/25/2010 2:53:29 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 455
Description = wuaueng.dll (1692) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 2/27/2010 5:27:45 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 490
Description = wuauclt (2648) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 2/27/2010 5:28:00 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 489
Description = wuauclt (2648) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 2/27/2010 5:28:00 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 455
Description = wuaueng.dll (2648) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 2/27/2010 5:28:16 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 489
Description = wuauclt (2648) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 2/27/2010 5:28:16 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 455
Description = wuaueng.dll (2648) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2010 6:54:02 PM | Computer Name = HOME-4DM0FJDTM5 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.2627.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ Application Events ]
Error - 2/25/2010 2:53:14 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 489
Description = wuauclt (1692) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 2/25/2010 2:53:19 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 455
Description = wuaueng.dll (1692) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 2/25/2010 2:53:29 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 489
Description = wuauclt (1692) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 2/25/2010 2:53:29 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 455
Description = wuaueng.dll (1692) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 2/27/2010 5:27:45 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 490
Description = wuauclt (2648) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk"
for read / write access failed with system error 32 (0x00000020): "The process
cannot access the file because it is being used by another process. ". The open
file operation will fail with error -1032 (0xfffffbf8).

Error - 2/27/2010 5:28:00 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 489
Description = wuauclt (2648) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 2/27/2010 5:28:00 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 455
Description = wuaueng.dll (2648) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 2/27/2010 5:28:16 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 489
Description = wuauclt (2648) An attempt to open the file "C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log"
for read only access failed with system error 32 (0x00000020): "The process cannot
access the file because it is being used by another process. ". The open file
operation will fail with error -1032 (0xfffffbf8).

Error - 2/27/2010 5:28:16 PM | Computer Name = HOME-4DM0FJDTM5 | Source = ESENT | ID = 455
Description = wuaueng.dll (2648) SUS20ClientDataStore: Error -1032 (0xfffffbf8)
occurred while opening logfile C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log.

Error - 3/15/2010 6:54:02 PM | Computer Name = HOME-4DM0FJDTM5 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.2627.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2/23/2010 9:14:02 PM | Computer Name = HOME-4DM0FJDTM5 | Source = DCOM | ID = 10010
Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
with DCOM within the required timeout.

Error - 2/23/2010 9:17:24 PM | Computer Name = HOME-4DM0FJDTM5 | Source = DCOM | ID = 10010
Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
with DCOM within the required timeout.

Error - 2/23/2010 9:20:16 PM | Computer Name = HOME-4DM0FJDTM5 | Source = DCOM | ID = 10010
Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
with DCOM within the required timeout.

Error - 2/23/2010 9:20:39 PM | Computer Name = HOME-4DM0FJDTM5 | Source = DCOM | ID = 10010
Description = The server {16D99191-6280-4B33-A2F5-04805A0FC582} did not register
with DCOM within the required timeout.

Error - 2/25/2010 12:27:44 AM | Computer Name = HOME-4DM0FJDTM5 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Norton AntiVirus service.

Error - 2/25/2010 11:49:05 AM | Computer Name = HOME-4DM0FJDTM5 | Source = DCOM | ID = 10010
Description = The server {1F87137D-0E7C-44D5-8C73-4EFFB68962F2} did not register
with DCOM within the required timeout.

Error - 3/11/2010 8:23:29 AM | Computer Name = HOME-4DM0FJDTM5 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the stisvc service.

Error - 3/13/2010 11:28:37 AM | Computer Name = HOME-4DM0FJDTM5 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 192.168.1.100 on
the Network Card with network address 000CF16AD04E.

Error - 3/13/2010 6:22:20 PM | Computer Name = HOME-4DM0FJDTM5 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Windows Internet Explorer 7 for Windows XP.

Error - 3/15/2010 7:23:43 PM | Computer Name = HOME-4DM0FJDTM5 | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >

Leif
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-03-15
OS OS : wiindows xp
Points Points : 24663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: wuauclt.exe is infected

Post by Belahzur on 18th March 2010, 12:05 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34917
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245090
# Likes # Likes : 1

View user profile

Back to top Go down

Re: wuauclt.exe is infected

Post by Leif on 28th March 2010, 8:38 pm

ComboFix 10-03-28.01 - Owner 03/28/2010 16:18:56.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.239 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\Combo-Fix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\NI.GSCNS
c:\documents and settings\Owner\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Owner\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\Owner\Local Settings\Application Data\fvwoso
c:\documents and settings\Owner\Local Settings\Application Data\fvwoso\yptqsftav.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ENCSC-Download.com.2.5.1040.0.exe
c:\windows\system32\adoteneg.ini
c:\windows\system32\ahinibes.ini
c:\windows\system32\alatopus.ini
c:\windows\system32\amkieioy.ini
c:\windows\system32\asuginep.ini
c:\windows\system32\atabofuy.ini
c:\windows\system32\ativehuh.ini
c:\windows\system32\aveviyaz.ini
c:\windows\system32\avihavef.ini
c:\windows\system32\awhdljkn.ini
c:\windows\system32\awidobil.ini
c:\windows\system32\ayiruley.ini
c:\windows\system32\aziwilor.ini
c:\windows\system32\berwoeht.ini
c:\windows\system32\ebobitut.ini
c:\windows\system32\ebokuwed.ini
c:\windows\system32\ebuvakew.ini
c:\windows\system32\ekigimut.ini
c:\windows\system32\elejugas.ini
c:\windows\system32\emamewos.ini
c:\windows\system32\enilofab.ini
c:\windows\system32\epekesek.ini
c:\windows\system32\etapayoj.ini
c:\windows\system32\evusizew.ini
c:\windows\system32\eworowuy.ini
c:\windows\system32\ewotevuz.ini
c:\windows\system32\eyitohef.ini
c:\windows\system32\eyojotov.ini
c:\windows\system32\gnslyqtu.ini
c:\windows\system32\ibiwovaw.ini
c:\windows\system32\idihujil.ini
c:\windows\system32\ihavumog.ini
c:\windows\system32\ikudowil.ini
c:\windows\system32\imegovus.ini
c:\windows\system32\imosuyag.ini
c:\windows\system32\ipegowin.ini
c:\windows\system32\iseyatul.ini
c:\windows\system32\ivadozat.ini
c:\windows\system32\ivayoyot.ini
c:\windows\system32\iwilihad.ini
c:\windows\system32\iyokijir.ini
c:\windows\system32\izaseren.ini
c:\windows\system32\lknwokpb.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\obusorus.ini
c:\windows\system32\odolomir.ini
c:\windows\system32\ogohofon.ini
c:\windows\system32\okuyupif.ini
c:\windows\system32\opivaget.ini
c:\windows\system32\orulujum.ini
c:\windows\system32\oruyofid.ini
c:\windows\system32\osanojoy.ini
c:\windows\system32\osimegey.ini
c:\windows\system32\otemogaf.ini
c:\windows\system32\oyopesof.ini
c:\windows\system32\oyusuvob.ini
c:\windows\system32\ozotisuk.ini
c:\windows\system32\tmufekcy.ini
c:\windows\system32\ubodidem.ini
c:\windows\system32\ukihozuy.ini
c:\windows\system32\umedaluv.ini
c:\windows\system32\urimiriw.ini
c:\windows\system32\utipogaf.ini
c:\windows\system32\uvimugod.ini
c:\windows\system32\uwelenak.ini
c:\windows\system32\uzohureh.ini
c:\windows\system32\VB6KO.DLL
c:\windows\system32\vetahadu.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-11 12:14 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 20:29 . 2007-09-04 21:24 -------- d-----w- c:\program files\lg_fwupdate
2010-03-15 23:55 . 2009-01-16 22:19 -------- d-----w- c:\program files\uTorrent
2010-03-15 23:55 . 2009-01-16 22:19 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-02-24 11:47 . 2010-01-11 18:08 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-02-16 03:21 . 2007-09-03 17:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-02-16 03:03 . 2010-02-16 03:03 -------- d-----w- c:\program files\iTunes
2010-02-16 03:03 . 2010-02-16 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-16 03:03 . 2010-02-16 03:03 -------- d-----w- c:\program files\iPod
2010-02-16 03:03 . 2008-12-14 15:54 -------- d-----w- c:\program files\Common Files\Apple
2010-02-16 03:01 . 2010-02-16 03:00 -------- d-----w- c:\program files\QuickTime
2010-02-16 02:59 . 2010-02-16 02:59 -------- d-----w- c:\program files\Apple Software Update
2010-02-16 02:58 . 2010-02-16 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-16 02:54 . 2010-01-13 11:51 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2010-02-02 00:20 . 2010-03-28 20:29 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-01-23 00:51 . 2010-01-23 00:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-08 02:28 . 2007-09-04 21:24 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2009-12-31 16:14 . 2003-03-31 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2007-09-15 18:16 . 2007-09-15 18:16 11470608 -c--a-w- c:\program files\avgas-setup-7[1].5.0.50.exe
2007-09-15 18:11 . 2007-09-15 18:11 744529 -c--a-w- c:\program files\bazookasetup.exe
2007-09-08 13:58 . 2007-09-08 13:58 882888 -c--a-w- c:\program files\Google Updater.exe
2007-09-07 16:04 . 2007-09-07 16:04 23661600 -c--a-w- c:\program files\DivXInstaller.exe
2007-09-03 17:45 . 2007-09-03 17:45 4862464 -c--a-w- c:\program files\BitComet_0.91_setup.exe
2004-10-01 19:00 . 2007-09-04 21:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-02-12 14:06 . 2009-02-12 14:06 120 --sh--w- c:\windows\system32\asuginep.tmp
2009-03-16 02:20 . 2009-03-16 02:20 1702986 --sh--w- c:\windows\system32\ativehuh.tmp
2009-03-06 21:47 . 2009-03-06 21:47 1840365 --sh--w- c:\windows\system32\awidobil.tmp
2009-03-10 15:47 . 2009-03-10 15:47 2098 --sh--w- c:\windows\system32\dafamupu.dll
2009-02-10 20:22 . 2009-02-10 20:22 120 --sh--w- c:\windows\system32\emamewos.tmp
2009-03-16 14:19 . 2009-03-16 14:19 1702999 --sh--w- c:\windows\system32\eworowuy.tmp
2009-03-08 19:05 . 2009-03-08 19:05 2098 --sh--w- c:\windows\system32\fapawozi.dll
2009-03-10 03:48 . 2009-03-10 03:48 1840365 --sh--w- c:\windows\system32\ikutujah.tmp
2009-02-16 02:32 . 2009-02-16 02:32 120 --sh--w- c:\windows\system32\iparepur.tmp
2009-03-18 12:31 . 2009-03-18 12:31 2098 --sh--w- c:\windows\system32\nadojizu.dll
2009-03-15 14:19 . 2009-03-15 14:19 2098 --sh--w- c:\windows\system32\natulevo.dll
2009-03-18 12:32 . 2009-03-18 12:31 2098 --sh--w- c:\windows\system32\nifarake.dll
2009-03-10 15:47 . 2009-03-10 15:47 2098 --sh--w- c:\windows\system32\popefuha.dll
2009-03-20 15:58 . 2009-03-20 15:58 1809320 --sh--w- c:\windows\system32\upeteloy.tmp
2009-02-05 21:56 . 2009-02-05 21:56 120 --sh--w- c:\windows\system32\uzefenef.tmp
2009-03-08 19:05 . 2009-03-08 19:05 2098 --sh--w- c:\windows\system32\zimuworo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-08 557056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311v2 Smart Configuration.lnk - c:\program files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"IgfxTray"=c:\windows\System32\igfxtray.exe
"PrinTray"=c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe
"PRONoMgr.exe"=c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"SoundMan"=SOUNDMAN.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"InCD"=c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Ahead\\InCD\\InCDsrv.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\system32\\net1.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\net.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Canon\\CAL\\CALMAIN.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\NETGEAR WG311v2 Adapter\\wlancfg5.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/2/2010 9:02 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/2/2010 9:02 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/2/2010 9:02 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSXpx86.sys [1/8/2010 8:46 PM 329592]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 9:02 PM 117640]
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uLocal Page =
uStart Page = [You must be registered and logged in to see this link.]
mLocal Page =
mStart Page =
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2e1t0p0z.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{22F34525-FC1F-4947-BB50-CC703912F18A} - c:\windows\system32\awtqpMFx.dll
BHO-{309EF80B-9561-43CF-8501-73002131B9C9} - (no file)
BHO-{5BA54959-C612-4BBE-B841-FB25CD98AF7C} - (no file)
BHO-{5C81503A-B448-447C-B766-0C880B6EE46C} - (no file)
BHO-{64E81918-66F3-43AA-8429-9A5C02A0BF72} - (no file)
BHO-{66CD7F6E-6B85-40E1-AD70-FD97B635B77C} - (no file)
BHO-{939AFF5F-6D9B-4461-A2BE-8BB4021E5C2B} - (no file)
BHO-{D11223A3-9AD5-4135-BFC8-4B2015DEBD68} - (no file)
BHO-{F433B643-9A98-4186-A188-CAAA1CC73B3E} - (no file)
HKCU-Run-draw tool - c:\docume~1\Owner\APPLIC~1\RECTFI~1\Mapi Ball Anti.exe
HKCU-Run-xqbyrinh - c:\documents and settings\Owner\Local Settings\Application Data\fvwoso\yptqsftav.exe
HKLM-Run-WMC_AutoUpdate - (no file)
HKLM-Run-xqbyrinh - c:\documents and settings\Owner\Local Settings\Application Data\fvwoso\yptqsftav.exe
SafeBoot-AVG Anti-Spyware Driver



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-28 16:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\System32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-03-28 16:35:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 20:35

Pre-Run: 157,273,677,824 bytes free
Post-Run: 158,860,320,768 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - FB4F09F1C5787360909D15C81F58C753

Leif
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-03-15
OS OS : wiindows xp
Points Points : 24663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: wuauclt.exe is infected

Post by Belahzur on 29th March 2010, 12:17 am


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\program files\BitComet_0.91_setup.exe
    c:\program files\bazookasetup.exe
    c:\windows\system32\asuginep.tmp
    c:\windows\system32\ativehuh.tmp
    c:\windows\system32\awidobil.tmp
    c:\windows\system32\dafamupu.dll
    c:\windows\system32\emamewos.tmp
    c:\windows\system32\eworowuy.tmp
    c:\windows\system32\fapawozi.dll
    c:\windows\system32\ikutujah.tmp
    c:\windows\system32\iparepur.tmp
    c:\windows\system32\nadojizu.dll
    c:\windows\system32\natulevo.dll
    c:\windows\system32\nifarake.dll
    c:\windows\system32\popefuha.dll
    c:\windows\system32\upeteloy.tmp
    c:\windows\system32\uzefenef.tmp
    c:\windows\system32\zimuworo.dll

    DDS::
    uLocal Page =
    mLocal Page =
    mStart Page =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34917
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245090
# Likes # Likes : 1

View user profile

Back to top Go down

Re: wuauclt.exe is infected

Post by Leif on 29th March 2010, 2:53 am

ComboFix 10-03-28.01 - Owner 03/28/2010 22:42:19.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.292 [GMT -4:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\Downloads\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}

FILE ::
"c:\program files\bazookasetup.exe"
"c:\program files\BitComet_0.91_setup.exe"
"c:\windows\system32\asuginep.tmp"
"c:\windows\system32\ativehuh.tmp"
"c:\windows\system32\awidobil.tmp"
"c:\windows\system32\dafamupu.dll"
"c:\windows\system32\emamewos.tmp"
"c:\windows\system32\eworowuy.tmp"
"c:\windows\system32\fapawozi.dll"
"c:\windows\system32\ikutujah.tmp"
"c:\windows\system32\iparepur.tmp"
"c:\windows\system32\nadojizu.dll"
"c:\windows\system32\natulevo.dll"
"c:\windows\system32\nifarake.dll"
"c:\windows\system32\popefuha.dll"
"c:\windows\system32\upeteloy.tmp"
"c:\windows\system32\uzefenef.tmp"
"c:\windows\system32\zimuworo.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\bazookasetup.exe
c:\program files\BitComet_0.91_setup.exe
c:\windows\system32\asuginep.tmp
c:\windows\system32\ativehuh.tmp
c:\windows\system32\awidobil.tmp
c:\windows\system32\dafamupu.dll
c:\windows\system32\emamewos.tmp
c:\windows\system32\eworowuy.tmp
c:\windows\system32\fapawozi.dll
c:\windows\system32\ikutujah.tmp
c:\windows\system32\iparepur.tmp
c:\windows\system32\nadojizu.dll
c:\windows\system32\natulevo.dll
c:\windows\system32\nifarake.dll
c:\windows\system32\popefuha.dll
c:\windows\system32\upeteloy.tmp
c:\windows\system32\uzefenef.tmp
c:\windows\system32\zimuworo.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-29 )))))))))))))))))))))))))))))))
.

2010-03-28 20:29 . 2010-02-02 00:20 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-03-11 12:14 . 2009-10-23 14:27 3555328 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-29 01:11 . 2007-09-04 21:24 -------- d-----w- c:\program files\lg_fwupdate
2010-03-15 23:55 . 2009-01-16 22:19 -------- d-----w- c:\program files\uTorrent
2010-03-15 23:55 . 2009-01-16 22:19 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2010-02-24 11:47 . 2010-01-11 18:08 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-02-16 03:21 . 2007-09-03 17:23 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-02-16 03:03 . 2010-02-16 03:03 -------- d-----w- c:\program files\iTunes
2010-02-16 03:03 . 2010-02-16 03:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-16 03:03 . 2010-02-16 03:03 -------- d-----w- c:\program files\iPod
2010-02-16 03:03 . 2008-12-14 15:54 -------- d-----w- c:\program files\Common Files\Apple
2010-02-16 03:01 . 2010-02-16 03:00 -------- d-----w- c:\program files\QuickTime
2010-02-16 02:59 . 2010-02-16 02:59 -------- d-----w- c:\program files\Apple Software Update
2010-02-16 02:58 . 2010-02-16 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-02-16 02:54 . 2010-01-13 11:51 -------- d-----w- c:\documents and settings\Owner\Application Data\dvdcss
2010-01-23 00:51 . 2010-01-23 00:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-08 02:28 . 2007-09-04 21:24 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2009-12-31 16:14 . 2003-03-31 12:00 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2007-09-15 18:16 . 2007-09-15 18:16 11470608 -c--a-w- c:\program files\avgas-setup-7[1].5.0.50.exe
2007-09-08 13:58 . 2007-09-08 13:58 882888 -c--a-w- c:\program files\Google Updater.exe
2007-09-07 16:04 . 2007-09-07 16:04 23661600 -c--a-w- c:\program files\DivXInstaller.exe
2004-10-01 19:00 . 2007-09-04 21:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-01-08 557056]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311v2 Smart Configuration.lnk - c:\program files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-14 450560]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HotKeysCmds"=c:\windows\System32\hkcmd.exe
"IgfxTray"=c:\windows\System32\igfxtray.exe
"PrinTray"=c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe
"PRONoMgr.exe"=c:\program files\Intel\NCS\PROSet\PRONoMgr.exe
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
"SoundMan"=SOUNDMAN.EXE
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"InCD"=c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\WINDOWS\\system32\\igfxtray.exe"=
"c:\\Program Files\\Ahead\\InCD\\InCDsrv.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=
"c:\\WINDOWS\\system32\\net1.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\net.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Canon\\CAL\\CALMAIN.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\NETGEAR WG311v2 Adapter\\wlancfg5.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/2/2010 9:02 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/2/2010 9:02 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/2/2010 9:02 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100106.001\IDSXpx86.sys [1/8/2010 8:46 PM 329592]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 9:02 PM 117640]
.
Contents of the 'Scheduled Tasks' folder

2010-03-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2e1t0p0z.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-28 22:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
Completion time: 2010-03-28 22:52:27
ComboFix-quarantined-files.txt 2010-03-29 02:52
ComboFix2.txt 2010-03-28 20:35

Pre-Run: 158,180,229,120 bytes free
Post-Run: 158,131,740,672 bytes free

- - End Of File - - 72EEA2FDBBB86F8AA11FEB06EE941356

Leif
Novice
Novice

Posts Posts : 5
Joined Joined : 2010-03-15
OS OS : wiindows xp
Points Points : 24663
# Likes # Likes : 0

View user profile

Back to top Go down

Re: wuauclt.exe is infected

Post by Belahzur on 29th March 2010, 6:23 pm

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 8.1.2
    Java(TM) 6 Update 11

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34917
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245090
# Likes # Likes : 1

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum