
Author Topic: Infected wuauclt.exe  (Read 28768 times)


millee81

    Topic Starter


    Rookie

    Infected wuauclt.exe
    « on: September 13, 2010, 04:07:45 PM »
    Help! I was using my laptop fine until this morning and then after I start it up from hibernate at work, I realize that there is a pop up saying "Application cannot be executed. The file wuauclt.exe is infected. Do you want to activate your antivirus or not?"  I thought it was from my avg free (since the icon colors were the same) and clicked yes but a different "antivirus" scanner popped up and now it won't let me open anything.  A message opens up with the options to activate my antivirus or stay unprotected and no matter what I press I can't do anything.  I restarted up my laptop in safe mode and tried to run avg but anything it scanned was "locked and could not test".  I loaded hijack onto a usb but then I wasn't sure and I deleted it from the usb while in safe mode. I've turned the laptop's wireless button to off.

    So I guess I have two questions aside from the please help!:::
    1) If there's nothing else on the usb, is it still carrying the virus? Can I plug it into my home pc?
    2) Is it safe for me to turn on the wireless button in order to post onto the forum or do you recommend that I use the usb to transfer the logs back and forth?

    I appreciate any and all help I get!!!

    millee81


      Re: Infected wuauclt.exe
      « Reply #1 on: September 13, 2010, 04:09:57 PM »
      The reason I ask #1 is because before I started the laptop up in safe mode it wouldn't open the hijack, saying that it was infected. But then I started up in safe mode, installed it, and then deleted it off of the usb.  So is my usb a "safe" mode of transferring information again?

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Infected wuauclt.exe
      « Reply #2 on: September 13, 2010, 05:02:19 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      Please don't use your usb memory stick until we get this cleaned up. Follow the directions below.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

      Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
      Save Rkill to your desktop.

      There are 4 different versions. If one of them won't run then download and try to run the other one.
       
      Vista and Win7 users need to right click Rkill and choose Run as Administrator
       

      You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

      * Rkill.exe
      * Rkill.com
      * Rkill.scr
      * Rkill.pif

      Once you've gotten one of them to run then try to immediately run the following.

      *************************************
      SUPERAntiSpyware

      If you already have SUPERAntiSpyware be sure to check for updates before scanning!


      Download SuperAntispyware Free Edition (SAS)
      * Double-click the icon on your desktop to run the installer.
      * When asked to Update the program definitions, click Yes
      * If you encounter any problems while downloading the updates, manually download and unzip them from here
      * Next click the Preferences button.
        • Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
      * Click the Scanning Control tab.
      * Under Scanner Options make sure only the following are checked:
        • Close browsers before scanning
        • Scan for tracking cookies
        • Terminate memory threats before quarantining
        Please leave the others unchecked
        • Click the Close button to leave the control center screen.
      * On the main screen click Scan your computer
      * On the left check the box for the drive you are scanning.
      * On the right choose Perform Complete Scan
      * Click Next to start the scan. Please be patient while it scans your computer.
      * After the scan is complete a summary box will appear. Click OK
      * Make sure everything in the white box has a check next to it, then click Next
      * It will quarantine what it found and if it asks if you want to reboot, click Yes
      * To retrieve the removal information please do the following:
        • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
        • Click Preferences. Click the Statistics/Logs tab.
        • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
        • It will open in your default text editor (preferably Notepad).
        • Save the notepad file to your desktop by clicking (in notepad) File > Save As...
      * Save the log somewhere you can easily find it. (normally the desktop)
      * Click close and close again to exit the program.
      * Copy and Paste the log in your post.
      *******************************************
      Please download Malwarebytes Anti-Malware from here.

      Double Click mbam-setup.exe to install the application.
      • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
      • If an update is found, it will download and install the latest version.
      • Once the program has loaded, select "Perform Full Scan", then click Scan.
      • The scan may take some time to finish, so please be patient.
      • When the scan is complete, click OK, then Show Results to view the results.
      • Make sure that everything is checked, and click Remove Selected.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      • Please save the log to a location you will remember.
      • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the entire report in your next reply.
      Extra Note:

      If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
      Windows 8 and Windows 10 dual boot with two SSD's

      millee81


        Re: Infected wuauclt.exe
        « Reply #3 on: September 13, 2010, 05:49:04 PM »
        Thanks! I've got the files downloaded onto a cd-rw and now am ready to boot up my laptop again. I'm assuming I should do this in safe mode?

        millee81


          Re: Infected wuauclt.exe
          « Reply #4 on: September 13, 2010, 05:54:46 PM »
          oh also!

          Download SuperAntispyware Free Edition (SAS)
          * Double-click the icon on your desktop to run the installer.
          * When asked to Update the program definitions, click Yes
          * If you encounter any problems while downloading the updates, manually download and unzip them from here


          The "here" had no link!! My laptop won't connect to the internet in safe mode I guess! Please provide the link I need to unzip~

          SuperDave

          Re: Infected wuauclt.exe
          « Reply #5 on: September 13, 2010, 07:08:04 PM »
          Reboot your computer back in Normal mode. SAS won't run in Safe Mode so you will have to wait until you're able to get back on your computer in Normal Mode.

          millee81


            Re: Infected wuauclt.exe
            « Reply #6 on: September 13, 2010, 07:27:49 PM »
            But it is running and scanning in safe mode right now... for the past hour and a half and it's found 75 threats so far... one adware  of unknown origin and 74 adware tracking cookies...

            So then should I cancel it and reboot anyways?

            millee81


              Re: Infected wuauclt.exe
              « Reply #7 on: September 14, 2010, 01:17:13 PM »
              Hi! So I spent the whole night scanning and stuff. Here are the logs for the different scans I did both in safe mode and reg mode. 

              I went into safe mode first and then did rkill which gave me this log:

              This log file is located at C:\rkill.log.
              Please post this only if requested to by the person helping you.
              Otherwise you can close this log when you wish.
              Ran as Jinju on 09/13/2010 at 20:16:59.


              Services Stopped:


              Processes terminated by Rkill or while it was running:


              C:\Windows\system32\conime.exe


              Rkill completed on 09/13/2010  at 20:17:01.

              Then while in safe mode I installed the SAS but it wouldn't connect to the internet to update and your directions did not have the link for the file I was told to unzip and I checked through some other forums too to look for it to no avail so I ran an SAS scan without the update and received the following log:

              SUPERAntiSpyware Scan Log
              http://www.superantispyware.com

              Generated 09/13/2010 at 10:39 PM

              Application Version : 4.42.1000

              Core Rules Database Version : 5410
              Trace Rules Database Version: 3222

              Scan type       : Complete Scan
              Total Scan Time : 02:15:46

              Memory items scanned      : 308
              Memory threats detected   : 0
              Registry items scanned    : 9809
              Registry threats detected : 0
              File items scanned        : 240602
              File threats detected     : 75

              Adware.Unknown Origin
                 C:\PROGRAM FILES\HEWLETT-PACKARD\HP ADVISOR\COMPSHOP\TEMPLATES\AD.HTML

              Adware.Tracking Cookie

              Then while in safe mode ran the Mbam and received this log:

              Malwarebytes' Anti-Malware 1.46
              www.malwarebytes.org

              Database version: 4052

              Windows 6.0.6002 Service Pack 2 (Safe Mode)
              Internet Explorer 7.0.6002.18005

              9/14/2010 12:07:34 AM
              mbam-log-2010-09-14 (00-07-34).txt

              Scan type: Full scan (C:\|D:\|)
              Objects scanned: 363532
              Time elapsed: 1 hour(s), 9 minute(s), 3 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 2
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 1

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              (No malicious items detected)

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              C:\Users\Jinju\AppData\Local\Temp\0.6806630733000587.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

              Then I rebooted into regular mode, had to use rkill again since the virus was still active and got this log:


              This log file is located at C:\rkill.log.
              Please post this only if requested to by the person helping you.
              Otherwise you can close this log when you wish.
              Ran as Jinju on 09/14/2010 at  0:21:12.


              Services Stopped:


              Processes terminated by Rkill or while it was running:


              C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe
              C:\Users\Jinju\Desktop\rkill.exe


              Rkill completed on 09/14/2010  at  0:21:19.

              I noticed the internet connection was up again so I tried to update the SAS, but it said there was an error.  So I rechecked the firewall and added the program to be allowed through but the error showed up again so SAS has not been updated.  In the meantime, I updated Mbam and rescanned my computer and received this log:

              Malwarebytes' Anti-Malware 1.46
              www.malwarebytes.org

              Database version: 4611

              Windows 6.0.6002 Service Pack 2
              Internet Explorer 7.0.6002.18005

              9/14/2010 7:18:07 AM
              mbam-log-2010-09-14 (07-18-07).txt

              Scan type: Full scan (C:\|D:\|)
              Objects scanned: 388129
              Time elapsed: 3 hour(s), 22 minute(s), 41 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 1
              Registry Values Infected: 1
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 2

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

              Registry Values Infected:
              HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjekljnc (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

              Registry Data Items Infected:
              (No malicious items detected)

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              C:\Users\Jinju\AppData\Roaming\urpkunejc\rkfanemuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
              C:\Users\Jinju\AppData\Local\urpkunejc\rkfanemuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

              I have rebooted my laptop and the malware or virus seems to be gone!! Nothing is popping up for now~  Is my laptop "cured"??  What about my usb now? Can I use it?

              Thanks again!!
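
Added example, not part of any post in this thread: a small Python parser for the two Malwarebytes' Anti-Malware logs posted in Reply #7. It checks each log's summary counts against the items actually listed, flags registry detections under a `CurrentVersion\Run` autostart key, and lists the threat names that only the scan with the newer database reported. The function names are hypothetical and the embedded logs are trimmed copies of the ones above.

```python
import re

# Trimmed copies of the two Malwarebytes' Anti-Malware 1.46 logs from Reply #7
# (timestamp lines and sections with no detections are left out).
SAFE_MODE_LOG = r"""
Database version: 4052
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Registry Keys Infected: 2
Registry Values Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\Users\Jinju\AppData\Local\Temp\0.6806630733000587.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""

NORMAL_MODE_LOG = r"""
Database version: 4611
Windows 6.0.6002 Service Pack 2
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kjekljnc (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Jinju\AppData\Roaming\urpkunejc\rkfanemuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
C:\Users\Jinju\AppData\Local\urpkunejc\rkfanemuqiw.exe (Rogue.SecuritySuite) -> Quarantined and deleted successfully.
"""

# "<category> Infected: <n>" is a summary line; without a number it opens a section.
SECTION = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                     r"Registry Data Items|Folders|Files) Infected:\s*(\d+)?$")
# "<path or key> (<threat name>) -> <action taken>"
DETECTION = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Per-user or machine autostart location (Run / RunOnce).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.IGNORECASE)


def parse_mbam_log(text):
    """Return database version, Safe Mode flag, summary counts and detections."""
    log = {"database": None, "safe_mode": False, "counts": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            name, count = m.groups()
            if count is not None:
                log["counts"][name] = int(count)
            else:
                section = name
        elif section is None:
            # Header area, before the first detection section.
            if line.startswith("Database version:"):
                log["database"] = int(line.split(":", 1)[1])
            elif line.startswith("Windows "):
                log["safe_mode"] = "(Safe Mode)" in line
        else:
            d = DETECTION.match(line)  # "(No malicious items detected)" does not match
            if d:
                log["detections"].append({"section": section, **d.groupdict()})
    return log


def count_mismatches(log):
    """Summary counts that disagree with the listed items (truncated or edited log)."""
    out = {}
    for name, expected in log["counts"].items():
        found = sum(1 for d in log["detections"] if d["section"] == name)
        if found != expected:
            out[name] = (expected, found)
    return out


def autostart_entries(log):
    """Registry detections that sit under a Run/RunOnce key, i.e. persistence."""
    return [d for d in log["detections"]
            if d["section"].startswith("Registry") and RUN_KEY.search(d["item"])]


def new_threats(older, newer):
    """Threat names reported by the newer scan that the older scan did not list."""
    return ({d["threat"] for d in newer["detections"]}
            - {d["threat"] for d in older["detections"]})


if __name__ == "__main__":
    first, second = parse_mbam_log(SAFE_MODE_LOG), parse_mbam_log(NORMAL_MODE_LOG)
    for log in (first, second):
        print(log["database"], "safe mode" if log["safe_mode"] else "normal mode",
              len(log["detections"]), "detections", count_mismatches(log) or "counts ok")
    print("autostart:", [d["item"] for d in autostart_entries(second)])
    print("only in newer scan:", sorted(new_threats(first, second)))
```
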

              SuperDave

              Re: Infected wuauclt.exe
              « Reply #8 on: September 14, 2010, 04:39:37 PM »
              Quote: "What about my usb now? Can I use it?"
              No. Please remind me to fix this at the end of the cleaning process.

              Download Security Check by screen317 from one of the following links and save it to your desktop.

              Link 1
              Link 2

              * Unzip SecurityCheck.zip and a folder named Security Check should appear.
              * Open the Security Check folder and double-click Security Check.bat
              * Follow the on-screen instructions inside of the black box.
              * A Notepad document should open automatically called checkup.txt
              * Post the contents of that document in your next reply.

              Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
              ************************************
              Please download ComboFix from BleepingComputer.com

              Alternate link: GeeksToGo.com

              Rename ComboFix.exe to commy.exe before you save it to your Desktop
              Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
              Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
              As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
              When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

              If you have problems with ComboFix usage, see How to use ComboFix

              millee81


                Re: Infected wuauclt.exe
                « Reply #9 on: September 14, 2010, 06:24:02 PM »
                Help! How do I disable AVG Anti-Virus?  I followed the directions to disable my avg 8.5 resident shield but the menu says the anti-virus and anti-spyware is still active and the link you provided does not help! I can't go any further on the combo fix until I do because combofix wants me to disable it before I click ok.

                In the meantime here's the log of security check:


                Results of screen317's Security Check version 0.99.5 
                 Windows Vista Service Pack 2 (UAC is enabled)
                 Internet Explorer 7 Out of date!
                ``````````````````````````````
                Antivirus/Firewall Check:

                 Windows Firewall Enabled! 
                 AVG Free 8.5   
                 Antivirus up to date! 
                ```````````````````````````````
                Anti-malware/Other Utilities Check:

                 Malwarebytes' Anti-Malware   
                 HijackThis 2.0.2   
                 Java(TM) 6 Update 18 
                 Java(TM) SE Runtime Environment 6
                 Java(TM) 6 Update 4 
                 Java(TM) 6 Update 7 
                 Out of date Java installed!
                 Adobe Flash Player 10.1.82.76 
                Adobe Reader 8.1.2
                Out of date Adobe Reader installed!
                 Mozilla Firefox (3.5.12) Firefox Out of Date! 
                ````````````````````````````````
                Process Check: 
                objlist.exe by Laurent

                 AVG avgwdsvc.exe
                 AVG avgtray.exe
                 AVG avgrsx.exe
                 AVG avgnsx.exe
                 AVG avgemc.exe
                ````````````````````````````````
                DNS Vulnerability Check:

                 GREAT! (Not vulnerable to DNS cache poisoning)

                ``````````End of Log````````````

                millee81


                  Re: Infected wuauclt.exe
                  « Reply #10 on: September 14, 2010, 06:56:00 PM »
                  Okay, so I've disabled Windows Defender and the Resident shield portion of avg free 8.5.  According to my Windows Security Alert it says that they're both reported off, but then when I actually go into the avg the icons for the anti-virus and anti-spyware say they're active which is what I think the combo fix is warning me against~

                  How do I turn those off or should I just click ok to continue combofix?

                  millee81


                    Re: Infected wuauclt.exe
                    « Reply #11 on: September 14, 2010, 08:45:44 PM »
                    Never mind. I uninstalled avg and started up combofix. Here's the log:

                    ComboFix 10-09-14.01 - Jinju 09/14/2010  22:30:09.1.2 - x86
                    Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.958.76 [GMT -4:00]
                    Running from: c:\users\Jinju\Desktop\commy.exe.exe
                    SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
                    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
                    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
                    .

                    (((((((((((((((((((((((((   Files Created from 2010-08-15 to 2010-09-15  )))))))))))))))))))))))))))))))
                    .

                    2010-09-15 02:50 . 2010-09-15 02:50   --------   d-----w-   c:\users\Jinhee\AppData\Local\temp
                    2010-09-15 02:50 . 2010-09-15 02:50   --------   d-----w-   c:\users\Default\AppData\Local\temp
                    2010-09-14 02:53 . 2010-09-14 02:53   --------   d-----w-   c:\users\Jinju\AppData\Roaming\Malwarebytes
                    2010-09-14 02:53 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                    2010-09-14 02:53 . 2010-09-14 02:53   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                    2010-09-14 02:53 . 2010-09-14 02:53   --------   d-----w-   c:\programdata\Malwarebytes
                    2010-09-14 02:53 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                    2010-09-14 00:18 . 2010-09-14 00:18   --------   d-----w-   c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com
                    2010-09-14 00:18 . 2010-09-14 00:18   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
                    2010-09-14 00:18 . 2010-09-14 04:46   --------   d-----w-   c:\program files\SUPERAntiSpyware
                    2010-09-13 16:15 . 2010-09-13 16:15   --------   d-----w-   c:\program files\Trend Micro
                    2010-09-13 05:15 . 2010-09-14 11:18   --------   d-----w-   c:\users\Jinju\AppData\Local\urpkunejc
                    2010-09-13 05:15 . 2010-09-14 07:50   --------   d-----w-   c:\users\Jinju\AppData\Roaming\urpkunejc
                    2010-08-30 19:46 . 2010-08-30 19:46   --------   d-----w-   c:\users\Jinju\AppData\Local\WinZip

                    .
                    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    2010-09-15 02:16 . 2008-07-25 21:33   --------   d-----w-   c:\users\Jinju\AppData\Roaming\OpenOffice.org2
                    2010-09-15 02:10 . 2007-09-05 02:36   13025   ----a-w-   c:\users\Jinju\AppData\Roaming\nvModes.dat
                    2010-09-15 01:52 . 2008-07-08 21:07   --------   d-----w-   c:\programdata\avg8
                    2010-09-14 04:00 . 2007-11-29 01:09   1356   ----a-w-   c:\users\Jinju\AppData\Local\d3d9caps.dat
                    2010-09-13 13:49 . 2010-02-16 20:17   --------   d-----w-   c:\program files\Microsoft Silverlight
                    2010-09-08 00:30 . 2009-05-28 18:37   --------   d-----w-   c:\programdata\Motive
                    2010-08-21 07:04 . 2007-06-29 13:00   --------   d-----w-   c:\programdata\Microsoft Help
                    2010-08-21 07:03 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
                    2010-06-29 15:47 . 2010-08-12 22:11   834048   ----a-w-   c:\windows\system32\wininet.dll
                    2010-06-28 16:13 . 2010-08-12 22:11   78336   ----a-w-   c:\windows\system32\ieencode.dll
                    2010-06-21 13:37 . 2010-08-12 22:10   2037760   ----a-w-   c:\windows\system32\win32k.sys
                    2010-06-18 17:31 . 2010-08-12 22:10   36864   ----a-w-   c:\windows\system32\rtutils.dll
                    2010-06-18 15:04 . 2010-08-12 22:10   302080   ----a-w-   c:\windows\system32\drivers\srv.sys
                    2010-06-18 15:04 . 2010-08-12 22:10   144896   ----a-w-   c:\windows\system32\drivers\srv2.sys
                    .

                    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                    .
                    .
                    *Note* empty entries & legit default entries are not shown
                    REGEDIT4

                    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
                    "NetZero_uoltray"="c:\program files\NetZero\exec.exe" [2008-05-07 1701376]
                    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2006-11-21 1474560]
                    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
                    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
                    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
                    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
                    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-08-25 2424560]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
                    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
                    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
                    "WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
                    "Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
                    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
                    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
                    "snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
                    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-11-24 167936]
                    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
                    "NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-14 90191]
                    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-14 81920]
                    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-14 7766016]
                    "Mouse Suite 98 Daemon"="ICO.EXE" [2006-11-03 49152]
                    "hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
                    "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
                    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
                    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-11-10 46704]
                    "BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-14 623888]
                    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
                    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
                    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-05-26 1468296]
                    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
                    "Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]

                    c:\users\Jinju\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                    MEMonitor.lnk - c:\program files\V CAST Music Manager\MEMonitor.exe [2007-11-2 951640]
                    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
                    OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-1-21 393216]

                    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
                    HP Connections.lnk - c:\program files\HP Connections\6811507\Program\HP Connections.exe [2007-6-29 34520]
                    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
                    Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2008-4-10 479232]
                    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2010-4-5 494920]

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
                    "EnableUIADesktopToggle"= 0 (0x0)

                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
                    "aux"=wdmaud.drv

                    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
                    @="Service"

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
                    "DisableMonitoring"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
                    "DisableMonitoring"=dword:00000001

                    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
                    "DisableMonitoring"=dword:00000001

                    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
                    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
                    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


                    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                    HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
                    hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
                    LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
                    .
                    Contents of the 'Scheduled Tasks' folder

                    2010-09-15 c:\windows\Tasks\User_Feed_Synchronization-{90EE62B4-9066-4567-B527-472EEF2CA871}.job
                    - c:\windows\system32\msfeedssync.exe [2008-05-27 07:33]
                    .
                    .
                    ------- Supplementary Scan -------
                    .
                    uStart Page = hxxp://www.aol.com/?src=aim
                    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=laptop
                    uInternet Settings,ProxyOverride = <local>
                    uInternet Settings,ProxyServer = http=127.0.0.1:6092
                    uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
                    IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
                    IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
                    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
                    Trusted Zone: netzero.com
                    Trusted Zone: netzero.net
                    FF - ProfilePath - c:\users\Jinju\AppData\Roaming\Mozilla\Firefox\Profiles\w5fweigy.default\
                    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
                    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
                    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
                    FF - plugin: c:\users\Jinju\AppData\Local\Yahoo!\BrowserPlus\2.9.2\Plugins\npybrowserplus_2.9.2.dll
                    FF - plugin: c:\users\Jinju\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
                    FF - plugin: c:\users\Jinju\AppData\Roaming\Move Networks\plugins\npqmp071505000010.dll
                    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                    ---- FIREFOX POLICIES ----
                    FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
                    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
                    .
                    - - - - ORPHANS REMOVED - - - -

                    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
                    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



                    **************************************************************************

                    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                    Rootkit scan 2010-09-14 22:51
                    Windows 6.0.6002 Service Pack 2 NTFS

                    scanning hidden processes ... 

                    scanning hidden autostart entries ...

                    scanning hidden files ... 

                    scan completed successfully
                    hidden files: 0

                    **************************************************************************
                    .
                    --------------------- LOCKED REGISTRY KEYS ---------------------

                    [HKEY_USERS\S-1-5-21-3996722006-3211200769-4179047636-1000\¬ î**]
                    @Allowed: (Read) (RestrictedCode)
                    "MachineID"=hex:4c,ad,ed,b1,a9,09,b1,00
                    DUMPHIVE0.003 (REGF)

                    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
                    @Denied: (A) (Users)
                    @Denied: (A) (Everyone)
                    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                    "BlindDial"=dword:00000000

                    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
                    @Denied: (A) (Users)
                    @Denied: (A) (Everyone)
                    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
                    "BlindDial"=dword:00000000
                    .
                    --------------------- DLLs Loaded Under Running Processes ---------------------

                    - - - - - - - > 'Explorer.exe'(3768)
                    c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
                    c:\windows\System32\pelscrll.dll
                    c:\windows\System32\PELCOMM.dll
                    c:\windows\System32\PELHOOKS.dll
                    .
                    Completion time: 2010-09-14  23:00:43
                    ComboFix-quarantined-files.txt  2010-09-15 03:00

                    Pre-Run: 77,538,639,872 bytes free
                    Post-Run: 78,839,193,600 bytes free

                    - - End Of File - - E2FE00B5E65EC4B08886E2D57555BD7C


                    My usb? =)

                    SuperDave

                    • Malware Removal Specialist
                    • Moderator


                    • Genius
                    • Thanked: 1020
                    • Certifications: List
                    • Experience: Expert
                    • OS: Windows 10
                    Re: Infected wuauclt.exe
                    « Reply #12 on: September 15, 2010, 01:13:53 PM »
                    You have Viewpoint installed.

                    Viewpoint Media Player/Manager/Toolbar is considered Foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad".

                    More information:

                    * ViewMgr.exe - Useless
                    * Viewpoint to Plunge Into Adware

                    It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

                    * Viewpoint
                    * Viewpoint Manager
                    * Viewpoint Media Player
                    * Viewpoint Toolbar
                    * Viewpoint Experience Technology


                    ******************************************

                    Please update your AVG to version 9.0. Please make sure that you have an AV on your computer.

                    Re-running ComboFix to remove infections:

                    • Close any open browsers.
                    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
                    • Open notepad and copy/paste the text in the quotebox below into it:
                      Quote
                      KillAll::

                      DDS::

                      uInternet Settings,ProxyServer = http=127.0.0.1:6092
                      Trusted Zone: netzero.com
                      Trusted Zone: netzero.net

                      Folder::
                      c:\users\Jinju\AppData\Local\urpkunejc
                      c:\users\Jinju\AppData\Roaming\urpkunejc

                    • Save this as CFScript.txt, in the same location as ComboFix.exe



                    • Referring to the picture above, drag CFScript into ComboFix.exe
                    • When finished, it shall produce a log for you at C:\ComboFix.txt
                    • I don't need to see the log from this script.
                    *************************************
                    * Download the following tool: RootRepeal - Rootkit Detector
                    * Direct download link is here: RootRepeal.zip

                    * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                    * Click this link to see a list of such programs and how to disable them.

                    * Extract the program file to a new folder such as C:\RootRepeal
                    * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                    * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                    * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                    * When done, click on Save Report
                    * Save it to the same location where you ran it from, such as C:\RootRepeal
                    * Save it as rootrepeal.txt
                    * Then open that log and select all and copy/paste it back on your next reply please.
                    * Close RootRepeal.
                    Windows 8 and Windows 10 dual boot with two SSD's
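The CFScript in the reply above targets a ProxyServer value pointing at 127.0.0.1 and two same-named folders under AppData\Local and AppData\Roaming. As an added example (not part of the original post and not ComboFix's own code), this Python script pulls those two kinds of entries out of a ComboFix log; the pairing and loopback heuristics and all function names are assumptions chosen for illustration, and the sample lines are copied from the log posted in this thread.

```python
import re
from collections import defaultdict

# Lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
2010-09-14 02:53 . 2010-09-14 02:53   --------   d-----w-   c:\users\Jinju\AppData\Roaming\Malwarebytes
2010-09-14 00:18 . 2010-09-14 00:18   --------   d-----w-   c:\users\Jinju\AppData\Roaming\SUPERAntiSpyware.com
2010-09-13 05:15 . 2010-09-14 11:18   --------   d-----w-   c:\users\Jinju\AppData\Local\urpkunejc
2010-09-13 05:15 . 2010-09-14 07:50   --------   d-----w-   c:\users\Jinju\AppData\Roaming\urpkunejc
2010-08-30 19:46 . 2010-08-30 19:46   --------   d-----w-   c:\users\Jinju\AppData\Local\WinZip
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
"""

# "created . modified   size   attributes   path" rows of the file listings.
ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
# A top-level item directly under a user's AppData\Local or AppData\Roaming.
APPDATA = re.compile(
    r"^c:\\users\\(?P<user>[^\\]+)\\AppData\\(?P<branch>Local|Roaming)\\(?P<leaf>[^\\]+)$",
    re.IGNORECASE)
# ProxyServer lines as they appear in the Supplementary Scan section.
PROXY = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<value>.+)$")


def paired_appdata_dirs(log):
    """Directories created at the same minute, with the same name, under both
    AppData\\Local and AppData\\Roaming of one user (assumed heuristic)."""
    seen = defaultdict(dict)  # (user, leaf, created) -> {branch: path}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m or not m["attrs"].startswith("d"):
            continue  # not a listing row, or a file rather than a directory
        path = m["path"].strip()
        p = APPDATA.match(path)
        if p:
            key = (p["user"].lower(), p["leaf"].lower(), m["created"])
            seen[key][p["branch"].lower()] = path
    return sorted(path for branches in seen.values()
                  if len(branches) == 2 for path in branches.values())


def loopback_proxies(log):
    """ProxyServer entries whose host is the local machine (assumed heuristic)."""
    hits = []
    for line in log.splitlines():
        m = PROXY.match(line.strip())
        if not m:
            continue
        for part in m["value"].split(";"):        # e.g. "http=h:p;https=h:p"
            hostport = part.split("=", 1)[-1].strip()
            host = hostport.rsplit(":", 1)[0].lower()
            if host == "localhost" or host.startswith("127."):
                hits.append(part.strip())
    return hits


if __name__ == "__main__":
    for item in paired_appdata_dirs(SAMPLE_LOG) + loopback_proxies(SAMPLE_LOG):
        print("review:", item)
```

Anything the script reports is a candidate for review by the helper, not a verdict; legitimate software can also use a local proxy or create folders in both AppData branches.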

                    millee81

                      Topic Starter


                      Rookie

                      Re: Infected wuauclt.exe
                      « Reply #13 on: September 15, 2010, 09:23:47 PM »
                      How long is the root repeal going to take? It's been going since about 6pm and still not done?

                      millee81

                        Topic Starter


                        Rookie

                        Re: Infected wuauclt.exe
                        « Reply #14 on: September 16, 2010, 02:49:28 PM »
                        I ran the root repeal last night, went to bed, and woke up to my computer having restarted and I can't find a log. Took it to work where I ran it all day, kept it on in the car ride home only to see it restart itself and now there is a message from Windows saying that it had recovered from an unexpected shutdown with the following problem detail:

                        Problem signature:
                          Problem Event Name:   BlueScreen
                          OS Version:   6.0.6002.2.2.0.768.3
                          Locale ID:   1033

                        Additional information about the problem:
                          BCCode:   d1
                          BCP1:   00000000
                          BCP2:   00000002
                          BCP3:   00000000
                          BCP4:   8074B395
                          OS Version:   6_0_6002
                          Service Pack:   2_0
                          Product:   768_1

                        Files that help describe the problem:
                          C:\Windows\Minidump\Mini091610-01.dmp
                          C:\Users\Jinju\AppData\Local\temp\WER-213284-0.sysdata.xml
                          C:\Users\Jinju\AppData\Local\temp\WER84D8.tmp.version.txt

                        Read our privacy statement:
                          http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409


                        What does this mean? Should I do root repeal AGAIN?