Author Topic: Infected wuauclt.exe  (Read 28751 times)

SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Infected wuauclt.exe
« Reply #15 on: September 16, 2010, 04:41:54 PM »
Please try this one instead.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Windows 8 and Windows 10 dual boot with two SSD's

millee81

    Topic Starter


    Rookie

    Re: Infected wuauclt.exe
    « Reply #16 on: September 16, 2010, 05:22:03 PM »
    ok so you want me to scan this? Because I double clicked and it opened the program and it's on a screen where in the Type column it says attachedDevice, in Name it says \Driver\kbdclass \Device\KeyboardClass0 and then the Value column says Wdf01000.sys (WDF Dynamic/Microsoft Corporation

    A whole bunch of things checked off on the right including my c:\ drive and then scan copy and save... buttons.  So I should click Scan?

    millee81

      Topic Starter


      Rookie

      Re: Infected wuauclt.exe
      « Reply #17 on: September 16, 2010, 07:01:35 PM »
      i wasn't asked if i wanted to perform a full scan... that's why I was wondering and I don't see anything regarding rootkits...

      millee81

        Topic Starter


        Rookie

        Re: Infected wuauclt.exe
        « Reply #18 on: September 16, 2010, 07:02:29 PM »
        and the show all box is in grey and unchecked so I can't check it~!!

        millee81

          Topic Starter


          Rookie

          Re: Infected wuauclt.exe
          « Reply #19 on: September 16, 2010, 07:03:33 PM »
          never mind on that last one about the show all... I misread it~ I must've read your thing a dozen times and I'm confused now...

          millee81

            Topic Starter


            Rookie

            Re: Infected wuauclt.exe
            « Reply #20 on: September 16, 2010, 07:09:37 PM »
            gmer.exe has stopped working~ windows is checking for a solution to the problem. -.-;;

            SuperDave

            Re: Infected wuauclt.exe
            « Reply #21 on: September 17, 2010, 11:40:44 AM »
            Ok. Let's try this instead.

            Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

            Code:
            @echo off
            Copy /y gmer.exe ark.exe
            Start ark.exe

            Save it into the gmer folder as  File name: ark.cmd
            Save as type: All Files

            Once done, double click ark.cmd to run it.

            This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.

            millee81

              Topic Starter


              Rookie

              Re: Infected wuauclt.exe
              « Reply #22 on: September 17, 2010, 07:53:17 PM »
              I did what you told me to, saved the notepad file, and then dblclicked it. Verified the checked and unchecked boxes and then clicked scan.  In the middle of the scan, a blue screen appeared saying that windows is stopped to prevent the system from getting further damage and then it restarted.  I started windows normally and then when the "Windows has recovered from an unexpected shutdown" screen came up, this was in the details:

              Problem signature:
                Problem Event Name:   BlueScreen
                OS Version:   6.0.6002.2.2.0.768.3
                Locale ID:   1033

              Additional information about the problem:
                BCCode:   50
                BCP1:   B3C00008
                BCP2:   00000000
                BCP3:   9EF7B53E
                BCP4:   00000002
                OS Version:   6_0_6002
                Service Pack:   2_0
                Product:   768_1

              Files that help describe the problem:
                C:\Windows\Minidump\Mini091710-02.dmp
                C:\Users\Jinju\AppData\Local\temp\WER-130931-0.sysdata.xml
                C:\Users\Jinju\AppData\Local\temp\WERCB69.tmp.version.txt

              Read our privacy statement:
                http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

              *sigh* what's going on?  is this a virus or another malware that's preventing the scans to go through? Thanks for being patient with me~
               

              SuperDave

              Re: Infected wuauclt.exe
              « Reply #23 on: September 18, 2010, 01:36:24 PM »
              Quote
              sigh* what's going on?  is this a virus or another malware that's preventing the scans to go through? Thanks for being patient with me~
              I don't think so. I never could get GMER to run on my computer. Let's try another one.

              Please download Rooter and Save it to your desktop.
              • Double click it to start the tool.
              • Click Scan.
              • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

              millee81

                Topic Starter


                Rookie

                Re: Infected wuauclt.exe
                « Reply #24 on: September 18, 2010, 01:49:59 PM »
                Rooter.exe (v1.0.2) by Eric_71
                .
                The token does not have the SeDebugPrivilege privilege ! (error:1300)
                Can not acquire SeDebugPrivilege !
                Please run the tool as administrator ..

                .
                Windows Vista Home Edition (6.0.6002) Service Pack 2
                [32_bits] - x86 Family 15 Model 72 Stepping 2, AuthenticAMD
                .
                Error OpenService (wscsvc) : 6
                Error OpenSCManager : 5
                Error OpenService (MpsSvc) : 6
                Windows Defender -> Disabled !
                User Account Control (UAC) -> Enabled
                .
                Internet Explorer 7.0.6002.18005
                Mozilla Firefox 3.5.13 (en-US)
                .
                C:\  [Fixed-NTFS] .. ( Total:142 Go - Free:73 Go )
                D:\  [Fixed-NTFS] .. ( Total:6 Go - Free:0 Go )
                E:\  [CD_Rom]
                .
                Scan : 15:46.22
                Path : C:\Users\Jinju\Desktop\Rooter.exe
                User : Jinju ( Administrator -> YES )
                .
                ----------------------\\ Processes
                .
                Locked [System Process] (0)
                Locked System (4)
                Locked smss.exe (508)
                Locked csrss.exe (576)
                Locked wininit.exe (628)
                Locked csrss.exe (640)
                Locked services.exe (672)
                Locked lsass.exe (688)
                Locked lsm.exe (696)
                Locked winlogon.exe (800)
                Locked svchost.exe (876)
                Locked svchost.exe (940)
                Locked svchost.exe (1084)
                Locked svchost.exe (1128)
                Locked svchost.exe (1140)
                Locked audiodg.exe (1228)
                Locked SLsvc.exe (1264)
                Locked svchost.exe (1304)
                Locked svchost.exe (1444)
                Locked spoolsv.exe (1660)
                Locked svchost.exe (1684)
                Locked AppleMobileDeviceService.exe (1880)
                Locked mDNSResponder.exe (1920)
                Locked CLCapSvc.exe (1932)
                Locked HPHC_Service.exe (1976)
                Locked svchost.exe (12)
                Locked LSSrvc.exe (664)
                Locked McciCMService.exe (624)
                Locked svchost.exe (772)
                Locked svchost.exe (1324)
                Locked svchost.exe (1456)
                Locked svchost.exe (1472)
                Locked svchost.exe (1872)
                Locked SearchIndexer.exe (1220)
                Locked XAudio.exe (2152)
                Locked CLSched.exe (2184)
                Locked hpqwmiex.exe (2212)
                Locked taskeng.exe (2616)
                ______ C:\Windows\system32\Dwm.exe (2908)
                ______ C:\Windows\system32\taskeng.exe (2932)
                ______ C:\Windows\Explorer.EXE (2972)
                ______ C:\Program Files\iTunes\iTunesHelper.exe (3772)
                ______ C:\Program Files\Verizon\McciTrayApp.exe (3780)
                ______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (3788)
                ______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (3796)
                ______ C:\Windows\vsnp2uvc.exe (3804)
                ______ C:\Program Files\HP\QuickPlay\QPService.exe (3816)
                ______ C:\Program Files\Windows Media Player\wmpnscfg.exe (1396)
                ______ C:\Windows\System32\ICO.EXE (1772)
                ______ C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (2260)
                ______ C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (2288)
                ______ C:\Program Files\Microsoft IntelliPoint\ipoint.exe (1452)
                ______ C:\Program Files\Windows Sidebar\sidebar.exe (2392)
                ______ C:\Program Files\NetZero\exec.exe (2556)
                ______ C:\Windows\ehome\ehtray.exe (744)
                ______ C:\Program Files\AIM6\aim6.exe (1076)
                ______ C:\Program Files\Windows Live\Messenger\msnmsgr.exe (1236)
                ______ C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (1436)
                ______ C:\Program Files\HP Connections\6811507\Program\HP Connections.exe (872)
                ______ C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (2660)
                ______ C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (1252)
                ______ C:\Program Files\V CAST Music Manager\MEMonitor.exe (2712)
                ______ C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (2424)
                Locked wmpnetwk.exe (2872)
                ______ C:\Program Files\OpenOffice.org 2.4\program\soffice.exe (2428)
                ______ C:\Windows\System32\rundll32.exe (2988)
                ______ C:\Windows\ehome\ehmsas.exe (1036)
                ______ C:\Windows\System32\Pelmiced.exe (3248)
                ______ C:\Program Files\NetZero\exec.exe (1068)
                ______ C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN (3552)
                Locked iPodService.exe (676)
                ______ C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (3868)
                ______ C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe (3204)
                ______ C:\Program Files\NetZero\qsacc\x1exec.exe (3660)
                ______ C:\Program Files\AIM6\aolsoftware.exe (2724)
                ______ C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe (3980)
                Locked PresentationFontCache.exe (4392)
                ______ C:\Windows\system32\conime.exe (4736)
                ______ C:\Windows\system32\wuauclt.exe (5496)
                Locked TrustedInstaller.exe (5580)
                Locked SearchFilterHost.exe (2220)
                Locked WmiPrvSE.exe (5092)
                Locked SearchProtocolHost.exe (5116)
                ______ C:\Users\Jinju\Desktop\Rooter.exe (4992)
                .
                ----------------------\\ Device\Harddisk0\
                .
                \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
                .
                \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:153335637504)
                \Device\Harddisk0\Partition2 (Start_Offset:153335669760 | Length:6703603200)
                .
                ----------------------\\ Scheduled Tasks
                .
                C:\Windows\Tasks\SA.DAT
                C:\Windows\Tasks\SCHEDLGU.TXT
                C:\Windows\Tasks\User_Feed_Synchronization-{90EE62B4-9066-4567-B527-472EEF2CA871}.job
                .
                ----------------------\\ Registry
                .
                .
                ----------------------\\ Files & Folders
                .
                ----------------------\\ Scan completed at 15:48.53
                .
                C:\Rooter$\Rooter_1.txt - (18/09/2010 | 15:48.53)


                That was quick! Usb? lol

                SuperDave

                Re: Infected wuauclt.exe
                « Reply #25 on: September 18, 2010, 04:34:04 PM »
                I'd like to scan your machine with ESET OnlineScan

                •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                ESET OnlineScan
                •Click the button.
                •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                • Click on to download the ESET Smart Installer. Save it to your desktop.
                • Double click on the icon on your desktop.
                •Check
                •Click the button.
                •Accept any security warnings from your browser.
                •Check
                •Push the Start button.
                •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                •When the scan completes, push
                •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                •Push the button.
                •Push
                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


                millee81

                  Topic Starter


                  Rookie

                  Re: Infected wuauclt.exe
                  « Reply #26 on: September 18, 2010, 08:09:52 PM »
                  C:\Users\Jinju\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\38566918-6d218ade   a variant of Java/TrojanDownloader.Agent.NAN trojan   deleted - quarantined

                  and I guess these are the same but I'm posting the C:\Program Files\ESET\ESET Online Scanner\log.txt file anyways:


                  ESETSmartInstaller@High as downloader log:
                  all ok
                  # version=7
                  # OnlineScannerApp.exe=1.0.0.1
                  # OnlineScanner.ocx=1.0.0.6211
                  # api_version=3.0.2
                  # EOSSerial=e96da94d460a4e419f4917970917995a
                  # end=finished
                  # remove_checked=true
                  # archives_checked=true
                  # unwanted_checked=true
                  # unsafe_checked=false
                  # antistealth_checked=true
                  # utc_time=2010-09-19 01:28:22
                  # local_time=2010-09-18 09:28:22 (-0500, Eastern Daylight Time)
                  # country="United States"
                  # lang=1033
                  # osver=6.0.6002 NT Service Pack 2
                  # compatibility_mode=512 16777215 100 0 0 0 0 0
                  # compatibility_mode=1024 16777215 100 0 69212177 69212177 0 0
                  # compatibility_mode=5892 16776638 100 100 0 121457337 0 0
                  # compatibility_mode=8192 67108863 100 0 0 0 0 0
                  # scanned=249606
                  # found=1
                  # cleaned=1
                  # scan_time=9891
                  C:\Users\Jinju\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\38566918-6d218ade   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C


                  Is my laptop clean? =) how do I clean my usb now?
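
An added example, not part of the original post or of ESET's tooling: a small parser for the log.txt layout shown in the reply above, which checks that the scan finished and that every detection was cleaned. The field separators (tabs or runs of spaces) and the sample path are assumptions; the sample log is constructed from the layout posted above.

```python
import re
from collections import defaultdict

# Constructed sample that mirrors the posted log layout (path is a placeholder).
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# end=finished
# remove_checked=true
# unsafe_checked=false
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777215 100 0 69212177 69212177 0 0
# scanned=249606
# found=1
# cleaned=1
# scan_time=9891
C:\Users\Example\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\24\sample-file   a variant of Java/TrojanDownloader.Agent.NAN trojan (deleted - quarantined)   00000000000000000000000000000000   C
"""

# "threat name (action taken)" as it appears in the second column of a detection row.
DETECTION_RE = re.compile(r"^(?P<threat>.*?)\s*\((?P<action>[^()]*)\)$")


def parse_eset_log(text):
    """Split the log into '# key=value' headers and detection rows."""
    headers = defaultdict(list)  # keys such as compatibility_mode repeat
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            key, sep, value = line[1:].strip().partition("=")
            if sep:
                headers[key].append(value.strip('"'))
            continue
        # Assumption: columns are separated by tabs or by two or more spaces.
        fields = re.split(r"\t+|\s{2,}", line)
        if len(fields) < 2 or not re.match(r"^[A-Za-z]:\\", fields[0]):
            continue  # banner lines such as "all ok"
        m = DETECTION_RE.match(fields[1])
        threat, action = (m["threat"], m["action"]) if m else (fields[1], "")
        detections.append({"path": fields[0], "threat": threat, "action": action})
    return dict(headers), detections


def summarize(text):
    """Report whether the scan completed and whether anything was left uncleaned."""
    headers, detections = parse_eset_log(text)
    found = int(headers.get("found", ["0"])[0])
    cleaned = int(headers.get("cleaned", ["0"])[0])
    return {
        "finished": headers.get("end", [""])[0] == "finished",
        "found": found,
        "cleaned": cleaned,
        "uncleaned": found - cleaned,
        "count_matches": found == len(detections),  # header agrees with the rows
        "detections": detections,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
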

                  SuperDave

                  Re: Infected wuauclt.exe
                  « Reply #27 on: September 19, 2010, 12:21:27 PM »
                  First of all, please run a scan on your USB with your AV program. Please hold down the shift key while inserting the USB storage device for at least 10 secs. Now run the AV scan. Also scan it with SAS and MBAM. If these come out clean you should now save any important information on your storage device before running the program below.

                  Panda USB and AutoRun Vaccine

                  Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

                  Download Panda USB and AutoRun Vaccine and save it to your desktop.

                  * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
                  * Open that folder and double-click on USBVaccine.exe to start the program.
                  * Click Run
                  * Click the button to Vaccinate computer.
                  * Insert your USB flash drive.
                  * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
                  * Exit Panda USB and AutoRun Vaccine when done.

                  Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.

                  Windows 8 and Windows 10 dual boot with two SSD's
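
An added example, not part of the original post and not Panda's code: a read-only audit of a removable drive's autorun.inf that lists the entries which would launch a program, for checking a drive before it is vaccinated. The sample file contents and the function names are constructed for illustration; the drive root passed to `check_drive` is an assumption.

```python
import os

# Keys in the [autorun] section that name a program or file to launch.
EXEC_KEYS = ("open", "shellexecute")

# Constructed samples, not taken from the thread.
SUSPICIOUS_INF = r"""; constructed sample
zzzz junk padding line
[AutoRun]
open=tools\setup.exe /quiet
icon=drive.ico
shell\open\command=tools\setup.exe
label=My Drive
"""
BENIGN_INF = r"""[autorun]
icon=drive.ico
label=Backup
"""


def audit_autorun(text):
    """Return (key, command) pairs from [autorun] that start a program."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Tolerate junk lines and other sections instead of failing on them.
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_shell_cmd:
            findings.append((key, value.strip()))
    return findings


def check_drive(root):
    """Return 'absent', 'unreadable', or the list of launch entries found."""
    path = os.path.join(root, "autorun.inf")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return audit_autorun(fh.read())
    except FileNotFoundError:
        return "absent"
    except OSError:
        # The file exists but cannot be opened for reading.
        return "unreadable"


if __name__ == "__main__":
    print(audit_autorun(SUSPICIOUS_INF))
```
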

                  millee81

                    Topic Starter


                    Rookie

                    Re: Infected wuauclt.exe
                    « Reply #28 on: September 19, 2010, 05:37:33 PM »
                    Thank you SuperDave!! So does this mean my laptop and my usb are clean and ready for use?

                    millee81

                      Topic Starter


                      Rookie

                      Re: Infected wuauclt.exe
                      « Reply #29 on: September 19, 2010, 06:09:25 PM »
                      oh and can I delete the notepad logs from my desktop?  Which programs do you recommend I keep on my computer to use regularly?