Thread: Help please eliminating WUAUDIT.EXE

  1. #1
    Senior Member, Join Date: Apr 2010, Posts: 463

    Hello drcurious

    I am perplexed.
    Me too. The file does not appear in your DDS logs, nor was it removed by ComboFix, and as you mentioned it was not picked up by SystemLook.

    How is the machine running in general? Are there any symptoms being displayed that are out of the ordinary (redirects, popups, error messages, etc.)?

    Let's continue with the following:


    1. Please work through the following steps


      • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
      • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
      • Copy and Paste the text in the quotebox below into the open Notepad window:

        Firefox::
        FF - ProfilePath - c:\documents and settings\Owner.A-1STORAGE\Application Data\Mozilla\Firefox\Profiles\ggz2ycl5.default\
        FF - prefs.js: network.proxy.http_port - 61980
        FF - prefs.js: network.proxy.type - 4
      • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
      • Close any open browsers.
      • Disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Referring to the picture below, drag CFScript.txt into ComboFix.exe.




      • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
      • Once the log is produced, re-engage your resident antivirus.


    2. Temporary File Cleaner


      • Download TFC to your desktop.
      • Close any open windows.
      • Double click the TFC icon to run the program.
      • TFC will close all open programs itself in order to run.
      • Click the Start button to begin the process.
      • Allow TFC to run uninterrupted.
      • The program should not take long to finish.
      • Once complete it should automatically reboot your machine.
      • If your machine does not reboot automatically, manually reboot to ensure a complete clean.
      • Note: After running TFC your machine may take slightly longer to boot the first time. This is normal.


    3. Malwarebytes Anti-Malware:


      • I can see that you have MBAM installed.
      • Double click on your Malwarebytes Anti-Malware icon to launch the program.
      • Click on the "Update" tab and then on "Check for Updates".
      • The program will now install the latest Malware definition files.
      • Once complete, click on the "Scanner" tab, select "Perform Quick Scan" and then click on "Scan".
      • Once the program has scanned your computer, a log file will be created in Notepad.
      • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.



      • If the scan detects any Malware-related objects, make sure that everything is checked, and click "Remove Selected" <– Very Important.
      • When disinfection is completed, a log will open in Notepad and you may be prompted to restart your computer.
      • The log is automatically saved by MBAM and can be viewed by clicking the "Logs" tab.
      • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart your computer, please do so immediately.
      • Come back here to this thread and Paste the log in your next reply.


      Please post the Combofix log and the MBAM log in your next reply.
    Proud Graduate of the WTT Classroom
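An added example, not part of JonTom's post or of ComboFix: the CFScript above removes two Firefox preferences (network.proxy.type and network.proxy.http_port) from prefs.js, and this Python script shows the check a responder would run first, parsing the user_pref() lines of a prefs.js and reporting every network.proxy.* entry that differs from Firefox's defaults. The prefs.js content is constructed to mirror the two lines in the script, and the default values are assumed from current Firefox releases.

```python
"""Audit a Firefox prefs.js for non-default proxy settings (added example)."""
import re

# Assumed Firefox defaults as stored in prefs.js (older releases differed for
# some of these). Anything else was set by the user, an extension, or malware.
PROXY_DEFAULTS = {
    "network.proxy.type": 5,            # 5 = use system proxy settings
    "network.proxy.http": "",
    "network.proxy.http_port": 0,
    "network.proxy.ssl": "",
    "network.proxy.ssl_port": 0,
    "network.proxy.socks": "",
    "network.proxy.socks_port": 0,
    "network.proxy.autoconfig_url": "",
    "network.proxy.no_proxies_on": "",
}

# Meaning of the network.proxy.type integer.
PROXY_TYPE_NAMES = {
    0: "no proxy",
    1: "manual proxy configuration",
    2: "automatic configuration URL (PAC)",
    4: "auto-detect proxy settings (WPAD)",
    5: "use system proxy settings",
}

# Matches a prefs.js line of the form: user_pref("name", value);
# where value is a JS string literal, integer or boolean.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\);\s*$'
)


def _parse_value(raw):
    """Convert the JS literal from a user_pref() line to a Python value."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        # Undo the two escape sequences prefs.js actually emits in strings.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as text


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit_proxy_prefs(prefs):
    """Return (pref, value, note) for each network.proxy.* pref not at its default."""
    findings = []
    for name, value in sorted(prefs.items()):
        if not name.startswith("network.proxy."):
            continue
        if value == PROXY_DEFAULTS.get(name):
            continue
        if name == "network.proxy.type":
            note = PROXY_TYPE_NAMES.get(value, "unknown proxy type")
        elif name.endswith("_port"):
            note = "non-default proxy port"
        else:
            note = "non-default"
        findings.append((name, value, note))
    return findings


# Constructed sample prefs.js: the two prefs the CFScript targets plus
# unrelated entries that must not be reported.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://example.invalid/");
user_pref("network.proxy.http_port", 61980);
user_pref("network.proxy.type", 4);
user_pref("network.proxy.no_proxies_on", "");
user_pref("privacy.donottrackheader.enabled", true);
'''

if __name__ == "__main__":
    for name, value, note in audit_proxy_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{name} = {value!r}  ({note})")
```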

  2. #2
    Junior Member, Join Date: Jan 2013, Location: Illinois USA, Posts: 10

    Dear JonTom,

    Thanks for continuing your investigation of the mysterious disappearing WUAUDIT.EXE. As far as my machine's performance, it has been normal, but occasionally it will slow down so I check Task Manager to see what is using CPU. Sometimes a McAfee process is slowing things down for no apparent reason. It was when checking Task Manager that I discovered the unrecognized WUAUDIT.EXE but now I can't remember if it was using CPU or not.

    Here are the logs that you requested:

    ComboFix 13-01-05.01 - Owner 01/05/2013 22:33:28.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.513 [GMT -6:00]
    Running from: c:\documents and settings\Owner.A-1STORAGE\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner.A-1STORAGE\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-06 to 2013-01-06 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-01 00:04 . 2013-01-01 00:04 388096 ----a-r- c:\documents and settings\Owner.A-1STORAGE\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2013-01-01 00:04 . 2013-01-01 00:04 -------- d-----w- c:\program files\Trend Micro
    2012-12-27 22:37 . 2012-12-27 22:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
    2012-12-19 14:51 . 2012-11-09 12:50 84432 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2012-12-12 09:47 . 2012-12-12 09:47 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-12-16 12:23 . 2005-04-13 16:55 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-12 09:47 . 2012-04-09 22:23 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-12-12 09:47 . 2011-06-10 01:35 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-11-28 02:31 . 2012-11-28 02:31 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-11-28 02:31 . 2012-06-30 16:21 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-11-28 02:31 . 2011-10-17 02:15 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-11-28 02:31 . 2010-02-11 16:59 143872 ----a-w- c:\windows\system32\javacpl.cpl
    2012-11-13 01:25 . 2005-04-13 16:56 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-09 12:56 . 2012-08-09 02:36 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2012-11-09 12:53 . 2012-08-09 02:08 167344 ----a-w- c:\windows\system32\mfevtps.exe
    2012-11-09 12:53 . 2012-08-09 02:36 91168 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2012-11-09 12:52 . 2012-08-09 02:36 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2012-11-09 12:52 . 2012-08-09 02:36 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2012-11-09 12:51 . 2012-02-22 18:29 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2012-11-09 12:50 . 2012-08-09 02:36 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2012-11-09 12:50 . 2012-08-09 02:36 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2012-11-09 12:49 . 2012-08-09 02:36 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2012-11-09 12:49 . 2012-02-22 18:29 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2012-11-02 02:02 . 2005-04-13 16:55 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17 . 2005-04-13 16:56 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17 . 2005-04-13 16:55 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17 . 2005-04-13 16:55 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35 . 2005-04-13 16:55 385024 ------w- c:\windows\system32\html.iec
    2012-12-05 02:03 . 2012-12-05 02:03 262112 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Owner.A-1STORAGE\Application Data\mjusbsp\cdloader2.exe" [2012-02-01 50592]
    "CGFLoader"="c:\program files\Calibrize\CalibrizeLoader.exe" [2007-11-26 1961984]
    "CalibrizeResume"="c:\program files\Calibrize\CalibrizeResume.exe" [2007-11-26 413696]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2012-12-21 109336]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "CHotkey"="zHotkey.exe" [2005-05-03 543232]
    "RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
    "EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-09-12 1278648]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2012-10-29 296096]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-09-23 15512424]
    "NvMediaCenter"="NvMCTray.dll" [2012-09-23 108392]
    "nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-09-23 1634112]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
    .
    c:\documents and settings\Owner.A-1STORAGE\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-3-28 2168360]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2012-08-15 17:46 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
    "c:\\Documents and Settings\\Owner.A-1STORAGE\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Documents and Settings\\Owner.A-1STORAGE\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/8/2012 8:36 PM 91168]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [8/8/2012 8:36 PM 168880]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [8/8/2012 8:08 PM 167344]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/8/2012 8:36 PM 60480]
    R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 9:09 PM 267568]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/8/2012 8:36 PM 362640]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/19/2012 8:51 AM 84432]
    R3 Pcouffin;Low level access layer for CD devices;c:\windows\system32\drivers\Pcouffin.sys [10/31/2006 12:48 PM 47360]
    R3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [3/10/2007 6:41 PM 23040]
    R3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [3/10/2007 6:41 PM 56320]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2012 8:36 PM 167784]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [9/27/2006 4:12 PM 10664]
    S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [11/14/2012 7:38 AM 146872]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/19/2012 8:51 AM 84432]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/8/2012 8:36 PM 92192]
    S3 snxcard;SUNIX Industrial Multiport Serial Card Driver;c:\windows\system32\drivers\snxcard.sys [1/5/2007 10:18 AM 14976]
    S3 snxport;SUNIX Industrial Port Driver;c:\windows\system32\drivers\snxport.sys [1/5/2007 10:19 AM 54912]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-06 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 09:47]
    .
    2013-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
    .
    2013-01-05 c:\windows\Tasks\ConfigExec.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
    .
    2013-01-06 c:\windows\Tasks\DataUpload.job
    - c:\program files\Microsoft Fix it Center\MatsApi.dll [2011-06-14 03:09]
    .
    2013-01-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-11 06:04]
    .
    2013-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2012-02-11 06:04]
    .
    2013-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-607317455-4106850741-3124670952-1006Core.job
    - c:\documents and settings\Owner.A-1STORAGE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 02:14]
    .
    2013-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-607317455-4106850741-3124670952-1006UA.job
    - c:\documents and settings\Owner.A-1STORAGE\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-03 02:14]
    .
    2013-01-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-607317455-4106850741-3124670952-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 19:27]
    .
    2013-01-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-607317455-4106850741-3124670952-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-07-27 19:27]
    .
    2013-01-04 c:\windows\Tasks\ReclaimerUpdateFiles_Owner.job
    - c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
    .
    2013-01-05 c:\windows\Tasks\ReclaimerUpdateXML_Owner.job
    - c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
    .
    2013-01-05 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Owner.job
    - c:\documents and settings\Owner.A-1STORAGE\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.30\agent\rnupgagent.exe [2012-12-14 03:01]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
    IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
    IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
    IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Free YouTube Download - c:\documents and settings\Owner.A-1STORAGE\Application Data\DVDVideoSoftIEHelpers\freeytvdownloader.htm
    IE: Free YouTube to MP3 Converter - c:\documents and settings\Owner.A-1STORAGE\Application Data\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Show RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Owner.A-1STORAGE\Application Data\Mozilla\Firefox\Profiles\ggz2ycl5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1|http://my.ebay.com/ws/eBayISAPI.dll?...ard.php?init=1
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-01-05 22:43
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
    @="?????????????????? v1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
    @="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
    @="?????????????????? v2"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
    @="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1060)
    c:\program files\Citrix\GoToAssist\615\G2AWinLogon.dll
    .
    - - - - - - - > 'explorer.exe'(1896)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2013-01-05 22:46:50
    ComboFix-quarantined-files.txt 2013-01-06 04:46
    ComboFix2.txt 2013-01-05 00:26
    .
    Pre-Run: 146,561,130,496 bytes free
    Post-Run: 146,545,369,088 bytes free
    .
    - - End Of File - - 64FC26C648E05E83D47CFF51A1AEC625


    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.01.06.02

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Owner :: A-1STORAGE [administrator]

    1/6/2013 12:52:33 AM
    mbam-log-2013-01-06 (00-52-33).txt

    Scan type: Full scan (C:\|D:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 362498
    Time elapsed: 2 hour(s), 17 minute(s), 20 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

  3. #3
    Junior Member, Join Date: Jan 2013, Location: Illinois USA, Posts: 10

    Dear JonTom,

    I was able to get WUAUDIT.EXE to appear in the Task Manager list on a reboot with McAfee virus and firewall off, and ran a DDS right away. After the log appeared, WUAUDIT.EXE still showed in Task Manager. I opened Firefox to send this post and now WUAUDIT.EXE has disappeared.

    Here is the DDS log:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
    Run by Owner at 8:12:24 on 2013-01-06
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.445 [GMT -6:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled*
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Real\RealPlayer\update\realsched.exe
    C:\Program Files\Calibrize\CalibrizeResume.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120808213631.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    TB: &RoboForm Toolbar: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    uRun: [cdloader] "c:\documents and settings\owner.a-1storage\application data\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [CGFLoader] c:\program files\calibrize\CalibrizeLoader.exe
    uRun: [CalibrizeResume] c:\program files\calibrize\CalibrizeResume.exe
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [CHotkey] zHotkey.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\owner~1.a-1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDrives = dword:0
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: Customize Menu - c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
    IE: Fill Forms - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: Free YouTube Download - c:\documents and settings\owner.a-1storage\application data\dvdvideosoftiehelpers\freeytvdownloader.htm
    IE: Free YouTube to MP3 Converter - c:\documents and settings\owner.a-1storage\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: Save Forms - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: Show RoboForm Toolbar - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://chil.solidworks.com/htdocs/pdownload/edrawings/e2007sp03/cab/eModelsStandard.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158264384363
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{C1ACEBC7-1070-497B-B702-67F4BEB7519C} : DHCPNameServer = 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner.a-1storage\application data\mozilla\firefox\profiles\ggz2ycl5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1|http://my.ebay.com/ws/eBayISAPI.dll?...ard.php?init=1
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\owner.a-1storage\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\owner.a-1storage\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\owner.a-1storage\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
    FF - plugin: c:\windows\system32\npdeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-2-22 565352]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-8-8 91168]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-8-8 203400]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-8-8 168880]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-8-8 167344]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-8-8 60480]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-8-8 234824]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-8-8 362640]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2012-12-19 84432]
    R3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [2007-3-10 23040]
    R3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [2007-3-10 56320]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
    S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-11-14 146872]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-8-8 65488]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2012-12-19 84432]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-8-8 92192]
    S3 snxcard;SUNIX Industrial Multiport Serial Card Driver;c:\windows\system32\drivers\snxcard.sys [2007-1-5 14976]
    S3 snxport;SUNIX Industrial Port Driver;c:\windows\system32\drivers\snxport.sys [2007-1-5 54912]
    .
    =============== File Associations ===============
    .
    ShellExec: MRSIDV~1.EXE: Open="c:\progra~1\lizard~1\mrsidv~1\MRSIDV~1.EXE""" %1""
    ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
    .
    =============== Created Last 30 ================
    .
    2013-01-04 23:52:00 -------- d-sha-r- C:\cmdcons
    2013-01-04 23:43:53 98816 ----a-w- c:\windows\sed.exe
    2013-01-04 23:43:53 256000 ----a-w- c:\windows\PEV.exe
    2013-01-04 23:43:53 208896 ----a-w- c:\windows\MBR.exe
    2013-01-01 00:04:18 388096 ----a-r- c:\documents and settings\owner.a-1storage\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2013-01-01 00:04:15 -------- d-----w- c:\program files\Trend Micro
    2012-12-19 14:51:27 84432 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2012-12-12 09:47:19 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    .
    ==================== Find3M ====================
    .
    2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-14 22:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-12 09:47:22 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-12-12 09:47:22 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-11-28 02:31:15 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-11-28 02:31:13 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-11-28 02:31:13 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-11-28 02:31:13 143872 ----a-w- c:\windows\system32\javacpl.cpl
    2012-11-27 19:41:44 1101436 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2012-11-27 19:41:44 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2012-11-27 19:41:37 1101436 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-09 12:56:16 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2012-11-09 12:53:22 167344 ----a-w- c:\windows\system32\mfevtps.exe
    2012-11-09 12:53:02 91168 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2012-11-09 12:52:22 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2012-11-09 12:52:12 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2012-11-09 12:51:12 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2012-11-09 12:50:20 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2012-11-09 12:50:00 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2012-11-09 12:49:40 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2012-11-09 12:49:10 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
    .
    ============= FINISH: 8:14:07.96 ===============

  4. #4
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello drcurious

    Sometimes a McAfee process is slowing things down for no apparent reason.

    It was when checking Task Manager that I discovered the unrecognized WUAUDIT.EXE but now I can't remember if it was using CPU or not.
    McAfee is known to draw heavily on system resources, so that's why your system may be slowing. Your system logs indicate that you presently have around 500 MB of free RAM available. If you run any resource intensive applications that draw heavily on the remaining RAM, you may very well notice an impact on system speed/performance.

    Your MBAM log looks good.


    I was able to get WUAUDIT.EXE to appear in the Task Manager list on a reboot with McAfee virus and firewall off, and ran a DDS right away. After the log appeared, WUAUDIT.EXE still showed in Task Manager. I opened FireFox to send this post and now WUAUDIT.EXE has disappeared.
    Please make sure that you keep your security engaged. This problem appears to be intermittent in nature. The file in question, while present in your Task Manager, does not appear to reside on your machine long enough for us to detect or remove it (or at all). Unless we can get a path to the file and investigate it further, we are stuck.

    Let's continue with the following:


    1. Please run the following scan


      • Note: Internet Explorer is preferred for this scan, although it will run with other browsers.
      • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
      • Please disable your real time security programs before performing the scan.



      • Scan your system with Eset Online Scanner
      • Place a check mark in the box YES, I accept the Terms Of Use.
      • Click the button.
      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.



      • Check
      • Click the button.
      • Accept any security warnings from your browser.
      • Check
      • Make sure that the option to "Remove Found Threats" is UN checked.
      • Push the "Start" button.
      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      • When the scan completes, push
      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      • Push the button.
      • Push


      Please post the ESET log in your next reply.
    Proud Graduate of the WTT Classroom
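    The sticking point above is that the process shows up in Task Manager but never long enough to learn where it runs from. The script below is an added example, not part of JonTom's or drcurious's posts: it polls the process list and, the moment a process with the given name appears, records its image path, command line, parent process and SHA-256 hash to a text file, so the path and hash survive even if the file later vanishes. The process name, log path and poll interval are assumptions chosen for this example; it needs only PowerShell 2.0 and WMI, which Windows XP SP3 supports.

```powershell
# Added example (not from the thread): capture evidence about an intermittently
# appearing process before it exits again.
# Assumptions: PowerShell 2.0+ with WMI available; the process name, log path
# and poll interval below are placeholders chosen for this example.
param(
    [string]$ProcessName = 'WUAUDIT.EXE',
    [string]$LogPath     = "$env:USERPROFILE\Desktop\wuaudit-capture.txt",
    [int]$IntervalMs     = 500
)

function Get-Sha256Hex([string]$Path) {
    # Hash the on-disk image so it can be looked up later even if the file deletes itself.
    $sha    = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

$seen = @{}   # process IDs already recorded, so each instance is logged once
Write-Host "Watching for $ProcessName; press Ctrl+C to stop. Log: $LogPath"
while ($true) {
    # Win32_Process exposes the full path and command line, which XP's Task Manager does not show.
    $hits = Get-WmiObject Win32_Process | Where-Object { $_.Name -eq $ProcessName }
    foreach ($p in $hits) {
        if ($seen.ContainsKey($p.ProcessId)) { continue }
        $seen[$p.ProcessId] = $true
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $hash = 'n/a (image path unavailable)'
        if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
            $hash = Get-Sha256Hex $p.ExecutablePath
            # Preserve a copy (with a non-executable extension) for later analysis.
            Copy-Item $p.ExecutablePath ($LogPath + '.sample.bin') -ErrorAction SilentlyContinue
        }
        $record = @(
            "---- $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ----",
            "Name:        $($p.Name)  PID: $($p.ProcessId)",
            "Path:        $($p.ExecutablePath)",
            "CommandLine: $($p.CommandLine)",
            "Parent:      $($parent.Name) (PID $($p.ParentProcessId)) $($parent.ExecutablePath)",
            "SHA-256:     $hash"
        ) -join "`r`n"
        Add-Content -Path $LogPath -Value $record
        Write-Host $record
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

    A process that starts and exits within one poll interval can still be missed, so a shorter interval trades CPU for coverage; the recorded path and hash are what a helper needs to look the file up and decide whether it is legitimate.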

  5. #5
    Junior Member
    Join Date
    Jan 2013
    Location
    Illinois USA
    Posts
    10

    Default

    Dear JonTom,

    I have not seen WUAUDIT.EXE appear since my last post.

    Here is the ESET log:

    C:\Downloads\Software\CouponPrinter.exe probably a variant of Win32/Adware.Softomate.AD application
    C:\Downloads\Software\freefireworks.exe multiple threats

  6. #6
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Default

    Hello drcurious

    Let's take care of those detections:


    1. Please make all files and folders Visible:


      • Click "Start", go to My Computer -> Tools -> Folder Options -> View tab:
      • Choose to "Show hidden files and folders".
      • Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
      • Close the window with "OK".


    2. Please search for and delete the following files


      • NOTE: DO NOT double click on ANY executable (.exe) files in the next step!!!
      • Right-click your "Start" button and select "Explore".
      • Navigate to and delete the following files in bold.



      • C:\Downloads\Software\CouponPrinter.exe <==== Delete this file.
      • C:\Downloads\Software\freefireworks.exe <==== Delete this file.



      • Once deleted, empty your recycle bin and let me know how the machine is running.
    Proud Graduate of the WTT Classroom

  7. #7
    Junior Member
    Join Date
    Jan 2013
    Location
    Illinois USA
    Posts
    10

    Default

    Hi JonTom,

    I have removed those two entries. My computer seems to be running smoothly at this time.

    Chris
