
Thread: Help please eliminating WUAUDIT.EXE

  1. #11
    Junior Member
    Join Date
    Jan 2013
    Location
    Illinois USA
    Posts
    10

    Dear JonTom,

    I was able to get WUAUDIT.EXE to appear in the Task Manager list on a reboot with McAfee virus and firewall off, and ran a DDS right away. After the log appeared, WUAUDIT.EXE still showed in Task Manager. I opened FireFox to send this post and now WUAUDIT.EXE has disappeared.

    Here is the DDS log:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.9.2
    Run by Owner at 8:12:24 on 2013-01-06
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.445 [GMT -6:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled*
    .
    ============== Running Processes ================
    .
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Digital Media Reader\shwiconem.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\Logi_MwX.Exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Real\RealPlayer\update\realsched.exe
    C:\Program Files\Calibrize\CalibrizeResume.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\mfevtps.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
    BHO: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120808213631.dll
    BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    BHO: FDMIECookiesBHO Class: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
    TB: &Google: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    TB: &RoboForm Toolbar: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: &Google: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    uRun: [cdloader] "c:\documents and settings\owner.a-1storage\application data\mjusbsp\cdloader2.exe" MAGICJACK
    uRun: [CGFLoader] c:\program files\calibrize\CalibrizeLoader.exe
    uRun: [CalibrizeResume] c:\program files\calibrize\CalibrizeResume.exe
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
    mRun: [CHotkey] zHotkey.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\docume~1\owner~1.a-1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    uPolicies-Explorer: NoDrives = dword:0
    uPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
    mPolicies-Explorer: NoDriveAutoRun = dword:67108863
    IE: Customize Menu - c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
    IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
    IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
    IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
    IE: Fill Forms - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: Free YouTube Download - c:\documents and settings\owner.a-1storage\application data\dvdvideosoftiehelpers\freeytvdownloader.htm
    IE: Free YouTube to MP3 Converter - c:\documents and settings\owner.a-1storage\application data\dvdvideosoftiehelpers\freeyoutubetomp3converter.htm
    IE: Save Forms - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: Show RoboForm Toolbar - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBC} - c:\program files\java\jre7\bin\jp2iexp.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    IE: {76c5fb99-dd0a-4186-9e75-65d1bf3da283} - c:\program files\amazon\add to wish list ie extension\run.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    INFO: HKCU has more than 50 listed domains.
    If you wish to scan all of them, select the 'Force scan all domains' option.
    .
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
    DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - hxxp://chil.solidworks.com/htdocs/pdownload/edrawings/e2007sp03/cab/eModelsStandard.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158264384363
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{C1ACEBC7-1070-497B-B702-67F4BEB7519C} : DHCPNameServer = 192.168.1.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\program files\mcafee\msc\McSnIePl.dll
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\owner.a-1storage\application data\mozilla\firefox\profiles\ggz2ycl5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbay&gbh=1|http://my.ebay.com/ws/eBayISAPI.dll?...ard.php?init=1
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\owner.a-1storage\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\owner.a-1storage\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\owner.a-1storage\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
    FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nprpplugin.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\real\realplayer\netscape6\nprpplugin.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\windows\system32\adobe\director\np32dsw_1168638.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
    FF - plugin: c:\windows\system32\npdeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2012-2-22 565352]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2012-8-8 91168]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-8-8 203400]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-8-8 168880]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-8-8 167344]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-8-8 60480]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2012-8-8 234824]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-8-8 362640]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2012-12-19 84432]
    R3 SNXPCARD;SNXPCARD;c:\windows\system32\drivers\snxpcard.sys [2007-3-10 23040]
    R3 SNXPSERX;SNXPSERX;c:\windows\system32\drivers\snxpserx.sys [2007-3-10 56320]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-8-8 167784]
    S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-9-27 10664]
    S3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-11-14 146872]
    S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2012-8-8 65488]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2012-12-19 84432]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-8-8 92192]
    S3 snxcard;SUNIX Industrial Multiport Serial Card Driver;c:\windows\system32\drivers\snxcard.sys [2007-1-5 14976]
    S3 snxport;SUNIX Industrial Port Driver;c:\windows\system32\drivers\snxport.sys [2007-1-5 54912]
    .
    =============== File Associations ===============
    .
    ShellExec: MRSIDV~1.EXE: Open="c:\progra~1\lizard~1\mrsidv~1\MRSIDV~1.EXE""" %1""
    ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
    .
    =============== Created Last 30 ================
    .
    2013-01-04 23:52:00 -------- d-sha-r- C:\cmdcons
    2013-01-04 23:43:53 98816 ----a-w- c:\windows\sed.exe
    2013-01-04 23:43:53 256000 ----a-w- c:\windows\PEV.exe
    2013-01-04 23:43:53 208896 ----a-w- c:\windows\MBR.exe
    2013-01-01 00:04:18 388096 ----a-r- c:\documents and settings\owner.a-1storage\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2013-01-01 00:04:15 -------- d-----w- c:\program files\Trend Micro
    2012-12-19 14:51:27 84432 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2012-12-12 09:47:19 16363960 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
    .
    ==================== Find3M ====================
    .
    2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
    2012-12-14 22:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-12-12 09:47:22 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-12-12 09:47:22 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-11-28 02:31:15 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
    2012-11-28 02:31:13 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
    2012-11-28 02:31:13 746984 ----a-w- c:\windows\system32\deployJava1.dll
    2012-11-28 02:31:13 143872 ----a-w- c:\windows\system32\javacpl.cpl
    2012-11-27 19:41:44 1101436 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2012-11-27 19:41:44 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2012-11-27 19:41:37 1101436 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2012-11-13 01:25:12 1866368 ----a-w- c:\windows\system32\win32k.sys
    2012-11-09 12:56:16 60480 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2012-11-09 12:53:22 167344 ----a-w- c:\windows\system32\mfevtps.exe
    2012-11-09 12:53:02 91168 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2012-11-09 12:52:22 9648 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2012-11-09 12:52:12 92192 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2012-11-09 12:51:12 565352 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2012-11-09 12:50:20 362640 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2012-11-09 12:50:00 65488 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2012-11-09 12:49:40 234824 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2012-11-09 12:49:10 132912 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2012-11-02 02:02:42 375296 ----a-w- c:\windows\system32\dpnet.dll
    2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
    2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
    2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
    .
    ============= FINISH: 8:14:07.96 ===============

  2. #12
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Hello drcurious

    > Sometimes a McAfee process is slowing things down for no apparent reason.

    > It was when checking Task Manager that I discovered the unrecognized WUAUDIT.EXE but now I can't remember if it was using CPU or not.
    McAfee is known to draw heavily on system resources so that's why your system may be slowing. Your system logs indicate that you presently have around 500 MB of free RAM available. If you run any resource intensive applications that draw heavily on the remaining RAM, you may very well notice an impact on system speed/performance.

    Your MBAM log looks good.


    > I was able to get WUAUDIT.EXE to appear in the Task Manager list on a reboot with McAfee virus and firewall off, and ran a DDS right away. After the log appeared, WUAUDIT.EXE still showed in Task Manager. I opened FireFox to send this post and now WUAUDIT.EXE has disappeared.
    Please make sure that you keep your security engaged. This problem appears to be intermittent in nature. The file in question, while present in your task manager, does not appear to reside on your machine long enough for us to detect or remove it (or at all). Unless we can get a path to the file and investigate it further we are stuck.

    Let's continue with the following:


    1. Please run the following scan


      • Note: Internet Explorer is preferred for this scan, although it will run with other browsers.
      • Note for Vista/Windows 7 Users: ESET is compatible but Internet Explorer must be run as Administrator. To do this, right-click on your Internet Explorer icon and select "Run as Administrator".
      • Please disable your real time security programs before performing the scan.



      • Scan your system with Eset Online Scanner
      • Place a check mark in the box YES, I accept the Terms Of Use.
      • Click the button.
      • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps).
      • Click on to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the icon on your desktop.



      • Check
      • Click the button.
      • Accept any security warnings from your browser.
      • Check
      • Make sure that the option to "Remove Found Threats" is UN checked.
      • Push the "Start" button.
      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      • When the scan completes, push
      • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      • Push the button.
      • Push


      Please post the ESET log in your next reply.
    Proud Graduate of the WTT Classroom
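
The sticking point in the reply above is that the process never stays around long enough to yield a file path. One way to record that path the next time the process starts, as an added example that is not part of the original thread: a Windows PowerShell (2.0 or later) watcher built on a WMI process-creation event. The log location and the `ProcWatch` identifier are assumptions.

```powershell
# Added example: log the on-disk path of a short-lived process when it starts.
# Requires Windows PowerShell 2.0+ (Register-WmiEvent). Run it elevated so that
# ExecutablePath is readable for processes owned by other accounts.
param(
    [string]$ProcessName = 'WUAUDIT.EXE',              # name reported in the thread
    [string]$LogPath     = "$env:TEMP\proc-watch.tsv"  # assumed log location
)

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash only exists in PowerShell 4+, so hash with .NET directly.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '' }
    finally { $fs.Close() }
}

# Escape backslashes and quotes before placing the name in a WQL string literal.
$safeName = $ProcessName -replace "([\\'])", '\$1'

# WITHIN 1 makes WMI poll once per second, so a process that starts and exits
# inside that window can still be missed.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process' " +
         "AND TargetInstance.Name = '$safeName'"

Register-WmiEvent -Query $query -SourceIdentifier 'ProcWatch'
Write-Host "Watching for $ProcessName; logging to $LogPath (Ctrl+C to stop)"

try {
    while ($true) {
        foreach ($evt in @(Wait-Event -SourceIdentifier 'ProcWatch')) {
            Remove-Event -EventIdentifier $evt.EventIdentifier
            $p = $evt.SourceEventArgs.NewEvent.TargetInstance

            # The parent may already have exited; its PID is recorded either way.
            $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $parentName = if ($parent) { $parent.Name } else { '(exited)' }

            # Hash the image while it is still on disk, so the file can be
            # identified later even if it is deleted or replaced.
            $hash = ''
            if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
                try   { $hash = Get-Sha256Hex $p.ExecutablePath }
                catch { $hash = 'unreadable' }
            }

            $fields = @(
                (Get-Date -Format o), $p.Name, $p.ProcessId, $p.ExecutablePath,
                $p.CommandLine, $p.ParentProcessId, $parentName, $hash
            )
            $line = $fields -join "`t"
            Add-Content -Path $LogPath -Value $line
            Write-Host $line
        }
    }
}
finally {
    # Always remove the subscription, including when stopped with Ctrl+C.
    Unregister-Event -SourceIdentifier 'ProcWatch'
}
```

Each log line holds the time seen, process name, PID, image path, command line, parent PID, parent name and SHA-256 of the image, which is the path information the helper says is needed to investigate the file further.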

  3. #13
    Junior Member
    Join Date
    Jan 2013
    Location
    Illinois USA
    Posts
    10

    Dear JonTom,

    I have not seen WUAUDIT.EXE appear since my last post.

    Here is the ESET log:

    C:\Downloads\Software\CouponPrinter.exe probably a variant of Win32/Adware.Softomate.AD application
    C:\Downloads\Software\freefireworks.exe multiple threats

  4. #14
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Hello drcurious

    Let's take care of those detections:


    1. Please make all files and folders Visible:


      • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
      • Choose to "Show hidden files and folders".
      • Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
      • Close the window with "OK".


    2. Please search for and delete the following files


      • NOTE: DO NOT double click on ANY executable (.exe) files in the next step!!!
      • Right-click your "Start" button and select "Explore".
      • Navigate to and delete the following files in bold.



      • C:\Downloads\Software\CouponPrinter.exe <==== Delete this file.

        C:\Downloads\Software\freefireworks.exe <==== Delete this file.



      • Once deleted, empty your recycle bin and let me know how the machine is running.
    Proud Graduate of the WTT Classroom

  5. #15
    Junior Member
    Join Date
    Jan 2013
    Location
    Illinois USA
    Posts
    10

    Hi JonTom,

    I have removed those two entries. My computer seems to be running smoothly at this time.

    Chris

  6. #16
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    Hello drcurious

    > I have removed those two entries. My computer seems to be running smoothly at this time.
    That's good news. Provided you are no longer having any problems, we can remove our tools.

    Before we do so:


    1. Foistware


      • I can see from your log that you have Viewpoint Media Player installed.
      • Viewpoint Media Player is considered as foistware rather than malware since it is installed without user's approval but doesn't spy or do anything "bad".
      • It is recommended that you remove Viewpoint products. However, this choice is up to you.
      • To remove these programs, click "Start" and then on "Control Panel" and then on "Add or Remove Programs".
      • Select Viewpoint Media Player and click on "Remove".
      • If you are prompted to restart your machine to complete the uninstall please do so.


    2. Please Uninstall Combofix


      • Click on "Start" and then on "Run".
      • Now type combofix /uninstall in the run box and click "OK". Please note the space between the "x" and the "/Uninstall", it needs to be there.


    3. Removal of Tools


      • You no longer need aswMBR, DDS or Systemlook. Please delete them from your machine.



      Once you have completed the above steps you should be good to go! If you have any further questions, please feel free to ask.

    4. Finally, please take the time to read through the information provided below:

      Enhance your System Security

      • For an excellent list of free anti virus software, free online virus scanners, free spyware detection/removal and free firewalls, click here.


      • IMPORTANT! Please make sure you only have ONE firewall and ONE real-time antivirus installed on your system. When using "on demand" scanners, first update the detection signature files, then disconnect from the internet and disable your resident security program before running the scan.
      • Once complete, remember to re-engage your resident security before going online.


      Web Browsers and Browser Security

      Firefox
      • You can download Firefox from here.


      No-Script
      • If you use Firefox as your default browser, No-Script can provide additional security by preventing malicious scripts from being executed on your system.
      • You can download No-Script by clicking here.


      Internet Explorer
      • The newest version of Internet Explorer is available from here.
      • Please Note: IE9 is not configured to run on XP machines.


      SpywareBlaster
      • If you use Internet Explorer as your default browser, SpywareBlaster would be a valuable addition to your online security.
      • SpywareBlaster prevents malicious ActiveX objects from being downloaded onto your system.
      • You can download SpywareBlaster by clicking here.


      Web of Trust
      • When using search engines, Web of Trust provides you with an easy way of telling the good sites from the bad and is compatible with both Firefox and Internet Explorer.
      • Coloured symbols are displayed next to search results, giving you more confidence in the links you choose to click on: Green (To go), Yellow (Caution) and Red (Stop).
      • You can download Web of Trust by clicking here.


      Keep your Software Updated
      • Outdated software can sometimes have vulnerabilities that are exploitable by malware.
      • Check if there are available updates for your installed software with Secunia's Online Software Inspector by clicking here.


      Passwords
      • Learn how to create strong passwords by clicking here and test the strength of the passwords you already use by clicking here.


      General Reading


      Learn How To Combat Malware
      • Would you like to learn how to fight back against malware and help others? Enroll at the What The Tech (Formerly Tom Coyotes) Malware Classroom by clicking here.
    Proud Graduate of the WTT Classroom

  7. #17
    Junior Member
    Join Date
    Jan 2013
    Location
    Illinois USA
    Posts
    10

    Dear JonTom,

    Thanks so much for your help! I will get back to you if I have other questions.

    Chris

  8. #18
    Senior Member
    Join Date
    Apr 2010
    Posts
    463

    > Thanks so much for your help!
    You are Very Welcome

    As this problem appears to be resolved this topic is now closed.

    Best wishes,

    JonTom
    Proud Graduate of the WTT Classroom
