Cont+Atl+Delete triggers virus

I’ve cleaned my system with avast, MBAM, CCleaner, HJT. I had to replace notepad.exe, regedit.exe, msconfig.exe and wuauclt.exe to clear up a malicious site loading virus wXw.update-microsoft-windows.com

System runs better than ever however everytime I hit Cont+Atl+Delete it triggers a virus and avast reports that the wuauclt.exe is infected again and deletes it (wuauclt.exe).

How can I find the nasty file(s) that’s hiding somewhere on my computer?

Hello TheyGotMe

Post HJT log here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:16 PM, on 7/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\MICROS~4\GAMECO~1\STRATE~1\daemon14.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AutoWindow_Sizer\sizer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Symantec\pcAnywhere\Winaw32.exe
C:\Program Files\Symantec\pcAnywhere\awrem32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ihomes3000.com/6260
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - E:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - E:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [Daemon14] C:\PROGRA~1\MICROS~4\GAMECO~1\STRATE~1\daemon14.exe
O4 - HKLM..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 “EPSON Stylus C88 Series” /O6 “USB001” /M “Stylus C88”
O4 - HKLM..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 “EPSON Stylus CX4800 Series” /O6 “USB002” /M “Stylus CX4800”
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM..\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe”
O4 - HKLM..\Run: [LogitechQuickCamRibbon] “C:\Program Files\Logitech\QuickCam\Quickcam.exe” /hide
O4 - HKLM..\Run: [RoxWatchTray] “C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe”
O4 - HKLM..\Run: [avast!] e:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [POINTER] point32.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKCU..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 “EPSON Stylus C88 Series” /M “Stylus C88” /EF “HKCU”
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra ‘Tools’ menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

cont in next post

cont from last post

O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - e:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - e:\Program Files\Spyware Doctor\pctsSvc.exe


End of file - 9618 bytes

Also, I can’t upgrade to XP SP3 “Access Denied” error occurs at end of installation and reverts back to SP2

Can you please download superantispyware http://filehippo.com/download_superantispyware/
Update it and run a full scan.If it finds any infected items,quarantine it and post back a log.

Edit:I see you already have superantispyware on your computer.Please run a scan with it

@TheyGotMe

There is spyware doctor installed and also symantec products can be seen. list the security products you currently use now and previously used.

The only AV software running is avast. Spyware doctor but not running. It is installed for troubleshooting purposes only. My system did have Nortons AV a couple of years ago but I uninstalled it. Symantec PC Anywhere is installed but has nothing to do with NAV except I think they both use LiveUpdate 3.1 (Symantec Corp software).

Firewall is stock MS. All MS updates are installed except XP SP3 (error occurs when I try to ipdate).

Results of SAS after update and full scan.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2009 at 10:11 PM

Application Version : 4.26.1006

Core Rules Database Version : 4012
Trace Rules Database Version: 1952

Scan type : Complete Scan
Total Scan Time : 00:35:56

Memory items scanned : 522
Memory threats detected : 0
Registry items scanned : 8141
Registry threats detected : 0
File items scanned : 33901
File threats detected : 18

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@ads.lucidmedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@networksolutions.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@chitika[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[3].txt
C:\Documents and Settings\Owner\Cookies\owner@sales.liveperson[2].txt
C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.techguy[2].txt
C:\Documents and Settings\Owner\Cookies\owner@dmtracker[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@at.atwola[2].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
C:\Documents and Settings\Owner\Cookies\owner@microsoftinternetexplorer.112.2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt

Hmmm. Cookies are a minor privacy issue. It’s not them disabling your taskmanager.

Try a test: instead of pressing ctrl alt del, try right clicking the lower taskbar, bring up taskmanager from there. Does the warning message then come up?

Try locating the file wuauclt.exe and upload it to www.virustotal.org for an online scan by several different scanners. Post the url to the result page here, please.

On my computer it is in System32, and is listed as having a file size of “50.0 KB (51,224 bytes)” (slightly larger on the disk). This is normally a legitimate file. If it is located anywhere else but System32, that could be suspicious.

I would not be in the slightest surprised if the Symantec programs were causing interference, somehow. Even to the point of causing this behaviour. There is no malware I can see in that HJT log.

If you can do without the Symantec products, uninstall them, then run the latest Noton Removal Tool (this from MajorGeeks. Also available at Symantec.)

Following this, repair your Avast installation via “add/remove programs”

Couple of questions: Any reason you haven’t updated to SP3? Recommend. Fairly strongly. Might even fix the issue.
Unrelated: Is that “SWF catcher” add-on useful?

PS: You say in the first post you had to replace a number of files.

From where did you get these replacements?

You cant update windows since wuauclt.exe is infected. what you can do is, download the sp3 manually and install it.

Yes, this is true.
Get it Here.
(Warning. This is a large download. Save it somewhere. That way, if you ever need to re-install Windows, it saves a lengthy download for updates. A vulnerable time, if you see what I mean.)

Please do the other stuff first, though, if you wouldn’t mind.Let’s see what’s at play, here.

From an old Dell laptop I had on a shelf. It is the only computer I have that still had XP SP2 although it was XP Pro. I scanned them first on VirusTotal and they were 0/41.

Agree that first let us see the result of virustotal.com

Launching from taskbar also causes avast warning and deletes wuauclt.exe file. FYI - I can see it in the avast chest.

The one I replace it with is 51K and clean according to VirusTotal.com.

post the link of virus total here and send the file to avast by clicking the email to avast icon, after that, just do a manual update of avast. then get the sp3 and install it. your windows update should work now.

It is useful for grabbing basic swf files from Web pages. Doesn’t work with dynamic swf files (files that contain paths in the swf coding).

Post the results of the clean file?

Isn’t avast already aware of the virus if it’s catching it and moving it to the chest? What’s the purpose of sending it to avast? I’ll do it but I’m curious.

I did a manual update and avast reported I’m already up to date program: 4.8.1335 and Vps: 090722-0.

I downloaded SP3 to install manually. I’ll give it a try but nothing is fixed yet. The only difference will be I don’t have to download it first. The update always downloaded and made it through 70% to 80% (35 minutes) of the install and looks like it tries to replace an existing file and can’t “Access Denied” message. I really don’t know.

Isn't avast already aware of the virus if it's catching it and moving it to the chest? What's the purpose of sending it to avast? I'll do it but I'm curious.
In case it turns out to be a FP. But I've just tried scanning that file on my system, it comes up clean. So there is more at play, here.
I downloaded SP3 to install manually. I'll give it a try but nothing is fixed yet. The only difference will be I don't have to download it first. The update always downloaded and made it through 70% to 80% (35 minutes) of the install and looks like it tries to replace an existing file and can't "Access Denied" message. I really don't know.
Must admit, I really don't know, either. Does it say what file the "access denied" message comes up at? What is the malware name given to the wuauclt file by Avast?

I’m guessing, but this sounds a bit “rootkit-y”. Think I better hold off any more replying 'till someone with better cleaning knowledge turns up.

you have the answer to why is it needed to upload to avast - if virustotal is telling its clean and avast is detecting it as a virus.

after clicking email to avast if you have manually updated your avast then the file will be uploaded to avast.