I’ve cleaned my system with avast, MBAM, CCleaner, HJT. I had to replace notepad.exe, regedit.exe, msconfig.exe and wuauclt.exe to clear up a malicious site loading virus wXw.update-microsoft-windows.com.
System runs better than ever; however, every time I hit Ctrl+Alt+Delete it triggers a virus and avast reports that the wuauclt.exe is infected again and deletes it (wuauclt.exe).
How can I find the nasty file(s) that’s hiding somewhere on my computer?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:16 PM, on 7/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
The only AV software running is avast. Spyware Doctor is installed but not running. It is installed for troubleshooting purposes only. My system did have Norton AV a couple of years ago but I uninstalled it. Symantec PC Anywhere is installed but has nothing to do with NAV except I think they both use LiveUpdate 3.1 (Symantec Corp software).
Firewall is stock MS. All MS updates are installed except XP SP3 (error occurs when I try to update).
Adware.Tracking Cookie
Hmmm. Cookies are a minor privacy issue. It’s not them disabling your taskmanager.
Try a test: instead of pressing ctrl alt del, try right clicking the lower taskbar, bring up taskmanager from there. Does the warning message then come up?
Try locating the file wuauclt.exe and upload it to www.virustotal.org for an online scan by several different scanners. Post the url to the result page here, please.
On my computer it is in System32, and is listed as having a file size of “50.0 KB (51,224 bytes)” (slightly larger on the disk). This is normally a legitimate file. If it is located anywhere else but System32, that could be suspicious.
I would not be in the slightest surprised if the Symantec programs were causing interference, somehow. Even to the point of causing this behaviour. There is no malware I can see in that HJT log.
If you can do without the Symantec products, uninstall them, then run the latest Norton Removal Tool (this from MajorGeeks. Also available at Symantec.)
Following this, repair your Avast installation via “add/remove programs”.
Couple of questions: Any reason you haven’t updated to SP3? Recommend. Fairly strongly. Might even fix the issue.
Unrelated: Is that “SWF catcher” add-on useful?
Yes, this is true.
Get it Here.
(Warning. This is a large download. Save it somewhere. That way, if you ever need to re-install Windows, it saves a lengthy download for updates. A vulnerable time, if you see what I mean.)
Please do the other stuff first, though, if you wouldn’t mind. Let’s see what’s at play, here.
From an old Dell laptop I had on a shelf. It is the only computer I have that still had XP SP2 although it was XP Pro. I scanned them first on VirusTotal and they were 0/41.
Post the link of VirusTotal here and send the file to avast by clicking the email to avast icon. After that, just do a manual update of avast. Then get the SP3 and install it. Your Windows Update should work now.
Isn’t avast already aware of the virus if it’s catching it and moving it to the chest? What’s the purpose of sending it to avast? I’ll do it but I’m curious.
I did a manual update and avast reported I’m already up to date program: 4.8.1335 and Vps: 090722-0.
I downloaded SP3 to install manually. I’ll give it a try but nothing is fixed yet. The only difference will be I don’t have to download it first. The update always downloaded and made it through 70% to 80% (35 minutes) of the install and looks like it tries to replace an existing file and can’t “Access Denied” message. I really don’t know.
Isn't avast already aware of the virus if it's catching it and moving it to the chest? What's the purpose of sending it to avast? I'll do it but I'm curious.
In case it turns out to be a FP. But I've just tried scanning that file on my system, it comes up clean. So there is more at play, here.
I downloaded SP3 to install manually. I'll give it a try but nothing is fixed yet. The only difference will be I don't have to download it first. The update always downloaded and made it through 70% to 80% (35 minutes) of the install and looks like it tries to replace an existing file and can't "Access Denied" message. I really don't know.
Must admit, I really don't know, either.
Does it say what file the "access denied" message comes up at?
What is the malware name given to the wuauclt file by Avast?
I’m guessing, but this sounds a bit “rootkit-y”. Think I better hold off any more replying till someone with better cleaning knowledge turns up.
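The location check suggested earlier in the thread (a wuauclt.exe anywhere but System32 is suspicious), combined with a hash comparison against a known-good copy, as an added Python example that is not from any poster in the thread. The function names, the `expected` default and the sample tree built in `demo()` are assumptions for illustration; the sample file contents are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_copies(root, name="wuauclt.exe", expected=("WINDOWS/system32",), known_good=None):
    """List every file called `name` under `root` and flag the ones worth a closer look.

    expected   -- folders (relative to root) where a copy is considered normal (assumption)
    known_good -- SHA-256 of a copy taken from a clean machine, if one is available
    """
    expected = {e.replace("\\", "/").strip("/").lower() for e in expected}
    findings = []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name.lower():  # Windows file names are case-insensitive
                continue
            path = os.path.join(folder, fname)
            rel = os.path.relpath(folder, root).replace(os.sep, "/").lower()
            digest = sha256_of(path)
            flags = []
            if rel not in expected:
                flags.append("unexpected-location")
            if known_good and digest != known_good:
                flags.append("hash-mismatch")  # file differs from the clean reference copy
            findings.append({"location": rel, "size": os.path.getsize(path),
                             "sha256": digest, "flags": flags})
    return sorted(findings, key=lambda f: f["location"])


def demo():
    """Constructed sample tree: an altered copy in System32, a clean copy in a temp folder."""
    good, altered = b"MZ constructed clean copy", b"MZ constructed altered copy"
    with tempfile.TemporaryDirectory() as root:
        for rel, fname, data in (("WINDOWS/system32", "wuauclt.exe", altered),
                                 ("WINDOWS/Temp", "WUAUCLT.EXE", good)):
            os.makedirs(os.path.join(root, rel))
            with open(os.path.join(root, rel, fname), "wb") as fh:
                fh.write(data)
        return audit_copies(root, known_good=hashlib.sha256(good).hexdigest())
```

Run `audit_copies` against the drive root with the hash of the copy taken from the clean machine; a System32 copy that reports `hash-mismatch` shortly after being replaced means something on the system is rewriting it.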