Com-Central.net

Next door neighbor contracted "wuausclt.exe" bug, that affects several system files. Tried to help him out (he's using Firefox and Windows on a laptop. Windows of a version I'm not familiar with). Has no AV, so I tried to do a system restore, but the bug saw right through my little trick and bumps from that page in a fraction of a second. Tries to sell you a wipe for it's own virus.

Next move is to "reset to as system was new", if we can. He doesn't have any special apps on there so only some image files will be lost, if even those. Not critical.

Any other ideas?

I don't think it's a virus (but it could become one, or more).
It sounds more like adware.
Whatever he does, he MUST NOT click the link to the anti-virus it's trying to sell.
The trouble with that stuff is that it could be relatively harmless in itself, but they tend to also have a secondary package which can install a trojan subsequently to download more serious stuff by clicking their link.

I looked it up in the Symantec database and it's apparently quite adept at chainging registry files.
THIS might help (although it's not quite the same name as yours, with the 's' missing).

I would do the following in sequence:-

1) get good anti-virus, spyware, and firewall ready.

2) Clean disk of everything. Wipe it. There's nothing left on there you want because it's highly likely that thing will have left roots that will just re-install it, or worse, in a few weeks.
Save any important files to DVD for repair later.

3) Start again.

4) Install appropriate security.

5) Load DVD to drive and check for viruses before transferring any old files.

I had one of these a couple of years ago (my fault, I was clicking a sequence of messages without looking and clicked one of these without even seeing it. It was resident in my System Restore memory so, every time I cleaned it out, it would simply re-install itself (and a trojan I can't remember the name of) from there.

One thing, if your friend is still adamant about not bothering with security, just point out how easy it is for someone to take control of his computer, use it as a zombie, and start downlowing (for example) child porn. If someone does, he'd be responsible until and unless he can prove it wasn't him.
He should get security.

Thanks,

I already admonished him about some form of protection and browser settings. It was, in all likelihood, wide open...just used for wife's "facebook".

...apart from 7 Y.O. daughter playing a game which also led to an....unsavory link.

I think he needs to wipe it and institute some serious controls.

from another forum

"I spent the morning trying to get rid of a virus called AV Security. It tells you that you are infected and the only way out is to buy the AV Security software ($50 for a 3 month license!) This is bogus, they are really after a credit card number. It came right through my AVG free antivirus. I googled it and found it is really running amuck and very hard to delete in that it disables ALL the executables in your Windows files and all your apps like Photoshop, FSDS, FSX, etc. I solved the problem by restoring to yesterday noon (July 3, 2010). "
The Bad news is you may have picked it up days or even weeks ago, one of the newest tricks they are using is a dorman period and or a wait time before the malware payload is released. I had a system infected in March that had been offline for almost 3 weeks and the user triggered the payload part way though the first day back to work after their vacation. In that case the system was off line but powered up while the user was away, when they reutrned the system received a security patch the first thing after they logged in, a complete system scan found nothing (normal procedure for Trend Micro - after any update it runs a full system scan).

The user had still not connected to our Intranet let alone the Internet, however they ran a report and saved it in HTML format, when they double clicked on the html file to open it ie was the program that opened the report, and poof the scareware Infection message, Luckly they were smart enough to pull the plug and call me before they did anything. After some serious investigating I foumd the file that had carried the payload, it had been dormant for almost a month. I was able to clean it with some serious effort and as far as I can tell it was using a cookie counter to trigger the payload, simply stated it went wild when the number of stored cookies reached a specifec amount the payload was released and the next time ie was started the message appears.

I am not trying to scare you or anyone, I just want to point out even if it appears you were infected by a specific site, or had only visited a few in a specific period of time, it is not absolute proof, of the cause you might have picked up the bug weeks ago and something you did or some external signal set it loose."

HTH

"
"

This is a good description/explanation of what you're dealing with;
www.symantec.com/norto...id=mislead

www.symantec.com/conne...w-me-money

www.symantec.com/conne...ney-part-2

www.symantec.com/conne...ney-part-3

www.symantec.com/conne...rt-tipping

Also, I still can't find anything on the file you list but "wuauclt.exe" seems to be a required file for Windows to update.
This may just be a file where the actual problem has been detected;These things will evolve and re-install themselves in a number of new places each time you find /remove them from another.
That makes it very hard to remove all traces of it, not to mention any damage it's already done to your registry which a simple anti-virus won't fix.