Author Topic: wuaudit.exe virus  (Read 1631 times)

Offline gallegoj

  • Newbie
  • *
  • Posts: 4
    • Personal Message (Offline)
wuaudit.exe virus
« on: September 29, 2013, 12:42:25 PM »
Hello everyone, I need some help to remove a trojan that is detected with avast. It is detected as wuaudit.exe virus. I ran all the software described in http://forum.avast.com/index.php?topic=53253.0 but it is still there.

I do not know what else to do and I am losing my patience with this Trojan.
Please, can someone help me?

Here are the LOGs

Thanks

Offline Eddy

  • avast! Evangelist
  • Serious Graphoman
  • ***
  • Posts: 9935
  • Gender: Male
  • Watching (over?) you
    • Malware removal, Biljart and other things.
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #1 on: September 29, 2013, 12:47:00 PM »
Run a bootscan with avast and run Malwarebytes. That should take care of the problem.

And please search this webboard before posting.
http://forum.avast.com/index.php?topic=130078.0

Offline magna86

  • Anti Malware Fighter
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 3249
  • Gender: Male
    • Ambulanta MyCity Forum - ASAP Member
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #2 on: September 29, 2013, 12:54:51 PM »
@gallegoj

I will look at your logs.

This fix shall fix your problem:
Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:
:FILES
ipconfig /flushdns /c
C:\Users\Jonathan\AppData\Local\Temp\tsiVi032.dll
C:\Users\Jonathan\AppData\Local\Temp\iswizard
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\agoenciogemlojlhccbcpcfflicgnaak
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chmimgmjdabgiilljdjfbonifbhiglao
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\eimhlfnbjllicocigjdalpodkokffbmm
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\enadeelnincmhhilgbiphjbjnnagnhmh
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbpifhknilaflibiifjhhofddbbchmhh
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\flogpfmjdekjoilcnmmchanikomlidie
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdbabpaggdgcakhjllleobffeghmhjme
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdbabpaggdgcakhjllleobffeghmhjme
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdkjifoifglkpcdffkenpinlbjgephlo
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmbgaklkmjakoegficnlkhebmhkjfich
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijecamokjmiajijbajfnlbkfknpplkdf
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfdckejfnkaemompfjhecfmhjgnchmjg
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgdfnbpkmkkdhgidgcpdkgpdlfjcgnnh
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\loamdenijebhollnjgehcfbnpeelfhlk
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjocghlclkpgheifflemilcnblodjohg
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\okboeogmnhjpgbeaokfogelclpblaemo
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooagbcohbmlpkfkdnodbomgphbcecalj
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooagbcohbmlpkfkdnodbomgphbcecalj
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia

:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-1365072474-943141896-2643588273-1000..\Run: [tsiVideo] C:\Users\Jonathan\AppData\Local\Temp\tsiVi032.dll ()

:COMMANDS
[CREATERESTOREPOINT]
[EMPTYTEMP]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


---- Next -----


aswMBR shows traces of a possible TDL rootkit. We shall re-check that.




Download TDSSKiller  and save it to your desktop

    Execute TDSSKiller.exe by double-clicking on it, and accept all pop-ups on start.

  •     Press Start Scan

     
  •   If Suspicious object is detected, the default action will be Skip, click on Continue.
     
  •   If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.
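
The fix script in the reply above lists one path twice and removes a Run-key autostart that points at a DLL in the user's Temp folder. As an added example (not part of the original post and not OTL's own code), the Python sketch below parses a script in that layout, reports duplicate :FILES entries and applies three heuristic checks to O4 Run entries; the regular expressions, function names and shortened sample are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: shortened fix script in the layout used in the post above.
SAMPLE_FIX = r"""
:FILES
ipconfig /flushdns /c
C:\Users\Jonathan\AppData\Local\Temp\tsiVi032.dll
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdbabpaggdgcakhjllleobffeghmhjme
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdbabpaggdgcakhjllleobffeghmhjme
:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-1365072474-943141896-2643588273-1000..\Run: [tsiVideo] C:\Users\Jonathan\AppData\Local\Temp\tsiVi032.dll ()
:COMMANDS
[EMPTYTEMP]
"""

# O4 autostart line: "O4 - <key>..\Run: [value name] <target> (<company>)"
O4_RE = re.compile(r"^O4\S*\s+-\s+\S+\\Run\w*:\s+\[(?P<name>[^\]]+)\]\s+"
                   r"(?P<target>.+?)\s+\((?P<vendor>[^)]*)\)\s*$")
TEMP_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

def parse_sections(text):
    """Split a fix script into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r":[A-Za-z]+", line):
            current = line[1:].upper()
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections

def review(text):
    """Return (duplicate :FILES entries, heuristic findings on O4 Run entries)."""
    sections = parse_sections(text)
    counts = Counter(p.lower() for p in sections.get("FILES", []))
    duplicates = sorted(p for p, n in counts.items() if n > 1)
    findings = []
    for m in filter(None, map(O4_RE.match, sections.get("OTL", []))):
        reasons = []
        if TEMP_RE.search(m["target"]):
            reasons.append("target in temp directory")
        if m["target"].lower().endswith(".dll"):
            reasons.append("DLL registered directly as autostart")
        if not m["vendor"].strip():
            reasons.append("no company name")
        if reasons:
            findings.append((m["name"], m["target"], reasons))
    return duplicates, findings
```

Calling `review(SAMPLE_FIX)` returns the duplicated extension path (lower-cased) and one finding for the `tsiVideo` entry with all three reasons attached.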

Offline gallegoj

  • Newbie
  • *
  • Posts: 4
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #3 on: September 29, 2013, 11:28:12 PM »
@Eddy: Thanks for your advice. I ran a bootscan with avast and ran Malwarebytes but the threat was still there. I read the other posts before creating this one and they always suggest starting a new post. That is why I opened a new post.

@magna86: I ran OTL with the script you gave me and I also ran TDSSKiller. TDSSKiller didn't find anything.
I am sending the two logs. It seems the problem is solved until now.

Should I check something more? Should I delete any of the software I've installed?

Thanks,

gallegoj

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21799
  • Gender: Male
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #4 on: September 30, 2013, 12:38:18 AM »
Quote
Should I check something more? Should I delete any of the software I've installed?
magna86 is in bed now, check back tomorrow   ;)

Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline magna86

  • Anti Malware Fighter
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 3249
  • Gender: Male
    • Ambulanta MyCity Forum - ASAP Member
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #5 on: September 30, 2013, 10:02:37 AM »

Quote
@magna86: I ran OTL with the script you gave me and I also ran TDSSKiller. TDSSKiller didn't find anything.
I am sending the two logs. It seems the problem is solved until now.

Should I check something more? Should I delete any of the software I've installed?


I shall need both OTL and TDSSK logs. Please post them here.

Offline gallegoj

  • Newbie
  • *
  • Posts: 4
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #6 on: September 30, 2013, 01:02:48 PM »
Hi,

I forgot to attach the logs in the last reply, sorry for that.

Offline magna86

  • Anti Malware Fighter
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 3249
  • Gender: Male
    • Ambulanta MyCity Forum - ASAP Member
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #7 on: September 30, 2013, 01:59:06 PM »
Let's check with TDSSKiller a little deeper.




  • Re-run TDSSKiller.exe and click on Change parameters.
  • Under Additional options check the boxes next to:
    - Verify Driver Digital Signature;
    - Detect TDLFS file system
    - Use KSN to scan objects
  • Click OK, and then click Start Scan button.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and attach the contents of it into your next reply
Note: It will also create a log in the C:\ directory.


==========================


How's your computer running now?

Offline gallegoj

  • Newbie
  • *
  • Posts: 4
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #8 on: October 01, 2013, 02:00:10 AM »
Hi Magna,

Sorry for answering late, but it is difficult for me to get access to my laptop during working time.
I ran TDSSKiller again with the parameters that you suggested. It didn't detect any threat. I am attaching the LOG.

Offline magna86

  • Anti Malware Fighter
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 3249
  • Gender: Male
    • Ambulanta MyCity Forum - ASAP Member
    • Personal Message (Offline)
Re: wuaudit.exe virus
« Reply #9 on: October 01, 2013, 08:58:44 AM »
That's it.  :)

> Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.




I recommend using MCShield, if you will.
You may download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.

 
