Help please: wuaudit.exe

Hello. I get a message saying that
“Trojan horse blocked
Object: C:\Users\username\AppData\Local\Temp\iswizard\wuaudit.exe
Infection: Win32:BitCoinMiner-CA [Trj]
Action: Moved to chest
Process: C:\Windows\SysWOW64\rundll32.exe”. It pops up repeatedly.
What should I do to clean it? Thanks for help.

Hi,

Please download Farbar Recovery Scan Tool and save it to your desktop.

[color=green]Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Scan result

Addition

Downloaded keygens and using torents make your computer infected.

Kod:

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


HKCU\...\Run: [tsiVideo] - C:\Users\Baysu\AppData\Local\Temp\\tsiVi432.dll [1504256 2013-07-17] () <===== ATTENTION
MountPoints2: {be8189f0-63d4-11e2-be6f-002683174a31} - "G:\Autorun.exe" 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-homes.com/?utm_source=b&utm_medium=newgdp&from=newgdp&uid=OCZ-AGILITY3_OCZ-H2PI7WRP0E35M7L3&ts=1373011973
URLSearchHook: (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} -  No File
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = 
SearchScopes: HKLM-x32 - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.delta-homes.com/web/?utm_source=b&utm_medium=newgdp&from=newgdp&uid=OCZ-AGILITY3_OCZ-H2PI7WRP0E35M7L3&ts=0
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Folder: C:\Windows\system32\oobe
File: C:\Windows\System32\services.exe
CMD: ipconfig /flushdns
C:\Users\Baysu\AppData\Local\Temp\tsiVi432.dll
C:\Users\Baysu\AppData\Local\Temp\\tsiVi432.dll

  1. Save notepad as fixlist.txt
    NOTE. It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  2. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.

====== THEN ======

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds to MCShield finish initial scan.
Recommendation to under General and Scanner tab you click on Defaults button to choose recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that has made MCShield.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

====== THEN ======

Re-run FRST;

[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.

NEXT

[*]Type (copy) wuaudit.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
[*]Exit FRST.
[*]Close the command window.
[*]Boot back into normal mode and post me the FRST.txt and Search.txt logs please.

The first three files are here. But I couldn’t clearly understand the last 2 steps. Which command window and which normal mode? Should I just exit FRST and re-run it?

Sorry, was not been able to respond earlier.

Which command window and which normal mode?

I’ve used the wrong speech, sorry. I was wanted fresh FRST’s log. That’s what I got. :slight_smile:

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.delta-homes.com/?utm_source=b&utm_medium=newgdp&from=newgdp&uid=OCZ-AGILITY3_OCZ-H2PI7WRP0E35M7L3&ts=1373011973
End

  1. Save notepad as fixlist.txt
    NOTE. It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  2. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.

======= THEN ========

Download the ESET services repair tool, extract the file to your desktop.

[*]Double-click ServicesRepair.exe.
[*]If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
[*]Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
[*]A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.

How’s your computer running now?

I think it’s ok now. I don’t see that message anymore. Thanks so much for your help :slight_smile:

You may remove used tools + preform some post cleanings;

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[
] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

I recommended to use MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

Be safe. :wink:

OK I’ve done it. Thanks so much for help :slight_smile: