hi there
having a problem with this trojan, having struggled with it quite a bit before coming here
I took the first few steps from a similar post in this forum, and am attaching the logs
thanks in advance to anyone willing to help
hello
uninstall Spybot Search and Destroy
==
Attention!!!: Only these links are official; do not download the tool from other links!!
Attention!!!: this tool can be wrongly detected as a virus
Attention!!!: this tool is powerful, so follow the instructions below scrupulously
All non-vital Windows processes will be killed, so save your work. The desktop will disappear during the scan -> no panic.
Deactivate all your protections if possible: antivirus, sandbox, firewalls
Download and save Pre_Scan to your desktop:
http://services.service-webmaster.fr/cpt-clics/clics-30453-6820.html (renamed winlogon)
Or, if the link is not working:
http://www.archive-host.com/files/1731274/ecd939269bcc7cdfed2d2e726c22709a32db3067/winlogon.exe (renamed winlogon)
http://www.security-helpzone.com/Tools/g3n/winlogon.exe (renamed winlogon)
If the tool is relaunched several times, it will offer you a menu; if no option is requested, launch the option " Scan|Kill "
If the tool is blocked by the infection, use this version with one of these other extensions:
http://www.security-helpzone.com/Tools/g3n/Pre_Scan.scr
http://www.security-helpzone.com/Tools/g3n/Pre_Scan.pif
http://www.security-helpzone.com/Tools/g3n/Pre_Scan.com
If the tool detects a proxy and you did not install one, click " delete the proxy "
Black windows may flash; let it work.
The tool will upload the viruses it quarantined to a server so that I can study these infections in more depth.
Let the tool restart your computer.
Post Pre_Scan_date_hour.txt, which appears in the root of your system drive (generally C:)
DO NOT POST IT ON THE FORUM!!! it is too long
Host the report on http://cjoint.com then give the link obtained
hey, thanks a lot for helping
spybot is uninstalled
ok, I'll wait for the report
I got a blue screen while in the process, attaching the log file which is shorter than expected
ok managed to finish the run, log is attached
hello
Launch it again, click on “Diag”
Host the report c:\Pre_Diag_xx_xx_xx.txt on http://cjoint.com then give the link obtained
diag log
http://cjoint.com/?3HroBOAtpLo
do you know that?
C:\Users\Yoav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\eclipse.exe
yes
Download and save ADWCleaner (direct link) to your desktop: http://www.bleepingcomputer.com/download/adwcleaner/dl/125/
Wait for the download confirmation window to appear
launch it (for Vista / 7 / 8 => right click, " Run as administrator ")
Click Delete and post C:\Adwcleaner[Sx].txt
adwCleaner log
ok, it’s on the right track
==
Download Junkware Removal Tool:
http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/
Do not click Download; wait for the download confirmation window to appear
Save this file to the desktop.
Close all your browsers
Under XP, double-click on the icon and press a key when asked.
Under Vista/7/8, right click and " Run as administrator ".
NB: the desktop will disappear for a moment; it is normal.
Let the program work, don’t touch anything
Post the report generated at the end of the analysis.
I’m getting an error
7-zip internal error code 105
ok, deactivate your protections or launch it again in safe mode
ok JRT has finished, log is attached
also - each time the OS boots up I’m presented with the following message
“There was a problem starting c:\users*username*\appData\local\temp\tsivi132.dll the specific module could not be found”
ok, that’s not a problem, it’ll disappear…
Launch Pre_Scan again, click on “Diag”
Host the report c:\Pre_Diag_xx_xx_xx.txt on http://cjoint.com then give the link obtained
I’ll do a script to delete the leftovers
diag log
http://cjoint.com/?3Hshkh83WFW
hello
confirm that you’re in Israel please
==
Select the bold text below, then CTRL + C:
[b]Kill::
Key::
[HKU\S-1-5-21-2369604876-1934198422-3652077016-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]|[tsiVideo]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Settings\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}]
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}]
[HKU\S-1-5-21-2369604876-1934198422-3652077016-1000\Software\65]
[HKLM\Software\Object]
[HKLM\Software\SOFTWARE]
[HKLM\Software\Wow6432Node\Object]
File|Fold::
C:\Program Files (x86)\Spybot - Search & Destroy 2
C:\765d3b4619528d698803bc997e50a6
C:\Windows\1C4551A64743409391E41477CD655043.TMP
C:\Windows\6833245EDD86479A882A8360D62C8194.TMP
C:\Windows\MultiKMS
C:\Users\Yoav\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BS.Player
C:\ProgramData\Spybot - Search & Destroy
C:\Users\Yoav\AppData\Local\28050
C:\Program Files (x86)\Spybot - Search & Destroy 2
Driver::
21675396
AVGIDSDRIVER
AVGIDSEH
AVGIDSFILTER
AVGIDSHA
AVGRKX64
AVGTDIA
AVG_ANTI-SPYWARE_DRIVER
AVG Anti-Spyware Driver
MBR::
Clean::
Reboot::[/b]
Attention!!! Remember to re-deactivate your protections
launch Pre_Scan again, then choose the option “Script”
A page will open
Logically the text you selected is already there, so you close it and the program will work.
Otherwise paste it (right click/paste or ctrl+V) into the blank page.
Then tab File => Save (not Save As), then close the text
Black windows may flash; it is normal, it is the program working
Post Pre_Script.txt, which will appear on the desktop at the end of the work
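As an added check of the result, not from the thread or from Pre_Scan: a PowerShell script that reports which of the registry entries and paths listed in the script above still exist after it has run. The SID, CLSID, value name and paths are copied from that script; run it from an elevated PowerShell once the machine has rebooted.

```powershell
# Added verification check; not part of the thread or of Pre_Scan.
# Reports which of the registry entries and paths named in the cleanup
# script above still exist. SID and CLSID are copied from that script.
$sid   = 'S-1-5-21-2369604876-1934198422-3652077016-1000'
$clsid = '{7825CFB6-490A-436B-9F26-4A7B5CFC01A9}'

# HKU is not a default PowerShell drive; map it so the HKU: paths resolve.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\Settings\$clsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "HKU:\$sid\Software\65",
    "HKLM:\SOFTWARE\Object",
    "HKLM:\SOFTWARE\SOFTWARE",
    "HKLM:\SOFTWARE\Wow6432Node\Object"
)
$leftovers = @()
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $leftovers += "key still present: $k" }
}

# The script removes the Run value tsiVideo, not the whole Run key,
# so check the value itself rather than the key's existence.
$runKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    if ($run.PSObject.Properties.Name -contains 'tsiVideo') {
        $leftovers += "Run value still present: tsiVideo = $($run.tsiVideo)"
    }
}

# Files and folders from the File|Fold:: section.
$paths = @(
    'C:\765d3b4619528d698803bc997e50a6',
    'C:\Windows\MultiKMS',
    'C:\Users\Yoav\AppData\Local\28050'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $leftovers += "path still present: $p" }
}

if ($leftovers) { $leftovers } else { 'Nothing from the script remains.' }
```

Anything it lists is a leftover worth mentioning in the next reply alongside the Pre_Script.txt report.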
hey
what do you mean by “re-deactivate your protections”?