wuaudit.exe in my system!

Hi!

Now I get these strange virus warnings popping up frequently, since yesterday, with this message included from Avast! (Unfortunately it's displayed in Swedish, so I'll try to translate it as well as I can and hope you will understand the basic meaning.)

Trojan Horse has been blocked!

Avast! File system has blocked a threat.
No further action needed.
Object: C:\Users\Jack.…\wuaudit.exe
Infection: Win32:BitCoinMiner-CA [Trj]
Process: C:\Windows\SysWOW64\rundll32.exe

The threat was located and blocked when the file was created or changed.

Then I read some current threads with a similar problem! But I don't get some parts of your support scenario, and when you mention the OTL by OldTimer I am confused and don't get the message!

This is what you've been writing: "Warning: This fix is only relevant for this system and no other, using on another computer may cause problems. Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot."

  1. Which system are you mentioning here? It's not clarified, since you only write "system". Can you please be more specific?

  2. Is this the second piece of software in a series of four to eliminate the problem with the virus? You also mention adwcleaner.exe, which I understand shall be the first in the row of four to use! Then you suggest aswMBR.exe and RogueKiller.exe as the third and fourth. Am I correct?

  3. Can I safely remove the files in the Quarantine and every infected file that will be found on my computer, or could they have damaged important root files in my system too?

Jack

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Monitoring

Here is the log file from AdwCleaner!

Before you suggest that I use OTL.exe, please answer the question I already mentioned above!

"I don't get some parts of your support scenario, and when you mention the OTL.exe I am confused and don't get the message! This is what you've been writing:"

(Warning: This fix is only relevant for this system and no other, using on another computer may cause problems. Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot.)

Can I or can't I use OTL.exe on a Windows 7 system, or what do you mean?

Sure. You can use it on W7, don’t worry.

Ok! Thanks!

NP, now please continue with your logs.

Log for Malwarebytes Anti-Malware!

Log file for OTL.exe

Question: Is the file extras.txt supposed to be attached as well?

Just for your information! I didn't run "fix" or anything else after I did the check with these anti-malware tools and the other applications you suggested. I just ran the programs and then attached the log files. Correct, or what?

Hi,
Well done with the logs. Where are the aswMBR logs? You need to run that as well.

Re-run OTL.exe.

[*]Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.



:commands
[CREATERESTOREPOINT]

:files
C:\$Recycle.Bin\S-1-5-21-112790860-2575705475-4214353926-1000
C:\Users\Jack\AppData\Local\Temp\iswizard\dwm.exe
C:\Users\Jack\AppData\Local\Temp\iswizard\iswizard.7z
C:\Users\Jack\AppData\Local\Temp\iswizard
C:\ProgramData\IBUpdaterService\repository.xml
C:\ProgramData\BrowserDefender
C:\Users\Jack\AppData\Local\Temp\tsiVi232.dll
C:\Users\Jack\AppData\Roaming\Spotify\Data\libcef.dll
C:\Users\Jack\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
C:\Users\Jack\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
C:\Users\Jack\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
C:\Program Files (x86)\mixidj
dir C:\Users\Jack\AppData\Local\Programs /c
C:\Users\Jack\AppData\Roaming\BabSolution
C:\Users\Jack\AppData\Roaming\Babylon
C:\Users\Jack\AppData\Roaming\Softonic
ipconfig /flushdns /c

:OTL
IE - HKU\S-1-5-21-112790860-2575705475-4214353926-1000\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = http://mixidj.delta-search.com/?babsrc=HP_ss&mntrId=D82F00A0C6000000&affID=121124&tsp=4927
IE - HKU\S-1-5-21-112790860-2575705475-4214353926-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mixidj.delta-search.com/?babsrc=HP_ss&mntrId=D82F00A0C6000000&affID=121124&tsp=4927
IE - HKU\S-1-5-21-112790860-2575705475-4214353926-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&babsrc=SP_ss_din2g&mntrId=D82F00A0C6000000&affID=121124&tsp=4927
IE - HKU\S-1-5-21-112790860-2575705475-4214353926-1000\..\SearchScopes\{2008C2ED-C644-4A1E-AC7E-59412B282E70}: "URL" = http://search.softonic.com/MOY00014/tb_v1?q={searchTerms}&SearchSource=4&cc=&mi=d82f47e300000000000000a0c6000000&r=168
IE - HKU\S-1-5-21-112790860-2575705475-4214353926-1001\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = http://mixidj.delta-search.com/?babsrc=HP_ss&mntrId=D82F00A0C6000000&affID=121124&tsp=4927
IE - HKU\S-1-5-21-112790860-2575705475-4214353926-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mixidj.delta-search.com/?babsrc=HP_ss&mntrId=D82F00A0C6000000&affID=121124&tsp=4927
IE - HKU\S-1-5-21-112790860-2575705475-4214353926-1001\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&babsrc=SP_ss_din2g&mntrId=D82F00A0C6000000&affID=121124&tsp=4927
IE - HKU\S-1-5-21-112790860-2575705475-4214353926-1001\..\SearchScopes\{2008C2ED-C644-4A1E-AC7E-59412B282E70}: "URL" = http://search.softonic.com/MOY00014/tb_v1?q={searchTerms}&SearchSource=4&cc=&mi=d82f47e300000000000000a0c6000000&r=168
CHR - homepage: http://mixidj.delta-search.com/?babsrc=HP_ss&mntrId=D82F00A0C6000000&affID=121124&tsp=4927
O2 - BHO: (mixidj Helper Object) - {4D6A9BBF-402C-4301-B1EF-28D04F71D761} - C:\Program Files (x86)\mixidj\mixidj\1.8.18.8\bh\mixidj.dll (MixiDJ)
O3 - HKLM\..\Toolbar: (MixiDJ Toolbar) - {CA9B9C89-4662-4ADC-9C23-A452BECD5D19} - C:\Program Files (x86)\mixidj\mixidj\1.8.18.8\mixidjTlbr.dll (MixiDJ)
O4 - HKU\S-1-5-21-112790860-2575705475-4214353926-1000..\Run: [tsiVideo] C:\Users\Jack\AppData\Local\Temp\tsiVi232.dll ()
O33 - MountPoints2\{becefc5b-c118-11e2-ad1e-74d02b25dbd8}\Shell - "" = AutoRun
O33 - MountPoints2\{becefc5b-c118-11e2-ad1e-74d02b25dbd8}\Shell\AutoRun\command - "" = F:\windows\Data\AutoRun.exe -- [2011-08-24 17:56:07 | 000,179,736 | R--- | M] (ZTE Corporation)
O33 - MountPoints2\F\Shell - "" = AutoRun
O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\windows\Data\AutoRun.exe -- [2011-08-24 17:56:07 | 000,179,736 | R--- | M] (ZTE Corporation)
@Alternate Data Stream - 1213 bytes -> C:\Users\Jack\AppData\Local\Temp:5t81qv0SW5Zvlit7VYps

:commands
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

======= THEN ========

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
It is recommended that, under the General and Scanner tabs, you click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

======= THEN ========

Re-check:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Hi Magna86!

I haven't rerun OTL.exe yet; I just planned to follow your first suggestion about creating a log file from "aswMBR" as well. I tried that a couple of times but it failed and I got this message:

“avast! Antirootkit has stopped working!
A problem caused the program to stop working properly!
Windows will close the program and notify you if a solution is available!”

Is there any solution for getting around this problem before I do anything else, or shall I rerun OTL.exe and copy/paste the code you supplied me with first?

Regards Jack

Hm, got a few questions!

I haven't rerun OTL.exe yet! But I downloaded the MCShield-setup.exe file and it asked me to press Install. So I accepted, since there was no option to just save the file. Did I do something wrong here, since you wrote that I should've rerun OTL.exe first and copied/pasted your attached command lines? All this happened because aswMBR crashed during its installation process.

Is there a specific order to follow for all these suggested program installations and actions?

About rerunning OTL.exe: I copied/pasted your attached command lines and pressed Fix, let the process run and then restarted my computer. Here is the log file from the rerun of OTL.exe.

MCShield log file attached!

Hi,

For some unknown reason, aswMBR fails to load its drivers. Skip aswMBR for now.
Calm down and please do not panic, everything will be okay in the end. You’re in good hands. ;D

I'm waiting for the requested FRST logs…

Hi, all!
I solved this problem in a very simple way:

  1. change the Security properties for the folder \ISWIZARD to ADMIN only (my account)
  2. delete ALL files from this folder
  3. create 2 empty files with the RO (Read only) attribute:
    iswizard.7z
    proxy.conf

Now the virus wuaudit.exe can't replace MY files with its own body files :wink:
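The three steps in the post above, done from an elevated PowerShell prompt, as an added example that is not part of the thread and not anything the posters ran. It assumes the dropper writes into %LOCALAPPDATA%\Temp\iswizard (the path the OTL script earlier in the thread removes) and that iswizard.7z and proxy.conf are the filenames it drops; both names come from the thread. The account you run it from is the one that keeps access, matching the poster's "ADMIN only (my account)".

```powershell
# Added example: reproduce the last poster's hardening of the iswizard drop folder.
# Assumptions (from the thread, not verified here): the dropper targets
# %LOCALAPPDATA%\Temp\iswizard and writes iswizard.7z and proxy.conf.
$folder       = Join-Path $env:LOCALAPPDATA 'Temp\iswizard'
$placeholders = @('iswizard.7z', 'proxy.conf')

# Step 2 of the post: delete everything the dropper left behind (or create the folder).
if (Test-Path -Path $folder) {
    Get-ChildItem -Path $folder -Force | Remove-Item -Force -Recurse
} else {
    New-Item -ItemType Directory -Path $folder | Out-Null
}

# Step 3: empty, read-only placeholders so a later drop with the same name fails.
foreach ($name in $placeholders) {
    $path = Join-Path $folder $name
    New-Item -ItemType File -Path $path -Force | Out-Null
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
}

# Step 1: stop inheriting permissions from Temp and discard the inherited entries.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $folder -AclObject $acl

# Re-read the (now empty or explicit-only) DACL, clear it, and grant full control
# only to the local Administrators group and the account running this script.
$acl = Get-Acl -Path $folder
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
foreach ($who in @('BUILTIN\Administrators', "$env:USERDOMAIN\$env:USERNAME")) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $who, 'FullControl', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Verification: the DACL should list only the two principals above, and both
# placeholders should be 0 bytes with IsReadOnly = True.
Get-Acl -Path $folder | Format-List Path, AccessToString
Get-ChildItem -Path $folder -Force | Select-Object Name, IsReadOnly, Length
```

This only blocks a drop that uses those exact filenames and runs under an account the ACL excludes. The Avast alert in the first post shows the miner being written from rundll32.exe in the user's own session, so if that session is the admin account that keeps access, the read-only attribute is a speed bump rather than a barrier: a process with that token can clear the attribute and overwrite the file. Treat this as a way to spot reinfection (a placeholder that changes size is a signal) on top of the helper's OTL cleanup, not as a replacement for removing the persistence entries listed in the fix.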