wuaudit.exe trojan bitcoinminer and browser homepage redirects to www.qvo6.com

Hello, just like the others… I need some help to remove wuaudit.exe and dwm.exe, which avast has detected but cannot delete the source file of…

And how to remove an adware that redirects all my browser’s homepage to qvo6.com ?
thanks before :slight_smile:

follow guide and attach logs. http://forum.avast.com/index.php?topic=53253.0

run in order listed AdwCleaner / Malwarebytes / OTL / aswMBR

removal experts will be notified when logs are attached

Here they are…

and here…

removers are notified … should be here any minute

Hi,

Re-run OTL.exe.

- Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.



:files
C:\Windows\SysNative\drivers\avgtpx64.sys
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater
C:\Users\asus\AppData\Local\Temp\tsiVi332.dll

:services
avgtp
vToolbarUpdater15.5.0

:OTL
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=HitachiXHTS545050A7E380_TE85113Q1GNNUR1GNNURX&ts=1373743484
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=HitachiXHTS545050A7E380_TE85113Q1GNNUR1GNNURX&ts=1373743484
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=cor&from=cor&uid=HitachiXHTS545050A7E380_TE85113Q1GNNUR1GNNURX&ts=1373743484
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=HitachiXHTS545050A7E380_TE85113Q1GNNUR1GNNURX&ts=1373743484
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=cor&from=cor&uid=HitachiXHTS545050A7E380_TE85113Q1GNNUR1GNNURX&ts=1373743484
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.simplesearches.info/?l=1&q={searchTerms}&pid=821&r=2013/08/18&hid=48710286&lg=EN&cc=ID&unqvl=31
IE - HKU\S-1-5-21-1266034173-1240694035-3983495922-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=cor&from=cor&uid=HitachiXHTS545050A7E380_TE85113Q1GNNUR1GNNURX&ts=1373743484
IE - HKU\S-1-5-21-1266034173-1240694035-3983495922-1000\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=cor&from=cor&uid=HitachiXHTS545050A7E380_TE85113Q1GNNUR1GNNURX&ts=1373743484
IE - HKU\S-1-5-21-1266034173-1240694035-3983495922-1000\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.simplesearches.info/?l=1&q={searchTerms}&pid=821&r=2013/08/18&hid=48710286&lg=EN&cc=ID&unqvl=31
FF - prefs.js..browser.search.defaultenginename,S: S", "WebSearch"
FF - prefs.js..browser.search.defaulturl: "http://websearch.simplesearches.info/?pid=821&r=2013/08/18&hid=48710286&lg=EN&cc=ID&unqvl=31&l=1&q="
FF - prefs.js..browser.search.order.1,S: S", "WebSearch"
FF - prefs.js..browser.search.selectedEngine,S: S", "WebSearch"
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG Secure Search\FireFoxExt\15.5.0.2
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\mozilla_cc@internetdownloadmanager.com: C:\Users\asus\AppData\Roaming\IDM\idmmzcc5 [2013/03/17 17:38:25 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\SeaMonkey\Extensions\\mozilla_cc@internetdownloadmanager.com: C:\Users\asus\AppData\Roaming\IDM\idmmzcc5 [2013/03/17 17:38:25 | 000,000,000 | ---D | M]
O2 - BHO: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - No CLSID value found.
O4 - HKU\S-1-5-21-1266034173-1240694035-3983495922-1000..\Run: [tsiVideo] C:\Users\asus\AppData\Local\Temp\tsiVi332.dll ()
O33 - MountPoints2\{160fbdc3-e15b-11e2-a276-001e101fe5e1}\Shell - "" = AutoRun
O33 - MountPoints2\{160fbdc3-e15b-11e2-a276-001e101fe5e1}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2011/03/17 03:57:22 | 000,148,320 | R--- | M] ()
O33 - MountPoints2\{254fbe44-0a71-11e3-9468-001e101f2500}\Shell - "" = AutoRun
O33 - MountPoints2\{254fbe44-0a71-11e3-9468-001e101f2500}\Shell\AutoRun\command - "" = I:\Startme.exe
O33 - MountPoints2\{39fe579d-8805-11e2-976e-2016d84a64a3}\Shell - "" = AutoRun
O33 - MountPoints2\{39fe579d-8805-11e2-976e-2016d84a64a3}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2011/03/17 03:57:22 | 000,148,320 | R--- | M] ()
O33 - MountPoints2\{39fe57a0-8805-11e2-976e-2016d84a64a3}\Shell - "" = AutoRun
O33 - MountPoints2\{39fe57a0-8805-11e2-976e-2016d84a64a3}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2011/03/17 03:57:22 | 000,148,320 | R--- | M] ()
O33 - MountPoints2\{62394ba9-87fa-11e2-8e18-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{62394ba9-87fa-11e2-8e18-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Autorun.exe
O33 - MountPoints2\{b96ee1c9-ea38-11e2-b8f1-50465d3dd49a}\Shell - "" = AutoRun
O33 - MountPoints2\{b96ee1c9-ea38-11e2-b8f1-50465d3dd49a}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2011/03/17 03:57:22 | 000,148,320 | R--- | M] ()
O33 - MountPoints2\{d29c3671-880f-11e2-b0b2-2016d84a64a3}\Shell - "" = AutoRun
O33 - MountPoints2\{d29c3671-880f-11e2-b0b2-2016d84a64a3}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2011/03/17 03:57:22 | 000,148,320 | R--- | M] ()
O33 - MountPoints2\{dff573cd-e951-11e2-a70e-001e101f2c0e}\Shell - "" = AutoRun
O33 - MountPoints2\{dff573cd-e951-11e2-a70e-001e101f2c0e}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2011/03/17 03:57:22 | 000,148,320 | R--- | M] ()
O33 - MountPoints2\{f48e431e-87f7-11e2-8928-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{f48e431e-87f7-11e2-8928-806e6f6e6963}\Shell\AutoRun\command - "" = F:\AsInsWiz.exe

:commands
[CREATERESTOREPOINT]
[emptytemp]



- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

.

Please download zoek.zip and save it to your desktop.

- Close any open browsers.

- Temporarily disable your antivirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

- Double-click on zoek.exe to run the tool.
Please be patient while the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:



filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;


- Click on the Run Script button (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png).
Please wait until a log report opens (this can be after a reboot).

- Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named "zoek-results.log".
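As an added example (not from this thread, and not part of OTL or zoek), the script below scans OTL-style log lines for the three indicator classes the fix script above removes: browser start-page and search-scope URLs pointing outside an assumed allowlist of search domains, Run entries launching from a user's Temp folder, and MountPoints2 AutoRun commands. The log lines it runs on are constructed to mimic the log in this thread, and the trusted-domain list is an assumption to adjust per machine.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains a clean browser config is expected to point at (edit to taste).
TRUSTED_SEARCH_DOMAINS = {"www.google.com", "www.bing.com"}

URL_RE = re.compile(r'(https?://[^\s"]+)')
# O4 Run entries: "... \Run: [name] X:\path\file.ext (publisher)"
O4_RE = re.compile(r'^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<path>[A-Za-z]:\\[^()]+?)\s*\(')
# O33 MountPoints2 AutoRun commands on removable/fixed volumes
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<vol>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>\S+)')

# Constructed sample log in OTL's line format; the GUID on the bing line is a placeholder.
SAMPLE_OTL_LOG = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.qvo6.com/?utm_source=b
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.simplesearches.info/?q={searchTerms}
IE - HKLM\..\SearchScopes\{00000000-0000-0000-0000-000000000001}: "URL" = http://www.bing.com/search?q={searchTerms}
FF - prefs.js..browser.search.defaulturl: "http://websearch.simplesearches.info/?pid=821&q="
O4 - HKU\S-1-5-21-1266034173-1240694035-3983495922-1000..\Run: [tsiVideo] C:\Users\asus\AppData\Local\Temp\tsiVi332.dll ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O33 - MountPoints2\{160fbdc3-e15b-11e2-a276-001e101fe5e1}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- [2011/03/17 03:57:22 | 000,148,320 | R--- | M] ()
"""

def check_otl_line(line):
    """Return (rule, detail) if the OTL log line looks like a hijack indicator, else None."""
    line = line.strip()
    # IE/Firefox start page and search settings: flag any URL whose host is not trusted.
    if line.startswith(("IE - ", "IE:[b]64bit:[/b] - ", "FF - ")):
        m = URL_RE.search(line)
        if m:
            host = urlsplit(m.group(1)).hostname or ""
            if host not in TRUSTED_SEARCH_DOMAINS:
                return ("browser-search-hijack", host)
        return None
    # Autostart entries that launch a file from the user's Temp directory.
    m = O4_RE.match(line)
    if m and re.search(r'\\AppData\\Local\\Temp\\', m.group("path"), re.IGNORECASE):
        return ("run-key-from-temp", m.group("path"))
    # Any volume AutoRun command: worth reviewing, as the fix above removes them wholesale.
    m = O33_RE.match(line)
    if m:
        return ("mountpoints2-autorun", m.group("cmd"))
    return None

def scan_otl_log(text):
    """Scan every line of an OTL log and return the list of (rule, detail) hits."""
    hits = []
    for line in text.splitlines():
        hit = check_otl_line(line)
        if hit:
            hits.append(hit)
    return hits
```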

Here the report… What next ? :smiley:

Rerun zoek

Copy the text present inside the code box below and paste it into the large window in the zoek tool:

ndibdjnfmopecpmkdieinmbadjfpblof;chr
C:\ProgramData\\ChromeExt\\avg.crx;chr
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes];r
"DefaultScope"="http://www.google.com";r
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}];r
emptyclsid;
autoclean;

Click on the Run Script button

Save the Notepad file to your Desktop and attach zoek-results.log here

Next zoek-results:

How is your computer behaving now?

My browser homepage is normal right now ;D

And my avast! doesn’t detect the virus activity anymore… looks like my system is back to normal :smiley:

Yup.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes:

- Remove disinfection tools
- Create registry backup
- Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

.

Make sure all your applications and browsers are up to date by visiting the Secunia Online Software Inspector here:

Free Online Computer Scan - Online Software Inspector (OSI) - Secunia
http://secunia.com/vulnerability_scanning/online/

Click 'Start Scanner'
Wait for Status/Currently Processing: at the lower left to say 'Java Applet loaded successfully. (allow java to run) Press "Start" to begin.'
Click 'Start'.
The scan should take less than a minute or so.
When done, download and install all the recommended updates.

Thank You Very Much Mr. Argus ^^

But is it necessary to do an online scan by visiting the Secunia Online Software Inspector?

It’s not necessary :slight_smile:

OK…

I’ve done the scan; it just completed on my PC and did not detect any insecure programs via Secunia OSI :smiley:
Thank you for your help :smiley: