
Cannot get rid of WUAuthHost.exe and dcomcnfg.exe malware


4 replies to this topic

#1 confuxion

confuxion

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:09:00 PM

Posted 23 August 2013 - 11:03 PM

About two weeks ago, I downloaded the UseNext Usenet software to give it a trial run. It was around this time that I just by chance noticed a weird file in my C:\Program Files\Common Files\ folder named "WUAuthHost.exe". It jumped out at me b/c the file's icon was a picture of a naked lady's backside. I have no idea if I can truly correlate this malware to my use of the UseNext software.

 

My first inclination was to run a scan using Malwarebytes Anti-Malware 1.75 (most recent version). As I suspected, I was infected, and in addition to there being some infected Registry entries (see screenshot below of Malwarebytes' Quarantine), there were two files that Malwarebytes pointed to:

 

C:\Program Files\Common Files\WUAuthHost.exe

C:\Users\[NAME]\AppData\Local\Temp\dcomcnfg.exe  (this file would alternately show up at C:\Users\[NAME]\AppData\Roaming\dcomcnfg.exe)

 

Upon telling Malwarebytes to get rid of these nefarious entries, I received a prompt telling me that I needed to restart in order to fully remove them. Now, from prior experience with Malwarebytes, I was under the impression that the program would automatically launch once I rebooted, to at least let me know that it had removed the infections. This did not happen, and, again, I'm not sure if this is part of the problem. So, after rebooting, I simply launched MWB manually, went to the Quarantine tab, and there were the entries that were originally found! I figured I was out of the woods. But then I discovered that those same two files had reappeared, despite MWB appearing to have quarantined them. There is also a process that I noticed in the Task Manager called "Windows Audio HDi Driver", and it's located at C:\Windows\system32\audiohd.exe. There is also a startup entry for this process, which only reappears (upon rebooting) after I delete it.

 

You can see from the screenshot at the end of this post that there are multiple instances of the malware MWB discovered, all purporting to be in the quarantine. But all I have to do is reboot and they will be back in the same locations they've been appearing in. I'm not sure if MWB is malfunctioning, and not properly getting rid of this malware when it should be, or if it just keeps coming back each time after I quarantine and reboot. Regardless, I'm looking for some expertise in getting rid of this malware. Thanks in advance to anyone kind enough to help me.

 

Additionally, I just finished running an antivirus scan on my "C:" drive, Operating Memory, and Boot Sector using Eset NOD32 Antivirus v6 (most recent version), and it said no threats were detected.

 

BTW - All of the options are selected on the Protection tab of MWB, fwiw.

 

mwbytes-quarantine-ss.jpg




 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:00 AM

Posted 24 August 2013 - 04:25 AM

Antivirus Report of wuauthhost.exe: wuauthhost.exe - Malware
wuauthhost.exe - Dangerous
wuauthhost.exe - High Risk
WUAuthHost.exe is Trojan/Backdoor
.

Download Security Check by Screen317
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.



Download MiniToolBox, Save it to your desktop and run it.
Checkmark the following boxes:
•List last 10 Event Viewer log
•List Installed Programs
•List Users, Partitions and Memory size.
•List Minidump Files
Click Go and copy / paste the result (Result.txt).

If you have either of the following 2 programs installed, be sure to Update them and then run a Full Scan -

Please download Malwarebytes Anti-Malware Free (aka MBAM)
Do not accept the Free Trial Version offered at this time ............
* Double-click MBAM -setup.exe and follow the prompts to install the program.
* At the end, be sure to Check for Updates so it is current
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Scan, then click Quick Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
If you are not sure of any items, post the log and ask if it should be removed.
Be sure to reboot the computer after you post the log.


Download SUPERAntiSpyware Free (aka SAS)
Do not accept the 14 day Free Trial Version offered at this time .............
* Double-click SAS -setup.exe and follow the prompts to install the program.
* At the end, be sure to Check for Updates so it is current
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to reboot the computer after you post the log.
 

Please download AdwCleaner by Xplode onto your desktop.
* Close all open programs and internet browsers.
* Double click on adwcleaner.exe to run the tool.
* Click on Delete.
* Confirm each time with Ok.
* NOTE : Your computer will be rebooted automatically, and a log file will open after the restart.
* Please post the contents of that logfile with your next reply.
* You can find the logfile at C:\AdwCleaner[S1].txt as well.


See This Page for general details on Windows Audio HDi Driver - (Related to above infection)
 

Download TFC to your desktop

This will remove Junk / Temp Files that are no longer needed and may interfere with later work
• Close any / all open windows.
• Double click the TFC icon to run the program
• TFC will now close all open programs by itself in order to run.
• Click the Start button to begin the process.

• Allow TFC to run uninterrupted.
• The program should not take long to finish its job
• Once it's finished it may automatically reboot your machine.
• If it doesn't, please manually reboot to ensure a complete clean

 

Once you post these reports, we can decide on a next step.

Thank You -


Edited by noknojon, 24 August 2013 - 04:28 AM.


#3 confuxion

confuxion
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:09:00 PM

Posted 25 August 2013 - 09:52 AM

Thank you so much, noknojon, for being willing to help me! The strangest thing has happened, though. For some reason, MBAM appeared to clean up all traces of this malware. Perhaps it just needed to be run as many times as it did to finally get rid of the malware. All I know is that those files I referred to are no longer there, there are no longer any startup entries for their processes, and everything appears to be okay. Is there any chance that this malware lies "dormant" for a period of time and then reappears? Hopefully not. I'm going to run one more full scan with MBAM to double-check that the malware is no longer there. Thanks for your help regardless!
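
A way to re-check, after each reboot, for the files and startup entries named in this thread. This is an added example and not part of the original posts; the Run-key locations are the standard Windows autorun keys and are an assumption, since the thread does not say where the startup entry was registered.

```powershell
# Added example: re-check the artifacts named in this thread after a reboot.
# File names and folders come from the first post. The Run keys below are the
# standard per-machine and per-user autorun keys (assumed; the thread does not
# say where the "Windows Audio HDi Driver" startup entry was registered).
$names = 'WUAuthHost.exe', 'dcomcnfg.exe', 'audiohd.exe'

# A genuine dcomcnfg.exe ships with Windows in System32, so only the Temp and
# Roaming copies reported in the post are checked here.
$paths = @(
    (Join-Path $env:CommonProgramFiles 'WUAuthHost.exe'),
    (Join-Path $env:TEMP 'dcomcnfg.exe'),
    (Join-Path $env:APPDATA 'dcomcnfg.exe'),
    (Join-Path $env:SystemRoot 'System32\audiohd.exe')
)

# Record timestamp and hash so a file that reappears can be compared between runs.
$files = foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $hash = Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction SilentlyContinue
        [pscustomobject]@{ Kind = 'File'; Location = $p
                           Detail = "modified $($item.LastWriteTime)"; SHA256 = $hash.Hash }
    }
}

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Flag any autorun value whose command line references one of the file names.
$autoruns = foreach ($k in $runKeys) {
    $key = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($v in $key.GetValueNames()) {
        $data = [string]$key.GetValue($v)
        if ($data -match $pattern) {
            [pscustomobject]@{ Kind = 'Run value'; Location = "$k\$v"
                               Detail = $data; SHA256 = $null }
        }
    }
}

$hits = @($files; $autoruns) | Where-Object { $_ }
if ($hits) { $hits | Format-List }
else { 'None of the listed files or Run values are present.' }
```

An empty result only covers these paths and keys; other autorun mechanisms such as services, scheduled tasks and the Startup folder are not inspected.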



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:00 AM

Posted 25 August 2013 - 04:49 PM

<< Is there any chance that this malware lies "dormant" for a period of time and then reappears? >>

Without knowing of the infection in greater detail (even a name) I can not answer that.

 

I will keep an eye here for a few days if the problem arises again -

 

Regards -



#5 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:00 AM

Posted 05 September 2013 - 07:03 PM

As you have not asked for more help in the past 2 weeks, we will assume the problem is fixed.

 

Please start a new topic if you have other problems ...........

 

Thank You -





