Vista Antivirus 2011 - wua.exe
Posted: Thu May 19, 2011 8:45 am
This one is very similar to XP Antivirus and a few others. It is basically another rogue antivirus. The infection occurred on a computer running Windows Vista Home Premium.
How I removed it:
I used Autoruns again and looked for a strange entry, starting first in the Task Manager (Administrador de Tareas). That is where I saw the wua.exe program running. When I ended it manually, the antivirus window disappeared, but it reappeared a few seconds later. I immediately went to Autoruns and looked for what was launching the wua.exe file.
I deleted that entry and everything went back to normal. Finally, Malwarebytes Antimalware removed the rest of the infections:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QueryExplorer Service (Adware.QueryExplorer)
HKEY_CLASSES_ROOT\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato)
HKEY_CLASSES_ROOT\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato)
HKEY_CLASSES_ROOT\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato)
HKEY_CLASSES_ROOT\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100EB1FD-D03E-47FD-81F3-EE91287F9465} (Adware.ShopperReports)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7CDDCDC-BEEB-4685-A062-978F5E07CEEE} (Adware.ShopperReports)
HKEY_CLASSES_ROOT\ShopperReports.Reporter (Adware.ShopperReports)
HKEY_CLASSES_ROOT\ShopperReports.Reporter.1 (Adware.ShopperReports)
HKEY_LOCAL_MACHINE\SOFTWARE\QueryExplorer (Adware.QueryExplorer)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QueryExplorer (Adware.QueryExplorer)
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\SRS_IT_E8790571B576555B31AB93 (Malware.Trace) -> Value: SRS_IT_E8790571B576555B31AB93
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\usuario\AppData\Local\wua.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe)
Folders Infected:
c:\programdata\queryexplorer (Adware.QueryExplorer)
c:\program files\mozilla firefox\extensions\{27e679cc-6aab-4b2a-bb87-096fe4178464} (Adware.QueryExplorer)
c:\program files\mozilla firefox\extensions\{27e679cc-6aab-4b2a-bb87-096fe4178464}\chrome (Adware.QueryExplorer)
c:\program files\mozilla firefox\extensions\{27e679cc-6aab-4b2a-bb87-096fe4178464}\defaults (Adware.QueryExplorer)
c:\program files\mozilla firefox\extensions\{27e679cc-6aab-4b2a-bb87-096fe4178464}\defaults\preferences (Adware.QueryExplorer)
c:\program files\queryexplorer (Adware.QueryExplorer)
Files Infected:
c:\programdata\queryexplorer\queryexplorer117.exe (Adware.QueryExplorer)
c:\Users\usuario\downloads\pcmightymax2009_320.exe (Rogue.PCMightyMax)
c:\Users\usuario\downloads\xvidsetup(2).exe (Adware.Hotbar.Gen)
c:\Users\usuario\downloads\xvidsetup.exe (Adware.Hotbar)
c:\Users\usuario\local settings\application data\wua.exe (Trojan.ExeShell.Gen)
c:\program files\mozilla firefox\extensions\{27e679cc-6aab-4b2a-bb87-096fe4178464}\chrome.manifest (Adware.QueryExplorer)
c:\program files\mozilla firefox\extensions\{27e679cc-6aab-4b2a-bb87-096fe4178464}\install.rdf (Adware.QueryExplorer)
c:\program files\mozilla firefox\extensions\{27e679cc-6aab-4b2a-bb87-096fe4178464}\chrome\queryexplorer.jar (Adware.QueryExplorer)
c:\program files\mozilla firefox\extensions\{27e679cc-6aab-4b2a-bb87-096fe4178464}\defaults\preferences\prefs.js (Adware.QueryExplorer)
c:\program files\queryexplorer\queryexplorer.exe (Adware.QueryExplorer)
c:\program files\queryexplorer\uninstall.exe (Adware.QueryExplorer)
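The Malwarebytes log above shows the three things this rogue did to keep itself in control: it hijacked the .exe file association (Hijack.ExeFile), rewrote the Start Menu "Internet" command so Internet Explorer launched through wua.exe (Hijack.StartMenuInternet), and ran wua.exe from the user's AppData\Local folder. The following PowerShell script is an added, read-only audit that checks exactly those spots; it is not from the original post or from any of the tools mentioned. The registry paths come from the log, while the "expected" stock values and the scan patterns are my assumptions for a normal Windows install.

```powershell
# Added example (not from the original post): read-only audit of the
# persistence and hijack points reported in the Malwarebytes log above.
# Run from an elevated PowerShell on the suspect machine.

function Get-DefaultValue {
    param([string]$Path)
    # The unnamed "(default)" value of a registry key, or $null if absent.
    try { (Get-ItemProperty -Path $Path -ErrorAction Stop).'(default)' }
    catch { $null }
}

$findings = @()

# 1. EXE file-association hijack (Hijack.ExeFile in the log).
#    Assumption: the stock handler is exactly "%1" %* under HKCR\exefile.
#    Stock Windows defines no shell\open\command under HKCR\.exe at all,
#    so its mere presence is worth reporting.
$exefile = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($null -ne $exefile -and $exefile -ne '"%1" %*') {
    $findings += [pscustomobject]@{ Check = 'ExeFile association'; Location = 'HKCR\exefile\shell\open\command'; Value = $exefile }
}
$dotExe = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'
if ($null -ne $dotExe) {
    $findings += [pscustomobject]@{ Check = 'ExeFile association'; Location = 'HKCR\.exe\shell\open\command'; Value = $dotExe }
}

# 2. Start Menu Internet hijack (Hijack.StartMenuInternet in the log).
#    The bad value chained two executables ("...\wua.exe" -a "...\iexplore.exe").
#    Flag a command that does not end in iexplore.exe or that names more than one .exe.
$smiKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
$smi = Get-DefaultValue $smiKey
if ($null -ne $smi) {
    $exeCount = ([regex]::Matches($smi, '\.exe', 'IgnoreCase')).Count
    if ($smi -notmatch 'iexplore\.exe"?\s*$' -or $exeCount -gt 1) {
        $findings += [pscustomobject]@{ Check = 'StartMenuInternet'; Location = $smiKey; Value = $smi }
    }
}

# 3. Autorun entries that launch something from the per-user AppData\Local folder
#    (where wua.exe lived), or that name wua.exe directly. Patterns are assumptions.
$suspicious = '\\AppData\\Local\\|\\Local Settings\\Application Data\\|wua\.exe'
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($rk in $runKeys) {
    if (-not (Test-Path $rk)) { continue }
    $props = Get-ItemProperty -Path $rk
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, ...
        $cmd = [string]$p.Value
        if ($cmd -match $suspicious) {
            $findings += [pscustomobject]@{ Check = 'Autorun'; Location = "$rk\$($p.Name)"; Value = $cmd }
        }
    }
}

# 4. Is the dropped binary still on disk? On Vista, "Local Settings\Application Data"
#    is a junction to AppData\Local, so one path check covers both spellings in the log.
$dropped = Join-Path $env:LOCALAPPDATA 'wua.exe'
if (Test-Path $dropped) {
    $findings += [pscustomobject]@{ Check = 'File present'; Location = $dropped; Value = (Get-Item $dropped).Length }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ExeFile/StartMenuInternet hijack or suspicious autorun found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

The script only reads; nothing is deleted, so it is safe to run before and after a cleanup to confirm the association and the Start Menu command are back to their stock values. Because the rogue rewrote the .exe association, launching tools by double-clicking may have been proxied through wua.exe on the infected machine; running the audit from an already-open PowerShell session, or after ending the process as the post describes, avoids that.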