“Wuapp.exe” Monero Miner Virus. How to remove.

De Master Yoda

Staff member

This article has been created in order to help you by explaining how to remove the wuapp.exe Monero cryptocurrency miner malware from your computer and how to restore your computer back to working state.

New cryptocurrency miner infects user computers after which hijackers the legitimate wuapp.exe Windows Update process and uses it in order to mine for the cryptocurrency Monero. The virus makes sure that the victim’s computer is connected to a Monero mining pool and this results in the cryptocurrency being mined at the expense of the victim’s CPU and GPU resources. If your wuapp.exe process is ramping up the temperature of your GPU, there is a good chance that your PC may have been infected with the wuapp.exe miner malware. If this is the case, we advise you to read the following article.

Threat Summary
Name wuapp.exe Miner
Type Miner malware.
Short Description Hijacks the Windows Update Service process in order to mine for the cryptocurrency Monero.
Symptoms The wuapp.exe process running in the background with an elevated GPU usage and hightened temperature.
Distribution Method Via malicious websites, malicious e-mails as well as other methods of replication.
Detection Tool See If Your System Has Been Affected by wuapp.exe Miner

Wuapp.exe Miner Malware – Infection
In order to infect computers, the wuapp.exe miner does not target any computer in particular, but rather spreads via massive distribution tools, like spam bots that send web links online on forums or chats or files uploaded for free download online. Such files are often:

  • Fake setups of a program you may be looking for.
  • Key generators.
  • Software license activators.
In addition to simply being uploaded passively online, the wuapp.exe miner may also contain various different types of files or infection scripts on URLs that can be spread via malicous spam e-mails that may be sent to you via spam bots, configured to make the spam e-mails appear very realistic and trustworthy, like the fake dropbox e-mail below, containing link to an external malicious site:

Nijaz Muratović

It can't be detected using task manager. I detected it using procmon from sysinternals.com or proxifier from proxifier.com. When task manager is opened wuapp.exe immediately closes before it can be seen with task manager. Easiest to detect by running procmon and opening filters and command line button and i see this command line being active:
"C:\Windows\System32\wuapp.exe" -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u zcashminer@gmx.com -p x -t 1
One way to stop virus is to simply open task manager. You'll notice fan will stop blowing so fast.
Also I knew cpu usage was supposed to be high, but cpu usage won't be seen in task manager because as i said it closes. I think virus came with some flashing tool from hovatek.com which is for android mediatek phones. Tool didn't work fully. And work in temp folder, hides all real files...suspicious.

Oh but I could not detect who is running it. Which app. Noticed suspicious scheduled task and removed all. Also nothing in startup... But in task manager was visible win32.exe and location is C:\Users\Nijaz\AppData\Local\kAUNCUkNWH. So look like this app is guilty!!!

yes win32.exe was running that command, when i ended that task and removed it didn't restart
previously it would restart that command (visible in proxifier) immediately as soon as task manager is closed!