BITCOIN TROJAN and dwm.exe

Hey I’ve found that my computer has a trojan bitcoin miner. It is located here C:\Users\admin\AppData\Local\Temp\iswizard05\dwm.exe…

I have run many many anti viruses and anti malwares(including malwarebytes,Quickheal antimalware).They detect and repair the file but it appears again after sometime.

I tried to delete the iswizard05 folder but it appears again.

Please help.

Hi,

I suspect I know what is wrong but cannot fix it. In order for someone else to help you follow this guide.

Note, Attach all of your MBAM Log files.

Guide: http://forum.avast.com/index.php?topic=53253.0

Attach OTL and aswMBR

Note, aswMBR is compatible w/ Windows 7 only

I had not used “MALWAREBYTES” earlier earlier. (i mentioned it by mistake.sorry for the mistake).

I performed the check right now.

MBAM log is here…

I am in Monitor mode . . .

I can give you a analysis or fix when I see the OTL logs. :slight_smile:

OTL logs…

Hi lokesh13793,

You have an interesting new variant of adware that even modify the LSP (Layered Service Provider) chain. This can be tricky, therefore after OTL we shall deploy ComboFix to fix this and some other stuff …

Also, can you post the aswMBR log as well?

=> Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:PROCESSES KillAllProcesses

:COMMANDS
[CREATERESTOREPOINT]

:SERVICES
SBUpd
VideoAcceleratorService

:FILES
ipconfig /flushdns /c
C:\Users\admin\AppData\Roaming\Yontoo
C:\Program Files (x86)\Yontoo
C:\Program Files (x86)\SpeedBit Video Accelerator
C:\Program Files\Common Files\SpeedBit
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\r32yi8db.default\extensions{7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D}
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\r32yi8db.default\searchplugins\speedbit.xml
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\r32yi8db.default\searchplugins\SweetIM Search.xml
C:\USERS\ADMIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\R32YI8DB.DEFAULT\EXTENSIONS\PLUGIN@YONTOO.COM
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\palpbfjgianahgbbeodmcohjdmaelbeo
C:\Users\admin\AppData\Local\Conduit
C:\Program Files (x86)\WinZip Registry Optimizer
C:\Users\admin\Desktop\greendetect

:REG
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
“{75DEED91-7B14-49DC-A5F3-B60E633AC4A5}”=-
“{889DF117-14D1-44EE-9F31-C5FB5D47F68B}”=-
“Quick Heal AntiVirus Pro”=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
“SpeedBit Video Accelerator”=-

:OTL
@Alternate Data Stream - 172 bytes → C:\ProgramData\TEMP:D5FBE8F9
@Alternate Data Stream - 149 bytes → C:\ProgramData\TEMP:05E9FFE5
@Alternate Data Stream - 132 bytes → C:\ProgramData\TEMP:862BDB1A
@Alternate Data Stream - 122 bytes → C:\ProgramData\TEMP:56E2E879
IE - HKLM..\SearchScopes{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: “URL” = http://home.speedbit.com/search.aspx?site=shdefault&pid=%s&aid=%s&shr=%d&q={searchTerms}
IE - HKU\S-1-5-21-809820033-1606449299-2475194092-1000..\SearchScopes{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: “URL” = http://go.speedbit.com/search.aspx?s=Unknown&q={searchTerms}
FF - prefs.js…browser.search.defaultenginename: “Speedbit”
FF - prefs.js…browser.search.defaulturl: “http://go.speedbit.com/search.aspx?s=D3UaWIT8&q=
FF - prefs.js…browser.search.order.1: “Speedbit Search”
FF - prefs.js…extensions.enabledAddons: plugin%40yontoo.com:1.20.02
FF - prefs.js…extensions.enabledAddons: %7B7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D%7D:1.6.55.1
FF - prefs.js…extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:24.0
FF - prefs.js…keyword.URL: “http://go.speedbit.com/search.aspx?s=Unknown&q=
CHR - Extension: IDM Integration = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm\6.15.8_0
CHR - Extension: Speedbit New Tab = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\palpbfjgianahgbbeodmcohjdmaelbeo\1.0_1
O2:64bit: - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No CLSID value found.
O3 - HKU\S-1-5-21-809820033-1606449299-2475194092-1000..\Toolbar\WebBrowser: (no name) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - No CLSID value found.
O16 - DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} https://browsercheck.qualys.com/qbc_ax.cab (Reg Error: Key error.)

:COMMANDS
[EMPTYTEMP]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:_OTL\MovedFiles\mmddyyyy_hhmmss.log

======================================
Next …

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  1. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  1. Run ComboFix. Click on I Agree!

[i][size=7pt]- ComboFix will display DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.[/size]
    -If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
    [/i]

  1. When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
    Attach log reports ( ComboFix.txt) back to topic.

======================================
Re-check …

Re-run OTL, just hit the QuickScan and post me fresh OTL.txt logreprot.

I will be just providing the aswMBR logs…

I wanted to ask can I use uTorrent or Bittorrent to download torrents??

awsMBR is performing the scan.

I will be running the OTL fix after that.
Does the OTL fix provided involve uninstalling QUICKHEAL???

aswMBR log file

I guess the OTL fix code line-

“Quick Heal AntiVirus Pro”=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

will uninstall my antivirus. :-
Its an original one which I have purchased.
Can I install it again afterwards??

I have mix it up the words “AntiVirus Pro” with one known Rogue program + I do not see him as running … ??? And I did not even know that it exists … ;D

PS: Why do you use that unknown antivirus as Quick Heal AntiVirus Pro while you can buy avast ( better AV ) or use the free version?
Known that I am not member of avast tim, I am volunteer, that’s why I’m saying …

Wait, I’ll re-code the script for OTL …

Ok, this is fixed OTL Script. Run this one …

:PROCESSES KillAllProcesses

:COMMANDS
[CREATERESTOREPOINT]

:SERVICES
SBUpd
VideoAcceleratorService

:FILES
ipconfig /flushdns /c
C:\Users\admin\AppData\Roaming\Yontoo
C:\Program Files (x86)\Yontoo
C:\Program Files (x86)\SpeedBit Video Accelerator
C:\Program Files\Common Files\SpeedBit
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\r32yi8db.default\extensions{7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D}
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\r32yi8db.default\searchplugins\speedbit.xml
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\r32yi8db.default\searchplugins\SweetIM Search.xml
C:\USERS\ADMIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\R32YI8DB.DEFAULT\EXTENSIONS\PLUGIN@YONTOO.COM
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\palpbfjgianahgbbeodmcohjdmaelbeo
C:\Users\admin\AppData\Local\Conduit
C:\Program Files (x86)\WinZip Registry Optimizer
C:\Users\admin\Desktop\greendetect

:REG
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
“{889DF117-14D1-44EE-9F31-C5FB5D47F68B}”=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
“SpeedBit Video Accelerator”=-

:OTL
@Alternate Data Stream - 172 bytes → C:\ProgramData\TEMP:D5FBE8F9
@Alternate Data Stream - 149 bytes → C:\ProgramData\TEMP:05E9FFE5
@Alternate Data Stream - 132 bytes → C:\ProgramData\TEMP:862BDB1A
@Alternate Data Stream - 122 bytes → C:\ProgramData\TEMP:56E2E879
IE - HKLM..\SearchScopes{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: “URL” = http://home.speedbit.com/search.aspx?site=shdefault&pid=%s&aid=%s&shr=%d&q={searchTerms}
IE - HKU\S-1-5-21-809820033-1606449299-2475194092-1000..\SearchScopes{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: “URL” = http://go.speedbit.com/search.aspx?s=Unknown&q={searchTerms}
FF - prefs.js…browser.search.defaultenginename: “Speedbit”
FF - prefs.js…browser.search.defaulturl: “http://go.speedbit.com/search.aspx?s=D3UaWIT8&q=
FF - prefs.js…browser.search.order.1: “Speedbit Search”
FF - prefs.js…extensions.enabledAddons: plugin%40yontoo.com:1.20.02
FF - prefs.js…extensions.enabledAddons: %7B7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D%7D:1.6.55.1
FF - prefs.js…extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:24.0
FF - prefs.js…keyword.URL: “http://go.speedbit.com/search.aspx?s=Unknown&q=
CHR - Extension: IDM Integration = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm\6.15.8_0
CHR - Extension: Speedbit New Tab = C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\palpbfjgianahgbbeodmcohjdmaelbeo\1.0_1
O2:64bit: - BHO: (no name) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - No CLSID value found.
O3 - HKU\S-1-5-21-809820033-1606449299-2475194092-1000..\Toolbar\WebBrowser: (no name) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - No CLSID value found.
O16 - DPF: {7D2FB79E-E58C-4DB5-A36F-AC1C73967F4D} https://browsercheck.qualys.com/qbc_ax.cab (Reg Error: Key error.)

:COMMANDS
[EMPTYTEMP]

My computer vendor adviced for QUICKHEAL,so I bought it and have been buying it for past 5 years.
My friends have suggested AVAST.
QuickHeal AV will expire in SEPTEMBER,2014.

Now I am going to buy AVAST for sure as it is better and has got this awesome forum.

One more thing I asked can I use BITTORENT for downloading?

I am not able to access my internet after running the OTL script.
please help.
I need my internet urgently.

Hi,

I have to go now. We shall continue later.

In OTL Script there is nothing that is related to internet conection. OTL is not the cause of internet faliure. Without OTL Fix logs I can’t tell you much.
Continue with ComboFix. CF shall attempt to restore internet connection. Post here bouth logs …

Do not worry, it will solve this thing. :wink:

PS: Or you can use system restore. OTL has been created system restore point before execution …

I need to go now …

Later …

i can’t access the internet using the pc.
i can access it using my mobile as i have a wigi.

please help. :cry:

Can anyone else help me out??? :cry:

MAGNA 86,Thanx for your help. 8)

It proved to be helpful.

My PC is running normally now. :slight_smile:

BITCOIN TROJAN dmw.exe hasn’t been detected again. :smiley:

Thank you very much.
Will contact again if any problem occurs.

Logs?

We’re not done yet.