Dwm.exe, bitcoin miner trojan

Hey, I’ve found that my computer has a trojan, Dwm.exe. I read about it and it’s a bitcoin miner. It is located here: C\Users\Appdata\Local\Temp\iswizard

Ran Malwarebytes and it found these files: iswizard.7z and wuaudit.exe

Tried to delete it with more than one antivirus and couldn’t manage to delete it or even spot it. Used Malwarebytes as well; it spotted it but couldn’t remove it (even if you remove it manually, it comes back right after).

What can I do to get rid of this annoying trojan?

Sometimes that temp folder protects itself, if TFC does not work then run OTL (details here http://forum.avast.com/index.php?topic=53253.0 )

Thank you both, going to try it now

TFC didn’t work. Used OTL and there’s the log.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE:64bit: - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
IE - HKU\S-1-5-21-1707020488-421807252-2630900403-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE - HKU\S-1-5-21-1707020488-421807252-2630900403-1001\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
O4 - HKU\S-1-5-21-1707020488-421807252-2630900403-1001..\Run: [tsiVideo] C:\Users\Abel\AppData\Local\Temp\tsiVi032.dll ()


:Files
C:\Users\Appdata\Local\Temp\iswizard 

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Junkware Removal Tool to your desktop.

[*]Right-mouse click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system
[*]Please be patient, as this can take a while to complete depending on your system’s specifications
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open
[*]Post the contents of JRT.txt into your next message.
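An added example, not part of the original thread and not code from OTL or its authors: a small triage pass over OTL-style log lines that flags the two patterns the fix above targets, a Run-key entry that loads from a Temp directory and Internet Explorer start-page or search-scope URLs pointing at an unexpected host. The sample lines are constructed from the format shown in the fix (query strings shortened, SID replaced by a placeholder), and the `ALLOWED_HOSTS` allow-list and the `ExampleUpdater` entry are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the OTL line format shown in the fix above;
# query strings are shortened and the SID is a placeholder.
SAMPLE = r'''
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&uid=EXAMPLE
IE:64bit: - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?uid=EXAMPLE
IE - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
O4 - HKU\S-1-5-21-EXAMPLE-1001..\Run: [tsiVideo] C:\Users\Abel\AppData\Local\Temp\tsiVi032.dll ()
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files (x86)\Example\updater.exe (Example Corp)
'''

# "O4 - <hive>..\Run: [name] path (vendor)"; greedy path so "(x86)" survives.
RUN_RE = re.compile(r'^O4 .*?\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<path>.+) \([^()]*\)\s*$', re.I)
IE_URL_RE = re.compile(r'^IE(?::64bit:)? - (?P<key>.+?) = (?P<url>https?://\S+)$', re.I)
TEMP_RE = re.compile(r'\\(?:Temp|Tmp)\\', re.I)
# Assumed allow-list of hosts considered normal for IE defaults; adjust per site.
ALLOWED_HOSTS = ("microsoft.com", "msn.com", "bing.com")

def triage(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, name_or_key, detail) tuples for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            # Legitimate software rarely autostarts from a Temp directory.
            if TEMP_RE.search(run["path"]):
                findings.append(("autorun-from-temp", run["name"], run["path"]))
            continue
        ie = IE_URL_RE.match(line)
        if not ie:
            continue
        host = (urlsplit(ie["url"]).hostname or "").lower()
        if not any(host == h or host.endswith("." + h) for h in allowed_hosts):
            findings.append(("ie-setting-redirect", ie["key"], host))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```
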

OTL log
Going to run JRT now

JRT log

How is the computer now ?

Should I run something to check it? The boot time is less than 1min and was around 2min, and I barely install stuff. I usually look at what I am doing, but I can’t guess where all that crap came from.

Qvo6 is a bit of a pain and does come bundled with “free” programmes … See here http://blog.avast.com/

The main thing is Chrome: could you see if Qvo6 is still there?

It isn’t, not even on IE either. Thanks a lot for the help, without you guys I couldn’t even get rid of this crap. Should I keep any of the programs that I downloaded so I can keep an eye on the system? Because some antivirus programs don’t detect some stuff and that’s kinda scary…

Ran Malwarebytes and it found 2 items, exactly the same ones that it found before :frowning:

files: iswizard.7z and wuaudit.exe

folder: C\Users\Appdata\Local\Temp\iswizard

OK run this OTL fix and post the log that appears after reboot please

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:Files
C:\Users\Appdata\Local\Temp\iswizard

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

OTL log

Pretty sure it’s fine by now, since Malwarebytes can no longer find the files.
Thanks a lot for the help.

If you are happy then run OTL and press the cleanup button :slight_smile: