system
1
Hey, I’ve found that my computer has a trojan, Dwm.exe; read about it and it’s a bitcoin miner. It is located here: C:\Users\Appdata\Local\Temp\iswizard
Ran up Malwarebytes and it found these files: iswizard.7z and wuaudit.exe
Tried to delete it with more than one antivirus and couldn’t manage to delete or even spot it. Used Malwarebytes as well; it spotted it but couldn’t remove it (even if you remove it manually, it comes back right after).
What can I do to get rid of this annoying trojan?
Sometimes that temp folder protects itself. If TFC does not work, then run OTL (details here: http://forum.avast.com/index.php?topic=53253.0 ).
system
4
Thank you both, going to try it now
system
5
TFC didn’t work. Used OTL and there’s the log.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
[*]Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE:64bit: - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
IE - HKU\S-1-5-21-1707020488-421807252-2630900403-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE - HKU\S-1-5-21-1707020488-421807252-2630900403-1001\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
O4 - HKU\S-1-5-21-1707020488-421807252-2630900403-1001..\Run: [tsiVideo] C:\Users\Abel\AppData\Local\Temp\tsiVi032.dll ()
:Files
C:\Users\Appdata\Local\Temp\iswizard
:Commands
[resethosts]
[emptytemp]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download Junkware Removal Tool to your desktop.
[*]Right-click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system.
[*]Please be patient, as this can take a while to complete depending on your system’s specifications.
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.
system
7
OTL log
Going to run JRT now
How is the computer now?
system
10
Should I run something to check it? The boot time is less than 1 min and was around 2 min, and I barely install stuff. I usually look at what I am doing, but I can’t guess where all that crap came from.
Qvo6 is a bit of a pain and does come bundled with “free” programmes … See here http://blog.avast.com/
The main thing is Chrome; could you see if Qvo6 is still there?
system
12
It isn’t, not even on IE either. Thanks a lot for the help, without you guys I couldn’t even get rid of this crap. Should I keep any of the programs that I downloaded so I can keep an eye on the system? Because some antivirus don’t detect some stuff and that’s kinda scary…
system
13
Ran Malwarebytes and it found 2 items, exactly the same ones that it found before:
files: iswizard.7z and wuaudit.exe
folder: C:\Users\Appdata\Local\Temp\iswizard
OK, run this OTL fix and post the log that appears after reboot, please.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
[*]Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:Files
C:\Users\Appdata\Local\Temp\iswizard
:Commands
[resethosts]
[emptytemp]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
system
16
Pretty sure it’s fine by now, since Malwarebytes can no longer find the files.
Thanks a lot for the help
If you are happy, then run OTL and press the cleanup button.
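
An added example, not part of the original thread or of OTL itself: a small Python triage of OTL-style lines like those in the fix scripts above, flagging Run-key autoruns that load from a Temp directory and Internet Explorer URL settings that point at an unexpected host. The line format is inferred from the lines quoted in this thread; the sample lines, `EXPECTED_HOSTS` and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts the analyst expects in IE homepage/search settings (assumption for this example).
EXPECTED_HOSTS = {"www.bing.com", "go.microsoft.com"}
TEMP_DIR = re.compile(r"\\(appdata\\local\\temp|windows\\temp)\\", re.I)
# e.g. "O4 - HKU\<sid>..\Run: [name] C:\path\file.dll (vendor)"
AUTORUN = re.compile(
    r"^O4(?::64bit:)? - (?P<key>.+?Run(?:Once)?): \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?)(?: \([^()]*\))?$")
# e.g. 'IE - HKLM\...\Main,Default_Page_URL = http://...' or '...: "URL" = http://...'
IE_URL = re.compile(
    r'^IE(?::64bit:)? - (?P<key>.+?)(?:,|: )"?(?P<value>[\w ]+?)"? = '
    r'(?P<url>https?://\S+)$')

def triage(lines):
    """Return findings as (kind, entry name, detail) tuples, in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        m = AUTORUN.match(line)
        if m:
            # A logon autorun stored in a Temp folder is restarted at every
            # sign-in, so files deleted by hand can reappear.
            if TEMP_DIR.search(m["path"]):
                findings.append(("autorun-from-temp", m["name"], m["path"]))
            continue
        m = IE_URL.match(line)
        if m:
            host = (urlsplit(m["url"]).hostname or "").lower()
            if host not in EXPECTED_HOSTS:
                findings.append(("ie-setting-unexpected-host", m["value"], host))
    return findings

# Constructed sample lines modelled on the format shown in the thread.
SAMPLE = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.example.invalid/?uid=CONSTRUCTED
IE - HKLM\..\SearchScopes\{00000000-0000-0000-0000-000000000000}: "URL" = http://www.bing.com/search?q={searchTerms}
O4 - HKU\S-1-5-21-0-0-0-1001..\Run: [demoEntry] C:\Users\demo\AppData\Local\Temp\demo123.dll ()
O4 - HKLM..\Run: [VendorTray] C:\Program Files (x86)\Vendor\tray.exe (Vendor Inc.)
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```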