Help with Malware (DWM.exe Trojan.BitcoinMiner)

Hi there everyone.

I recently bought the Legendary Edition of Skyrim off Steam, and fell in love with modding. In my fervor, I forgot about the possibilities of infected mods - and got caught because of it.

So now, I’ve got a trojan I can’t get rid of.

I installed Malwarebytes and it regularly pops up with prompts about the trojan (as well as blocking attempts to access uTorrent.exe, as well as an avast process occasionally, avchost.exe I think) and I remove them, but they just keep coming back. I run scans with avast and malwarebytes, and they keep coming back.

I’m not exactly the greatest with computers, so if anyone could help me with this (as well as making it simplistic enough to follow) it would be greatly appreciated, as I wouldn’t have the first clue about where to start.

Do what is shown here: http://forum.avast.com/index.php?topic=53253.0

Run in order listed and ATTACH the logs.

After that malware removers will be notified. :smiley:

here we go!

final log attached.

malware removers are notified…

Your AdwCleaner log says search; to remove the crap found, run it again and click delete.
Same with Malwarebytes… update Malwarebytes, run a quick scan… click remove selected.

Monitoring.

Hi,

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
O4 - HKU\S-1-5-21-510831596-2570460828-551723652-1000..\Run: [tsiVideo] C:\Users\Smuggle\AppData\Local\Temp\tsiVi032.dll ()
O33 - MountPoints2\{ba8a9655-2455-11e2-92b1-902b34a73991}\Shell - "" = AutoRun
O33 - MountPoints2\{ba8a9655-2455-11e2-92b1-902b34a73991}\Shell\AutoRun\command - "" = F:\Setup.exe -- [2013/06/27 20:41:31 | 001,180,229 | R--- | M] (Wizards of the Coast LLC    
MOD - [2013/08/06 15:18:47 | 001,504,256 | ---- | M] () -- C:\Users\Smuggle\AppData\Local\Temp\tsiVi032.dll
@Alternate Data Stream - 1121 bytes -> C:\Users\Smuggle\AppData\Local\Temp:SVUY267gkL0tIL2kZxxQdN

:commands
[CREATERESTOREPOINT]
[emptytemp]



[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

Thanks for the help!

How is your computer behaving now?

I think that might’ve done the trick, just ran Malwarebytes again and 0 infected files!

Thank you so much for your help!!

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

I recommend using MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will also immediately clean the flash drive, memory card or external HDD.

Hello

Today avast comes with a message every few minutes about a trojan horse: wuaudit.exe & win32BitCoinMiner.

It has slowed down my pc and although I manually delete the folder in C\users\username\AppData\local\temp\iswizard\waudit.exe it somehow manages to show up again.

I also scanned and removed all problems found by Malwarebytes Anti-Malware and HitmanPro 3, but that didn’t fix the problem.

I think I did the procedure listed in http://forum.avast.com/index.php?topic=53253.0 and now I have 3 log files ready to send to you in case you could help me.

Thanks a lot for your time

@stamopoulos

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.


:OTL
MOD - [2013/08/19 09:12:30 | 001,504,768 | ---- | M] () -- C:\Users\George\AppData\Local\Temp\tsiVi332.dll
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://websearch.pur-esult.info/?pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.pur-esult.info/?l=1&q={searchTerms}&pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR
IE - HKU\S-1-5-21-1090180737-2106620449-67545335-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://websearch.pur-esult.info/?pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR
IE - HKU\S-1-5-21-1090180737-2106620449-67545335-1000\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.pur-esult.info/?l=1&q={searchTerms}&pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR
FF - prefs.js..browser.search.defaulturl: "http://websearch.pur-esult.info/?pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR&l=1&q="
FF - prefs.js..browser.search.order.1: "WebSearch"
FF - prefs.js..browser.search.order.1,S: S", "WebSearch"
FF - prefs.js..browser.search.selectedEngine,S: S", "WebSearch"
FF - prefs.js..browser.search.defaultenginename,S: S", "WebSearch"
FF - prefs.js..keyword.URL: "http://websearch.pur-esult.info/?pid=722&r=2013/08/18&hid=2708562839&lg=EN&cc=GR&l=1&q="
[2013/08/18 12:37:56 | 000,007,828 | ---- | M] () -- C:\Users\George\AppData\Roaming\Mozilla\Firefox\Profiles\il3le3rz.default\searchplugins\WebSearch.xml
O4 - HKU\S-1-5-21-1090180737-2106620449-67545335-1000..\Run: [tsiVideo] C:\Users\George\AppData\Local\Temp\tsiVi332.dll ()
O33 - MountPoints2\{dc5dc6a4-e220-11e2-89fd-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{dc5dc6a4-e220-11e2-89fd-806e6f6e6963}\Shell\AutoRun\command - "" = E:\Install.exe -- [2007/03/21 17:54:34 | 001,787,904 | R--- | M] (RUNET www.runet-software.com)

:commands
[CREATERESTOREPOINT]
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
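Added example, not part of the thread and not OTL's own code: a read-only PowerShell inventory of the persistence points the two OTL fixes above (the tsiVideo Run entry, the MountPoints2 AutoRun handlers, the alternate data stream on Temp, the DLL dropped in Temp, and the IE start page / search scope entries in the second fix) are aimed at, so the affected user can confirm after the fix that nothing of the kind is left. It assumes PowerShell 5.1 or later (for `Get-Item -Stream` on a directory) and that it is run as the user whose profile was infected; HKCU is that user's hive, the same one OTL shows as HKU\S-1-5-21-…. The function name `Get-UserPersistenceFindings` is mine.

```powershell
# Added example (not from the thread or from OTL): read-only inventory of the persistence
# points the OTL fixes above removed, for the current user. Assumes PowerShell 5.1 or later
# and that it runs as the user whose profile was infected.

function Get-UserPersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $temp = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')

    # 1. Per-user Run key (OTL "O4 - HKU\...\Run"). Anything launched from the user's Temp
    #    folder, like the tsiVideo entry, is flagged; other entries are listed for review.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            $fromTemp = ("$($p.Value)" -like "*$temp*") -or ("$($p.Value)" -like '*\AppData\Local\Temp\*')
            $findings.Add([pscustomobject]@{ Check = 'Run'; Name = $p.Name; Detail = $p.Value; Suspicious = $fromTemp })
        }
    }

    # 2. MountPoints2 AutoRun handlers (OTL "O33"). Explorer records an autorun.inf command
    #    per removable volume here; every recorded command is worth a look.
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    foreach ($vol in Get-ChildItem -Path $mp -ErrorAction SilentlyContinue) {
        $cmdKey = Join-Path -Path $vol.PSPath -ChildPath 'Shell\AutoRun\command'
        if (Test-Path -Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            $findings.Add([pscustomobject]@{ Check = 'MountPoints2'; Name = $vol.PSChildName; Detail = $cmd; Suspicious = $true })
        }
    }

    # 3. Alternate data streams on the Temp directory itself (OTL "@Alternate Data Stream").
    #    A directory normally carries no named streams, so any hit is reported.
    foreach ($s in Get-Item -Path $temp -Stream * -ErrorAction SilentlyContinue) {
        if ($s.Stream -eq ':$DATA') { continue }
        $findings.Add([pscustomobject]@{ Check = 'ADS'; Name = "${temp}:$($s.Stream)"; Detail = "$($s.Length) bytes"; Suspicious = $true })
    }

    # 4. DLLs dropped straight into Temp (OTL "MOD" line, e.g. tsiVi032.dll / tsiVi332.dll).
    foreach ($f in Get-ChildItem -Path $temp -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
        $findings.Add([pscustomobject]@{ Check = 'TempDLL'; Name = $f.Name; Detail = "$($f.Length) bytes, modified $($f.LastWriteTime)"; Suspicious = $true })
    }

    # 5. IE start page and the user's search scopes (the "IE - ..." lines in the second fix).
    #    Listed for review rather than flagged: the reader decides whether the URL is theirs.
    $ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ieMain -and $ieMain.'Start Page') {
        $findings.Add([pscustomobject]@{ Check = 'IEStartPage'; Name = 'Start Page'; Detail = $ieMain.'Start Page'; Suspicious = $false })
    }
    $scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    foreach ($sc in Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue) {
        $url = (Get-ItemProperty -Path $sc.PSPath -ErrorAction SilentlyContinue).URL
        $findings.Add([pscustomobject]@{ Check = 'IESearchScope'; Name = $sc.PSChildName; Detail = $url; Suspicious = $false })
    }

    return $findings
}

# Suspicious rows first; an empty Run/MountPoints2/ADS/TempDLL set is what a clean profile looks like.
Get-UserPersistenceFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The script changes nothing; it only reads the same locations OTL's O4, O33, MOD, @Alternate Data Stream and IE lines report, which makes it a cheap before/after check to run alongside the helper's "How is your computer behaving now?" question. The Firefox prefs.js entries in the second fix are plain text in the profile folder and are not covered here.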


Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:


process;
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;


[*] Click on the Run script button (image: http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png)
Please wait until a log report opens (this can be after a reboot)

[*] Save the notepad file to your Desktop and attach zoek-results.log here

Note: It will also create a log in the C:\ directory named “zoek-results.log”

Hi I have a similar problem with my computer.

My Internet security program keeps flashing up that a harmful Trojan was prevented from opening. It is quarantined every time, fortunately, but I want it gone before it gets in. The Trojan is listed as dwn.exe trojan.

I have used all the programs in this post as well as doing numerous scans, quarantining and deleting but it keeps coming back.
Can you advise the process to get rid of it, if possible?
Thanks in advance

You should not run the tools without instructions…
Any fix posted here is made for one specific computer based on the logs attached.

If you want help, start your own topic and follow the instructions here: http://forum.avast.com/index.php?topic=53253.0
Attach the Malwarebytes / OTL / aswMBR logs.