PLEASE HELP! I have problems with bitcoinminer trojan. It appears in avast as Win32:BitCoinMiner-CA(Trj) with this location: C:\User\Name\AppData\Local\Temp\iswizard\wuaudit.exe
Any expert out there who want to help this poor soul!
Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
C:\User\Name\AppData\Local\Temp\iswizard\wuaudit.exe. Also upload wuaudit.exe to www.virustotal.com, test it with 40+ malware scanners and post the link to the scan result here.
Monitoring …
Hi, sorry for keeping you waiting!
here are my logs
another log extra from OTL
sorry, I couldn’t upload wuaudit.exe to virustotal
Hi,
Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/
Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.
- Unzip/unrar MBAR into a folder on your Desktop
- Open the folder where the contents were unzipped and run mbar.exe
- Click on Next > then on the Update button to download fresh definitions.
- When the database has updated, click Next
- In the following window ensure the “Targets” options Drivers, Sectors and System are ticked, then select the “Scan” button
- If any infections are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be shown.
- The cleanup procedure will be scheduled for processing.
- When complete, a pop-up will appear. Select the Yes button and the system should reboot to complete the cleaning process.
Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
============= Next ===========
Please download zoek.exe and save it to your desktop.
- Close any open browsers.
- Temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.
- Double click on zoek.exe to run the tool.
Please wait until the tool starts…
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
process;
srinfo;
systemscpecs;
installedprogs;
dwm.exe;z
iswizard;z
filesrcm;
startupall;
C:\Windows\System32\services.exe;i
skipfix-iedefaults;
firefoxlook;
chromelook;
- Click on the “Run Script” button (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png)
Please wait until a log report opens (this may be after a reboot).
- Save the Notepad file to your Desktop and attach zoek-results.log here
Note: It will also create a log in the C:\ directory named “zoek-results.log”
Is it safe to install and run Malwarebytes AntiRootkit?
Do you think we use tools here that are not safe?
sorry for doubting you hehehehe
here are the logs from mbar and zoek
Hi,
Do you know what “Bamboo” software on your computer is? If not, uninstall it.
Re-run zoek.exe as you did before but use this script:
emptyclsid;
C:\Users\Argus\AppData\Local\Temp\iswizard;f
C:\Users\Argus\AppData\Local\Temp\tsiVi132.dll;f
C:\Users\Argus\AppData\Local\Temp\tsiVi032.dll;f
C:\Users\Argus\AppData\Local\Temp\AcDeltree.exe;f
C:\Program Files (x86)\IObit;f
C:\users\Argus\AppData\Roaming\IObit;f
C:\ProgramData\IObit;f
[HKEY_USERS\S-1-5-21-2052984275-2819042778-3786034648-1001\Software\Microsoft\Windows\CurrentVersion\Run];r
"tsiVideo"=-;r
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run];r
"tsiVideo"=-;r
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main];r
"Start Page"="http://www.google.com";r
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}];r
FFdefaults;
chrdefaults;
shortcutfix;
resetIEproxy;
netsh int ip reset >> %temp%\log.txt;b
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
emptyalltemp;
autoclean;
Attach here fresh zoek log.
Hi,
Yes, I know, it is the Bamboo tablet driver v5.2.4.
Here is the new log from zoek.exe
Hi,
Please go to this filesharing website and upload sample which was created by zoek.exe program.
C:\Users\Public\Desktop\sample_052013_0631.zip
http://www.wikisend.com/
Paste here download link.
PS: break the download link by changing “http://” into “hxxp://”
Let’s see whether we removed everything successfully. Please run zoek again with this script, attach the zoek results here and tell me how your computer is running now.
iswizard;z
dwm.exe;z
here is the link for the .zip file
hxxp://wikisend.com/download/942488/sample_052013_0631.zip
In a few moments I will upload the zoek log
Here is the final log from zoek.exe
My computer looks good, no virus or malware alert for the moment
I think it is clean, Thank you so much for the help
@ Zam1990
I don’t see attachments. You forgot to attach.
Oops!!
here it goes
OK, you are clean. Just to clean up some remnants and we are done.
Run zoek one last time with this script:
C:\Windows\Prefetch\DWM.EXE-A2101CC8.pf;f
C:\Windows\Prefetch\DWM.EXE-6FFD3DA8.pf;f
emptytemp;
I don’t need zoek reports.
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes below;
[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore
Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
I don’t need DelFix log report.
I recommend keeping Malwarebytes and using MCShield if you wish.
You may download MCShield from one of the following links:
MyCity - Official download link
Softpedija - Mirror download link
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, it will also immediately clean the flash drive, memory card or external HDD.
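The zoek scripts in this thread delete a Temp folder (iswizard with wuaudit.exe), two tsiVi*.dll files, a “tsiVideo” value under the per-user Run key, and two DWM.EXE prefetch entries. Anyone who wants to confirm afterwards that these indicators are gone, or to recognise the same pattern on another machine, can use the read-only check below. This is an added example written for this thread, not a tool the helper posted or part of zoek, MBAR or DelFix; it reports findings and deletes nothing. The indicator names come from the thread, the per-user paths are rebuilt from environment variables because the thread’s paths belong to the user “Argus”, and the dwm.exe comparison assumes only that the genuine Desktop Window Manager runs from System32. Run it from an elevated PowerShell so that C:\Windows\Prefetch and other sessions’ process paths are readable.

```powershell
# Added example for this thread (not the helper's tool). Read-only: it reports, it does not delete.
# Indicator names (iswizard folder, wuaudit.exe, tsiVi*.dll, the "tsiVideo" Run value, DWM.EXE
# prefetch entries) are taken from the zoek scripts in the thread; paths are rebuilt for the
# current user. Run elevated so Prefetch and other users' process paths can be read.

$localTemp = Join-Path $env:LOCALAPPDATA 'Temp'

# File-system indicators named in the thread.
$pathIndicators = @(
    (Join-Path $localTemp 'iswizard\wuaudit.exe'),
    (Join-Path $localTemp 'iswizard'),
    (Join-Path $localTemp 'tsiVi132.dll'),
    (Join-Path $localTemp 'tsiVi032.dll'),
    (Join-Path $localTemp 'AcDeltree.exe')
)

# Autostart value the thread removed (HKCU is the current user's hive; the thread also
# addressed the same key through the user's SID under HKEY_USERS).
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'tsiVideo'

function Get-PathFindings {
    foreach ($p in $pathIndicators) {
        $present = Test-Path -LiteralPath $p
        [pscustomobject]@{
            Check   = 'Path'
            Item    = $p
            Present = $present
            Detail  = if ($present) { (Get-Item -LiteralPath $p -Force).LastWriteTime } else { $null }
        }
    }
}

function Get-RunKeyFinding {
    $entry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check   = 'RunValue'
        Item    = "$runKey\$runValue"
        Present = ($null -ne $entry)
        Detail  = if ($entry) { $entry.$runValue } else { $null }   # command line the value would launch
    }
}

function Get-DwmFindings {
    # Desktop Window Manager legitimately runs from System32. A prefetch file name embeds a hash of
    # the executable's full path, so more than one DWM.EXE-*.pf means dwm.exe has been started from
    # more than one location (the thread deleted two such entries).
    $legit = Join-Path $env:SystemRoot 'System32\dwm.exe'
    $pf = @(Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'Prefetch') -Filter 'DWM.EXE-*.pf' -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Check   = 'Prefetch'
        Item    = 'DWM.EXE-*.pf (more than one entry)'
        Present = ($pf.Count -gt 1)
        Detail  = ($pf.Name -join ', ')
    }
    foreach ($proc in Get-Process -Name dwm -ErrorAction SilentlyContinue) {
        $path = $proc.Path   # $null for another session's process when not elevated
        [pscustomobject]@{
            Check   = 'Process'
            Item    = "dwm.exe PID $($proc.Id)"
            Present = ($null -ne $path -and $path -ne $legit)   # -ne is case-insensitive
            Detail  = $path
        }
    }
}

$findings = @(Get-PathFindings) + @(Get-RunKeyFinding) + @(Get-DwmFindings)
$findings | Format-Table -AutoSize
$findings | Where-Object Present | ForEach-Object { Write-Warning "Indicator still present: $($_.Item)" }
```

On a cleaned machine every row should show Present = False; a True row is what to paste into a thread like this one rather than something to delete by hand. The script deliberately checks the current user only; the thread’s HKEY_USERS\S-1-5-21-… line targets the same Run key for that specific account, so on a multi-user machine run the check once per account.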
Finally it’s over
Thank you very much for helping me, for your time and effort, I’m glad there are people like you.
keep it up guys
greetings and best wishes