Dwm.exe, bitcoin miner trojan

[carlosg]

Hey I've found that my computer has a trojan Dwm.exe, read about it and its a bitcoin miner. It is located here C\Users\Appdata\Local\Temp\iswizard

Ran up malwarebytes and it found these files: iswizard.7z and wuaudit.exe

Tried to delete it with more than one anti virus and couldn't manage delete or even to spot it out. Used malwarebytes as well, spotted it but couldnt remove it(even if you remove it manualy, comes back right after)

What can I do to get rid of this annoying trojan?

[true indian]

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• It will close all programs when run, so make sure you have saved all your work before you begin.
  
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

[essexboy]

Sometimes that temp folder protects itself, if TFC does not work then run OTL (details here http://forum.avast.com/index.php?topic=53253.0 )

[carlosg]

Thank you both, going to try it now

[carlosg]

TFC didn't work. Used OTL and theres the log.

[essexboy]

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE:64bit: - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
IE - HKU\S-1-5-21-1707020488-421807252-2630900403-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=1372647993
IE - HKU\S-1-5-21-1707020488-421807252-2630900403-1001\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=adk&from=adk&uid=HitachiXHTS547550A9E384_120912J2360051FVD2UCX&ts=0
O4 - HKU\S-1-5-21-1707020488-421807252-2630900403-1001..\Run: [tsiVideo] C:\Users\Abel\AppData\Local\Temp\tsiVi032.dll ()


:Files
C:\Users\Appdata\Local\Temp\iswizard

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download Junkware Removal Tool to your desktop.

• Right-mouse click JRT.exe and select "Run as Administrator" the tool will open and start scanning your system
• please be patient as this can take a while to complete depending on your system's specifications
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• post the contents of JRT.txt into your next message.

[carlosg]

OTL log
Going to run JRT now

[carlosg]

JRT log

[essexboy]

How is the computer now ?

[carlosg]

Should I run something to check it? The boot time is less than 1min and was around 2min and I barely install stuff, I usualy look on what I am doing but I can't guess where all that crap came from.

[essexboy]

QV06 is a bit of a pain and does come bundled with "free" programmes .. See here http://blog.avast.com/

The main thing is Chrome could you see if QV06 is still there

[carlosg]

It isnt, not even on ie either. Thanks a lot for the help, without you guys I couldn't even get rid of this crap. Should I keep any of the programs that I downloaded so I can keep an eye on the system? Because some anti virus don't detect some stuff and thats kinda scary..

[carlosg]

Runned malwarebytes and it found 2 items, exactly the same ones that found before

files: iswizard.7z and wuaudit.exe

folder: C\Users\Appdata\Local\Temp\iswizard

[essexboy]

OK run this OTL fix and post the log that appears after reboot please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:Files
C:\Users\Appdata\Local\Temp\iswizard

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done

[carlosg]

OTL log