My aunt told me she disabled and/or removed McAfee. Clearly that did not happen.
Good news: I ran the removal tool, and the computer is starting normally now. I'm going to run MBA-M, post the logs, and restart unless I hear otherwise from you.
Absolutely, be sure to update MBA-M of course and then do the full system scan in normal mode, have it remove all, reboot and post back here with the log. Wonder how she "removed" it? Sounds like she just went in and deleted the files, which of course removes the visible traces but not the program.
Don't know really. She's usually pretty good with computers.
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org
Database version: 911122605
Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421
12/26/2011 8:26:41 PM
mbam-log-2011-12-26 (20-26-41).txt
Scan type: Full scan (C:\|)
Objects scanned: 337760
Time elapsed: 37 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\WINDOWS\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.
Restarting now.
EDIT: Restart worked. Going to run ESET now.
Log is usually always located here
C:\Program Files\EsetOnlineScanner\log.txt.
I haven't seen one that is located where you found it.
Don't be doing anything else when ESET is running.
I couldn't find the ESET log file at C:\Program Files\EsetOnlineScanner\log.txt. I did manage to find C:\Program Files (x86)\EST\EST Online Scanner\log.txt, which reads as follows:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=53251
I don't know that that's what you're looking for. I can tell you that it quarantined and deleted two files and found another one working in the active memory, something like that. Couple of trojans.
Last edited by KamikazeKarrot; 12-27-2011 at 07:21 AM.
There's no such filepath on the computer. Also, the only file on the entire C: drive named "log.txt" is the one I copied and pasted above.
Is this a 64-bit operating system? Even if it is, there should be two listings in the C drive. I am running Windows 7 64-bit and there are two... the first one is generally program files that are 64-bit and the other is the one for 32-bit programs.
C:\Program Files\
C:\Program Files (x86)\
There are two separate Program Files folders as you listed, but there is no C:\Program Files\EsetOnlineScanner. There is only C:\Program Files (x86)\ESET\ESET Online Scanner.
I'm running ESET again to see if I can find a log this time. It's at 98% right now. The same trojan is being detected: "probably a variant of Win32/Olmarik.AVQ trojan".
Write down names and locations of everything found, in case there is no log again.