
Thread: [ROOTKIT INFECTION] PUP.BitMiner: kwrd.dll


  1. #1
    If you go to your "List of found threats" at the end of the scan, there are two links at the bottom to let you either "Copy to clipboard" or "Export to text file...". I did both. The text file's a little messy, but here's the clipboard copy.

    C:\WINDOWS\assembly\temp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan cleaned by deleting - quarantined
    Operating memory a variant of Win32/Sirefef.DN trojan

    Also, this may not be related but the touchpad has been getting a little bit spotty. It stops responding every few seconds.

    I'm going to run DDS again unless I hear otherwise.

  2. #2
    Should I check off "Delete quarantined files" before I hit finish on the ESET scanner? It appears to be holding that Olmarik file and C:\WINDOWS\system64\consrv.dll as well.

  3. #3
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Honestly won't matter, you have a rootkit on the system, it will bring the infections back in. Just close out the ESET and do the following:

    The first thing you need to do is download tdsskiller from the following link and save it to your desktop. When you get to the above page, please click on Download TDSSKiller.exe to download the file. If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.

    Once the file has completed downloading, you should now have the TDSSKiller icon on your desktop.

    1. Before you can run TDSSKiller, you first need to rename it so that you can get it to run. To do this, right-click on the TDSSKiller.exe icon that should now be on your Desktop and select Rename. You can now edit the name of the file and should name it a random name with the .com extension. For example, 123.com or 23kjasd123.com. If a random name does not work, please try renaming it as iexplore.com and attempt to run it again.
    2. Once the file is renamed, you should double-click on it to launch it. When you run the program, Windows may display a warning asking if you are sure you want to run the file.
    3. If you receive this warning, please click on the Run button to allow TDSSKiller to run. If you did not receive this warning, then TDSSKiller should have started and you can proceed to step 6.

      TDSSKiller will now start and display the welcome screen
    4. At this screen click on the Start scan button to have TDSSKiller scan your computer for the TDSS infection.

      TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen telling you that the rootkit was found.
    5. To remove the infection simply click on the Continue button and TDSSKiller will attempt to clean the infection. If it does not say Cure, leave it at the default action of Skip and press the Continue button. Do not change it to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.
    6. When it has finished cleaning the infection you will see a report stating whether or not it was successful probably telling you that a reboot is required to complete the clean up.
    7. Click on the Reboot now button to reboot your computer and finish the removal of the TDSS infection from your computer.

    Post back here with that log. And then update MBA-M once more and run another Full Scan, have it Remove everything found and again Reboot. Post back with that log.

  4. #4
    I ran TDSSKiller without any issue. It didn't pick up anything. I restarted the computer, and now I'm getting the exact same BSOD problem as before. I can't start in either Normal or Safe Mode. I can try the Startup Repair Disc again if necessary.

  5. #5
    Oh brother, now this makes no sense whatsoever. You were able to download, rename and run the program in less than 15 minutes? Very unusual. See if you can get the computer back up and running again however it was that you did it before.
    There is most definitely a rootkit there...for one thing your MBA-M scans are not taking long enough, telling me it is not being allowed to run as long as it should. The ESET scan also ran in very short order....both of those scans usually take nearly an hour each.

  6. #6
    I'll try to download TDSSKiller from this computer, rename it, and insert it via USB drive.

    For now, time to try another Startup Repair...

  7. #7
    Also, it CAN be run in Safe Mode if needed. Of course a USB normally will not work in Safe Mode though, but see what you can come up with.

  8. #8
    After messing around with the file on a clean computer, I don't think I managed to change the file extension on the infected one. Because known file extensions are set to hidden by default, I ended up only changing the name, ending up with "iexplore.com.exe" instead of "iexplore.com". I fixed it this time around. We'll see how that works if/when the infected computer boots again.
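    The rename step in post #3 (give TDSSKiller a random name with a .com extension) and the "iexplore.com.exe" trap described in post #8 (Explorer hides known extensions by default, so typing a new extension in the rename box only changes the base name) can both be handled from PowerShell on the clean computer before the file is copied to the USB stick. The following script is an added example written for this thread; it is not code from the thread, from Kaspersky, or from the helper. The download path on the Desktop and the eight-character random name are assumptions, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example, not from the thread: rename TDSSKiller.exe to a random .com name
# on a clean machine, check that the real extension changed, and record a hash so
# the copy on the USB stick can be verified before it is run on the infected PC.

# Assumed download location (adjust if the file was saved elsewhere).
$Source = Join-Path $env:USERPROFILE 'Desktop\TDSSKiller.exe'
if (-not (Test-Path $Source)) { throw "Not found: $Source" }

# 1. Report whether Explorer is hiding known extensions. A value of 1 (the default)
#    is what turns an Explorer rename to "iexplore.com" into iexplore.com.exe.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $adv -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
Write-Host "HideFileExt = $hideExt (1 = known extensions hidden in Explorer)"

# 2. Hash the file before touching it, so the transferred copy can be compared later.
$hashBefore = (Get-FileHash -Path $Source -Algorithm SHA256).Hash

# 3. Build a random base name, e.g. 7k3q9z2m, and add the .com extension.
#    Rename-Item sets the complete file name, so no hidden .exe is appended.
$chars   = 'abcdefghijklmnopqrstuvwxyz0123456789'.ToCharArray()
$newName = (-join (1..8 | ForEach-Object { $chars | Get-Random })) + '.com'
Rename-Item -Path $Source -NewName $newName
$Target = Join-Path (Split-Path $Source -Parent) $newName

# 4. Verify the real extension (not the one Explorer displays) and the content.
$item = Get-Item $Target
if ($item.Extension -ne '.com') { throw "Unexpected extension on $($item.Name)" }
$hashAfter = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
if ($hashAfter -ne $hashBefore) { throw 'File content changed during rename' }
Write-Host "Renamed to $($item.Name)"
Write-Host "SHA256 $hashAfter  (re-run Get-FileHash on the USB copy and compare)"
```

Because the script reads the extension from the file object rather than from the name shown in Explorer, a leftover .exe is caught immediately instead of being discovered only when the tool fails to start on the infected machine.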

  9. #9
    Ok, keep me posted....as I know you will.

  10. #10
    I ran the Repair and am moving on to the Memory Diagnostic. Shouldn't be MUCH longer now.
