
Thread: [ROOTKIT INFECTION] PUP.BitMiner: kwrd.dll

  1. #61
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    · Make sure that combofix.exe that you downloaded is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    · Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    KillAll::

    File::

    c:\program files (x86)\RegTask\RegTask.exe
    · Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    · At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    · You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    · Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    · Follow the prompts.
    · When it finishes, a log will be produced named c:\combofix.txt

    Post back with that log.

  2. #62
    As I said before, I cannot currently open any programs. I managed to inject the CFscript.txt file via flash drive, but when I drag it onto Combo-Fix.exe, I get the following error message:

    C:\Users\Katie Wyland\Desktop\Combo-Fix.exe

    Illegal operation attempted on a registry key that has been marked for deletion.

  3. #63
    If, after running Combofix, you discover none of your programs will open and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
    You may have to reboot multiple times before this is corrected. I have seen it take three or four times. Don't just restart; actually power down and power back up. Try this at least three times before reporting back.
    After each reboot, try the CFScript again. If it doesn't work, shut down and reboot again until it does.

  4. #64
    That fixed it. Running CFscript.txt through Combo-Fix.exe now.

  5. #65
    ComboFix 11-12-27.01 - Katie Wyland 12/27/2011 15:51:19.2.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4056.3000 [GMT -5:00]
    Running from: c:\users\Katie Wyland\Desktop\Combo-Fix.exe
    Command switches used :: c:\users\Katie Wyland\Desktop\CFscript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    FILE ::
    "c:\program files (x86)\RegTask\RegTask.exe"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\RegTask\RegTask.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-27 20:57 . 2011-12-27 20:57 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-27 18:54 . 2011-12-27 18:54 -------- d-----w- c:\program files\CCleaner
    2011-12-27 06:32 . 2011-12-27 06:32 -------- d-s---w- c:\windows\SysWow64\Microsoft
    2011-12-26 22:54 . 2011-12-26 22:54 -------- d-----w- c:\program files (x86)\ESET
    2011-12-26 22:54 . 2011-12-26 22:54 -------- d--h--w- c:\windows\AxInstSV
    2011-12-26 03:02 . 2011-12-26 03:02 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-12-26 00:50 . 2011-12-26 00:50 -------- d-----w- C:\$AVG
    2011-12-26 00:05 . 2011-12-26 00:05 -------- d--h--w- c:\programdata\Common Files
    2011-12-26 00:04 . 2011-12-27 00:38 -------- d-----w- c:\programdata\AVG2012
    2011-12-26 00:04 . 2011-12-27 07:10 -------- d-----w- c:\program files (x86)\AVG
    2011-12-25 23:43 . 2011-12-27 07:35 -------- d-----w- c:\programdata\MFAData
    2011-12-25 22:52 . 2011-12-25 22:52 -------- d-----w- c:\users\Katie Wyland\AppData\Roaming\Malwarebytes
    2011-12-25 22:52 . 2011-12-27 07:12 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-25 22:52 . 2011-12-27 07:34 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-25 22:52 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-25 22:26 . 2011-12-27 07:10 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-12-14 22:30 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 22:30 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 22:30 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 22:30 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 22:30 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 22:30 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-17 16:29 . 2011-09-30 02:09 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-25 20:46 . 2011-11-25 20:46 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin
    2011-11-10 10:54 . 2010-06-25 09:59 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2011-09-29 16:29 . 2011-11-09 15:30 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-27_20.02.43 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-06-25 10:34 . 2011-12-27 20:50 45608 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-12-27 20:50 36976 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 05:10 . 2011-12-27 19:00 36976 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-06-17 13:36 . 2011-12-27 20:50 9360 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2546522653-3633348197-1799191212-1000_UserData.bin
    - 2011-12-27 20:02 . 2011-12-27 20:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-27 20:58 . 2011-12-27 20:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-12-27 20:02 . 2011-12-27 20:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-12-27 20:58 . 2011-12-27 20:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2009-07-14 04:54 . 2011-12-27 20:58 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2011-12-27 20:02 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 02:36 . 2011-12-27 19:44 624178 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-12-27 20:55 624178 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-12-27 20:55 106522 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2011-12-27 19:44 106522 c:\windows\system32\perfc009.dat
    + 2009-07-14 05:01 . 2011-12-27 20:57 420348 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2011-12-27 19:53 420348 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-06-17 23:07 . 2011-12-27 20:57 420348 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2546522653-3633348197-1799191212-1000-8192.dat
    - 2011-06-17 23:07 . 2011-12-27 19:53 420348 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2546522653-3633348197-1799191212-1000-8192.dat
    - 2009-07-14 04:54 . 2011-12-27 20:02 3883008 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-12-27 20:58 3883008 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-27 20:02 7536640 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2011-12-27 20:58 7536640 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Facebook Update"="c:\users\Katie Wyland\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-22 137536]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-19 494064]
    "DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
    .
    c:\users\Katie Wyland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 136176]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 136176]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-06-26 1124848]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2546522653-3633348197-1799191212-1000Core.job
    - c:\users\Katie Wyland\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-22 02:34]
    .
    2011-12-27 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2546522653-3633348197-1799191212-1000UA.job
    - c:\users\Katie Wyland\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-10-22 02:34]
    .
    2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 02:09]
    .
    2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 02:09]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
    Trusted Zone: statcrunch.com
    TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    c:\program files (x86)\Dell DataSafe Local Backup\Toaster.exe
    c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-27 16:02:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-27 21:02
    ComboFix2.txt 2011-12-27 20:19
    .
    Pre-Run: 254,473,285,632 bytes free
    Post-Run: 254,402,166,784 bytes free
    .
    - - End Of File - - 4AAC5863C4AE90378FD56E9398856D40
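
    Reading a ComboFix log like the one above by eye means scanning several hundred lines for the handful that matter: what was deleted, what autostarts from the Run keys and Startup folders, which services and drivers point at a binary ComboFix could not date or size (the [x] entries), and which scheduled tasks run. The helper below is an added example written for this page; it is not part of ComboFix, Malwarebytes or anything the helper in this thread posted. It parses those sections out of the log text and orders entries for review. The SUSPECT_DIRS list and the flag names are my own choices, and the sample is trimmed from the log posted above (paren headers shortened; paths unchanged). A hit is a review priority, not a verdict: the Facebook updater flagged below is legitimate and simply lives in AppData, which is also where droppers such as the kwrd.dll later found under c:\WINDOWS\assembly\temp tend to land.

```python
import re
from dataclasses import dataclass, field

# Line shapes ComboFix uses in the sections this helper reads.
SECTION_RE = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+")
KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]")
RUNVALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
STARTUP_RE = re.compile(r"^(?P<name>[^\\]+\.lnk) - (?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]")
TASK_JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
TASK_CMD_RE = re.compile(r"^- (?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]")

# Directory fragments an ordinary user can write to (my own list, not a
# ComboFix rule). A persisted binary there is not proof of malware, but it
# is where droppers usually land, so it goes to the top of the review list.
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                "\\assembly\\temp\\", "\\users\\public\\")


@dataclass
class Entry:
    kind: str            # deleted | run | startup | service | task
    name: str
    path: str
    meta: str = ""       # ComboFix's "[date size]" text, or "x" when it had none
    origin: str = ""     # registry key, .job file or section the line came from
    flags: list = field(default_factory=list)


# Trimmed from the ComboFix log posted in this thread; paths are as logged.
SAMPLE_LOG = r"""
((((( Other Deletions )))))
.
c:\program files (x86)\RegTask\RegTask.exe
.
((((( Reg Loading Points )))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Facebook Update"="c:\users\Katie Wyland\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2011-10-22 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Katie Wyland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 02:09]
"""


def flags_for(entry):
    """Review heuristics for one entry (my choices, see SUSPECT_DIRS above)."""
    flags = []
    if any(frag in entry.path.lower() for frag in SUSPECT_DIRS):
        flags.append("user-writable location")
    if entry.meta.strip() == "x":            # ComboFix printed [x] instead of date/size
        flags.append("binary not found ([x])")
    if entry.kind == "deleted":
        flags.append("removed by ComboFix")
    return flags


def triage(log_text):
    """Return every persistence/deletion entry found in a ComboFix log."""
    entries, section, key, job = [], "", "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):              # "(((( Name ))))" section header
            section, key = m.group("name"), ""
        elif line.startswith("Contents of the 'Scheduled Tasks'"):
            section, key = "Scheduled Tasks", ""
        elif m := KEY_RE.match(line):                # "[HKEY_...]" registry key header
            key = m.group("key")
        elif section == "Other Deletions":           # bare paths ComboFix removed
            entries.append(Entry("deleted", line.rsplit("\\", 1)[-1], line, origin=section))
        elif m := TASK_JOB_RE.match(line):           # "date c:\windows\Tasks\x.job"
            job = m.group("job").rsplit("\\", 1)[-1]
        elif (m := TASK_CMD_RE.match(line)) and section == "Scheduled Tasks":
            entries.append(Entry("task", job, m.group("path"), m.group("meta"), origin=job))
        elif m := SERVICE_RE.match(line):            # "R2 name;display;path [meta]"
            entries.append(Entry("service", m.group("name"), m.group("path"),
                                 m.group("meta"), origin=m.group("display")))
        elif m := STARTUP_RE.match(line):            # "Foo.lnk - path [meta]"
            entries.append(Entry("startup", m.group("name"), m.group("path"),
                                 m.group("meta"), origin="Startup folder"))
        elif (m := RUNVALUE_RE.match(line)) and key.lower().endswith("\\run"):
            entries.append(Entry("run", m.group("name"), m.group("path"), m.group("meta"), origin=key))
    for e in entries:
        e.flags = flags_for(e)
    return entries


def flagged(entries):
    """Entries worth a human look: most flags first, then by path."""
    return sorted((e for e in entries if e.flags),
                  key=lambda e: (-len(e.flags), e.path.lower()))


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(f"{e.kind:8} {e.name:28} {e.path}  <- {', '.join(e.flags)}")
```

    Run it with the full log pasted in place of SAMPLE_LOG, or read the file and pass its text to triage(). On the sample it lists RegTask.exe (deleted), the Facebook updater (AppData) and TsUsbFlt ([x]); MBAMService, the Dell Dock shortcut and the Google Update task parse but carry no flags. The section and key tracking matters: the same quoted "name"="path" shape appears under the LOCKED REGISTRY KEYS Flash CLSIDs later in the log, and those are ignored because their key does not end in \Run.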

  6. #66
    Good, now update MBA-M and run a new full scan with it. Have it remove everything found and reboot the computer, post back with the log.

    After that then run the ESET scanner again and follow the same procedure. Post back with that log.

  7. #67
    Then, after doing both of the above, download this program, Revo Uninstaller. It is a paid program, but it has a 30-day free trial.
    http://www.revouninstaller.com/revo_..._download.html

    Here also is the user manual to see how to use it.

    http://www.revouninstaller.com/manua...sersmanual.pdf

    You need to look for McAfee and if it finds anything have it uninstall anything called McAfee.

  8. #68
    I am having company for dinner this evening so will check back when I can. Don't think I have abandoned you, just taking care of my guests.

  9. #69
    No worries. Hopefully it's pretty much down for the count now anyway. I'll run the MBAM scan, the ESET scan, and the Revo scan.

  10. #70
    Here's the MBA-M log. It found kwrd.dll again. I went ahead and deleted it. Let's see if we get the same crashing problem on restart. This is why ComboFix creates System Restore points, I imagine.

    EDIT: Oh hey look it booted to Normal Mode just fine. On to ESET.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122704

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    12/27/2011 4:49:04 PM
    mbam-log-2011-12-27 (16-49-04).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 324107
    Time elapsed: 36 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\WINDOWS\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.
    Last edited by KamikazeKarrot; 12-28-2011 at 02:44 AM.
