
Thread: [ROOTKIT INFECTION] PUP.BitMiner: kwrd.dll

  #81
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    MBA-M releases database updates all day long. That's why the instruction is always given to update before each and every scan. I believe this new version was just released this evening.

    Yes, please do. I would also like you to go into Windows Services and look for listings for that "blasted" McAfee.
    To get to Windows Services do the following:

    A) Open the Start Menu. In the search line, type services.msc and press Enter.
    B) If prompted, click on Continue in the UAC prompt, or provide the administrator password to approve.

    Now when that opens the Services are all in alphabetical order so scroll down and look to see if you see any McAfee listings. If you do, double click to open the properties, if it says it is running, click the Stop button. Once it stops then in the middle there is a section that says Start Up type. If it says Automatic, then click the little arrow and change it to Disabled.

    Do this for any and all McAfee listings. This really is a "stab in the dark" but there has to be some reason that thing keeps showing up in the logs. Maybe there is a service listed, even though it's not on there anymore and if it's trying to start then maybe that is what triggers these listings.

  #82
    MBA-M came up clean. No sign of McAfee in the Services list.

  #83
    Hi, Have to say to begin today, you have truly been a real pleasure to work with and you obviously "know your stuff" when it comes to computers, so I have to thank you.
    Now I have done some more research here, this thing is, as I am sure it is with you, driving me crazy! It appears what has been on the computer is the Zero Access Rootkit and as you've seen, a "bear to remove". One thing it seems to have done is corrupt all of those McAfee files so that the removal of course didn't fully work and the files are there but can't be found. We need to really attempt to get rid of all of them so that any new security software works properly. So here is what I want you to try.
    First of all, as I said earlier, delete that DDS if you have not already done so.
    I also want you to Uninstall Combofix. Follow these instructions:
    Click on the Start button and then in the Search field enter combofix /uninstall, as shown in the image below with the blue arrow.

    Please note that there is a space between combofix and /uninstall.

    Once you have typed this in, press Enter on your keyboard. An Open File security warning will appear asking if you are sure you want to run ComboFix. Please click on the Run button to start the program.

    ComboFix will now uninstall itself from your computer and remove any backups and quarantined files. When it has finished you will be greeted by a dialog box stating that ComboFix has been uninstalled. You can now delete the ComboFix.exe program from your computer. ComboFix has now been uninstalled from the computer.

    After you have done those two removals. Do the following:

    We need to determine if you are still infected with Zero.Access Rootkit

    1. Open the Task Manager by pressing Ctrl + Shift + Esc on your keyboard or by right-clicking the Start Menu bar and selecting Task Manager.

    2. Be sure that "Show processes from all users" is selected at the bottom left-hand corner of the window. Click "Image Name" to sort this column alphabetically and then look at the top of the list.

    If you are infected with the Zero.Access rootkit, you will see a running process such as "1077238835:3433286335.exe" (example only; your computer may display different numbers).
    ====================================
    IF you see a process similar to that one above ESET has provided a stand-alone malware removal tool to hopefully remove it. Follow the steps below.


    • Download, save and run the 'Win32/Sirefef' stand-alone malware removal tool while in Normal Mode and follow the prompts as directed.
    • Restart your computer into Safe Mode with Networking after running the stand-alone tool.
      [o] Reboot and begin pressing the F8 key on your keyboard after the logo loads
      [o] Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER
    • Run the ESET Online Scanner while in Safe Mode with Networking.
    (Note: If you receive an error during any part of the process, locate the ESET Online Scanner program by clicking Start> Control Panel> Add/Remove Programs and remove it from your system. Run the scan again by double-clicking the esetsmartinstaller.exe installer you downloaded before. No restart is necessary after running the ESET Online Scanner.)

    • Once the machine is clean and while still in Safe Mode with Networking, run the ESET Uninstaller. Follow the instructions by clicking one of the links below for your operating system.
    • Windows 7/2008 R2/2008

    Post back with your results. If you didn't see a process similar to the one noted above then post back immediately, if you do see one then follow the rest of the instructions. After that then we can work to get that McAfee off the computer.
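    The two manual checks asked for in this thread, the services.msc search for leftover McAfee entries in post #81 and the Task Manager search for a "<digits>:<digits>.exe" process in post #83, as an added read-only PowerShell script (not from the thread or from ESET/McAfee). It assumes an elevated prompt, that matching "McAfee" in the service name, display name or binary path is enough to find the leftovers, and that WMI reports the ZeroAccess image name the same way Task Manager shows it; it stops or disables nothing.

```powershell
# Added example, not from the thread. Read-only checks for the two things
# the helper asks for: leftover McAfee services (post #81) and a running
# process named like "<digits>:<digits>.exe", the ZeroAccess/Sirefef
# pattern shown in post #83 (its example: 1077238835:3433286335.exe).
# Run from an elevated PowerShell prompt. Nothing is stopped or disabled;
# the output tells you what to look at in services.msc and Task Manager.

function Get-ServiceBinaryPath([string]$PathName) {
    # "C:\Program Files\X\svc.exe" -arg   ->  C:\Program Files\X\svc.exe
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # C:\Windows\system32\svchost.exe -k x ->  C:\Windows\system32\svchost.exe
    if ($PathName -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

$services = Get-CimInstance Win32_Service

# 1. Any service that still mentions McAfee in its name, display name or binary.
$mcafee = $services | Where-Object {
    $_.Name -like '*McAfee*' -or $_.DisplayName -like '*McAfee*' -or $_.PathName -like '*McAfee*'
} | Select-Object Name, DisplayName, State, StartMode, PathName

# 2. Services whose binary is gone from disk: this is the helper's theory
#    that an uninstalled product still has a service trying to start.
$orphaned = $services | Where-Object {
    $_.PathName -and -not (Test-Path -LiteralPath (Get-ServiceBinaryPath $_.PathName))
} | Select-Object Name, DisplayName, StartMode, PathName

# 3. Running processes matching the ZeroAccess image-name pattern
#    (assumption: Win32_Process.Name shows the same name Task Manager does).
$zaPattern = '^\d+:\d+\.exe$'
$suspects = Get-CimInstance Win32_Process | Where-Object { $_.Name -match $zaPattern } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine

"== McAfee services ($(@($mcafee).Count)) =="
$mcafee | Format-Table -AutoSize | Out-String
"== Services whose binary is missing ($(@($orphaned).Count)) =="
$orphaned | Format-Table -AutoSize | Out-String
"== Processes named <digits>:<digits>.exe ($(@($suspects).Count)) =="
if (@($suspects).Count -eq 0) { "none found" } else { $suspects | Format-List | Out-String }
```

    A McAfee entry with StartMode Automatic whose binary is listed under the missing-binary section is exactly the "service still trying to start" case the helper suspects; the process section being empty is the "post back immediately" outcome.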

  #84
    Well I have to fire a thank you right back at you. Your dedication to killing this has been a lot of help. I'm unfortunately on the road most of today, but I'm in the passenger seat. I have the infected laptop and my laptop with me and an iPhone, so I can still communicate and take any steps that don't require Internet access.

    When I attempt "combofix /uninstall", I get an error message that says:

    "Windows cannot find 'Combo-Fix.exe'. Make sure you typed the name correctly, and then try again."

    Also, do you want me to remove other programs as well like MBA-M, CCleaner, Revo, and HijackThis?

  #85
    You didn't type it in correctly; you have to type in combofix, not the "rename" you gave it. .exe should never be on there either. It has to be written exactly as shown.

    Revo can go, as can Hijackthis but the other two are fine, those are permanent programs you need to keep.

  #86
    I did type it in exactly as instructed: "combofix /uninstall", and that's the message I get. The dash and the .exe only appear in the error message.

  #87
    Ok, for now skip that and move on to the rest of the instructions. Did you have " marks typed in the uninstall request? Those shouldn't be there either.

  #88
    Are you still here?

  #89
    I did not include the quotes. I'm going to have to wait to carry out the remaining steps until I get home or coincidentally near a Wi-Fi hotspot for an extended period (probably the former). I'll get back to you as soon as possible.

  #90
    You shouldn't ever use a Wi-Fi hotspot with an infected computer or while attempting to clean a known infected computer. Public hot spots are open networks that are vulnerable to security breaches. Because they do not encrypt data, your passwords, email messages, and other information can be visible to hackers. If the infection is still on the computer then a whole lot more could come in AND go out because those are not secure.
    Wait until you can get to a secure connection. Whenever you are ready just post the requested info and then we can work on getting combofix off, and the rest of that McAfee junk, so you can put a good anti-virus program on there. For a firewall I strongly recommend the built-in Windows 7 firewall; it is very good, plus it doesn't require downloading of other files. For now though, leave it turned off also.
