[ROOTKIT INFECTION] PUP.BitMiner: kwrd.dll

[KamikazeKarrot]

I figured as much. I wasn't really planning on it, just throwing it out there as a last ditch option. I'll get back to you after I get home later tonight. I'll try to check in later with an estimate of when that might be.

[jholland1964]

Any time is fine. I check in here all the time. I "think" that we can get this all wrapped up shortly, "may" have also found a way to get rid of those left over, corrupted McAfee files. But this has all been pretty much "shots in the dark" until I found this new info today so hopefully it will all be cleaned up. Then we can get on with securing this computer.
Judy

[KamikazeKarrot]

On my way home now. Apparently we weren't running as many errands as anticipated. Should be back to run the other steps in about ten minutes.

[jholland1964]

Take your time, do them in order, ignoring of course the combofix uninstall and beginning with that rootkit removal tool from ESET. Any trouble with one, stop and post back.

[KamikazeKarrot]

There aren't any processes listed comprised of a long string of numbers. Everything running looks normal.

[jholland1964]

Very good.
Please download OTC by OldTimer and save to your Desktop.

• Connect to the Internet and double-click on OTC.exe to start the program.
• Click on the green CleanUp! button.
• If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.
• When it has finished, OTC will ask you to reboot so it can remove itself.

-- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.
-- Any leftover folders/files related to ComboFix which were not remove can be deleted manually (right-click on them and choose delete).

Report back with the results.

[KamikazeKarrot]

ComboFix and OTC both appear to be gone now.

[jholland1964]

Ok, let's see if we can get rid of the McAfee stuff.
Do this again:

ComboFix by sUBs from

http://www.bleepingcomputer.com/down...virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Post back with that new combofix log. If you still have the problem getting combofix to run, of course, change the name again, but try first to run it without the name change.

[KamikazeKarrot]

ComboFix 11-12-28.03 - Katie Wyland 12/28/2011 16:53:51.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4056.2734 [GMT -5:00]
Running from: c:\users\Katie Wyland\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 21:58 . 2011-12-28 21:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-26 22:54 . 2011-12-26 22:54 -------- d-----w- c:\program files (x86)\ESET
2011-12-26 00:50 . 2011-12-26 00:50 -------- d-----w- C:\$AVG
2011-12-26 00:05 . 2011-12-26 00:05 -------- d--h--w- c:\programdata\Common Files
2011-12-26 00:04 . 2011-12-27 00:38 -------- d-----w- c:\programdata\AVG2012
2011-12-26 00:04 . 2011-12-27 07:10 -------- d-----w- c:\program files (x86)\AVG
2011-12-25 23:43 . 2011-12-27 07:35 -------- d-----w- c:\programdata\MFAData
2011-12-25 22:52 . 2011-12-25 22:52 -------- d-----w- c:\users\Katie Wyland\AppData\Roaming\Malwarebytes
2011-12-25 22:52 . 2011-12-27 07:12 -------- d-----w- c:\programdata\Malwarebytes
2011-12-25 22:52 . 2011-12-28 05:06 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-25 22:52 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-25 22:26 . 2011-12-27 07:10 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-14 22:30 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-14 22:30 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-14 22:30 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2011-12-14 22:30 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2011-12-14 22:30 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2011-12-14 22:30 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2011-12-17 16:29 . 2011-09-30 02:09 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-11-25 20:46 . 2011-11-25 20:46 158056 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm1 0139.bin
2011-11-10 10:54 . 2010-06-25 09:59 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Facebook Update"="c:\users\Katie Wyland\AppData\Local\Facebook\Update\FacebookUpdat e.exe" [2011-10-22 137536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-06-19 494064]
"DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-09 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
c:\users\Katie Wyland\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\ windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\ v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework6 4\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EX E [2010-01-10 4925184]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2009-06-26 1124848]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsus bflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHl pa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileReposi tory\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AE STSr64.exe [2009-03-02 89600]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-12-24 652872]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-01-13 705856]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\dr ivers\mbam.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2546522653-3633348197-1799191212-1000Core.job
- c:\users\Katie Wyland\AppData\Local\Facebook\Update\FacebookUpdat e.exe [2011-10-22 02:34]
.
2011-12-28 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2546522653-3633348197-1799191212-1000UA.job
- c:\users\Katie Wyland\AppData\Local\Facebook\Update\FacebookUpdat e.exe [2011-10-22 02:34]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 02:09]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-09-30 02:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
"Persistence"="c:\windows\system32\igfxpers.ex e" [2010-02-21 365592]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
Trusted Zone: statcrunch.com
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macrome d\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUt il11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11 e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11 e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11 e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11 e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CL SID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\In terface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\In terface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\In terface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\ Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\ Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\ Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PC W\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-12-28 17:00:36
ComboFix-quarantined-files.txt 2011-12-28 22:00
.
Pre-Run: 265,348,861,952 bytes free
Post-Run: 265,303,842,816 bytes free
.
- - End Of File - - 3FB22A96157340B9715880AB4213998D

[jholland1964]

Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above SecCenter::

SecCenter::
{86355677-4064-3EA7-ABB3-1B136EB04637}
{BE0ED752-0A0B-3FFF-80EC-B2269063014C}
{3D54B793-665E-3129-9103-206115370C8A}

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe which still should be on the desktop.
This will start ComboFix again. Ignore any warnings about McAfee. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.