
Thread: [ROOTKIT INFECTION] PUP.BitMiner: kwrd.dll

  1. #1

    [ROOTKIT INFECTION] PUP.BitMiner: kwrd.dll

    I got put on family tech support for a nasty rootkit infection (I speak only from Google searching) on my cousin's computer. After we removed a swath of other infections, MalwareBytes picked up kwrd.dll, which I've found several threads about across the Internet. Figured I'd come back here since many of them mentioned the same cocktail of anti-malware software I used on my last rootkit problem.

    The computer in question is a Dell Inspiron notebook running Windows 7. The symptoms are as follows:
    - Before we started running MalwareBytes on it, it was redirecting her pages on Internet Explorer and changing her home page.
    - Even when MalwareBytes removes kwrd.dll, it reappears later.
    - Computer will not boot normally anymore. Most of the time, it went Dell screen, Windows screen, then restarts, then Dell screen, then it says it didn't boot properly and asks if I want to Launch Startup Repair or Start Windows Normally. Occasionally, I could get through to Safe Mode. It took a lot of restarting and a little bit of luck.

    I did try the Startup Repair option. It sat there doing what seemed like nothing for a while. I declined the System Restore option at first but eventually gave it a shot. It, again, didn't seem to do anything at first, but I ended up going three hours back. I tried removing things again, and the same problem happened.

    I've run MalwareBytes again. The only infected file it found was kwrd.dll. I restarted the computer, and now I can't even get it to boot in Safe Mode. It keeps giving me this message: "STOP: c0000135 The program can't start because %hs is missing from your computer. Try reinstalling the program to fix this problem." I'll keep trying, but for the time being, I can't get any logs for you.

    EDIT (12/26/11, 5:07 am EST): A little Google searching later, I've come to find that the above BSOD message is caused by AVG anti-virus, which my aunt had insisted we install on the computer before it completely bugged out. I've been following the steps to counter this with AVG's Rescue Disc (http://forums.avg.com/ww-en/avg-foru...=show&id=94159), but I can't get the file renaming step to happen. In other threads, people have vaguely recommended some other rescue discs, but I'm operating pretty blindly as it is.
    Last edited by KamikazeKarrot; 12-26-2011 at 01:49 PM.

  2. #2
    If you can start in safe mode - un-install Avg, that may solve one problem.
    Can you run the Avg rescue Cd and let it scan and clean the Pc?

    If no - you may have a boot sector virus - download Kaspersky and burn to a Cd, Dvd, on a working Pc.
    http://www.howtogeek.com/howto/36403...r-infected-pc/

    It will create a list of infected files - do not delete any Exe file or anything in a Windows folder.
    Make a list of exe files and Windows folders - you may need to reinstall them with the Win7 Cd.

    AntiVirus Rescue Cds.
    http://www.techmixer.com/free-bootab...download-list/


    Other free Anti-virus programs.
    http://www.avast.com/free-antivirus-download
    http://www.avira.com/en/avira-free-antivirus
    Last edited by S Templar; 12-26-2011 at 03:19 PM.

  3. #3
    Leave the Avg rescue Cd suggestion alone for the moment please.

    Please post the MBA-M log and also do the following:

    Download DDS by sUBs and save it to your Desktop.
    http://www.bleepingcomputer.com/download/anti-virus/dds
    Be sure to follow the instructions below carefully.
    If your AV has a script blocker, please disable it
    DoubleClick on dds.scr to run the tool
    * A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
    * Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).
    Copy&Paste both the DDS.txt and the DDS Attach.txt into your post for assistance.
    Notice I say copy/paste BOTH logs. The Attach.txt log says at the top to attach it; please do not attach it but copy/paste it also.
    Both of these logs are very long and because of that will take multiple replies in order to post them here. Please split the logs carefully as each and every line must be seen.

  4. #4
    I can't post the MBAM log or run the DDS scan. I can't get the HDD to boot at all, Safe Mode or otherwise. I can boot from the AVG rescue disc, though. I'm pretty sure if I can disable the AVG files like their website says to, I can get it to boot and carry out those steps. But that's just a somewhat informed guess.

  5. #5
    When exactly do you receive this STOP: c0000135 error? Has the computer been completely shut down, not restarted but powered off entirely and then restarted with the power button?
    An anti-virus program is likely not the reason this error would occur; below are the most likely reasons:
    1. An outdated or misbehaving device driver.
    2. Computer virus.
    3. A corrupted program.
    4. A problem with your computer's memory.
    5. Hard disk or motherboard is corrupted.

    Exactly HOW are you trying to start in safe mode? When exactly do you receive this error code?

  6. #6
    I have to power the computer down completely to restart it. I turned off automatic restarts when the system crashes to see what the brief flash of error message is, and I don't know how to switch it back on. I turn on the computer, the Dell screen comes up, I hit F8 after it disappears, and from the long list of choices I pick Safe Mode. It starts Loading Windows Files, the list of files builds up, it gets to \Windows\system32\DRIVERS\CLASSPNP.sys, nothing happens for a moment, then I get the STOP: c0000135 message.

    I figured out how to use the AVG Rescue Disc as indicated but to no avail. Same problem.

  7. #7
    Have you tried all of the options covered in this link?
    http://windows.microsoft.com/en-US/w...s-in-Windows-7

  8. #8
    After the Dell screen, if I don't do anything, I get a screen that allows me to run the Startup Repair Tool or Start Windows Normally. I've tried the Startup Repair Tool a few times. It says it might take a few minutes, but tends to (apparently) do nothing for far longer. System Restore is offered almost immediately as an option in the Startup Repair Tool. It worked once, but I'm not sure how. It went back to the Startup Repair Tool "this might take a few minutes" screen and stayed there until I restarted. When I did, the system had restored to three hours earlier. I can't seem to get it to work again. I haven't made any Images or run a Memory Diagnostic.

    I'll burn the CD, try everything from there, and get back to you.

  9. #9
    I'm letting the CD do its work, but it's basically the same issue as before. It automatically goes to Startup Repair and asks me if I want to System Restore. Then it sits there for a while. It's pushing a half hour on the same screen right now, but I'm going to let it go until further notice.

    Here's the screen in question. It was sent from my phone and attached from an uninfected computer, so no worries on the attachment.
    [Attached image: StartupRepair.jpg]

  10. #10
    Alright, the Startup Repair finished. It said "Startup Repair cannot repair this computer automatically". The problem details were as follows:

    Problem signature:
    - Problem Event Name: StartupRepairOffline
    - Problem Signature 01: 6.1.7600.16385
    - Problem Signature 02: 6.1.7600.16385
    - Problem Signature 03: unknown
    - Problem Signature 04: 195
    - Problem Signature 05: ExternalMedia
    - Problem Signature 06: 1
    - Problem Signature 07: NoRootCause
    - OS Version: 6.1.7600.2.0.0.256.1
    - Locale ID: 1033

    Here are the diagnosis and repair details:

    Startup Repair diagnosis and repair log
    -----------------------------
    Last successful boot time: 12/26/2011 2:58:38 AM (GMT)
    Number of repair attempts: 1

    Session details:
    -----------------------------
    System Disk = \Device\Harddisk0
    Windows directory = D:\Windows
    AutoChk Run = 0
    Number of root causes = 1

    Test Performed:
    -----------------------------
    Name: Check for updates
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    -----------------------------
    Name: System disk test
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    -----------------------------
    Name: Disk failure diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 172 ms

    Test Performed:
    -----------------------------
    Name: Disk metadata test
    Result: Completed successfully. Error code = 0x0
    Time taken = 62 ms

    Test Performed:
    -----------------------------
    Name: Target OS test
    Result: Completed successfully. Error code = 0x0
    Time taken = 172 ms

    Test Performed:
    -----------------------------
    Name: Volume content check
    Result: Completed successfully. Error code = 0x0
    Time taken = 218 ms

    Test Performed:
    -----------------------------
    Name: Boot manager diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 62 ms

    Test Performed:
    -----------------------------
    Name: System boot log diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    -----------------------------
    Name: Event log diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 125 ms

    Test Performed:
    -----------------------------
    Name: Internal state check
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    -----------------------------
    Name: Boot status test
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    -----------------------------
    Name: Setup state check
    Result: Completed successfully. Error code = 0x0
    Time taken = 531 ms

    Test Performed:
    -----------------------------
    Name: Registry hives check
    Result: Completed successfully. Error code = 0x0
    Time taken = 3463 ms

    Test Performed:
    -----------------------------
    Name: Windows boot log diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    -----------------------------
    Name: Bugcheck analysis
    Result: Completed successfully. Error code = 0x0
    Time taken = 1154 ms

    Test Performed:
    -----------------------------
    Name: Access control test
    Result: Completed successfully. Error code = 0x0
    Time taken = 12745 ms

    Test Performed:
    -----------------------------
    Name: File system test (chkdsk)
    Result: Completed successfully. Error code = 0x0
    Time taken = 16 ms

    Test Performed:
    -----------------------------
    Name: Software installation log diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Test Performed:
    -----------------------------
    Name: Fallback diagnosis
    Result: Completed successfully. Error code = 0x0
    Time taken = 0 ms

    Root cause found:
    -----------------------------
    Unspecified changes to system configuration might have caused the problem.

    Repair action: System Restore
    Result: Failed. Error code = 0x1f
    Time taken = 2477374 ms

    Repair action: System files integrity check and repair
    Result: Failed. Error code = 0x490
    Time taken = 886804 ms

    -----------------------------
    -----------------------------

    I hit Finish and can now choose a recovery tool from the list. I'm going to run a Windows Memory Diagnostic and post when that's finished.
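A Startup Repair log like the one above is long and almost entirely "Completed successfully"; what matters is the root-cause line and which repair actions failed, with what error code and how long they ran. This added Python helper (written for this thread, not a tool from the forum or from Microsoft) parses that log format, labels the two error codes seen above with their standard Win32 names, and reports the failed actions. The embedded sample is a constructed excerpt in the same layout as the posted log.

```python
import re

# Constructed excerpt in the format of the Windows 7 Startup Repair log quoted above.
SAMPLE_LOG = """\
Test Performed:
-----------------------------
Name: Registry hives check
Result: Completed successfully. Error code = 0x0
Time taken = 3463 ms

Root cause found:
-----------------------------
Unspecified changes to system configuration might have caused the problem.

Repair action: System Restore
Result: Failed. Error code = 0x1f
Time taken = 2477374 ms

Repair action: System files integrity check and repair
Result: Failed. Error code = 0x490
Time taken = 886804 ms
"""

# Standard Win32 system error codes behind the hex values the repair actions print.
WIN32_ERRORS = {0x1F: "ERROR_GEN_FAILURE", 0x490: "ERROR_NOT_FOUND"}

# One entry is either a "Test Performed:" block (header, dashes, "Name:") or a "Repair action:".
ENTRY_RE = re.compile(
    r"^(?P<kind>Test Performed:\n-+\nName|Repair action): (?P<name>.+)\n"
    r"Result: (?P<result>.+?)\. Error code = (?P<code>0x[0-9A-Fa-f]+)\n"
    r"Time taken = (?P<ms>\d+) ms",
    re.MULTILINE,
)

def parse_entries(text):
    """Return a list of dicts: kind ('test'/'repair'), name, ok, code (int), ms (int)."""
    return [{"kind": "test" if m["kind"].startswith("Test") else "repair",
             "name": m["name"].strip(), "ok": m["result"].startswith("Completed"),
             "code": int(m["code"], 16), "ms": int(m["ms"])}
            for m in ENTRY_RE.finditer(text)]

def failed_repairs(text):
    """(action, error name or raw hex, minutes spent) for every repair action that did not succeed."""
    return [(e["name"], WIN32_ERRORS.get(e["code"], hex(e["code"])), round(e["ms"] / 60000, 1))
            for e in parse_entries(text) if e["kind"] == "repair" and not e["ok"]]

def root_cause(text):
    m = re.search(r"^Root cause found:\n-+\n(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None
```

Run against the full posted log, the output shows that every diagnostic test passed while both repair actions failed: System Restore after about 41 minutes with a generic failure, and the system-file integrity repair after about 15 minutes with a not-found error, which matches the poster's experience of Startup Repair sitting on one screen for a long time before giving up.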
