
Need help purging kwrd.dll malware (PUP.Bitminer) [Solved]


  • This topic is locked

#31
emeraldire
    Member
  • Topic Starter
  • 37 posts
OTL logfile created on: 1/5/2012 6:08:19 PM - Run
OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
64bit-Windows 7 Ultimate Service Pack 1 (Version = 6.1.7601) - Type = System
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 88.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 95.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files (x86)
Drive C: | 100.00 Mb Total Space | 74.12 Mb Free Space | 74.12% Space Free | Partition Type: NTFS
Drive D: | 446.93 Gb Total Space | 355.96 Gb Free Space | 79.64% Space Free | Partition Type: NTFS
Drive E: | 967.22 Mb Total Space | 753.94 Mb Free Space | 77.95% Space Free | Partition Type: FAT
Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: REATOGO | User Name: SYSTEM
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days
Using ControlSet: ControlSet001

========== Custom Scans ==========


< D:\_OTL\MovedFiles\01042012_002435\D_Windows\*.* /s >
< End of report >
  • 0


#32
michaelg9
    Trusted Helper
  • Malware Removal
  • 2,949 posts
Hello

That didn't work, try this instead:

Open OTL as before.
Press the None button
Paste this under Custom Scans\Fixes:

D:\_OTL\MovedFiles\*.* /s


Press Run Scan
Post the log here
  • 0

#33
emeraldire
    Member
  • Topic Starter
  • 37 posts
The log file is too large to post, I get the message:

!Your Post was too long. Please go back and shorten it a little.


I tried posting only 1/2 of the log, and still got the error message on this site. The file size is (1.3 Mb in size) and I cannot find a zip utility that is working with this virtual OS.

I know you said put everything in one post, but that is not possible with this large log. For this reason, this post contains Part 1 of 2 of the OTL log as an attachment. My next post will contain part 2 of 2 of the OTL log as an attachment. Sorry for any confusion.

Attached Files


  • 0

#34
emeraldire
    Member
  • Topic Starter
  • 37 posts
Part 2 of 2 OTL Log:

Attached Files


  • 0

#35
michaelg9
    Trusted Helper
  • Malware Removal
  • 2,949 posts
Hello
Thanks! That was what I was searching for. I'll need to ask some colleagues of mine to see how we will fix this, so stay tuned.

I know you said put everything in one post, but that is not possible with this large log. For this reason, this post contains Part 1 of 2 of the OTL log as an attachment. My next post will contain part 2 of 2 of the OTL log as an attachment. Sorry for any confusion.

There is no problem with that. What I wanted from you is to post all the logs in one go, because when I see some logs posted before some time, I may think you finished the steps and are waiting for more instructions :thumbsup:

Edited by michaelg9, 06 January 2012 - 06:14 AM.

  • 0

#36
emeraldire
    Member
  • Topic Starter
  • 37 posts
Please let me know whether you think we can get my machine back in a pre-crash state before tonight/tomorrow morning, as I need to plan whether to work Sat from my office (special request) or can work remotely Sat afternoon from this PC. I need to let people know at work if I plan to be there over the weekend.

This may not be possible to determine, but I at least wanted to check. Thank you again for all of your help!
Em
  • 0

#37
michaelg9
    Trusted Helper
  • Malware Removal
  • 2,949 posts
Hello

I have posted for some suggestions on this issue, normally it doesn't take long to receive an answer.

Start OTLPE as you did before.
Open OTL
Paste this under custom scans/fixes.

:Files
xcopy D:\_OTL\MovedFiles\01042012_002435\C_Windows\system64 D:\windows\system32 /H /S /I /c

Note: D: represents your windows drive. If it's not D:, change the bold parts of this to the windows letter only:

:Files
xcopy [windowsdrive]:\_OTL\MovedFiles\01042012_002435\C_Windows\system64 [windowsdrive]:\windows\system32 /H /S /I /c

Press Run Fix
A black window will open for some time, don't touch anything. It won't take more than 5-10 mins
After it finishes, it will produce a fix log. Post it here


If we don't make the computer bootable until tonight, as you want the computer tomorrow, we will perform a repair install instead of a clean install. That will re-install just the operating system, your files will not be deleted.
You have the Windows CD/DVD, right?
  • 0
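Added example, not from this thread or from OTL: a small Python restore planner that does what the xcopy /H /S /I fix above does for the quarantine layout shown (MovedFiles\<timestamp>\C_Windows\system64 back into Windows\system32), but first lists any collisions with files already present at the destination and, by default, leaves those alone. The folder and file names built by demo() are constructed sample data in a temporary directory, not paths from the poster's machine.

```python
import shutil
import tempfile
from pathlib import Path

def plan_restore(quarantine: Path, destination: Path):
    """Map each file under the OTL quarantine folder to its restore path.
    Status is 'restore' when nothing is at dst yet, 'collision' when a file
    already exists there and the copy would overwrite it."""
    plan = []
    for src in sorted(p for p in quarantine.rglob("*") if p.is_file()):
        dst = destination / src.relative_to(quarantine)
        plan.append((src, dst, "collision" if dst.exists() else "restore"))
    return plan


def apply_restore(plan, overwrite=False):
    """Copy the planned files back; collisions are skipped unless overwrite=True."""
    copied = 0
    for src, dst, status in plan:
        if status == "collision" and not overwrite:
            continue
        dst.parent.mkdir(parents=True, exist_ok=True)  # create dirs, like xcopy /I
        shutil.copy2(src, dst)                          # keep timestamps/attributes
        copied += 1
    return copied


def demo():
    """Constructed sample: quarantine layout from the thread plus one file that
    already exists in system32, so one collision shows up in the plan."""
    root = Path(tempfile.mkdtemp())
    quarantine = root / "_OTL" / "MovedFiles" / "01042012_002435" / "C_Windows" / "system64"
    system32 = root / "Windows" / "system32"
    for rel in ("sample.dll", "drivers/sample.sys", "en-US/sample.dll.mui"):
        f = quarantine / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("quarantined " + rel)
    system32.mkdir(parents=True)
    (system32 / "sample.dll").write_text("already present")  # forces a collision
    plan = plan_restore(quarantine, system32)
    copied = apply_restore(plan)  # default never clobbers an existing file
    summary = {
        "planned": len(plan),
        "collisions": sum(1 for _, _, s in plan if s == "collision"),
        "copied": copied,
        "driver_restored": (system32 / "drivers" / "sample.sys").exists(),
        "existing_kept": (system32 / "sample.dll").read_text() == "already present",
    }
    shutil.rmtree(root)
    return summary
```

Run plan_restore() on the real quarantine and destination first and review the 'collision' entries before calling apply_restore(plan, overwrite=True).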

#38
emeraldire
    Member
  • Topic Starter
  • 37 posts
Thank you for the update. I will run the scans when I get off for lunch in ~1.5 - 2hrs.

I do not have the Windows disks. Can we just re-apply the registry from the Combofix run a couple of days ago? Or perhaps do a system restore based on my much earlier Nov 2011 restore point (not sure if this is accessible).

Edited by emeraldire, 06 January 2012 - 09:34 AM.

  • 0

#39
michaelg9
    Trusted Helper
  • Malware Removal
  • 2,949 posts
The registry isn't the problem. Folders were moved from the system32 folder, but with the command above they will go back and hopefully the computer will boot.
  • 0

#40
emeraldire
    Member
  • Topic Starter
  • 37 posts
I ran OTL again but did NOT press NONE button again since you did not say to do so.
Log immediately comes back as the following:

Error: Unable to interpret <xcopy D:\_OTL\MovedFiles\01042012_002435\C_Windows\system64 D:\windows\system32 /H /S /I /c> in the current context!

OTLPE by OldTimer - Version 3.1.48.0 log created on 01062012_113755


Hopefully this is just a syntax issue?

Edited by emeraldire, 06 January 2012 - 12:01 PM.

  • 0


#41
michaelg9
    Trusted Helper
  • Malware Removal
  • 2,949 posts
Hello

2 things:

That wasn't a scan. You must press the Run Fix button. Did you do that?
Did you copy the :Files line above the command in OTL?
  • 0

#42
emeraldire
    Member
  • Topic Starter
  • 37 posts
Sorry, missed the Files: at the top :blush:

Attached is the resulting log file (too long to post). It ran for maybe 10 sec before completing:

Attached File  01062012_121511.log   932.99KB   50 downloads
  • 0

#43
michaelg9
    Trusted Helper
  • Malware Removal
  • 2,949 posts
Nice. Can the computer now boot???
  • 0

#44
emeraldire
    Member
  • Topic Starter
  • 37 posts
I will check now and post the result, thanks! I was waiting to make sure there was nothing else to do before trying :)
  • 0

#45
emeraldire
    Member
  • Topic Starter
  • 37 posts
Slow to start again, Avast! service failing to start, but back in business!! Thank you!!!! I have to return to work now, will be back later in the evening (~6-7pm CST)
  • 0





