TechSpot

Firefox redirects / Pup.bitminer/kwrd.dll virus found

Inactive
By MW3Killer
Dec 27, 2011
  1. MW3Killer

    MW3Killer TS Rookie Topic Starter Posts: 37

    Hi Bobbye,

    Yes I understand now, thank you for making that clear on "redirects".

    I will be running the CFscript and post the log when finished.

    Thanks for being patient with me.

    MW3
     
  2. MW3Killer

    MW3Killer TS Rookie Topic Starter Posts: 37

    Bobbye,

    That just killed all programs, it says "Firefox" has been set for deletion.

    I click on any icon and they have all been set for deletion.

    So I am doing a system restore as we speak!

    I am using my backup laptop as we speak.....

    It's restarting from system restore at the moment.

    MW3
     
  3. MW3Killer

    MW3Killer TS Rookie Topic Starter Posts: 37

    Bobbye,

    So I got everything back, only took a couple of minutes on the system restore.

    So what's next?

    MW3
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    System Restore undoes everything we have done. The logs are no longer valid.

    What are you referring to when you say "that"? The "KillAll" in the script has nothing to do with Firefox. Most of it was for entries for uTorrent and the Conduit Engine.

    Why didn't you let me know about this before you did the restore?
     
  5. MW3Killer

    MW3Killer TS Rookie Topic Starter Posts: 37

    If the Killall scripts have nothing to do with all programs, then why did "All" programs say they are set for "Deletion" and could be accessed????

    I also restored the system to the exact point before the script change.

    Here we are two to three days later asking questions about why didn't you tell me before a system restore!

    This is my work laptop; I can't stop business and do nothing, waiting around hoping you will reply ASAP, when I know that's not realistic with as many topics as you are handling.



    MW3
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You ran Combofix on your own, with no instructions or guidance:
    ComboFix 11-12-27.01 - BlackOps 12/27/2011 8:19.2.1 - x64
    It deleted c:\windows\system32\java.exe

    The system was full of uTorrent Toolbar and Conduit entries.

    Combofix was also run: ComboFix2.txt 2011-12-21 04:04


    The Eset log showed consrv.dll.vir for the Win64/Sirefef.E trojan, which shows that Combofix quarantined the entry at some point. The same entry also shows in a restore point.
    Currently there is still an active entry for the Win32/Olmarik.AVQ trojan. This same entry also appears in a restore point. This was removed in OTM.
    --------------------
    When you ran Combofix again (ComboFix 11-12-30.01 - BlackOps 12/30/2011 13:16:15.3.1 - x64), it deleted some entries associated with the Win32/Olmarik.AVQ trojan.

    I then set up a script to remove the uTorrent and Conduit entries; however, I did not ask you to uninstall either one, but I cautioned you about both.

    I referred you to a site to set the Services configurations as you are erroring out of many, apparently because they are not set correctly.

    You ran Combofix again. It shows run from the script. It does not show any deletions.
    ComboFix 11-12-30.01 - BlackOps 01/02/2012 20:12:35.4.1 - x64
    But it appeared that you had not copied the script into Combofix, or that the entries I had set for removal of uTorrent and Conduit Engine had either not been included, or had not been removed.

    The KillAll switch was therefore used to try and remove these same processes. This switch does not remove programs or browsers; it only kills all non-essential running processes. It is often used when there is an abundance of processes related to file sharing or other undesirable running processes.
    ----------------------------------
    Since I wasn't sure you were describing a true redirect, I took time and attempted to clarify the difference between a malware redirect and the Firefox warning about preventing a 'redirect.'
    ----------------------------------
    I don't know why you are getting the message about programs being set for deletion. If the malware is still present, it could be one of the many false alerts or messages it gives. You did not give me a chance to explore that.
    --------------------------------
    As for this being your work computer: did you choose to ignore the IT for the office and, instead, decide to seek the free help in the forum, all provided by volunteers? That being the case, you need to understand that most of us do have another life and occasionally, such as during a holiday season, we try to reacquaint ourselves with that life and the people in it.

    If you want instant help trying to clean up your system, then you will need to either access the IT person at your work, or pay $300-$400 to the Geek Squad, who would most likely just reformat and reinstall the OS.
    ==========================================
    If you still have malware problems and want to continue, please describe your current malware related problems and I will instruct you in what to do.
    =========================================
    Time I spent with the above, about 30 min. Number of other members I could have been helping in that time, 4+/-
     
  7. MW3Killer

    MW3Killer TS Rookie Topic Starter Posts: 37

    Just to remind you, WE are past that! Did you forget???

    Is there a reason now you are grasping for things that have already passed?

    You advised me to do this (below quote) "AFTER" I ran the combofix! Did you forget???

    I know what it costs for an IT person; is there another reason you're bringing this up?

    Did you ever ask me before if I had an IT person for the company I worked for??

    I'm currently confused about the tactics you are taking!

    I am not upset, but it sounds like you are upset about answering questions!

    My Laptop works! and it will continue to work, because I do have training.

    Talk to me Bobbye! You okay??

    MW3

     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I do not use "tactics." You assumed the KillAll script killed all your programs and restored the system. I attempted to explain that was not the case.
    ============================================
    Please tell me what problems remain, if any, if you want to continue. If you would prefer not to continue, please advise.
     
  9. MW3Killer

    MW3Killer TS Rookie Topic Starter Posts: 37

    Okay I understand that :)
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let me know if you would like to continue. If yes, please give me a description of any remaining malware symptoms.
     