BleepingComputer.com: Pup.Bitminer successfully removed 2/06/2012

Pup.Bitminer successfully removed 2/06/2012

#1 bdstx4

Posted 08 February 2012 - 04:13 PM

I have successfully permanently removed PUP.BITMINER on 2/06/2012.

I discovered it on a computer back in early December. The latest Malwarebytes would remove everything, but PUP.BITMINER kept coming back the next time I rebooted and then opened a browser, even with the latest Malwarebytes. Things like Kaspersky TDSS and Norton Power Eraser detected nothing.

The Pup.Bitminer file Malwarebytes kept detecting coming back was C:\Windows\assembly\temp\kwrd.dll. So after a pass of Malwarebytes removing this without rebooting, I installed Webroot SecureAnywhere Complete. It is a cloud-based scanner. It detected 2 files and a registry key within a few seconds.

2 Files Removed-
c:\windows\system32\config\systemprofile\appdata\local\hretywa.dll
c:\windows\system32\consrv.dll

1 Registry Key Deleted-
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hretywa\DllName

Here is the actual webroot log-
Automated Cleanup Engine

Starting Routine> Removing c:\windows\system32\config\systemprofile\appdata\local\hretywa.dll...#(PX5: E276E87A0024F0C72CC800589ABB6A00C8275DB8 - MD5: 35B12F2AE9857CE6B6627AA0076A57D3)...
Deleting File> c:\windows\system32\config\systemprofile\appdata\local\hretywa.dll
Writing Registry Value> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hretywa - DllName
Deleting Registry Value> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hretywa - DllName
Starting Routine> Removing c:\windows\system32\consrv.dll...#(PX5: AFCDF21700FAD2B9D4A900653170EF001BC071B9 - MD5: 63E99B675A1337DB6D8430195EA3EFD2)...
Deleting File> c:\windows\system32\consrv.dll

Webroot did not give a name to the infection, just the info above with MD5 sums. Webroot tech support told me they do not always give names to infections but use the MD5 sums for identifying infections. Pup.Bitminer has been gone now for 2 days with heavy internet use by this computer.

I am not specifically endorsing Webroot software. It has worked in this case for me.

Heads Up: If you try the Webroot SecureAnywhere product, it installs a toolbar in your browsers that by default disables your browser's capability to remember passwords. The Webroot software has no problem with Malwarebytes being installed or running.

Respectfully,
bdstx4

This post has been edited by Budapest: 09 February 2012 - 05:17 PM
Reason for edit: Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest
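A parser for the Webroot Automated Cleanup Engine log format quoted in the post above, added here as an example (it is not code from the original post or from Webroot). It groups each "Starting Routine>" line with the actions that follow it and pulls out the file MD5 sums and the deleted registry value, which is the Winlogon Notify persistence point a defender would want to audit on other machines. The sample input is the log text from the post; PX5 is treated as an opaque Webroot identifier, not as a standard digest.

```python
import re
from dataclasses import dataclass, field

# Sample input: the Webroot cleanup log quoted in the post above (raw string, so
# the Windows paths need no escaping).
SAMPLE_LOG = r"""Automated Cleanup Engine

Starting Routine> Removing c:\windows\system32\config\systemprofile\appdata\local\hretywa.dll...#(PX5: E276E87A0024F0C72CC800589ABB6A00C8275DB8 - MD5: 35B12F2AE9857CE6B6627AA0076A57D3)...
Deleting File> c:\windows\system32\config\systemprofile\appdata\local\hretywa.dll
Writing Registry Value> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hretywa - DllName
Deleting Registry Value> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hretywa - DllName
Starting Routine> Removing c:\windows\system32\consrv.dll...#(PX5: AFCDF21700FAD2B9D4A900653170EF001BC071B9 - MD5: 63E99B675A1337DB6D8430195EA3EFD2)...
Deleting File> c:\windows\system32\consrv.dll
"""

# A routine line names the file being removed plus two hashes. PX5 is Webroot's
# own 40-hex identifier (assumed opaque here); MD5 is a standard digest.
ROUTINE_RE = re.compile(r"^Starting Routine> Removing (?P<path>.+?)\.\.\.#\(PX5: (?P<px5>[0-9A-Fa-f]{40}) - MD5: (?P<md5>[0-9A-Fa-f]{32})\)")
# Action lines follow, and belong to, the most recent routine line.
ACTION_RE = re.compile(r"^(?P<action>Deleting File|Writing Registry Value|Deleting Registry Value)> (?P<target>.+)$")

@dataclass
class Routine:
    path: str
    px5: str
    md5: str
    actions: list = field(default_factory=list)  # (action, target) pairs

def parse_cleanup_log(text):
    """Group each 'Starting Routine>' line with the action lines after it."""
    routines = []
    for line in text.splitlines():
        m = ROUTINE_RE.match(line)
        if m:
            routines.append(Routine(m["path"].lower(), m["px5"].upper(), m["md5"].upper()))
            continue
        m = ACTION_RE.match(line)
        if m and routines:
            routines[-1].actions.append((m["action"], m["target"]))
    return routines

def file_hashes(routines):
    """Path -> MD5 map, ready for a hash blocklist or a retro-hunt over other hosts."""
    return {r.path: r.md5 for r in routines}

def persistence_values(routines):
    """Registry values the engine deleted: the persistence entries to check elsewhere."""
    return sorted({t for r in routines for a, t in r.actions if a == "Deleting Registry Value"})
```

The deleted value lives under Winlogon\Notify, the same key the post lists above, so checking that key for DllName entries pointing at unexpected DLLs is the natural follow-up on other machines.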


#2 bdstx4

Posted 08 February 2012 - 07:11 PM

I made this same forum post on Malwarebytes.org consumer forums. It appears to have been removed already from their forums.

I am not trying to sell anybody anything. I am just sharing information.

If any of my posts help you, that is what I intended. If you try something else, that is fine with me. I was just trying to help.
bdstx4

#3 bdstx4

Posted 08 February 2012 - 07:34 PM

For me, the proof that this malware is gone will be for the computer to stay in daily use, heavy internet use, for another 7 days with lots of scans. Then I trust it to be gone.
Passing that, I will still end up low-level formatting the HDD with the HDD manufacturer's utility. That passing, I will reuse the HDD. Otherwise the HDD gets taken apart and becomes a cool paperweight.

I have been in IT since 1984. I do not trust anything.
bdstx4

#4 bdstx4

Posted 17 February 2012 - 12:54 AM

Update 2/16/2012 - This Pup.Bitminer is definitely gone. I have been using the computer with the previously infected hard disk daily with heavy internet use. All scans are clear.

#5 quietman7 (Global Moderator)

Posted 17 February 2012 - 08:42 AM

Each security vendor uses their own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the threat without knowing more information about the actual file(s) involved. Names with Generic or Patched are a very broad category. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is. See Understanding virus names and Microsoft Malware Protection Center Naming Standards.

A Potentially Unwanted Program (PUP) is a very broad threat category which can include any number of different programs, including those which are benign as well as malicious. They may also be defined somewhat differently by various security vendors.
PUP.BitMiner is often seen with Google search redirects, which is indicative of the ZeroAccess Rootkit or TDL4 botnet / TDL4 variants.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
