Pup.Bitminer successfully removed 2/06/2012


4 replies to this topic

#1 bdstx4 (Members, 4 posts)

Posted 08 February 2012 - 04:13 PM

I have successfully and permanently removed PUP.BITMINER on 2/06/2012.

I discovered it on a computer back in early December. The latest Malwarebytes would remove everything, but PUP.BITMINER kept coming back the next time I rebooted and then opened a browser, even with the latest Malwarebytes. Things like Kaspersky TDSS and Norton Power Eraser detected nothing.

The Pup.Bitminer file Malwarebytes kept detecting coming back was C:\Windows\assembly\temp\kwrd.dll. So after a pass of Malwarebytes removing this, without rebooting, I installed Webroot SecureAnywhere Complete. It is a cloud-based scanner. It detected 2 files and a registry key within a few seconds.

2 files removed:
c:\windows\system32\config\systemprofile\appdata\local\hretywa.dll
c:\windows\system32\consrv.dll

1 registry key deleted:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hretywa\DllName

Here is the actual Webroot log:
Automated Cleanup Engine

Starting Routine> Removing c:\windows\system32\config\systemprofile\appdata\local\hretywa.dll...#(PX5: E276E87A0024F0C72CC800589ABB6A00C8275DB8 - MD5: 35B12F2AE9857CE6B6627AA0076A57D3)...
Deleting File> c:\windows\system32\config\systemprofile\appdata\local\hretywa.dll
Writing Registry Value> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hretywa - DllName
Deleting Registry Value> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hretywa - DllName
Starting Routine> Removing c:\windows\system32\consrv.dll...#(PX5: AFCDF21700FAD2B9D4A900653170EF001BC071B9 - MD5: 63E99B675A1337DB6D8430195EA3EFD2)...
Deleting File> c:\windows\system32\consrv.dll

Webroot did not give a name to the infection, just the info above with MD5 sums. Webroot tech support told me they do not always give names to infections but use the MD5 sums for identifying infections. Pup.Bitminer has been gone now for 2 days with heavy internet use by this computer.

I am not specifically endorsing Webroot software. It has worked in this case for me.

Heads up: if you try the Webroot SecureAnywhere product, it installs a toolbar in your browsers that by default disables your browsers' capability to remember passwords. The Webroot software has no problem with Malwarebytes being installed or running.

Respectfully,
bdstx4

Edited by Budapest, 09 February 2012 - 05:17 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest
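As an added example (not code from the original post, from Webroot or from Malwarebytes), this is the check a practitioner would run on the live machine after a cleanup like the one above: enumerate every Winlogon\Notify DllName registration on the box, resolve each to a file, and hash the files the thread names against the two MD5s quoted in the Webroot log. It assumes PowerShell 4 or later (for Get-FileHash) running as Administrator; the paths and hashes are the ones from the post, and the WOW6432Node view is an assumption that is only read if the key exists.

```powershell
# Added triage script; not from the original post, Webroot or Malwarebytes.
# Assumes: PowerShell 4+, run as Administrator. Hashes below are the MD5s quoted in the Webroot log.
$knownBadMd5 = @{
    '35B12F2AE9857CE6B6627AA0076A57D3' = 'hretywa.dll (Webroot log)'
    '63E99B675A1337DB6D8430195EA3EFD2' = 'consrv.dll (Webroot log)'
}

# Files the thread names: kwrd.dll is what Malwarebytes flagged; the other two are what Webroot removed.
$suspectPaths = @(
    "$env:SystemRoot\assembly\temp\kwrd.dll",
    "$env:SystemRoot\System32\config\systemprofile\AppData\Local\hretywa.dll",
    "$env:SystemRoot\System32\consrv.dll"
)

function Get-WinlogonNotifyDlls {
    # winlogon.exe loads the DLL named in each Notify\<subkey>\DllName at logon, which is
    # exactly why a DLL registered here comes back after every reboot.
    # The WOW6432Node path is an assumption; it is skipped if absent.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
            if (-not $dll) { return }
            # Bare names resolve from System32; expand any %SystemRoot%-style variables first.
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:SystemRoot\System32" $dll }
            [pscustomobject]@{ Key = $_.PSChildName; DllName = $dll; Root = $root }
        }
    }
}

function Test-SuspectFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Md5 = $null; Signed = $null; KnownBad = $null }
    }
    $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash   # uppercase hex, same as the hashtable keys
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path     = $Path
        Present  = $true
        Md5      = $md5
        Signed   = ($sig.Status -eq 'Valid')
        KnownBad = $knownBadMd5[$md5]   # $null when the hash is not one of the two from the log
    }
}

Write-Host '== Winlogon\Notify registrations =='
$notify = @(Get-WinlogonNotifyDlls)
if ($notify.Count -eq 0) {
    Write-Host 'No Notify registrations found.'
} else {
    $notify | Format-Table -AutoSize
    # Anything registered here that lives outside System32 deserves a closer look.
    $notify | Where-Object { $_.DllName -notlike "$env:SystemRoot\System32\*" } |
        ForEach-Object { Write-Warning "Notify DLL outside System32: $($_.Key) -> $($_.DllName)" }
}

Write-Host '== Files named in the thread, plus every registered Notify DLL =='
$allPaths = @($suspectPaths) + @($notify | Select-Object -ExpandProperty DllName)
$allPaths | Sort-Object -Unique | ForEach-Object { Test-SuspectFile -Path $_ } | Format-Table -AutoSize
```

A clean run only shows that these particular files and this particular registry value are gone; it does not tell you what put kwrd.dll back after each reboot, so the same pass is worth repeating against the Run keys, services and scheduled tasks before trusting the box. Support for Winlogon notification packages was removed in Windows Vista, so on a newer system any entry under Notify is suspicious on its own, not just one whose DLL is unsigned.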



#2 bdstx4 (Topic Starter)

Posted 08 February 2012 - 07:11 PM

I made this same forum post on Malwarebytes.org consumer forums. It appears to have been removed already from their forums.

I am not trying to sell anybody anything. I am just sharing information.

If any of my posts help you, that is what I intended. If you try something else, that is fine with me.
I was just trying to help.
bdstx4

#3 bdstx4 (Topic Starter)

Posted 08 February 2012 - 07:34 PM

For me, the proof that this malware is gone will be for the computer to stay in daily use, with heavy internet use, for another 7 days with lots of scans. Then I trust it to be gone.
Passing that, I will still end up low-level formatting the HDD with the HDD manufacturer's utility. That passing, I will reuse the HDD. Otherwise the HDD gets taken apart and becomes a cool paperweight.

I have been in IT since 1984. I do not trust anything.
bdstx4

#4 bdstx4 (Topic Starter)

Posted 17 February 2012 - 12:54 AM

Update 2/16/2012 - This Pup.Bitminer is definitely gone. I have been using the computer with the previously infected hard disk daily with heavy internet use. All scans are clear.

#5 quietman7 (Global Moderator, Bleepin' Janitor, 51,954 posts, Location: Virginia, USA)

Posted 17 February 2012 - 08:42 AM

Each security vendor uses their own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the threat without knowing more information about the actual file(s) involved. Names with Generic or Patched are a very broad category. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is. See Understanding virus names and Microsoft Malware Protection Center Naming Standards.

A Potentially Unwanted Program (PUP) is a very broad threat category which can include any number of different programs, including those which are benign as well as malicious. They may also be defined somewhat differently by various security vendors. PUP.BitMiner is often seen with Google search redirects, which is indicative of the ZeroAccess Rootkit or TDL4 botnet / TDL4 variants.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



