LordWarbo

Pup.BitMiner infection

14 posts in this topic

Hello,

I seem to be yet another user infected by Pup.BitMiner. Malware keeps finding it and removing but it is still on my computer.

I also seem to be infected by the google search virus (not sure if it's the same thing or different)

I see it is often located in c:windows/assembly/temp yet whenever I got to windows/assembly there is no temp file available.

Also having a little trouble finding c: documents and settings on my Windows 7 computer and the area where you can look up Hotkeys

Any assistance is appreciated.

I am fairly good with computers but this virus is just plain nasty!

Thanks!

-LordWarbo

Share this post


Link to post
Share on other sites

Just so you know. PUP. Means potentially unwanted program. Its not a virus. Can you please post the scan log please. This may be a false positive.

Share this post


Link to post
Share on other sites

Hi Shadowwar,

I have posted three scan logs below from various times today. The first shows the BitMiner program, the second shows some other type of .exe file. The third is the most recent scan which could not find anything.

Before the 3rd scan, I was able to delete the PING.EXE file showing in my task manager that many other websites/forums I had researched claimed was related to the PUP.BitMiner issue.

I also downloaded and ran ComboFix (another suggestion by many sites/forums). Unfortunately, after ComboFix ran and restarted my computer for me, my computer screen was black for about an entire hour.

I manually restarted and ComboFix was not able to run a complete log for me.

Here are the 3 scan logs: (let me know if I have provided them correctly)

Scan log at 1pm today:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8367

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

12/18/2011 1:10:16 PM

mbam-log-2011-12-18 (13-10-16).txt

Scan type: Full scan (C:\|D:\|)

Objects scanned: 313676

Time elapsed: 26 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Windows\assembly\temp\kwrd.dll (PUP.BitMiner) -> Quarantined and deleted successfully.

>>>>>>>>>

Scan log at 2:41 today

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8367

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

12/18/2011 2:41:36 PM

mbam-log-2011-12-18 (14-41-36).txt

Scan type: Full scan (C:\|)

Objects scanned: 314416

Time elapsed: 20 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\Warbo\downloads\uSeRiNiT.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

>>>>>>>>>>>

Scan log at 7pm today

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

12/18/2011 6:57:57 PM

mbam-log-2011-12-18 (18-57-57).txt

Scan type: Full scan (C:\|)

Objects scanned: 296841

Time elapsed: 20 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Share this post


Link to post
Share on other sites

Is this file still in quaritine?

c:\Windows\assembly\temp\kwrd.dll

I would like to take a look at it if possible.

Share this post


Link to post
Share on other sites

Yes, the file is still in quarantine. Is there a way for you to view it besides remotely?

I have a number of files in quarantine from when the issues first started on 12/14.

I received the usual spam popups pretending to be windows virus protection software.

Malware found most of it and killed them.

Share this post


Link to post
Share on other sites

You can go into quaritine and select only that file. The run entry should be with it so as long as you dont restore that it wont run anymore.

Then please zip the file. It will be located here:

c:\Windows\assembly\temp\kwrd.dll

Then please start a new post in the false positives forum here and attach that file please.

http://forums.malwarebytes.org/index.php?showforum=42

After you zip and everything you can right click scan the file and remove it. it will go back to quarintine.

I would like to check this isnt a false positive. If it is you may have to restore if from quarintine.

Share this post


Link to post
Share on other sites

Unfortunately, I cannot seem to find this file when I go into the Windows\assembly folder.

There are a few hundred Assembly Names but no folders or files that have "temp" in the name

Share this post


Link to post
Share on other sites

I have a suspicion this file was part of the zeroaccess rootkit that was bundled with the fake av. Which would explain why its not removed as the rootkit reinstalls the file after reboot after mbam removed it.

Ok thanks for trying!

Were you helped somewhere to remove this infection?

Share this post


Link to post
Share on other sites

I believe somehow I fixed it through a variety of MalwareBytes scans, deleting the PING.EXE file in TaskManager and running ComboFix (although I am not really sure

if I ran it right). Most of this help I got from looking at other similar topics in Malware Forums and 1 or 2 other websites I researched.

My computer appears to be working fine for now with no random google search pop ups in IE or FF that I was getting most of yesterday.

I really appreciate your time in responding to my topic and educating me.

Share this post


Link to post
Share on other sites

i have same exact problem (pup.bitminer) and even combofix could not clean it..

so what should i do now? and im sorry if i had to start a new topic

Share this post


Link to post
Share on other sites

i have same exact problem (pup.bitminer) and even combofix could not clean it..

so what should i do now? and im sorry if i had to start a new topic

Hello kmerdal and welcome to Malwarebytes

You should follow the instructions below....

If you think you are infected, here are the steps needed to get your computer cleaned....

Please read the following so that you can begin the cleaning process:

Don't use any temporary file cleaners unless requested - this can cause data loss and make recovery difficult

You have 3 Options that you can choose from as listed below:


  • Option 1 —— Free Expert advice in the Malware Removal Forum
  • Option 2 —— Paying customer -- Contact Support via email
  • Option 3 —— Premium, Fee-Based Support

OPTION 1

As we don't deal with malware removal in the
General Malwarebytes' Anti-Malware Forum
, you need to start a topic in the

Malware Removal forum
so a qualified helper can help you fix any malware related problems/infections you may have.


  • Please read and follow the
    , skipping any steps you are unable to complete.

  • After posting your new post, make sure under
    options
    , you select
    Track this topic
    and choose
    Immediate Email Notification
    ,

    so that you're alerted when someone has replied to your post.

NOTE:
Please do not post back to (bump) your topic within the first 48 hours.

Replying to your own posts changes the post count and helpers are looking for topics with zero replies.

If you reply to your own post helpers may think that you're already being helped and thus overlook your post.

    • If there is no reply from any experts after 48 hours, you can reply to the topic, asking for help again.

      Or

    • You may send a Private Message to a Moderator asking for assistance.


OPTION 2

Alternatively, as a paying customer, you can contact the help desk at
or
.

OPTION 3

If you would like to use our
Malwarebytes Premium Services
, Comprehensive solutions to all your computer support needs—from installation and set-up to troubleshooting and tune-ups go to our
support site.

Please be patient, someone will assist you as soon as possible.

PS: Please use the "Add Reply" Add-Reply.png button not the Reply button when you start replying.

Share this post


Link to post
Share on other sites

"patience" is my middle name :P thank you for your assistance ;)

Your quite welcome....

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.