PUP.BitMiner help please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by NDAPUPR, Jan 3, 2012.

  1. NDAPUPR

    NDAPUPR Private E-2

    I am having problems with getting rid of PUP.BitMiner. I have read the "READ & RUN ME FIRST" and I will list what I have done and attach the necessary logs. Any help will be greatly appreciated. :)

    I first came here because I'm having browser redirect problems. So I followed that link first and followed each instruction step by step.

    I followed the house cleaning step and updated Java and uninstalled old versions.

    I followed the configuration and setup step. I have a 64 bit system. Windows 7.

    I did the work through for step 5

    Disk emulation software is currently disabled using Defogger.

    I have downloaded and run all the tools except RootRepeal, and disabled UAC.

    After this I am still having problems. Malwarebytes is still detecting PUP.BitMiner. Might take a few posts to attach all of the logs. Again, any help would be appreciated.

    Also, I got an error while running mgtool. I will attach a pic of the error.

    Another note, sometimes in my processes in my task manager there will be 4 or 5 instances of javaw.exe eating up a lot of memory.

    Not sure if this is needed info, but my C drive is two solid state drives in RAID 0.

    I've also run TDSSKiller and MBRCheck. I will have to attach these logs in my next post.
     

    Attached Files:

  2. NDAPUPR

    NDAPUPR Private E-2

    TDSSKiller and MBRCheck logs
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    What about ComboFix? We need this log.

    Hold down the Windows logo key and press the 'e' key at the same time to open up Windows Explorer. Navigate to the C:\MGtools folder. Locate the below registry patch files (one at a time), right click on each and select Run As Administrator, and allow these to be added to the registry if you get prompted:

    FixW7FW.reg
    FixW7BFE.reg

    Then reboot your PC and continue with the below after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:

    C:\MGlogs.zip
     
  4. NDAPUPR

    NDAPUPR Private E-2

    Oops sorry, I actually had combofix installed. I have attached the log below.

    As for the reg files, when I right click there isn't an option to run as administrator. Just "Merge". When I try to do that I get an error saying error accessing registry.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's do this a different way.


    Let's try running the Windows Registry Editor as Administrator and see what happens. Click Start and in the search box just type regedit; do not hit Enter. In the area above you should see a regedit.exe icon appear when it is found. Right click on it and select Run As Administrator.
    • Then in the Registry Editor click File, Import.
    • Navigate your way to the C:\MGtools folder and locate the fixW7BFE.reg key and select it.
    • Then click the Open button and allow this to be added into your registry.
    • Then do the same for the FixW7BFE.reg file.
    Tell me what happened exactly. Like do you get any error messages or do you get a success message? I expect you may get an error that indicates at least some of it worked but some part may have failed.

    After doing the above, make sure to get me the new MGlogs.zip file per the instructions.
     
  6. NDAPUPR

    NDAPUPR Private E-2

    I am getting the same error message. I took screen shots so you could see. I also attached the logs.

    I do thank you for taking the time to help me. I appreciate it very much.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually contrary to what the error messages say, some parts of the registry patches did work. We just have to get the other parts to work. This will require some ownership and permissions changes to a few registry keys. In my next post, I will give you instructions on how to do this.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please click Start, and type notepad into the search box.
    • You should see a notepad.exe icon appear in the Programs area of the Start Menu.
    • Click on the icon to run Notepad.
    • Copy the bold text below to Notepad. Save it as fixserv.reg to your Desktop. Be sure the "Save as" type is set to "All files". Once you have saved it, don't do anything else with it right now. Just move on to the next instructions.


    Now we will attempt to fix the permissions issue with various registry keys that is stopping some data from being imported and preventing the services from running.
    • Please click Start, and type regedit into the search box.
    • You should see a regedit.exe icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator.
    Now follow the below instructions for changing permissions for various registry keys using Regedit.
      • First navigate to the below registry key and have it selected
        • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Enum
      • Then right click on this key and select Permissions
      • Then on the Permissions for Enum form, click the Add button
      • In the Enter the object names to select box type Everyone and click the Check Names button which should cause the Everyone text to be approved and underlined
      • Then click the OK button which returns you to the Permissions for Enum form
      • Make sure you select Everyone from the upper list, and then in the Permissions form Everyone box, select Full Control and see if it allows you to click the Apply button.
      • Then click OK to close this Permissions for Enum form
      • Now repeat the above for the below keys ( one at a time )
        • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE
        • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE\0000
        • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC
        • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC\0000
      • Now on the Registry Editor menu, click File and select Import.
      • Navigate to the fixserv.reg file we saved to your Desktop and select it and click OK ( double clicking on the file should also auto select it to import )
      • Did it import without an error message?
        • If not, then stop and tell me
        • If yes, then continue.
    Reboot your PC and after reboot continue.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe (Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it; use right click and select Run As Administrator.)


    Now attach the below log:
    • C:\MGlogs.zip
     
  9. NDAPUPR

    NDAPUPR Private E-2

    I was able to change the permissions for

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE\Enum

    But these keys are not in my registry at all. I stopped here and did not import the file yet.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE\0000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC\0000
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then select the below key and take ownership of it for Everyone and also set permissions to Full for Everyone.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root

    If that works, then just continue on with all steps.
     
  11. NDAPUPR

    NDAPUPR Private E-2

    I get "Access is denied" when I try to do that
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run regedit.exe as administrator? And exactly when are you getting access denied?
     
  13. NDAPUPR

    NDAPUPR Private E-2

    I did run it as admin, and I get that error when I hit apply to add the permission.
     

    Attached Files:

    • reg.jpg
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did setting Ownership to Everyone work?
     
  15. NDAPUPR

    NDAPUPR Private E-2

    yes it did
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, then let's check a couple of things, because this means you are not the owner, so something is not getting set up correctly.
    • Please click Start, and type regedit into the search box.
    • You should see a regedit.exe icon appear in the Programs area of the Start Menu.
    • Right click on regedit.exe and select Run As Administrator.
    • Now navigate to the below key and right click on it and select Permissions
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    • Then click the Advanced button
    • The next form is the Advanced Security Settings for Root form. Click the Owner tab
    • Exactly what do you see in the Current owner: box
    • Also exactly what do you see in under/in the Change owner to: box.
     
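    As an added check (not part of this thread), the following PowerShell snippet answers the ownership and permission questions raised in the posts above from an elevated prompt instead of by screenshot: for each key named so far it reports whether the key exists, who the current owner is, and which accounts hold Full Control. It only reads the ACLs; the key paths are the ones listed in the thread, and changing them is still done in regedit as described.

```powershell
# Added example: read-only ownership/permission report for the registry keys
# discussed in this thread. Run from a PowerShell prompt started with
# "Run As Administrator"; nothing here changes the registry.
$KeysFromThread = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\BFE\Enum',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE\0000',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC\0000'
)

function Get-KeyOwnerReport {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $row = New-Object PSObject -Property @{
            Key = $p; Exists = $false; Owner = $null; FullControl = $null; Note = ''
        }
        if (-not (Test-Path -Path $p)) {
            # The "these keys are not in my registry" case above: the key is
            # either absent or not readable by this token (regedit hides both).
            $row.Note = 'missing or not readable'
            $row; continue
        }
        $row.Exists = $true
        try {
            $acl = Get-Acl -Path $p -ErrorAction Stop
        } catch {
            # Key is visible but its security descriptor cannot be read.
            $row.Note = "ACL read failed: $($_.Exception.Message)"
            $row; continue
        }
        $row.Owner = $acl.Owner   # e.g. BUILTIN\Administrators or MACHINE\User
        # Allow ACEs granting Full Control. Generic rights (GENERIC_ALL) show
        # up as the raw number 268435456 rather than the FullControl name.
        $row.FullControl = ($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and "$($_.RegistryRights)" -match 'FullControl|268435456' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique) -join ', '
        $row
    }
}

Get-KeyOwnerReport -Path $KeysFromThread |
    Format-Table Key, Exists, Owner, FullControl, Note -AutoSize -Wrap
```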
  17. NDAPUPR

    NDAPUPR Private E-2

    Please see screen shot
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Notice that what I requested earlier, to have Everyone as the owner, is not what happened as you told me. The owner is Administrators (Dan-PC\Administrators).

    Go back to the Advanced Security Settings for Root form and on the Owner tab select Dan (Dan-PC\Dan) and then click Apply and then OK.

    Now on the Permissions for Root form, select Owner. Then see if you can change to Full permissions for Owner without getting an error message.
     
    Last edited: Jan 6, 2012
  19. NDAPUPR

    NDAPUPR Private E-2


    I'm very sorry. I thought I was doing everything correctly. I apologize for the frustration.

    I was able to change the permissions and I imported fixserv.reg without any error. I restarted my comp and re-downloaded MGtools to my root folder and overwrote the previous one. I have attached the logs.
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay. I understand this is all unknown and possibly difficult for you to do.

    That's looking better but we still have more registry entries to get fixed now.

    Click Start and in the search box just type regedit; do not hit Enter. In the area above you should see a regedit.exe icon appear when it is found. Right click on it and select Run As Administrator.
    • Then in the Registry Editor click File, Import.
    • Navigate your way to the C:\MGtools folder and locate the fixW7BFE.reg key and select it.
    • Then click the Open button and allow this to be added into your registry.
    • Then do the same for the FixW7BFE.reg file.
    Tell me what happened exactly. Like do you get any error messages or do you get a success message?

    After doing the above, make sure to get me the new MGlogs.zip file per the instructions.
     
  21. NDAPUPR

    NDAPUPR Private E-2


    I was able to do this successfully. But I might have misunderstood, isn't the second key you said to do this with the same as the first? I restarted my comp and ran MGtools after though.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes that was my fault doing a copy and paste and I forgot to edit the string. The second one I wanted to import was FixW7FW.reg. You can do that now and tell me what happens later, but continue on to the below anyway.


    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Computer Browser Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.

    Now locate the FDResPub service and set the Startup type to Automatic, Did this Start?

    Now locate the Base Filtering Engine service and Start it and set the Startup type to Automatic, Did this work?

    Now locate the Windows Firewall service and Start it and set the Startup type to Automatic. Did this Start?

    Now locate the IKE and AuthIP IPsec Keying Modules service and Start it and set the Startup type to Automatic, Did this Start?

    Now locate the IPsec Policy Agent service and Start it and set the Startup type to Manual, Did this Start?

    Now locate the Windows Time service and set the Startup type to Automatic. Did this work?

    Now locate the Windows Modules Installer service and Start it and set the Startup type to Manual, Did this Start?

    Now close the above services forms and reboot your PC.


    After reboot, tell me your answers to what happened while trying to start all the above services.

    Also run the below tools.


    Now download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now open Repair_Windows.exe
    • Go to Start Repairs tab.
    • Choose "Custom Mode" and press "Start".
    • Create a System Restore point if prompted.
    • In the Custom Mode window, select the following repair options:
      • Reset Registry Permissions
      • Register System Files
      • Repair WMI
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • If asked to reboot the computer for the changes to take effect, make sure other tasks in the program are not still running before accepting to restart.
    Please download Farbar Service Scanner and run it on the computer with the issue.
    • Make sure to put a check in each of the check boxes for
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    FSS.txt
    C:\MGlogs.zip
     
  23. NDAPUPR

    NDAPUPR Private E-2

    computer browser - started

    FDResPub - Not listed

    Base Filtering Engine - Error 1083: The executable program that this service is configured to run in does not implement the service.

    Windows Firewall - Error 1068: The dependency service or group failed to start

    IKE and AuthIP - Error 1068

    IPsec - Error 1068

    Windows Time - started

    Windows Modules Installer - started

    Ran Windows Repair, FSS, and MGtools.
     
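    An added diagnostic, not part of this thread, that puts the service results above into one report: for every service named in the instructions it shows the status and startup type, which of its dependencies are not running (what error 1068, "the dependency service or group failed to start", points at; Windows Firewall, IKEEXT and the IPsec Policy Agent all depend on BFE), and, for services hosted by svchost.exe such as BFE, whether the service is still listed in its svchost group and its ServiceDll file exists, which is what error 1083 ("the executable program that this service is configured to run in does not implement the service") reports when the registration is missing. The short service names are the standard Windows ones for the display names used above; it reads the registry and the Service Control Manager only.

```powershell
# Added example: one-shot health report for the services discussed in this
# thread. Read-only. Run from a PowerShell prompt started with "Run As Administrator".
$ServicesFromThread = 'Browser', 'FDResPub', 'BFE', 'MpsSvc', 'IKEEXT',
                      'PolicyAgent', 'W32Time', 'TrustedInstaller'

function Test-SvchostRegistration {
    # For a service hosted by svchost.exe, check that its name is listed in the
    # svchost group named by "-k <group>" and that its ServiceDll file exists.
    # The SCM reports error 1083 when the hosting group does not implement the
    # service. Returns $null for services that are not hosted by svchost.
    param([string]$Name)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $image  = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    if ($image -notmatch 'svchost\.exe.*-k\s+(\S+)') { return $null }
    $group   = $Matches[1]
    $groups  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost' -ErrorAction SilentlyContinue
    $members = @($groups.$group)
    $dll   = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $dllOk = $dll -and (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))
    return ($members -contains $Name) -and $dllOk
}

function Get-ServiceHealthReport {
    param([string[]]$Name)
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$n'"
        $row = New-Object PSObject -Property @{
            Service = $n; Status = 'NOT INSTALLED'; StartType = $null
            StoppedDependencies = $null; SvchostOk = $null
        }
        if ($svc) {
            $row.Status    = $svc.Status
            $row.StartType = $wmi.StartMode          # Auto / Manual / Disabled
            # Dependencies that are not running: a stopped one here is what
            # error 1068 on this service refers to (MpsSvc, IKEEXT and
            # PolicyAgent all depend on BFE).
            $row.StoppedDependencies = ($svc.ServicesDependedOn |
                Where-Object { $_.Status -ne 'Running' } |
                ForEach-Object { $_.Name }) -join ', '
            $row.SvchostOk = Test-SvchostRegistration -Name $n
        }
        $row
    }
}

Get-ServiceHealthReport -Name $ServicesFromThread |
    Format-Table Service, Status, StartType, StoppedDependencies, SvchostOk -AutoSize
```

A service that is missing from the thread's "Not listed" case shows as NOT INSTALLED, and a False in SvchostOk for BFE is the condition to compare against the 1083 result reported above.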

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download SubInACL.msi from Microsoft.
    • Now double click on SubInACL.msi to run the installer. Accept any prompts you get about installing this.
    • Now download the below file and save it to your Desktop:
    • Now right click on resetperm.cmd and select Run As Administrator to run this script. Be patient as this may take a while to run. Also it is imperative that you Run As Administrator. This is not the same thing as your user account having administrator privileges.
    Once it finishes, reboot your PC.

    Click Start and in the search box just type regedit; do not hit Enter. In the area above you should see a regedit.exe icon appear when it is found. Right click on it and select Run As Administrator.
    • Then in the Registry Editor click File, Import.
    • Navigate your way to the C:\MGtools folder and locate the fixW7BFE.reg key and select it.
    • Then click the Open button and allow this to be added into your registry.
    • Then do the same for the FixW7FW.reg file.
    Tell me what happened exactly. Like do you get any error messages or do you get a success message?

    After doing the above, reboot your PC once again.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
     
  25. NDAPUPR

    NDAPUPR Private E-2

    I was able to do the first part no problem

    But after I rebooted and tried to add the new keys, I got an error for both saying it couldn't be written because the key was being used by another process. I went through my processes and tried to end any program that didn't need to be used, and then tried again with no success. I've attached a picture of the error, as well as all of the processes in my task manager in case you needed this.
     

    Attached Files:

    • MGlogs.zip
    • a.jpg
    • b.jpg
    • c.jpg
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It has nothing to do with processes you can end. They are system processes required by Windows and it is just locking some registry keys. This was why I had you take ownership and change permissions of various keys earlier. Also the resetperm-x64.cmd command was trying to expand upon that.

    Let's do the below again


    Now please click Start, Run and type services.msc into the Run box and click OK. This will open up the Services form. Scroll down to the Computer Browser Service service and double click on it. If the Service status: shows Stopped or Disabled, click the Start button. Does it Start? Make sure that the Startup type is set to Manual.

    Now locate the Base Filtering Engine service and Start it and set the Startup type to Automatic, Did this work?

    Now locate the Windows Firewall service and Start it and set the Startup type to automatic, Did this Start?

    Now locate the IPsec Policy Agent service and Start it and set the Startup type to Manual, Did this Start?

    Now locate the IKE and AuthIP IPsec Keying Modules service and Start it and set the Startup type to Automatic, Did this Start?


    Now close the above services forms and reboot your PC. Then go back and see how many of these are really in the state you changed them to?
     
  27. NDAPUPR

    NDAPUPR Private E-2

    Ok a few things.

    Computer Browser-started
    Base Filtering - error 1083
    Windows Firewall - error 1068
    Ipsec - error 1068
    IKE - error 1068

    I then restarted my comp and Computer Browser was stopped again.

    I then went back to regedit and noticed it changed back to the previous settings. So I did the following part again successfully.

    I then tried to start the services again, but got the same error messages.


    I know this is frustrating and I am grateful for your help. Do you happen to have a donations page? I feel guilty for getting your help for free.
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O4 - HKUS\S-1-5-21-2428290023-183047856-1791644598-1005\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
    O4 - HKUS\S-1-5-18\..\Run: [soopm] rundll32.exe "C:\Windows\System32\config\systemprofile\AppData\Local\App\soopm.dll",wmain (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [soopm] rundll32.exe "C:\Windows\System32\config\systemprofile\AppData\Local\App\soopm.dll",wmain (User 'Default user')

    After clicking Fix, exit HJT.

    Now save the new version of combofix.exe to your Desktop so that we can use it in the below fix.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running ComboFix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Jan 10, 2012
