Riskware BitcoinMiner


Greetings,

I have 4 PCs in the house but only 1 that is infected with Riskware BitcoinMiner. Googling about, I learned it may have come from Folder Colorizer 2, which makes sense, since I recently installed that on that 1 PC but not the others. (If it helps, I believe I downloaded it from here --

https://softorino.com/foldercolorizer2/

)

Malwarebytes readily finds and quarantines the rmx_oc.dll file.  The problem is it quickly returns after a reboot or within 24 hours.   I want it GONE.

Your help is most appreciated.

Edited by AdvancedSetup

  • Root Admin

Hello @PoolManBaby and :welcome:

Please restart the computer and then run the following.

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

RESTART THE COMPUTER before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks

Ron


So this morning no activity. The scan found nothing. But I'll bet something will happen within a few hours or less based upon prior activity. (See attachment.)

By the way I watched other people go thru your process and normally you folks ask us to hit the 'fix' button.  But you didn't ask me to do that.  You merely asked how things were running.  Did you skip a step?

In case this helps: I believe this malware has a 'tell'. My PC has been doing two weird keyboard things recently, which are there when the malware is there but gone when it isn't.

1. When I boot and get to my lock screen, any key is supposed to make it go away and allow me to enter my PIN. I believe when this malware is present I cannot use my numeric keypad to dismiss the lock screen, where normally I can.

2. When the malware is present and I've been using my computer for at least an hour, keys on the keyboard begin triggering incorrect functions. Like the other day I couldn't type '@' into a field on the net. It just wouldn't work. At a different time, if I hit ANY key the settings window or the start menu would simply open. The only way to fix this issue was a reboot.

2018-03-28 10_26_03-Riskware BitcoinMiner - Malware Removal for Windows - Malwarebytes Forums.jpg


  • Root Admin
1 hour ago, PoolManBaby said:

By the way I watched other people go thru your process and normally you folks ask us to hit the 'fix' button.  But you didn't ask me to do that.  You merely asked how things were running.  Did you skip a step?

No step skipped. The logs did not show any obvious items to remove. It doesn't mean that there is not possibly still something there, but it may be a bit deeper.

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

Thanks

Ron

Edited by AdvancedSetup
corrected typo

Thanks Ron. I wanted to show you this first. I did a scan this morning and found nothing. I rebooted at 12:30 PM my time and did another scan. It found nothing and I've attached it below. But then I looked in the MWB log and something had slipped in and had been quar'd minutes before the reboot. See pic.

2018-03-28 12_32_58-Malwarebytes Premium Trial 3.4.4.jpg

Edited by AdvancedSetup
Link to post
Share on other sites

By the way the instructions you folks offer are excellent.  This last set, however, comes off as mildly inaccurate.  I'm offering these suggested edits for further clarity.

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.  Accept terms.
  • Once it starts, please press the Esc key on your keyboard to stop scan.
  • Click on the Options button at the top of the program. Select Scan Options and then check Verify Code Signatures.
  • If offered to Rescan do so.  Or press the F5 key on your keyboard, this will start the scan again, this time let it finish.  It takes under a minute.***
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply

*** I added this because the app does not indicate when it is finished. 

Edited by PoolManBaby
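The Autoruns step above, with Verify Code Signatures turned on, is what separates "a binary that starts with Windows" from "an unsigned binary that starts with Windows". The following PowerShell is an added example, not part of this thread and not a Malwarebytes or Sysinternals tool: it approximates that check for two common persistence locations (services and scheduled tasks), and adds a creation-date grouping for one folder, since the poster later notices that every file in the suspicious folder was dropped on the same day. Function names are my own; the folder path in the usage call is the one the thread discusses and should be adjusted for the machine at hand. Caveat: many Windows binaries are catalog-signed and may show up here as NotSigned, which Autoruns resolves and this script does not, so treat the output as a triage list rather than a verdict.

```powershell
# Added example (not from the thread): approximate Autoruns' "Verify Code
# Signatures" view for services and scheduled tasks, and group a folder's
# files by creation day. Function names are this example's own.

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Service ImagePath / task Execute values may be quoted, carry arguments,
    # or use environment variables. Pull out just the binary path.
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted command line: accumulate tokens until one ends in .exe,
    # so "C:\Program Files\x\y.exe -k foo" yields the full path.
    $tokens = $expanded -split ' '
    $acc = ''
    foreach ($t in $tokens) {
        $acc = if ($acc) { "$acc $t" } else { $t }
        if ($acc -match '\.exe$') { return $acc }
    }
    return $tokens[0]
}

function Test-AutostartSignatures {
    # Emits one object per service or scheduled-task binary whose
    # Authenticode signature status is anything other than Valid.
    $items = @()

    # Services: PathName is the raw ImagePath command line.
    Get-CimInstance Win32_Service | ForEach-Object {
        $items += [pscustomobject]@{ Source = "Service:$($_.Name)"; Command = $_.PathName }
    }

    # Scheduled tasks: each Exec action's Execute value (COM-handler actions have none).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                $items += [pscustomobject]@{
                    Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                    Command = $a.Execute
                }
            }
        }
    }

    foreach ($i in $items) {
        $exe = Get-ExecutablePath $i.Command
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
            # A registered autostart whose file is gone is itself worth noting.
            [pscustomobject]@{ Source = $i.Source; Path = $exe; Status = 'MissingFile'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Source = $i.Source
                Path   = $exe
                Status = $sig.Status      # NotSigned, HashMismatch, UnknownError, ...
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
}

function Get-FolderCreationDays {
    param([Parameter(Mandatory)][string]$Folder)
    # Group a folder's files by creation date. A folder where every file
    # appeared on one day, unrelated to any install you remember, stands out.
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Group-Object { $_.CreationTime.Date.ToString('yyyy-MM-dd') } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count,
                      @{ n = 'Files'; e = { $_.Group.Name -join ', ' } }
}

# Usage. The folder path is the one from this thread; adjust as needed.
Test-AutostartSignatures | Format-Table -AutoSize
Get-FolderCreationDays -Folder 'C:\Program Files\Utilities' | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that services registered under other accounts and tasks in every task folder are enumerated. Autoruns also covers Run keys, Winlogon, WMI subscriptions, drivers and more, so a clean result here does not replace the Autoruns log the thread asks for.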

  • Root Admin

What is this?

utilitiesservice.exe

c:\program files\utilities\utilitiesservice.exe    2/15/2018 9:39 AM   

Let's go ahead and run a minor fix from FRST and then reset the browsers back to factory default.

The AutoRuns log is not showing anything specific either.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST (or FRST64) and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Then, once that's done and rebooted let's reset the browsers.

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Microsoft Edge
How to Reset Microsoft Edge in Windows 10

Firefox
Click on Help / Troubleshooting Information then click on the Refresh Firefox button.

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

  • First, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the run dialog box.
  • Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\
    1. Press Ctrl + A to select all the files and folders.
    2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
    3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
    4. Example of all files and folders selected, except Bookmarks (screenshot: chrome_files_folders.png)

Restart your computer now and let me know if any detections come back again or not.

Thank you

Ron

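The Chrome reset above boils down to: make sure Chrome is closed, then delete everything in the Default profile folder except Bookmarks and Bookmarks.bak. As an added example that is not part of this thread and not a Malwarebytes procedure, here is the same sequence as a PowerShell function with the two safeguards a practitioner wants: it refuses to run while any chrome.exe process exists, and it supports -WhatIf and -Confirm so the file list can be reviewed before anything is removed. The function and parameter names are my own; the profile path is the one the thread's Run-dialog step opens.

```powershell
# Added example (not from the thread): scripted form of the Chrome profile
# reset steps. Keeps Bookmarks and Bookmarks.bak, refuses to run while
# Chrome is open, and honours -WhatIf / -Confirm.
function Reset-ChromeDefaultProfile {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Same folder the thread has you open from the Run dialog.
        [string]$ProfileDir = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'),
        # Top-level entries to leave in place.
        [string[]]$Keep = @('Bookmarks', 'Bookmarks.bak')
    )

    # Chrome holds its databases open; deleting under it corrupts the profile.
    if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
        throw 'Chrome is still running; close every Chrome window first.'
    }
    if (-not (Test-Path -LiteralPath $ProfileDir)) {
        throw "Profile folder not found: $ProfileDir"
    }

    # Top-level entries only, like Ctrl+A in Explorer; subfolders are removed whole.
    $targets = Get-ChildItem -LiteralPath $ProfileDir -Force |
        Where-Object { $Keep -notcontains $_.Name }

    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess($t.FullName, 'Remove')) {
            Remove-Item -LiteralPath $t.FullName -Recurse -Force -ErrorAction Continue
        }
    }

    # Return what is left so the caller can confirm the bookmarks survived.
    Get-ChildItem -LiteralPath $ProfileDir -Force | Select-Object -ExpandProperty Name
}

# Dry run first: lists every entry that would be removed, deletes nothing.
Reset-ChromeDefaultProfile -WhatIf
# Real run (prompts per item because ConfirmImpact is High; add -Confirm:$false to skip the prompts):
# Reset-ChromeDefaultProfile
```

Because the function returns the surviving entry names, the expected result after a real run is a list containing only Bookmarks and Bookmarks.bak (plus anything Chrome recreates the next time it starts). Sign out of Chrome sync first, as the thread says, or the cleared data will simply sync back down.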

1 hour ago, AdvancedSetup said:

What is this?

utilitiesservice.exe

c:\program files\utilities\utilitiesservice.exe    2/15/2018 9:39 AM

I'm new to PC as of last year.  Decades of Mac use.  Remember this if you feel like I'm missing something painfully obvious to a seasoned PC user.

To answer your question I have absolutely no idea what that is.  But --

1.  -- it lives in the same folder that the BitCoinMiner keeps reappearing within.  Even worse --
2.  -- this folder only exists on one of my three PCs.  Which I set up almost identically.  That is:  the troubled PC has a Utilities folder that the other PCs do not have.

So I would ask you, Ron: what do you make of the other contents of this folder? And that almost all were installed on the same day?

5abc0d4ab72cf_2018-03-2814_39_50-Utilities.thumb.jpg.85f3d828730e0527ec4bd0f3e8facafa.jpg

Hey Ron -- I Googled each .dll and got nowhere. But then suddenly I got lucky and found the link below. Someone in my exact situation but with a different symptom. And I'll do what you said in a few minutes. I had to share this before I lost it --

https://answers.microsoft.com/en-us/windows/forum/windows_10-power/after-restarting-my-desktop-from-hinbernate-or/5b8a5bf9-deb1-4aa3-9a9a-371bf2563d4d

Edited by PoolManBaby

Sorry to trouble you so.  I was hoping this would be a quick fix for the both of us, right?  So let me update you --

1.  You made me a little nervous when you wanted to reset all my browsers.  I was afraid I could lose certain things I don't want to lose.  I felt it was a kitchen sink option and wanted to avoid it if I could.  So read the rest and you can decide if I should hold off or not.

2. Based upon that thread above where the guy had the same folders with the same .dll files but a different issue -- I decided to borrow an idea of his: to rename that utilityservice.exe something else. For no reason I can explain I added 'BAK' to the name of this utility just like he did. The result was that it didn't rename the .exe but the entire folder. See pic below. On a semi-desperate lark I attempted to erase said .exe file -- and I moved it (as admin) to the recycle bin. There I erased it as admin.

So far that file hasn't come back.  Neither has the related fix that keeps coming back. 

Question Ron -- what would you say if I tried to throw the others out while I'm at it?  The ones all with the same date?  Or would you say TRASH THEM ALL since none of your other PCs have these files anyway?

3.  I did run that specific FRST.  But the malware came right back upon reboot.  And by the way -- I can tell if it's come back upon reboot because, like I said, the number keys cannot 'lift' the boot lockscreen.  When the numeric keys do work the malware isn't there.

Here's the log --

2018-03-28 15_23_01-BAKUtilities.jpg

Edited by AdvancedSetup

I've been rebooting my brains out and believe the malware is gone, Ron.  I can't tell if your recent fix did the trick or me icing that utility folder.  Oh, and yeah, I iced the entire thing.  Putting the pieces together it is now confirmed that Folder Colorizer installs malware.  The malware IS that 'Utilities' folder and its contents.

I'm not going to start your browser cleansing plan unless it comes back at this point.

I want to THANK YOU for all your help Ron. 

Edited by AdvancedSetup
Logs removed per request

  • Root Admin

Good job. Yeah, that was the only folder that looked out of place in the logs but I didn't have any information about it. Just delete the folder then and be done with it.

Still, nothing wrong with cleaning out the browsers. I know it's a PITA but sometimes it's worth it as they do operate much better after a good cleaning. No problem though, I do understand how time-consuming it is to customize them. 

Unless something else comes up, we should be done here then. :-)

Thank you

Ron


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

