Jump to content

Riskware found in a Malwarebytes folder?


Go to solution Solved by kevinf80,

Recommended Posts

Yesterday, I tried attempting a full scan; after realizing it takes way longer than I thought it would, I stopped the scan.

However, the scan did detect a RiskWare.BitCoinMiner...in the ProgramData directory for Malwarebytes.


The file also came back when I scanned again even though I removed it via restart.


What is going on here and how do I resolve this?

Link to post
Share on other sites

Hello rumptybum and welcome to Malwarebytes,

Run the following:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

If English is not your mother tongue Right click on FRST or FRST64 and rename FRSTEnglish or FRST64English
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Link to post
Share on other sites

3 minutes ago, kevinf80 said:

The identifier shows it is your account, that account seems to have a proxy enabled. Do you use a VPN maybe...

RyanSil (S-1-5-21-3817556961-1636447349-2730863138-1001 - Administrator - Enabled) => C:\Users\RyanSil

The proxy option seems enabled in my settings, but I don't have an address or port filled in.

I do know the Tutturu app uses a proxy you can switch on, though, for making streaming things like Netflix easier to manage in the app.

Link to post
Share on other sites

Thanks for the update, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.


Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

  • Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply


Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply...

Thank you,



Link to post
Share on other sites

Hiya rumptybum,

Thanks for those logs. FRST fix did not complete, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

user posted image
How is your PC responding now, any remaining issues or concerns..?
Thank you,


Link to post
Share on other sites

I have done the fix, and I've done further scans through the other programs.

The logs for them are attached.


The computer seems to be fine. I did notice AdwCleaner still identified two pre-installed HP items, but I decided to leave them alone since they're from HP.

However, in the first place, I found that riskware detection by trying to do a full scan with Malwarebytes. I think I will try doing a full scan (or as full as I can make it be) tomorrow to see if the detection would still pop up.

msertnew.log AdwCleaner[S02].txt NewMBscan.txt Fixlog.txt

Link to post
Share on other sites

Hiya rumptybum,

Thanks for those logs and information update. As you still have concerns run the following AV scanner please...

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thank you,


Link to post
Share on other sites

The detection came up again. All that, and it came up again.

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Cancelled
Objects Scanned: 331739
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 3 hr, 49 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)



I did not download Sophos yet. I am skeptical of what it's supposed to do compared to what Malwarebytes does. But for some reason, this RiskWare.BitCoinMiner keeps coming back. Is it due to it residing in the TMP folder?

Link to post
Share on other sites

As in matter of fact, wouldn't it be possible this is a false positive?

This detection is for a file found in MBamservice's TMP folder, which I imagine is for temporary files relating to Malwarebytes. That would explain why it leaves quarantine upon rebooting the system.

The file ends in .dll-k.mbram, after all

Link to post
Share on other sites

The following was present in the tmp folder when we ran the first FRST fix...


========================= Folder: C:\Programdata\Malwarebytes\MBAMService\tmp ========================

2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\307ad040760911ebbc85c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000020071 ____A [D015B2C7811F677F3C7BEADCCCD42B0D] () C:\Programdata\Malwarebytes\MBAMService\tmp\307ad040760911ebbc85c8d3ff95769f\307ad040760911ebbc85c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\308f6ae6760911ebbde8c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000026462 ____A [67A61787B387266B3083E6AB6212BEC6] () C:\Programdata\Malwarebytes\MBAMService\tmp\308f6ae6760911ebbde8c8d3ff95769f\308f6ae6760911ebbde8c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\30a40992760911ebb2ebc8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000084864 ____A [78E7ED654E24B284D9A75D7AC85314D8] () C:\Programdata\Malwarebytes\MBAMService\tmp\30a40992760911ebb2ebc8d3ff95769f\30a40992760911ebb2ebc8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\30f1c72c760911ebbeb3c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000018331 ____A [F316F93DF5D29B8425E814066420BE48] () C:\Programdata\Malwarebytes\MBAMService\tmp\30f1c72c760911ebbeb3c8d3ff95769f\30f1c72c760911ebbeb3c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\327db542760911eba8d5c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000018428 ____A [1E105892C2B718563F8B0A97A9574655] () C:\Programdata\Malwarebytes\MBAMService\tmp\327db542760911eba8d5c8d3ff95769f\327db542760911eba8d5c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\3372b6be760911eb8ebdc8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000020028 ____A [D8D41482004BFCBCCC095FA8A43AC519] () C:\Programdata\Malwarebytes\MBAMService\tmp\3372b6be760911eb8ebdc8d3ff95769f\3372b6be760911eb8ebdc8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\33c796e8760911eb8d73c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000024497 ____A [3A8EC45F3AB34737CB3C7D04A1BD64AF] () C:\Programdata\Malwarebytes\MBAMService\tmp\33c796e8760911eb8d73c8d3ff95769f\33c796e8760911eb8d73c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\34286a22760911eb8856c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000018940 ____A [46620F63FD6EEF06001AE8F316C8CD36] () C:\Programdata\Malwarebytes\MBAMService\tmp\34286a22760911eb8856c8d3ff95769f\34286a22760911eb8856c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\34fe80e4760911ebb8e5c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000032917 ____A [580B59295505966FF34FFEC4A7B2D6D1] () C:\Programdata\Malwarebytes\MBAMService\tmp\34fe80e4760911ebb8e5c8d3ff95769f\34fe80e4760911ebb8e5c8d3ff95769f.zip
2021-02-23 01:02 - 2021-02-23 01:02 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\aff2c110759c11eba488c8d3ff95769f
2021-02-23 01:02 - 2021-02-23 01:02 - 000046795 ____A [A1453F07671C8623FADF3EE565F83AB4] () C:\Programdata\Malwarebytes\MBAMService\tmp\aff2c110759c11eba488c8d3ff95769f\aff2c110759c11eba488c8d3ff95769f.zip

If you open that folder now is it actually empty...

Link to post
Share on other sites

Can you open Malwarebytes,from the main interface select "History" in the new window select the entry for the file you identified from the tmp folder then select "restore"

Once that file is restored can you upload to VirusTotal and have it checked out...

Go to http://www.virustotal.com/
  • Click the Choose file button
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.



Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.