Riskware found in a Malwarebytes folder?

[rumptybum]

Yesterday, I tried attempting a full scan; after realizing it takes way longer than I thought it would, I stopped the scan.

However, the scan did detect a RiskWare.BitCoinMiner...in the ProgramData directory for Malwarebytes.

The file also came back when I scanned again even though I removed it via restart.

What is going on here and how do I resolve this?

[kevinf80]

Hello rumptybum and welcome to Malwarebytes, Run the following: Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... If English is not your mother tongue Right click on FRST or FRST64 and rename FRSTEnglish or FRST64English   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans"   Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Thank you, Kevin

[rumptybum]

Is there anything else I can do? I'm not sure I would want to download more programs.

[kevinf80]

We need the logs from FRST to see what is happening with your system, no changes are made with the initial scan...

[rumptybum]

58 minutes ago, kevinf80 said:

We need the logs from FRST to see what is happening with your system, no changes are made with the initial scan...

Ok. Here they are.

Addition.txt FRST.txt

[kevinf80]

Is this setting known to you...

ProxyEnable: [S-1-5-21-3817556961-1636447349-2730863138-1001] => Proxy is enabled.

 

[rumptybum]

1 minute ago, kevinf80 said:

Is this setting known to you...

ProxyEnable: [S-1-5-21-3817556961-1636447349-2730863138-1001] => Proxy is enabled.

 

I'm not technical enough to know the significance of this.

[kevinf80]

The identifier shows it is your account, that account seems to have a proxy enabled. Do you use a VPN maybe...

RyanSil (S-1-5-21-3817556961-1636447349-2730863138-1001 - Administrator - Enabled) => C:\Users\RyanSil

[rumptybum]

3 minutes ago, kevinf80 said:

The identifier shows it is your account, that account seems to have a proxy enabled. Do you use a VPN maybe...

RyanSil (S-1-5-21-3817556961-1636447349-2730863138-1001 - Administrator - Enabled) => C:\Users\RyanSil

The proxy option seems enabled in my settings, but I don't have an address or port filled in.

I do know the Tutturu app uses a proxy you can switch on, though, for making streaming things like Netflix easier to manage in the app.

[rumptybum]

That isn't to say the proxy is flipped on by default since the first time, though; I would always have to enable it when I use Tutturu.

[kevinf80]

Thanks for the update, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from. NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more. NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied:   Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab. Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following:   Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror   Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system.... https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply... Thank you, Kevin.

fixlist.txt

[rumptybum]

Here is what I've got

MBscan.txt Fixlog.txt Cleaner.txt msert.log

[kevinf80]

Hiya rumptybum,

Thanks for those logs. FRST fix did not complete, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.   How is your PC responding now, any remaining issues or concerns..?   Thank you,   Kevin..

fixlist.txt

[rumptybum]

I have done the fix, and I've done further scans through the other programs.

The logs for them are attached.

 

The computer seems to be fine. I did notice AdwCleaner still identified two pre-installed HP items, but I decided to leave them alone since they're from HP.

However, in the first place, I found that riskware detection by trying to do a full scan with Malwarebytes. I think I will try doing a full scan (or as full as I can make it be) tomorrow to see if the detection would still pop up.

msertnew.log AdwCleaner[S02].txt NewMBscan.txt Fixlog.txt

[kevinf80]

Hiya rumptybum,

Thanks for those logs and information update. As you still have concerns run the following AV scanner please...

Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...   Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs Thank you, Kevin..

[rumptybum]

The detection came up again. All that, and it came up again.

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Cancelled
Objects Scanned: 331739
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 3 hr, 49 min, 58 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
RiskWare.BitCoinMiner, C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\TMP\MICROSOFT.VISUALSTUDIO.CONTEXTMANAGEMENT.PACKAGE.RESOURCES.DLL-K.MBAM, Delete-on-Reboot, 1710, 906113, 0.0.0, , ame, , , 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

 

I did not download Sophos yet. I am skeptical of what it's supposed to do compared to what Malwarebytes does. But for some reason, this RiskWare.BitCoinMiner keeps coming back. Is it due to it residing in the TMP folder?

[rumptybum]

As in matter of fact, wouldn't it be possible this is a false positive?

This detection is for a file found in MBamservice's TMP folder, which I imagine is for temporary files relating to Malwarebytes. That would explain why it leaves quarantine upon rebooting the system.

The file ends in .dll-k.mbram, after all

[kevinf80]

I have that same folder on my system, in my case the folder is empty. In your case there are several files, not really sure what they are for... Can you zip up the tmp folder and attach to your reply please...

C:\Programdata\Malwarebytes\MBAMService\tmp

[rumptybum]

Thing is, that detection may be from a file that only shows up as Malwarebytes was scanning. I tried zipping the tmp folder now, but the computer claims nothing is in there, so it can't.

[kevinf80]

The following was present in the tmp folder when we ran the first FRST fix...

Quote

========================= Folder: C:\Programdata\Malwarebytes\MBAMService\tmp ========================

2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\307ad040760911ebbc85c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000020071 ____A [D015B2C7811F677F3C7BEADCCCD42B0D] () C:\Programdata\Malwarebytes\MBAMService\tmp\307ad040760911ebbc85c8d3ff95769f\307ad040760911ebbc85c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\308f6ae6760911ebbde8c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000026462 ____A [67A61787B387266B3083E6AB6212BEC6] () C:\Programdata\Malwarebytes\MBAMService\tmp\308f6ae6760911ebbde8c8d3ff95769f\308f6ae6760911ebbde8c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\30a40992760911ebb2ebc8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000084864 ____A [78E7ED654E24B284D9A75D7AC85314D8] () C:\Programdata\Malwarebytes\MBAMService\tmp\30a40992760911ebb2ebc8d3ff95769f\30a40992760911ebb2ebc8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\30f1c72c760911ebbeb3c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000018331 ____A [F316F93DF5D29B8425E814066420BE48] () C:\Programdata\Malwarebytes\MBAMService\tmp\30f1c72c760911ebbeb3c8d3ff95769f\30f1c72c760911ebbeb3c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\327db542760911eba8d5c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000018428 ____A [1E105892C2B718563F8B0A97A9574655] () C:\Programdata\Malwarebytes\MBAMService\tmp\327db542760911eba8d5c8d3ff95769f\327db542760911eba8d5c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\3372b6be760911eb8ebdc8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000020028 ____A [D8D41482004BFCBCCC095FA8A43AC519] () C:\Programdata\Malwarebytes\MBAMService\tmp\3372b6be760911eb8ebdc8d3ff95769f\3372b6be760911eb8ebdc8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\33c796e8760911eb8d73c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000024497 ____A [3A8EC45F3AB34737CB3C7D04A1BD64AF] () C:\Programdata\Malwarebytes\MBAMService\tmp\33c796e8760911eb8d73c8d3ff95769f\33c796e8760911eb8d73c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\34286a22760911eb8856c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000018940 ____A [46620F63FD6EEF06001AE8F316C8CD36] () C:\Programdata\Malwarebytes\MBAMService\tmp\34286a22760911eb8856c8d3ff95769f\34286a22760911eb8856c8d3ff95769f.zip
2021-02-23 13:59 - 2021-02-23 13:59 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\34fe80e4760911ebb8e5c8d3ff95769f
2021-02-23 13:59 - 2021-02-23 13:59 - 000032917 ____A [580B59295505966FF34FFEC4A7B2D6D1] () C:\Programdata\Malwarebytes\MBAMService\tmp\34fe80e4760911ebb8e5c8d3ff95769f\34fe80e4760911ebb8e5c8d3ff95769f.zip
2021-02-23 01:02 - 2021-02-23 01:02 - 000000000 ____D [00000000000000000000000000000000] () C:\Programdata\Malwarebytes\MBAMService\tmp\aff2c110759c11eba488c8d3ff95769f
2021-02-23 01:02 - 2021-02-23 01:02 - 000046795 ____A [A1453F07671C8623FADF3EE565F83AB4] () C:\Programdata\Malwarebytes\MBAMService\tmp\aff2c110759c11eba488c8d3ff95769f\aff2c110759c11eba488c8d3ff95769f.zip

If you open that folder now is it actually empty...

[rumptybum]

Yes, I open the folder and there's nothing in it. Hence the zip error message.

[kevinf80]

Can you open Malwarebytes,from the main interface select "History" in the new window select the entry for the file you identified from the tmp folder then select "restore"

Once that file is restored can you upload to VirusTotal and have it checked out...

Go to http://www.virustotal.com/   Click the Choose file button Navigate to the file C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\TMP\MICROSOFT.VISUALSTUDIO.CONTEXTMANAGEMENT.PACKAGE.RESOURCES.DLL-K.MBAM Click the Scan it tab If you get a message saying File has already been analyzed: click Reanalyze file now Copy and paste the URL address back here please.

 

[rumptybum]

How do I restore?

[kevinf80]

Select "Quarantined items" the list will be the same, you can now select and choose restore....

[rumptybum]

It's not in Quarantined Items.

I think I'll just run the scan again to catch it.