RiskWare.BitCoinMiner cant be deleted

[Bradl3y]

Hi

 

I have a usb corrupted with the above mentioned virus. It turned the usb to Read-Only mode and i cant get to remove it. I have tried many ways including CMD  and even tried gparted on linux with no luck. The anti-virus detects the virus disguised as mymusic.exe but cannot remove it. Below is the log file.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/14/21
Scan Time: 4:06 AM
Log File: fa0cca2a-9cc5-11eb-a6b7-001fe26969d5.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.519
Update Package Version: 1.0.8702
License: Premium

-System Information-
OS: Windows 10 (Build 19041.928)
CPU: x64
File System: NTFS
User: DESKTOP-T5G519C\Bradley

-Scan Summary-
Scan Type: Custom Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 120012
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 0 min, 51 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
RiskWare.BitCoinMiner, F:\MY MUSIC.EXE, Delete-on-Reboot, [715], [354575],1.0.8702

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)

[AdvancedSetup]

Hello @Bradl3y

Please do the following.

Please click on Start menu and type in CMD.EXE and when it shows on the menu right-click and select "Run as administrator"

Then, with the USB thumb drive still connected as the F: drive issue the following command.

CHKDSK F: /F

After that then run the following command for me.

DIR /A /S F:\

Post back the results of both of those commands please.

Thanks

 

[Bradl3y]

On the first command it says "Windows cannot run disk checking on this volume because it is write protected." I have run attributes disk clear readonly, it says success but still readonly when trying to use the USB. I created a policy in regedit and set the value to 0 for readonly state but also no luck. 

[AdvancedSetup]

How big is this USB disk?

What is the Manufacture name?

Model number of the drive?

I'll check back on you tomorrow

 

[Bradl3y]

8GB SanDisk Cruzer Blade SDCZ50-008G or D33724 it's small but this is not the first stick that this happened to

[AdvancedSetup]

Please check the following and see if this enable Read/Write access

How to enable or disable write-protection on a USB flash drive
https://www.computerhope.com/issues/ch001617.htm

 

[Bradl3y]

Still no luck. I have attached the results. Current state is read-only but read-only states "No" 😐 is it possible to prevent the virus from running when the USB is mounted? I get a feeling it's the virus preventing all these things. 

[AdvancedSetup]

See if there is a policy on this computer and if there is remove it and restart the computer and try again

https://www.windowscentral.com/how-enable-write-protection-usb-devices-windows-10

 

[Bradl3y]

I already created that policy and set the value to 0 which I mentioned in my second comment but it does not help

[AdvancedSetup]

Have you tried to read/write this disk in another computer?

 

[Bradl3y]

Yes and I get the same error. I even tried a different operating system with no luck

[AdvancedSetup]

We can scan this computer to make sure it's not infected but if this keeps happening the question is does in only happen on this computer? Is the file listed always the same name?

Please run the following

 

[Bradl3y]

It's always listed as mymusic.exe. My pc is not infected only the USB. The usb came from from a friend when I noticed this problem. I will try the root kit out and get back to you tomorrow. Thanks so much for the help so far👍

[AdvancedSetup]

You said it happens on "other" USB disks too. It's not magic.

Hardware problem on your friends computer or infected. Nothing like this should be repeating unless there is a root cause on the other computer.

 

[Bradl3y]

No this is only the 2nd case of a usb that has been corrupted like this I have received and the time period between these 2 instances are years

[AdvancedSetup]

Could just be faulty hardware.

Sorry, wish I could be of more help but if you can't remove it from a Linux booted Live CD then something else is going on as no malware would be able to run to protect or cause an issue.

Why I suggested a disk check in the first place because sometimes the volume bitmap or MFT is corrupted and a disk check will fix that and then you can delete a file.

 

[Bradl3y]

I see. Well I haven't tested from I live CD yet I actually have a pc running Linux. I'll give this a shot if no luck I'll just have to chuck it in the bin. I will post results tomorrow 

[AdvancedSetup]

Well, another computer running Linux is the same thing as running a Live CD off of Windows in that it's a completely different OS not tied to Windows operations.

No harm in trying though

Good luck

 

[AdvancedSetup]

USB Disk Storage Format Tool Download
https://www.bleepingcomputer.com/download/usb-disk-storage-format-tool/

 

[Bradl3y]

When I try to check the disk with the tool it says error and when I try to format it with the tool it says "A volume label is required to format this disk" but when I try to add a label I get told the disk is write protected 😔

[AdvancedSetup]

Yeah, sounding more like just bad hardware. Toss and move on. 😔

 

[Bradl3y]

Yea thanks so much for the assistance 👍

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you