Possibly infected with a Bitcoin farmer malware

[Dyav]

Hi!! So some days ago my computer started acting really weird, there was a constant use of the CPU in the task manager (30% more or less) and my internet just seemed to stopped working, or at least it worked for some minutes after start and then it just kept loading pages indefinitely, I thought it to be a internet problem, but on my other devices it was just fine.. So I did a quickscan with Malwarebytes and it detected ASKTOOLBARINSTALLER-ORJ-SPE[1].7Z and [2].7Z and MicrosoftRuntimeUpdate.vbe in Appdata/Roaming/libraries, looking it up I found people saying it was a bitcoin miner malware, which made sense for how my PC was behaving, anyway I quarantined it and restarted, but the problem was still there, CPU used without anything running and no internet (nothing was showing up in Task Manager either). There were also two processes that autoran on start called 'Microsoft Runtime' and 'Microsoft Runtime Update' starting from that file, that I found in CCleaner.
Anyway I started panicing and tried to use RogueKiller, ComboFix and AdwCleaner in that order, the problem seemed to be fixed after RogueKiller, but I ran the other ones too, I'll leave the logs

I'm asking here to know how I could have get infected and if there may be still something left on my PC, if it can help I think I had this for a long time and only recently it started to completely stop my internet connection, indeed I used to see a chrome.exe process using a lot of CPU in the background even tho I didn't even start it (I use Firefox), I thought it was Chrome trying to update and kept closing the process manually, eventually I tried uninstalling and reinstalling Chrome but nothing changed, after some time this stopped happening with chrome.exe and the same thing was happening with firefox.exe and if I tried to kill the process my Firefox would still run normally, which was really suspicious.
Let me know!! Bye (:

[Curson]

Hi Dyav,

Welcome to Adlice.com Forum.
If you do not use Teamviewer, please uninstall it.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
  
• Please attach log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
  

Regards.

[Dyav]

Here they are

[Curson]

Hi Dyav,

The main part of the infection was already removed.
However, we will now get rid of some leftovers.

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is your computer running ?

Regards.

[Dyav]

Thanks, that's good to know! Do you have any idea of where this may have originated from or what it actually was? I'm really curious and wanna know where I got it, was I right to think it started with the MicrosoftRuntimeUpdate.vbe?
By the way since I used RogueKiller the first time it all went back to normal, I just wanted to make sure it was all ok, especially because my anti-virus progams (avast and malwarebytes) didn't detect anything...

Also I would like to ask you to check another issue of mine (even if i don't think it's virus-related) since you look full of resources
I don't know if I have to create another post for this but I may have an issue with my disk space, it basically shows more full space than it should, since if i try to select all the folders in C: they weigh way less than it shows on Computer tab (something like 15-20 GB less), also my Windows folder is reaaally big, it almost hits 40 GB of space, I already tried reducing it by disabilitating the hibernate mode and using the disk cleaning tool, which reduced some space cleaning the Windows Update folder, freeing 8 gb (i think it is winsxs, but it's still really big), the biggest files/folders in Windows are pagefile.sys (15GB) and winsxs folder (15GB), I used WinDirStat to check it. I don't really think it is a virus causing this, but it's still really strange, I don't think it is supposed to be like that, if you can help I would really appreciate!

[Curson]

Hi Dyav,

The source for this type of infection is cracks.
I saw suspicious tasks linked to Life Is Strange game. If you cracked it, it may be the source of the infection and should be removed altogether.

The difference between the disk space usage report must be because hidden system files are not counted when using the "select all the folders" method. As for the big size of the Windows folder, this is normal. The winsxs folder will grow in size when new system updates are applied. The pagefile.sys is used for disk-write memory caching. You can disable this behaviour to recover the space used by the file, but I strongly advise you to keep it this way, since this can cause issues with the system.

Regards.

[Dyav]

I think you are right! I indeed downloaded a cracked version of the game from a website called Ocean of Games, I'm kinda disappointed because I've been using that website for years and never got anything bad from it.. When I searched 'Ocean of Games' and 'malware' the first thing to pop up was a bitcoin malware

It would be a bummer removing it, but I will do it if necessary.. Do you think that if I open the game the malware will appear again?
I could leave you the files from the game ZIP I downloaded so you can analyze it and see what it did (i wont include the big files), to install it I had to open a Setup.vbe which I definetely think is where it started, then I would get an .ISO to create the virtual disk and install the game. Let me know.
Also I guess I'll just live with the big Windows folder, I thought it to be abnormally big
Thanks, bye!!

[Curson]

Hi Dyav,

I'm sorry, but I can't do this. If you do not want to uninstall the game, please scan the following file for malware using VirusTotal :

I:\ (x86)\Life is Strange\Binaries\Win32\LifeIsStrange.exe

Please keep in mind that a clean result won't guarantee that the file is harmless, but it's a good indicator.

Do not execute this Setup.vbe again, this is probably the malware installation file.

Regards.