Powershell.exe Detections


Crystelium

Hey, I'd like to start by saying I'm new here; therefore, if this is in the wrong place on the forum, I'm sorry.

 

Anyway, this has been going on ever since I got Malwarebytes. I'm currently still on the trial version of Malwarebytes real-time protection, and it's been detecting powershell.exe outbound connections. (I assume it's blocking them as well.)

I'd like to get it sorted before the trial runs out, because I'm not sure what it'll do to my system when the real-time protection runs out.

 

After checking the logs, I've found they seem to come in pairs, or sometimes 3 in a row. Here's the entry that repeats in the protection log XML file:

<record severity="debug" process="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" LoggingEventType="0" datetime="2016-02-27T01:37:14.610691+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="MY-PC" last_modified_tag="ef7d740d-5cec-44d7-a4ab-fe2a134f88c4" subtype="Malicious Website Protection" direction="Outbound" domain="sunlongo.info" ip="185.17.184.11" malwaretype="Domain" port="19977"></record>

After doing some research, I found that the website it's communicating with seems a bit suspicious. As a result, I have also just made an entry in my Windows Firewall to block all inbound and outbound connections to and from the IP.

 

I'm running Windows 10 Education x64, so I assume the PowerShell installation is 5.0 (which seems to be included with Windows 10), and I assume it's fully up to date. I've never used PowerShell before, despite having some technical background, so I don't know it very well.

I'd also like to add that at first I thought the easiest solution would be to uninstall PowerShell (as it's trying to communicate via the .exe) and went to uninstall it from "Programs and Features", only to find it wasn't on the list of programs or installed updates. Is this unusual? The powershell.exe file does have Microsoft's certificate, though.

 

Can anyone elaborate on what's actually happening here?

 

Thanks in advance for any help.

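The record quoted above is one row of the Malwarebytes protection log. The following PowerShell is an added example, not code from the thread or from Malwarebytes: it loads a constructed sample log (the first record is the one quoted in the post; the others are made up for the demo, and the enclosing `<records>` root element is an assumption so the text parses as a single XML document), keeps only the "Malicious Website Protection" detections, and groups records from the same process that fall within a short gap into one "burst", so the "pairs, or sometimes 3 in a row" pattern appears as one row per burst with the targets it hit. For a real file, replace `$sampleLog` with `Get-Content -Raw $pathToProtectionLog` (wrapping the text in a root element if the file has none).

```powershell
# Added example (not from the thread or from Malwarebytes): group Malwarebytes
# "Malicious Website Protection" records into bursts per process.
# $sampleLog is CONSTRUCTED: the first record is the one quoted in the post,
# the rest are invented to show the pairing; <records> is an assumed root.
$sampleLog = @'
<records>
  <record severity="debug" process="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" LoggingEventType="0" datetime="2016-02-27T01:37:14.610691+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="MY-PC" subtype="Malicious Website Protection" direction="Outbound" domain="sunlongo.info" ip="185.17.184.11" malwaretype="Domain" port="19977"></record>
  <record severity="debug" process="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" datetime="2016-02-27T01:37:15.102000+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="MY-PC" subtype="Malicious Website Protection" direction="Outbound" domain="sunlongo.info" ip="185.17.184.11" malwaretype="Domain" port="19977"></record>
  <record severity="debug" process="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" datetime="2016-02-27T01:37:16.877000+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="MY-PC" subtype="Malicious Website Protection" direction="Outbound" domain="sunlongo.info" ip="185.17.184.11" malwaretype="Domain" port="19978"></record>
  <record severity="debug" process="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" datetime="2016-02-27T03:12:40.004120+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="MY-PC" subtype="Malicious Website Protection" direction="Outbound" domain="sunlongo.info" ip="185.17.184.11" malwaretype="Domain" port="19977"></record>
  <record severity="debug" process="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" datetime="2016-02-27T03:12:41.330000+00:00" source="Protection" type="Detection" username="SYSTEM" systemname="MY-PC" subtype="Malicious Website Protection" direction="Outbound" domain="sunlongo.info" ip="185.17.184.11" malwaretype="Domain" port="19977"></record>
</records>
'@

function Get-WebBlockBursts {
    param(
        [Parameter(Mandatory)][xml]$Log,
        [int]$GapSeconds = 60      # records from one process closer than this form a burst
    )
    # Flatten the XML attributes into objects and sort chronologically.
    $hits = @($Log.records.record) |
        Where-Object { $_.type -eq 'Detection' -and $_.subtype -eq 'Malicious Website Protection' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = [datetimeoffset]::Parse($_.datetime, [cultureinfo]::InvariantCulture)
                Process = $_.process
                User    = $_.username
                Target  = '{0} ({1}):{2} {3}' -f $_.domain, $_.ip, $_.port, $_.direction
            }
        } | Sort-Object Time

    $bursts  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($h in $hits) {
        $sameBurst = ($null -ne $current -and
                      $h.Process -eq $current.Process -and
                      ($h.Time - $current.Last).TotalSeconds -le $GapSeconds)
        if ($sameBurst) {
            $current.Count++
            $current.Last = $h.Time
            if ($current.Targets -notcontains $h.Target) { $current.Targets += $h.Target }
        } else {
            $current = [pscustomobject]@{
                Process = $h.Process; User = $h.User; First = $h.Time; Last = $h.Time
                Count = 1; Targets = @($h.Target)
            }
            $bursts.Add($current)
        }
    }
    return $bursts
}

# One row per burst: the sample yields a burst of 3 and a burst of 2.
Get-WebBlockBursts -Log ([xml]$sampleLog) |
    Select-Object @{n='First'; e={$_.First.ToString('u')}}, Count, User,
                  @{n='Process'; e={Split-Path $_.Process -Leaf}},
                  @{n='Targets'; e={$_.Targets -join '; '}} |
    Format-Table -AutoSize
```

The burst view is what you want to take to the malware-removal thread: the username (here SYSTEM, i.e. not an interactive session), how often the bursts recur, and whether the port or domain changes between them, which a single repeated record does not show.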

Hello Crystelium, and welcome!

If you believe MBAM has falsely alerted to an IP address, please carefully read Important: Please Read Before Reporting A False Positive and then begin your own topic at False Positives -> Website Blocking for a thorough re-analysis.

Additionally, if you are convinced that the Netherlands IP address is absolutely safe, you may wish to enter a temporary exclusion in MBAM - entirely at your own risk:

Reference: Malwarebytes Anti-Malware Users Guide - Web Exclusions

Thank you.


Hello, and thanks for the welcome!  :)  

 

I think you've misread my post. I said that I thought the IP address was suspicious. I did some research and looked up the domains that share the IP, etc., and it has been reported elsewhere that they're a set of scam websites. As a result, I blocked the IP addresses from inbound and outbound connections using Windows Firewall. From my experience, I would not recommend excluding it.

 

However, I'd still like some answers as to why my powershell.exe is trying to communicate with this IP. This computer is pretty much brand new (Christmas 2015), and I'm generally very careful about what I download, so it's very odd.

I'd be particularly happy if I found the root of the problem.  ^_^

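Two facts from the post narrow the question of "why is powershell.exe doing this". First, powershell.exe is an in-box component of Windows 10, not an installed program, which is why it is absent from Programs and Features; removing it is neither possible that way nor useful, because the interesting part is whatever is launching it. Second, the record shows username="SYSTEM", so the launch is not an interactive session but something that runs with SYSTEM rights: typically a scheduled task, a service or a permanent WMI event subscription. The script below is an added example, not from the thread or from Malwarebytes, that enumerates those launch points, shows any powershell.exe currently running with its parent and live TCP peers, and reads back PowerShell script block logging (event 4104) once that has been turned on. All cmdlets are standard on Windows 10; run it from an elevated PowerShell. It only reads the system and changes nothing; the `New-Hit` helper and the `Find-PowerShellLaunchers`, `Get-LivePowerShell` and `Get-RecentScriptBlocks` names are this example's own.

```powershell
# Added example (not from the thread or from Malwarebytes). Read-only triage of
# what launches powershell.exe on this machine. Run elevated.

function New-Hit([string]$Source, [string]$Name, [string]$RunAs, [string]$Command) {
    [pscustomobject]@{ Source = $Source; Name = $Name; RunAs = $RunAs; Command = $Command }
}

function Find-PowerShellLaunchers {
    param([string]$Pattern = 'powershell')   # regex matched against each launch command
    $found = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled tasks: the usual way something runs as SYSTEM on a timer or at boot.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $Pattern) {
                $found.Add((New-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $task.Principal.UserId $cmd))
            }
        }
    }

    # 2. Run / RunOnce keys for the machine and the current user.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not values
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notin $meta }) {
            if ("$($p.Value)" -match $Pattern) {
                $runAs = if ($key -like 'HKLM:*') { 'every user at logon' } else { $env:USERNAME }
                $found.Add((New-Hit 'RunKey' "$key\$($p.Name)" $runAs "$($p.Value)"))
            }
        }
    }

    # 3. Services whose binary path invokes powershell.
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { "$($_.PathName)" -match $Pattern } |
        ForEach-Object { $found.Add((New-Hit 'Service' $_.Name $_.StartName $_.PathName)) }

    # 4. Permanent WMI event consumers: run as SYSTEM, survive reboots, rarely inspected.
    Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { "$($_.ExecutablePath) $($_.CommandLineTemplate)" -match $Pattern } |
        ForEach-Object { $found.Add((New-Hit 'WmiConsumer' $_.Name 'SYSTEM' "$($_.ExecutablePath) $($_.CommandLineTemplate)")) }

    return $found
}

# Catch it in the act: every running powershell.exe, its parent, command line and TCP peers.
function Get-LivePowerShell {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" | ForEach-Object {
        $proc   = $_
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $peers  = Get-NetTCPConnection -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
                  ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        [pscustomobject]@{
            Pid         = $proc.ProcessId
            Parent      = "$($parent.Name) ($($proc.ParentProcessId))"
            CommandLine = $proc.CommandLine
            Remote      = ($peers -join ', ')
        }
    }
}

# Script block logging (event 4104) records the code each powershell.exe actually ran.
# It is off by default. Group Policy is the supported switch; the equivalent registry
# value (set once, elevated, then wait for the next detection) is:
#   New-Item -Force -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' | Out-Null
#   Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name EnableScriptBlockLogging -Value 1 -Type DWord
function Get-RecentScriptBlocks([int]$Newest = 20) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId, @{ n = 'Script'; e = { $_.Properties[2].Value } }   # [2] = ScriptBlockText
}

Find-PowerShellLaunchers | Format-Table -AutoSize
Get-LivePowerShell        | Format-List
Get-RecentScriptBlocks 10 | Format-List
```

A launcher whose command line contains `-EncodedCommand`, `-WindowStyle Hidden`, `DownloadString` or a URL, and that no known software accounts for, is the kind of finding to hand to the malware-removal thread alongside the FRST logs rather than delete on the spot, since the removal experts will want to see what created it.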

Hello Crystelium:

The system could be infected and malware removal actions are not permitted in this sub-forum.

I recommend following the advice from the topic: Available Assistance for Possibly Infected Computers and have one of the Malware Removal Experts assist you with your issue.

If, as recommended, you do open a topic in Malware Removal Help, please make reference to this thread.

If you would like to get off to a very fast start, the Malware Removal Experts would appreciate it if you would also attach (not copy/paste) both the FRST.txt and the Addition.txt output diagnostic reports from only Log Set 1 into your new topic. Please do not tick, nor untick, any pre-configured FRST categories.

Thank you.

