
Powershell Running Malware/Virus Commands



kevinf80, I also have this exact same problem. I've been following the directions to get the .txt files. I've run Roguekiller twice and unfortunately have had to leave before it was finished, and when I came back both times the computer had rebooted and there was no log file. I'll run it tonight and watch it to see what it's doing. Do you have any idea?

Can you help me if I post the .txt files? I've been using MWBAM for a while and it finds the virus and deletes it but it keeps coming back. Obviously it's not getting the whole thing.

thanks

wilhouse

Edited by wilhouse

Thanks for those logs, continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Clean install Malwarebytes from version 2 to version 3...

Please download MBAM-clean and save it to your desktop.
 
  • Right-click on the mbam-clean.exe icon and select Run as Administrator to start the tool.
  • It will ask you to reboot the machine - please do so.
  • Run the cleaner tool again, re-boot when complete. <<<---do not miss this step


If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes and is updated do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the tool, select “Run as Administrator” and the tool will expand to the options window.
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin...

fixlist.txt

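The MSRT log step above asks for only the most recent run out of c:\windows\debug\mrt.log, which accumulates one section per run. The following PowerShell is an added example (not part of the thread or of any Microsoft tool) that splits the log into runs and returns the latest one. It assumes each run starts with a "Started On <date>" line and ends with a "... Finished On <date>" line in C-style ctime format, which is how typical MSRT logs are laid out; the sample log in the block is constructed to that shape, not copied from a real machine.

```powershell
# Added example: pull the most recent MSRT run out of mrt.log.
# Assumption: each run begins with "Started On Tue Mar 14 10:05:12 2017" and
# ends with "... Finished On <same date style>" (ctime layout, day may be
# padded with a space, e.g. "Thu Mar  9").

function ConvertFrom-CtimeDate {
    param([Parameter(Mandatory)][string]$Text)
    # Collapse the double space ctime uses for single-digit days, then parse.
    $normalized = ($Text.Trim() -replace '\s+', ' ')
    return [datetime]::ParseExact($normalized, 'ddd MMM d HH:mm:ss yyyy',
        [System.Globalization.CultureInfo]::InvariantCulture)
}

function Get-MsrtRuns {
    param([Parameter(Mandatory)][string[]]$Lines)
    $runs    = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Started On\s+(.+)$') {
            # A new run begins; close out the previous one.
            if ($null -ne $current) { $runs += $current }
            $current = [pscustomobject]@{
                Started  = ConvertFrom-CtimeDate $Matches[1]
                Finished = $null
                Lines    = [System.Collections.Generic.List[string]]::new()
            }
        }
        if ($null -ne $current) {
            $current.Lines.Add($line)
            if ($line -match 'Finished On\s+(.+)$') {
                $current.Finished = ConvertFrom-CtimeDate $Matches[1]
            }
        }
    }
    if ($null -ne $current) { $runs += $current }
    return $runs
}

function Get-LatestMsrtRun {
    # Default path is the one the thread names; override for an offline copy.
    param([string]$Path = "$env:SystemRoot\Debug\mrt.log")
    $runs = Get-MsrtRuns -Lines (Get-Content -LiteralPath $Path)
    return $runs | Sort-Object Started | Select-Object -Last 1
}

# Constructed sample log with two runs (placeholder version/build numbers).
$sampleLog = @'
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool vX.Y, (build X.Y.Z.W)
Started On Tue Feb 14 09:12:03 2017

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Feb 14 09:15:40 2017

Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool vX.Y, (build X.Y.Z.W)
Started On Thu Mar  9 20:31:17 2017

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Thu Mar  9 20:35:02 2017

Return code: 0 (0x0)
'@

$latest = Get-MsrtRuns -Lines ($sampleLog -split "`r?`n") |
    Sort-Object Started | Select-Object -Last 1
"Most recent run started $($latest.Started) and finished $($latest.Finished):"
$latest.Lines -join [Environment]::NewLine

# On a live machine, replace the sample with: Get-LatestMsrtRun
```

Sorting by the parsed start time rather than by position in the file matters because a run whose clock was wrong, or a log that was concatenated from a restore, can leave sections out of order; the "Return code" and "Results Summary" lines of the selected section are what a helper wants to see.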

Hello wilhouse,

Thanks for the logs and update on PC status. The main crux of the infection was removed with FRST fix, primarily this infection was designed to infect a system in an office environment to steal data/information...

Have a read at the following link: http://blog.trendmicro.com/trendlabs-security-intelligence/word-and-excel-files-infected-using-windows-powershell/

I'm not 100% sure your system is clean even though present logs are looking good.... I want you to run RogueKiller and post a fresh log; one of the DNS server domains used by the malware writer is 8.8.8.8, which is recognized as Google's open DNS address, so it can be easily overlooked....

Next,

Download and save RogueKiller to your Desktop from this link:

https://www.fosshub.com/RogueKiller.html/setup.exe

Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window checkmark "Install 32 and 64 bit versions", then select "Next"


In the next window skip Licence I.D. and Licence Key, select "Next"


In the next window make no changes and select "Next"


In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"


In the next window make no changes and select "Install"


RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish.


RogueKiller will launch. Accept UAC, then read and accept "User Agreements"


In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"


When the scan completes select "Open Report"


In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply

 
Thank you,
 
Kevin...

 


Kevin, well that was frustrating.

I ran RK twice, once normally as admin and once in compatibility mode. Every time I have run RK it has crashed, and I get a page fault error and the computer reboots. It generally crashes at about 70% (based on the bar).  Each time it found the same 9 items that it found in the RK.txt file I sent you, minus the ones that got deleted in the fix. In compatibility mode it ran so slow it took 5 hours before it crashed.

I can stop it just before it crashes (based on the bar) and then export a .txt file. That's what I did last time. As it was running when I went to bed last night (and had crashed when I got up), I don't have a file to post, but I'll run it tonight and stop it before it crashes to get a file.

Note that it finds the 9 files fairly early in the scan (around 25%) and hasn't found any others before it crashes.

Do you have any suggestions on how to run RK without making my computer crash?

wilhouse


Kevin, I ran RK in safe mode, with security turned off, and in safe mode with security turned off.

In each case it failed at the same point.

I stopped it before it failed. I've attached two files. RK.txt is run in normal mode and RK1.txt is run in safe mode.

For your info I took a photo of the error and posted it.

What's next?

regards

wilhouse

RK.txt

RK1.txt

FatalError.jpg



Looking at the logs it seems RogueKiller might be failing at the MBR check. The BSOD shows "what failed" at the bottom; I cannot read that, I've tried expanding but it is then too blurred. Can you tell me what it says..?

Also run this please:

1. Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)
3. Open the folder where the contents were unzipped to run mbar.exe


4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:


5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.


7. The following image opens, select Update


8. When the update completes select Next.


9. In the following window ensure "Targets" are ticked. Then select "Scan"


10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.


11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.
12. If no threats were found you will see the following image, Select Exit:


13. Verify that your system is now running normally, making sure that the following items are functional:
 
  • Internet access
  • Windows Update
  • Windows Firewall


14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System log
Mbar log (the date and time of the scan will also be shown)

Thanks,

Kevin...

Kevin, the name of the file is RIMSSN64.SYS. Checking the net, it appears to be a RICOH joystick device driver and I found it under my windows drivers.

I isolated it (put it in the trash) and am running RK again. I'll let you know what happens.

When that's done I'll do what you suggest above.

regards

wilhouse

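The post above identifies the driver named in the BSOD by a web search and then moves it out of the way. Before removing a driver that a crash blames, a defender normally checks what the file itself says: whether it carries a valid Authenticode signature, who signed it, what the version resource claims, its hash, and whether it is still registered as a system driver service. The PowerShell below is an added example (not from the thread or any tool it mentions) that gathers those facts; the path is a placeholder because the thread does not give the file's exact location, and the file name RIMSSN64.SYS is the one the poster reported.

```powershell
# Added example: inspect a driver named in a BSOD before deciding what it is.
# Assumption: the placeholder path below is where the file lives on the PC;
# adjust it to the real location (the thread only says "under my windows drivers").

function Get-DriverReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        SizeBytes   = $item.Length
        ModifiedUtc = $item.LastWriteTimeUtc
        Company     = $item.VersionInfo.CompanyName      # claimed, not verified
        Description = $item.VersionInfo.FileDescription  # claimed, not verified
        SigStatus   = $sig.Status                         # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Find-DriverService {
    # Lists every kernel driver service whose image path ends in the given file name.
    param([Parameter(Mandatory)][string]$FileName)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -like "*\$FileName") } |
        Select-Object Name, State, StartMode, PathName
}

# Placeholder path: replace with the actual location of the file.
$driver = "$env:SystemRoot\System32\drivers\RIMSSN64.SYS"

Get-DriverReport -Path $driver | Format-List
Find-DriverService -FileName 'RIMSSN64.SYS' | Format-Table -AutoSize
```

Read the output as a whole rather than any one field: the CompanyName in the version resource is just a string the file carries, so it only counts when the signature is Valid and the Signer subject names the same vendor. A NotSigned result on an older Windows release can still be a catalog-signed inbox file, so it is a reason to look further (the SHA256 can be compared against the vendor's published file), not a verdict. If Find-DriverService shows the driver still set to start at boot after the file has been moved, the service entry is what will keep pointing at a missing file.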

Uninstall RogueKiller http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Delete MBAR folder..

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if the first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted… When complete re-boot your PC

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
