Jump to content
frogg35

Lingering Powershell infection?

Recommended Posts

Back on August 17, I installed Malwarebytes on my machine since I was having performance issues. The scan found 16 threats on my PC, and removed them as such. Even after this scan though, and several others, Windows Powershell is still performing some suspicious activity. Malwarebytes will occasionally notify me of an outbound connection to "wentz.pw" that Powershell keeps attempting to make. This is classified as "riskware", but I'm concerned since I can't get rid of it. Attached is the log for the most recent connection attempt.

blocklog.txt

Share this post


Link to post
Share on other sites

Hi frogg35 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt) and the Malwarebytes log. You can attach them in your next post, or copy/paste their content.

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

Share this post


Link to post
Share on other sites

Hi frogg35,

Are you still with me?

Share this post


Link to post
Share on other sites

Can you upload that file to VirusTotal and post the report URL here?

C:\windows\wmsvc.exe

 

Share this post


Link to post
Share on other sites

Looks like we found it. Here.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Copy/paste the following inside the text area:
    Start::
    Task: {1DB2760D-709C-4C80-80C7-CC90C76BE1CF} - System32\Tasks\WindowsMediaService => C:\windows\wmsvc.exe [2018-07-30] (Microsoft Corporation)
    C:\windows\wmsvc.exe
    End::
    
  • Click on the Fix button
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Share this post


Link to post
Share on other sites

Here is this log

Quote

Fix result of Farbar Recovery Scan Tool (x64) Version: 23.08.2018
Ran by Kira (30-08-2018 15:03:42) Run:1
Running from C:\Users\Kira\Downloads
Loaded Profiles: Kira (Available Profiles: Kira & Classic .NET AppPool & .NET v4.5 & DefaultAppPool & .NET v2.0 & .NET v4.5 Classic & .NET v2.0 Classic)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Task: {1DB2760D-709C-4C80-80C7-CC90C76BE1CF} - System32\Tasks\WindowsMediaService => C:\windows\wmsvc.exe [2018-07-30] (Microsoft Corporation)
C:\windows\wmsvc.exe

*****************

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1DB2760D-709C-4C80-80C7-CC90C76BE1CF}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1DB2760D-709C-4C80-80C7-CC90C76BE1CF}" => removed successfully
C:\WINDOWS\System32\Tasks\WindowsMediaService => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WindowsMediaService" => removed successfully
C:\windows\wmsvc.exe => moved successfully


The system needed a reboot.

==== End of Fixlog 15:03:42 ====

 

Share this post


Link to post
Share on other sites

Alright. Are you still getting blocks from Malwarebytes now?

Share this post


Link to post
Share on other sites

Coincidentaly, the last block I recieved from MB was on the 26th, however, all the previous blocks have illustrated a pattern of attempting to connect at the 57th minute of the hour they were executed:

image.png.2e4452cd00ca43222468fb26365c981c.png

If this happens again, I will be sure to note this here. I intend to purchase a malwarebytes license soon (on my next payroll), which means I will not have realtime protection until sometime during the middle of next week. Would it be wise to add an IP block for the address associated with wentz.pw in my router's settings?

Share this post


Link to post
Share on other sites

You could, but I'm pretty sure that we removed the infection :) On a side note, what you were infected with was simply a downloader (Powershell-based). The website Malwarebytes is blocking hosts the PowerShell script that writes the main payload to the disk and executes it. I tested it on app.any.run and in my VM, and it fails to run due to a missing resource, so it looks botched. You should be safe at this point.

Share this post


Link to post
Share on other sites

Alright, I'll add it anyways; thank you for your assistance in removing this infection, as I'm pretty sure it had initially placed a cryptocurrency miner  (and possibly a keylogger) on my PC (based on what my first Malwarebytes scan found before I considered posting here). Is there any way to report the domain associated with these activities though, possibly to have it shut down or flagged?

Edited by frogg35
typo

Share this post


Link to post
Share on other sites

The domain would need to be reported to the web host. However, this is always a delicate matter. Some hosts will take action and bring down the website, some will just leave it be, with not a care in the world. That domain is flagged by a lot of security products on VirusTotal, so I'm sure it was either reported to the web host by one of them, and it'll be soon.

Share this post


Link to post
Share on other sites

Hi frogg35,

Are you still with me?

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.