
mshta - application behaviour protection - exploit payload/process blocked



Hey there guys,

I have some nasty miner in my system, any clue how I get rid of him?

This is the log from malwarebytes:
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 10/1/18
Protection Event Time: 9:42 PM
Log File: 2d380506-c5b2-11e8-b6f9-107b44948975.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.7107
License: Trial

-System Information-
OS: Windows 10 (Build 17134.285)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: mshta
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ep bypass -nop -c $e=(Get-ItemProperty HKLM:\Software\WOW6432Node\a);Select-Object -ExpandProperty Shell;Invoke-Expression $e
URL: 

(end)

Please advise

With kind regards

uplink
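The blocked command line in the log above shows where the stager loads its script from: a PowerShell one-liner that reads a registry value and evaluates it with Invoke-Expression, which is why file scanners only ever catch it in memory. As an added example (not part of the original thread and not Malwarebytes' own tooling), a small Python parser that takes such a "File Name:" log line and extracts the registry key, the value name and the evasion switches; the sample line and the flag descriptions are constructed from the log shown.

```python
import re

# Constructed sample: the "File Name:" line from the Malwarebytes exploit log above.
SAMPLE_LOG_LINE = (
    r"File Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden "
    r"-ep bypass -nop -c $e=(Get-ItemProperty HKLM:\Software\WOW6432Node\a);"
    r"Select-Object -ExpandProperty Shell;Invoke-Expression $e"
)

# Switches that, seen together, are typical of a stager that keeps its real
# script somewhere other than on disk (descriptions are this example's own wording).
EVASION_FLAGS = {
    "-windowstyle hidden": "hidden window",
    "-ep bypass": "execution policy bypass",
    "-nop": "no profile",
    "invoke-expression": "evaluates text as code (IEX)",
}

# Registry key read with Get-ItemProperty, then the value name pulled out of it.
REG_SOURCE = re.compile(
    r"Get-ItemProperty\s+(?P<key>HK[A-Z]+:\\[^\s;)|]+)"
    r".*?-ExpandProperty\s+(?P<value>[A-Za-z0-9_]+)",
    re.IGNORECASE,
)


def analyse_blocked_command(line):
    """Describe where a blocked PowerShell stager loads its payload from."""
    if not line.startswith("File Name:"):
        raise ValueError("expected a 'File Name:' log line")
    cmd = line[len("File Name:"):].strip()
    lowered = cmd.lower()
    flags = [desc for flag, desc in EVASION_FLAGS.items() if flag in lowered]
    m = REG_SOURCE.search(cmd)
    result = {
        "launcher": cmd.split()[0],
        "evasion": flags,
        "registry_key": m.group("key") if m else None,
        "registry_value": m.group("value") if m else None,
    }
    # Registry-resident script plus IEX: the payload lives in the registry, not in a
    # file, so the key/value pair is what a cleanup has to look at, not a path on disk.
    result["fileless"] = bool(m) and "evaluates text as code (IEX)" in flags
    return result


if __name__ == "__main__":
    for k, v in analyse_blocked_command(SAMPLE_LOG_LINE).items():
        print(f"{k}: {v}")
```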


I have no edit yet so, the malware was firstly detected by Eset Internet Security, but he couldn't delete the source, nor find it, only found it in memory. So I tried malwarebytes trial [am thinking of purchasing, if it proves useful]. And it also finds the malware in memory, blocks it, but I'm unable to find the source of the problem. Also tried some rootkit removers, but without luck.


Hello uplink and welcome to Malwarebytes,

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:

  • Click on the Report tab from the main interface.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of your choice, recommend "Desktop", then attach it to your reply

  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Wow, what a comprehensive reply! I'm sure to try all You wrote/suggested to me sir, as soon as I'm at home back from work. Thank You so much for Your time and effort! I'll report back as soon as I have some relevant results.

With kind regards

uplink


Greetings sir kevinf80

Hope this'll be all the files You require. Anyway, each time the computer restarts, the mbam successfully stops the threat, but nothing seems to be able to identify it :(

I hope the logs will be at least of some use to You,

Thank You for Your time, upon successful healing of my PC, I'll be sure to use Your PayPal url with some thanking tip for You for Your time & effort.

With kind regards

uplink

rootkit-mbam.JPG

AdwCleaner[C00].txt

FRST.txt

Addition.txt

after-restart-mbam.JPG

detection-mbam.JPG

AdwCleaner[S00].txt


Run the following:

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will display the software license (EULA); click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/paste its content in your next reply.


Do not use the Remove Selected option until I've had a look at the log..


Running the Rogue Killer now, will update the thread with log from the scan as soon as it's done with scanning. Btw. should I also use the #PE something option on the next scan? It says it's in beta and it could flag tons of false positives, so I left it unchecked for the time being.


Thanks for that log, run RogueKiller again, this time remove all found entries... Post that log.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please re-boot your computer manually.

  • Open Zemana AntiMalware again.
  • Click on the report icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach the saved report in your next message.


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Thank you,

Kevin


Today I managed to run only the Zemana solution, and the Sophos is taking a lot of time. I'm going to bed, but I'll run it again tomorrow, right according to Your plan sir kevinf80. Thank You once more for Your time. I'm attaching the log from the Zemana AntiSpyware software & the same thing from Mbam. Btw. the rootkit Miner or whatever the worm is, is back at it again. Was blocked today, as I turned off my PC again :(.

2018.10.06-02.39.01-i0-t92-d7.txt

mbam-again.txt


Download Dr Web Cureit from here http://www.freedrweb.com/cureit and save it to your desktop.

  • The file will be randomly named
  • Reboot to safe mode (see http://www.computerhope.com/issues/chsafe.htm)
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats
  • Press start scan
  • The scan will now commence
  • Once the scan has finished click open report (do not miss this step)
  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop


This log will be excessive, Please attach it to your next reply…