Exploit blocked

[neak07]

is this a false positive, my computer was in hibernate/offline but on when it happened. hence now just noticing it. 

I have  updated Malwarebytes and ran a scan nothings, also the adwcleaner and rootkit cleaner and nothing.

Thanks!

 

-Log Details-
Protection Event Date: 3/10/19
Protection Event Time: 10:25 AM
Log File: 45a93c17-4340-11e9-af14-8cec4b7a3885.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.538
Update Package Version: 1.0.9616
License: Premium

-System Information-
OS: Windows 10 (Build 17763.316)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: cmd
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\WINDOWS\Sysnative\cscript.exe C:\WINDOWS\Sysnative\cscript \nologo Sierra_Inv.vbs ..\Sierra_multiPNP.xml
URL: 

 

[neak07]

Just wanted to add that I have not seen this notice since.

[AdvancedSetup]

Hello @neak07

Let's get some logs and other scans to see what's going on.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

• If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes 3 installed yet please download it from here and install it.
• Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan Now.
• When finished, please click Clean & Repair.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

[AdvancedSetup]

Are you still with us @neak07

[neak07]

Yes I'm sorry. working on the last one. 

 

 

Malwarebytes scan.txt adw.txt

[neak07]

FRST.txt Addition.txt

[neak07]

ran again as administrator.  sorry for all the posts. 

 

FRST admin.txt Addition admin.txt

[AdvancedSetup]

The logs look good. This is what triggered the detection I thought, but looking at it closer this one is a different name and location.

Task: {2549FB6E-DD48-49C8-9022-1C3AFA7AEC5C} - System32\Tasks\USER_ESRV_SVC_QUEENCREEK => "C:\WINDOWS\System32\Wscript.exe" //B //NoLogo "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.vbs"

Let me try something else and I'll get back to you shortly.

 

 

 

[AdvancedSetup]

Please run FRST again. In the top area of the program please type in:  *.VBS

 

Then click on the "Search Files" button.

Once it's completed it will create a file called Search.txt in the same folder it was run from. Please attach that log on your next reply.

 

[neak07]

OK Thank you! and here you go.

Search.txt

[AdvancedSetup]

Well, that VBS script file does not appear to be on your system anymore.

Please keep an eye on it and if you get the block again let us know. Currently not finding anything in the logs to validate it.

Ron

 

[neak07]

I will let you know if I see it again. 

would you say my computer is safe to use then? 

thanks again for your help.

[AdvancedSetup]

It should be, but let's go ahead and use one more scanner just to make sure.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

[neak07]

it found this

MEM:Trojan.Script.AngryPower.gen

 

However when i tried to cure it it comes back.

I am not computer savvy but a quick search online said this could be a false positive and related to Norton. (which I have)

 

[neak07]

https://forum.kaspersky.com/index.php?/topic/390799-trojan-angrypower-not-being-removed/

apparently this has happened to others and they (Kaspersky Support) haven't been able to resolve it. 

I just wanted to say my computer is performing normally and I have no obvious reason to believe I have an infection but I do use this computer for sensitive purposes and finding this was concerning. 

[AdvancedSetup]

It looks like it might have come from Dell as an inventory process.

Please run FRST again as before and in the top of the box type in   InvCol.exe

Then click on the "Search Files" button.

Once it's completed it will create a file called Search.txt in the same folder it was run from. Please attach that log on your next reply.

[neak07]

ok. here it is.

 

Search.txt

[neak07]

I would also like to add when I logged into admin. account Kapsersky auto ran (or finished running?)  and is no longer finding any objects. 

[neak07]

[AdvancedSetup]

Well, that's good then. Please restart the computer and run things as you would normally and let me know if any other alerts.

 

[neak07]

No alerts from Malwarebytes after restart.

The last scan from Kaspersky did show a red exclamation mark with many Chrome processes listed in the report. but no detection.

I greatly appreciate the time you gave to help me, thank you!

 

[AdvancedSetup]

You're quite welcome @neak07

Let me have you reset Google Chrome. Please follow the directions from the following topic.

 

Once you have Chrome reset then review the information below to add and Ad blocker.

 

Help Secure your browsers

Please install uBlock Origin for your browsers to better protect your system

FireFox, Chrome, Opera , Safari, Microsoft Edge
AdBlock for Internet Explorer

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

 

Thank you for choosing Malwarebytes
 

Ron

 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks