
Hi, since a few days ago, the program powershell.exe has popped up in my Task Manager consuming 50% CPU. I can suppress it, but every 30 min to 1 hour it starts again. Can you guys help me?


Hi, @r0mb0 :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

We need to get information from this machine in order to have the proper detail to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"!
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

[ 2 ]

Go ahead and do this too.

Please read all of these lines first so that it is all clear to you about our plan. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here and save it to your desktop.

 

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
 

Thank you.

15 hours ago, Maurice Naggar said: (quoting the instructions above)

Hi Maurice, thank you for your assistance. The anti-rootkit program deleted 2 trojans, but powershell.exe is still up in my Task Manager. Here are the logs you asked for.

mbar-log-2019-07-17 (15-12-47).txt mbst-grab-results.zip


Thank you for the mbar log & the support zip file. Just by the way, there is no need to click on the "Quote" button. You and I are the only participants on this case, and I automatically get all replies to this case.

Next time, just simply type in the white reply box. Do what you need & then just click on the "Submit Reply" button at the bottom.

The MBAR run was especially beneficial. It found and removed 2 trojan files. Note they were in the user TEMP area:

C:\Users\MAQUINA\AppData\Local\Temp\9e1f47eb.exe         (Trojan.Agent.Powershell) -> Delete on reboot.
C:\Users\MAQUINA\AppData\Local\Temp\systeminfo.exe     (Trojan.Agent.AutoIt) -> Delete on reboot.

Thanks to the other reports, I found 3 questionable "tasks" in this Windows that invoked powershell & make some claim of being "update runs".

These will be removed on this next fix run below. There are a few more checks that I would like you to do later on. So do not go away & try not to do anything major on this machine.

I am listing below 2 tasks. Please do both. Just go down the list and do both.

[ 1 ]

This  is for r0mb0  only.

 

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.

I am sending a custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.

Start the Windows Explorer and then open the Downloads folder.

Double-click FRSTENGLISH to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Kindly attach the Fixlog.txt with your next reply

 

[ 2 ]

Let's have you run the Microsoft Malicious Software Removal Tool (MS MSRT).

This tool is a limited one. It targets some specific "common" malicious threats. It is a tool run typically once a month when your Windows does a Windows Update check.

I would just like a one-time on-demand run.

Point your browser to this MS website link: https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx

Look to see it matches your language & your version of Windows in terms of 64-bit or 32-bit.

Download and save the tool. Then go to the folder where saved (should be the Downloads folder).

Double-click the tool and allow it to Run. It should not take more than 12 - 15 minutes.

 

[ 3 ]

I am going ahead and also adding this run.  This one should be run on its own.  Meaning, clear the number of running open applications.

Close and save any work you are doing on your programs.

This run may take over an hour or two, depending on how many files and executable programs are on this machine.

The aim here is to scan the whole C drive of this machine. I would like to ensure no other malware is lying about.

 

Open Malwarebytes

Click the Settings menu followed by the Protection tab.

Scroll down to Scan Options and turn the Scan for rootkits setting on.

 

Next, click the icon button at left marked SCAN

 

Then, from the 3 panel choices, click on the middle one marked CUSTOM.

(IF you see a summary white screen with a green check, click on the Close X spot on the right side so you get that out of the way, & then click the Scan button on the left & then Custom scan in the middle.)

 

 

Then click on Configure Scan button

 

Be sure the Scan for rootkits box on the left is ticked.

 

Be sure to click on the box marked C on the right.

You want to scan the whole C drive.

 

Then click Scan Now button.

 

Then see what the result is. After it completes, kindly provide a copy of that Scan run log-report.

Also, do let me know about the "Powershell" / Task Manager situation at that point.

Sincerely,

Maurice

 

 

Fixlist.txt
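The post above describes the three things the helper looked for before writing the fix: which process keeps launching powershell.exe, which scheduled tasks invoke it while posing as "update runs", and what was dropped in the user TEMP folder. The script below is an added example and is not from this thread, from Malwarebytes or from FRST; it gathers exactly that evidence on a Windows machine so it can be read before anything is removed. The function names, column names and the regex of suspicious argument patterns are my own choices, and no task names are hard-coded because the thread never lists the three tasks it removed.

```powershell
# Added example (not from the forum thread): defender-side triage for a
# powershell.exe that keeps reappearing in Task Manager. Run from an elevated
# Windows PowerShell 5.1 prompt so all tasks and processes are visible.

function Get-RunningPowerShell {
    # Each live powershell.exe / pwsh.exe with its full command line and parent.
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
        ForEach-Object {
            $proc   = $_
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID         = $proc.ProcessId
                ParentPID   = $proc.ParentProcessId
                # A parent of svchost.exe (Schedule service) usually means a scheduled
                # task started it; a parent that already exited shows as <exited>.
                ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
                Started     = $proc.CreationDate
                CommandLine = $proc.CommandLine
            }
        }
}

# Argument patterns that legitimate update tasks rarely combine: hidden window,
# execution-policy bypass, no profile, encoded or downloaded commands. (My own list.)
$SuspiciousArgs = '(?i)-w(indowstyle)?\s+hidden|-e(c|nc|ncodedcommand)?\s|-nop\b|-noprofile|bypass|downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string'

function Get-PowerShellScheduledTasks {
    # Every scheduled task with an action that executes PowerShell, flagged when
    # its arguments match the patterns above. Review the output; do not delete blindly.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe     = [string]$action.Execute
            $argText = [string]$action.Arguments
            if (($exe + ' ' + $argText) -match '(?i)powershell|pwsh') {
                [pscustomobject]@{
                    TaskPath   = $task.TaskPath
                    TaskName   = $task.TaskName
                    State      = [string]$task.State
                    Author     = $task.Author
                    Execute    = $exe
                    Arguments  = $argText
                    Suspicious = [bool]($argText -match $SuspiciousArgs)
                }
            }
        }
    }
}

function Get-RecentTempExecutables {
    # Executable content created in the user's %TEMP% within the last $Days days,
    # the location where this thread's two trojan files were found.
    param([int]$Days = 14)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $env:TEMP -Recurse -File -Include *.exe,*.dll,*.ps1,*.vbs,*.js,*.bat,*.cmd -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $cutoff } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

# Usage: three listings to read and attach to a support thread as evidence.
Get-RunningPowerShell        | Format-List
Get-PowerShellScheduledTasks | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
Get-RecentTempExecutables    | Format-Table -AutoSize
```

The script only reads state; it does not stop processes or unregister tasks, so the output can be compared against a helper's fix list before anything is changed. A task whose Execute is powershell.exe and whose arguments carry a hidden window plus an encoded or downloaded command is the shape the thread's "update run" tasks would have taken, but a flagged row is a lead to examine, not proof on its own.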


Hi! I ran all the scans. The Microsoft software removal tool detected nothing, but Malwarebytes did. Here are the logs. (I made the malware scan on all disks.)

I just started my computer and powershell is not open, at least for now.

Fixlog.txt MalwarebytesLOG.txt


Thanks for the reports. The Fix run has squashed (removed) the abuse of powershell by 3 tasks.

The Malwarebytes scan run has removed some additional threats. Your pc should be in better overall shape.

Next, I would suggest a special scan.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.  Let me know if you need other help.

Sincerely,


It turned out all right. 0 problems, and powershell is no longer opening every 30 min or so. Thank you for your help, Maurice!


You are very welcome. You may delete the FIXLIST.txt file and anything I had you download.

I am happy to have helped. My best to you.

 

 
