Jump to content

Powershell Browser Trojan

nivedx

By nivedx
in Resolved Malware Removal Logs

 Share

Recommended Posts

Maurice Naggar

Maurice Naggar

Posted
Posted

Hi,    :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 

Let’s start by doing a new thorough scan with Malwarebytes for Windows.   The goal is to see whether there is an infection or P U P.

 

Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes.

Click Settings. Click Protection tab & scroll down to Scan options.

On the section "Potential Threat Protection"
look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to
"Always detect PUPS ".

and

look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to
"Always detect PUM ".



Then once all set there, click on SCAN button
Then insure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark

To that end, if you click the very top left checkbox you can force all detected lines ( if any are detected)  to be selected for removal. Be sure each line is checked.

image.png.67da9ae08ea6a1671badfa91ddb8df3b.png

 

 

Then you can proceed to click on the blue button Quarantine selected.


In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply 

 

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

ok.  That is a good run.  Let's do some follow up.

Using Chrome browser,   need you to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".


 [ 2  ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

 

[  3   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[  4  ]

I suggest you install the Malwarebytes Browser guard on to Chrome browser.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

[  5  ]   For FIREFOX browser

To get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser  

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US.   There are other language version.  Just go to the very bottom right of the page and look at “Change language” list drop down.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Sorry,  I cant tell what you mean " threat of compromised accounts I logged into ".

What I see here is a add-on that needs to be removed.

I appreciate knowing you have done my last suggestions.  Let's do what follows here, just to insure that the prior mis-use of powershell is all gone.

[   A   ]

There is a add-on called Browser Assistant   & it needs to be Uninstalled.

1. Type the Windows key+R to open the Run command.
2. Type control appwiz.cpl and hit Enter.
The Programs and Features window will appear.

3. Locate    Browser Assistant     and click once to select it, then click the Uninstall button.

For uninstall help, you may also refer to these links:
Windows 10:
https://www.cnet.com/how-to/how-to-uninstall-an-app-or-program-in-windows-10/

 

[   B   ]

Close and save any open work files before starting this procedure.  I am sending a custom fix script to do some cleanups.

This custom script is for Nivedex  only.

 

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) to the D:\Downloads  folder

The tool named FRST64.exe   tool    is already on the Downloads folder.

Start the Windows Explorer and then, open the D:\Downloads folder.


Double click FRST64

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

FRST_Fixl.png.c4c1c0dddcc49b11fa400590f070bd5e.png

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply.

 

Let me know how this goes.  We can do other steps, later, as needed.

Cheers,

Fixlist.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks for the log report.

Windows indicates that "Browser Assistant" is installed.  

Browser Assistant (HKLM-x32\...\{DFAA6F11-C27B-4EC0-83AE-3AC5B124A899}) (Version: 1.32.7106.16145 - Realistic Media Inc.)

We need to see what traces there are for it.   We will use FRST64  to search for it.

 

FRST64  is on the D:\Downloads folder.

Start FRST64.
Type the following ( better yet, use COPY  then Paste)   into the search box exactly as show then press the Search Files button

SearchAll: Browser Assistant

Please wait while the program searches for all entries relating to this program, when done a search.txt log will be saved to the desktop. Please attach this log to your next reply.

Sincerely.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

I have a new custom fix.   Please first delete the file I had you save before named FIXLIST.txt

I have attached a new one.  This custom script is to cleanout remains of "browser assistant".

 

Close and save any open work files before starting this procedure.  I am sending a custom fix script to do some cleanups.

This custom script is for Nivedex  only.

 

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) to the D:\Downloads  folder

The tool named FRST64.exe   tool    is already on the Downloads folder.

Start the Windows Explorer and then, open the D:\Downloads folder.


Double click FRST64

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

FRST_Fixl.png.c4c1c0dddcc49b11fa400590f070bd5e.png

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply.

Let me know how this goes.

Sincerely,

Maurice

Fixlist.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks.   What is reported is a P U P    ....   PUP.Optional.ASK   ....it is associated to to Chrome's   "sync  data"

This last run indicates all  items were quarantined.   Please re-do a new scan  & lets see the next report.    Thanks.   Hopefully the next one will be zero items tagged.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

You SHOULD  quarantine.   Please read all of this   & apply the tips.

Let’s start by doing a new thorough scan with Malwarebytes for Windows.   The goal is to see whether there is an infection or P U P.

 

Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes.

Click Settings. Click Protection tab & scroll down to Scan options.

On the section "Potential Threat Protection"
look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to
"Always detect PUPS ".

and

look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to
"Always detect PUM ".

and
scroll all the way down to the section Automatic Quarantine
On the line "Automatically quarantine detected malware" be sure it is ON



Then once all set there, click on SCAN button
Then insure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark

To that end, if you click the very top left checkbox you can force all detected lines ( if any are detected)  to be selected for removal. Be sure each line is checked.

 

image.png.82f82ffe64722c50d26815dddb6f4e90.png

 

Then you can proceed to click on the blue button Quarantine selected.


In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply 

 

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

We just need to do one other very quick cleanup for Chrome.

First, delete the FIXLIST.txt   I had you save before.    I am sending a new one with this.  It is attached.

Close and save any open work files before starting this procedure.  I am sending a custom fix script to do some cleanups.

This custom script is for Nivedex  only.

 

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) to the D:\Downloads  folder

The tool named FRST64.exe   tool    is already on the Downloads folder.

Start the Windows Explorer and then, open the D:\Downloads folder.


Double click FRST64

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

FRST_Fixl.png.c4c1c0dddcc49b11fa400590f070bd5e.png

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply.

 

Let me know how this goes

Fixlist.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.