
PowerShell Trojan Removal



Hello,

My in-laws have Malwarebytes Premium, and have an infection from a PowerShell Trojan virus. Malwarebytes seems to be blocking the outbound communications, but I'm having a hard time removing it.

So far I've run RKill, a full MWB scan (with rootkit detection), AdwCleaner, a Farbar Recovery Scan, and a Sophos scan ... but the infection is still active.

Here is the log from the MWB block notification, and I've also attached log files from the other scans.

Any help would be greatly appreciated!

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/26/19
Protection Event Time: 7:54 AM
Log File: 388e96e8-1054-11ea-b907-484d7eb8a0a5.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.750
Update Package Version: 1.0.15436
License: Premium

-System Information-
OS: Windows 10 (Build 17763.615)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain:
IP Address: 185.243.114.53
Port: 54036
Type: Outbound
File: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

 

(end)

Addition.txt FRST.txt Rkill.txt

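If you want to see for yourself where that powershell.exe is being started from while the helper prepares a fix, the following triage script is one way to do it. It is an added example, not something posted in this thread, not nasdaq's fix and not a Malwarebytes tool; the only thing taken from the thread is the blocked IP address. The function names (Get-SuspectConnection, Test-SuspiciousCommand, Get-PowerShellPersistence), the argument patterns it flags and the set of autostart locations it checks are this example's own assumptions, and it assumes Windows 10 with Windows PowerShell 5.1 run from an elevated prompt.

```powershell
# Added triage example. Not code from the thread, from nasdaq or from Malwarebytes.
# Assumes Windows 10 with Windows PowerShell 5.1, run from an elevated prompt.
# The remote address is the one in the poster's block log; function names,
# patterns and the persistence locations checked are this example's own choices.

$SuspectIp = '185.243.114.53'   # from the Malwarebytes "Blocked Website" entry

# 1. Map a live connection to the blocked address back to the process that
#    owns it, its command line and its parent. The block log only names
#    powershell.exe; the parent (Task Scheduler's svchost, WmiPrvSE, explorer,
#    another program) is what points at the persistence mechanism.
function Get-SuspectConnection {
    param([Parameter(Mandatory)][string]$RemoteAddress)
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $RemoteAddress } |
        ForEach-Object {
            $proc   = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
            [pscustomobject]@{
                RemotePort  = $_.RemotePort
                State       = $_.State
                Pid         = $proc.ProcessId
                Image       = $proc.ExecutablePath   # a SysWOW64 path is the 32-bit PowerShell host
                CommandLine = $proc.CommandLine
                ParentPid   = $proc.ParentProcessId
                ParentImage = $parent.ExecutablePath
                ParentCmd   = $parent.CommandLine
            }
        }
}

# 2. Heuristic for a PowerShell launcher that is trying not to be seen.
#    Expect some false positives from legitimate admin scripts; treat a hit
#    as "look at this", not "delete this".
$LauncherPattern = '(?i)powershell|pwsh'
$SuspiciousArgs  = '(?i)-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile|bypass|downloadstring|\biex\b|invoke-expression|frombase64string'

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    return ($Command -match $LauncherPattern) -and ($Command -match $SuspiciousArgs)
}

# 3. Walk the autostart locations that can launch PowerShell without dropping
#    a file of their own: Run/RunOnce keys (64-bit and Wow6432Node views, for
#    HKLM and every loaded user hive), scheduled task actions, and WMI
#    permanent event subscriptions.
function Get-PowerShellPersistence {
    $hits = New-Object System.Collections.Generic.List[object]

    $runKeys = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $roots = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })
    foreach ($root in $roots) {
        foreach ($key in $runKeys) {
            $path = "$root\$key"
            if (-not (Test-Path $path)) { continue }
            foreach ($prop in (Get-ItemProperty $path).PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath/... members
                if (Test-SuspiciousCommand "$($prop.Value)") {
                    $hits.Add([pscustomobject]@{ Source = "Registry $path\$($prop.Name)"; Command = "$($prop.Value)" })
                }
            }
        }
    }

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if (Test-SuspiciousCommand $cmd) {
                $hits.Add([pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Command = $cmd })
            }
        }
    }

    foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $cmd = "$($c.ExecutablePath) $($c.CommandLineTemplate)"
        if (Test-SuspiciousCommand $cmd) {
            $hits.Add([pscustomobject]@{ Source = "WMI CommandLineEventConsumer $($c.Name)"; Command = $cmd })
        }
    }
    foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        if (Test-SuspiciousCommand $c.ScriptText) {
            $hits.Add([pscustomobject]@{ Source = "WMI ActiveScriptEventConsumer $($c.Name)"; Command = $c.ScriptText })
        }
    }

    return $hits
}

Get-SuspectConnection -RemoteAddress $SuspectIp | Format-List
Get-PowerShellPersistence | Format-Table -AutoSize -Wrap
```

Get-SuspectConnection only returns something while the PowerShell process actually has a socket to that address (Malwarebytes blocks the traffic, but the connection attempt still shows up briefly), so run it around the time a block notification appears. The SysWOW64 path in the log is the 32-bit PowerShell host, which is unusual for a command typed by a user on a 64-bit machine, but the more useful field is the parent: svchost.exe hosting the Schedule service points at a scheduled task, WmiPrvSE.exe at a WMI subscription, explorer.exe at a Run key or Startup entry. Get-PowerShellPersistence reports and does not delete anything; a hit that checks out as malicious is the kind of entry a helper would put into an FRST fixlist, which is the removal route used later in this thread.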

Oh, and here is the most recent AdwCleaner log ... the first time I ran it, it did clean up 17 items though.

# -------------------------------
# Malwarebytes AdwCleaner 7.4.2.0
# -------------------------------
# Build:    10-21-2019
# Database: 2019-11-20.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    11-26-2019
# Duration: 00:00:18
# OS:       Windows 10 Pro
# Scanned:  35226
# Detected: 0


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.


AdwCleaner_Debug.log - [53572 octets] - [25/11/2019 20:14:45]
AdwCleaner[S00].txt - [2699 octets] - [25/11/2019 20:16:04]
AdwCleaner[C00].txt - [2583 octets] - [25/11/2019 20:18:26]
AdwCleaner[S01].txt - [1510 octets] - [25/11/2019 20:24:09]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S02].txt ##########

 


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt
