Powershell Trojan Removal

My in-laws have MalwareBytes Premium, and have an infection from a Powershell Trojan virus.  Malwarebytes seems to be blocking the outbound communications, but I'm having a hard time removing it.

So far I've run RKILL, a full MWB scan (with root kit detection), I've run adwcleaner, FARBAR recovery scan, and Sophos scan ... but the infection is still active. 

Here is the log from the MWB block notification, and I've also attached log files from the other scans.

Any help would be greatly appreciated!


-Log Details-
Protection Event Date: 11/26/19
Protection Event Time: 7:54 AM
Log File: 388e96e8-1054-11ea-b907-484d7eb8a0a5.json

-Software Information-
Components Version: 1.0.750
Update Package Version: 1.0.15436
License: Premium

-System Information-
OS: Windows 10 (Build 17763.615)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
IP Address:
Port: 54036
Type: Outbound
File: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe



Addition.txt FRST.txt Rkill.txt


Oh, and here is the most recent adwcleaner log ... the 1st time I ran it, it did clean up 17 items though.

# -------------------------------
# Malwarebytes AdwCleaner
# -------------------------------
# Build:    10-21-2019
# Database: 2019-11-20.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    11-26-2019
# Duration: 00:00:18
# OS:       Windows 10 Pro
# Scanned:  35226
# Detected: 0

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.

AdwCleaner_Debug.log - [53572 octets] - [25/11/2019 20:14:45]
AdwCleaner[S00].txt - [2699 octets] - [25/11/2019 20:16:04]
AdwCleaner[C00].txt - [2583 octets] - [25/11/2019 20:18:26]
AdwCleaner[S01].txt - [1510 octets] - [25/11/2019 20:24:09]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S02].txt ##########



Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.

Please post the Fixlog.txt and let me know what problem persists.



Thanks for the quick reply.  Here is the log result.  I won't know if the issue is still present for a while though, as it seems to phone home at random intervals. 



Will do.  I've since driven home, but will check in with them to see if the infection is gone.  If not, I'll be back around Christmas to finish it up.

Thanks again for your help, it is greatly appreciated!


@nasdaq I just contacted them to check the history, and there hasn't been another log entry of powershell.exe trying to send outbound comms in over 24 hours.  So I believe the issue has been resolved.

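A defender's version of the check the last reply did by hand, added here as an example and not code from the thread or from Malwarebytes: it parses the block-notification text layout quoted in the first post into events, keeps outbound blocks whose source binary is a script host such as powershell.exe, and reports how long that activity has been quiet. The sample log is constructed; its second event is invented for contrast.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the Malwarebytes block notification quoted
# in the thread; the second event is invented for contrast, not from the page.
SAMPLE_LOG = """-Log Details-
Protection Event Date: 11/26/19
Protection Event Time: 7:54 AM

-Website Data-
Category: Trojan
Port: 54036
Type: Outbound
File: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe

-Log Details-
Protection Event Date: 11/27/19
Protection Event Time: 9:10 AM

-Website Data-
Category: Malware
Port: 443
Type: Outbound
File: C:\\Program Files\\ExampleApp\\app.exe
"""

# A script host as the source of a blocked outbound connection points at a
# script or scheduled task being launched, not at a bad executable on disk.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def parse_events(text):
    """Split the notification text into events, one dict of 'Key: value' pairs each."""
    events = []
    for chunk in re.split(r"^-Log Details-\s*$", text, flags=re.M):
        fields = dict(re.findall(r"^([A-Za-z ]+?):\s*(.*?)\s*$", chunk, flags=re.M))
        if "Protection Event Date" in fields:
            stamp = f"{fields['Protection Event Date']} {fields['Protection Event Time']}"
            fields["timestamp"] = datetime.strptime(stamp, "%m/%d/%y %I:%M %p")
            events.append(fields)
    return events

def script_host_outbound(events):
    """Keep outbound blocks whose source binary is one of the script hosts."""
    return [e for e in events if e.get("Type") == "Outbound"
            and e.get("File", "").rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS]

def hours_since_last(events, now):
    """Hours since the newest event; the thread treated a 24h quiet window as resolved."""
    return None if not events else (now - max(e["timestamp"] for e in events)).total_seconds() / 3600
```

Running it over a real export of the protection history rather than the sample tells you whether the blocked powershell.exe connections stopped after the FRST fix or are still recurring.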