Trojan.BrowserAssistant.Powershell / browser assistant rogue


RAIVAIN


Hello,

I am new to this site. I believe I have a virus in PowerShell on Windows 10. I have no idea how to remove it and my antivirus is not picking it up. When I start cmd and PowerShell there are multiple processes for the same thing. My internet browser keeps restarting (as I type this for the 5th time) when I try to search for a solution on the internet. Then my PC runs super high on processes: CPU 100%, memory 69% and disk 16%. I have a gaming PC that I put together, so nothing standard. I have been looking for a way to remove this thing for over a week now and I am super frustrated. I know nothing about PowerShell, or even that there were viruses directly affecting it.

1.jpg

2.jpg


Hi,     :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only attach the report files, etc., that I ask for as we go along.

 


I would appreciate  getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

 

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.5.4.760.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.


 

Please know that I help here as a volunteer and that I am not on 24 x 7.

Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply (or replies) as we go along. Do not copy/paste them into the main body.

Thank you,

Sincerely.

 


Thanks for the report. Let's start with the last thing you sent a screen grab of: the Virus & threat protection readout in Windows Settings. That one is for Windows Defender.

This PC does have Webroot SecureAnywhere, and thus it would be (and is) the resident antivirus.

You should be able to use that to scan your system. When a system has a 3rd-party antivirus like Webroot, Windows 10's Windows Defender antivirus is set to off.

You only need one active antivirus program.

The reports confirm :     AV: Webroot SecureAnywhere (Enabled - Up to date)

.

The reports show a very suspicious task named "BA Scheduler" that makes use of PowerShell. That is from something called "Browser Assistant", hence "BA". And a startup link named Updater.lnk that also uses PowerShell.

These will be removed by the custom script below.

 

Please Close and Save any open work you may have open.

Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

 

This custom script is for   Raivain   only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH.exe   tool    is already on the Downloads folder

Start the Windows Explorer and then, to the Downloads folder.


RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click the More info line on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

(screenshot: FRST_Fixl.png, the Fix button on the FRST window)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

[  2  ]

I suggest you run a new scan with WEBROOT.

Let me know how things are, after.

Cheers.

 

Edited by Maurice Naggar
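As an added example (not part of Maurice's post, the FRST tool or its fixlist), here is a read-only PowerShell triage that lists the kinds of persistence the FRST report named: scheduled tasks and Startup-folder shortcuts whose action launches PowerShell. It also checks the Run/RunOnce registry keys, which the thread does not mention but which the same style of loader commonly uses, and shows which antivirus products Windows Security Center has registered (the Webroot vs. Defender question above). The names "BA Scheduler" and "Updater.lnk" come from the post; the script does not rely on them and matches on what the action actually executes. Run it from an elevated PowerShell on Windows 10:

```powershell
# Added triage example (not from the original thread). Read-only: it lists
# PowerShell-launching persistence and registered AV products, removes nothing.
# Requires Windows 10 (ScheduledTasks module, root/SecurityCenter2 namespace).

# Matches a PowerShell host at the start of a command line or after a path
# separator/space, so "powershell.exe", pwsh and full paths all hit.
$PsLauncher = '(?i)(^|[\\/\s"])(powershell(_ise)?|pwsh)(\.exe)?([\s"]|$)'

function Get-DecodedEncodedCommand {
    # If the command line carries -e / -ec / -enc / -encoded / -EncodedCommand,
    # return the decoded UTF-16LE script so the reviewer sees what really runs.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-e(?:nc(?:oded(?:command)?)?|c)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<invalid base64>' }
    }
    return $null
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    [pscustomobject]@{
        Source      = $Source
        Name        = $Name
        CommandLine = $CommandLine
        Decoded     = Get-DecodedEncodedCommand $CommandLine
    }
}

function Get-PowerShellScheduledTasks {
    # Every task action that runs PowerShell, with its arguments. The Execute
    # path is what matters; a task like "BA Scheduler" could be renamed anything.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            if ($cmd -match $PsLauncher) {
                New-Finding -Source 'ScheduledTask' `
                    -Name "$($task.TaskPath)$($task.TaskName) [$($task.State)]" -CommandLine $cmd
            }
        }
    }
}

function Get-PowerShellStartupLinks {
    # .lnk files in the per-user and all-users Startup folders. Explorer shows
    # only the shortcut name ("Updater"); the target and arguments are what run.
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($lnk in Get-ChildItem -Path $dirs -Filter *.lnk -ErrorAction SilentlyContinue) {
        $sc  = $shell.CreateShortcut($lnk.FullName)
        $cmd = ("$($sc.TargetPath) $($sc.Arguments)").Trim()
        if ($cmd -match $PsLauncher) {
            $style = if ($sc.WindowStyle -eq 7) { 'minimized' } else { 'normal' }   # 7 = minimized
            New-Finding -Source 'StartupLnk' -Name "$($lnk.FullName) [window: $style]" -CommandLine $cmd
        }
    }
}

function Get-PowerShellRunKeys {
    # Run/RunOnce autostart values for the machine and the current user.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            if ("$($p.Value)" -match $PsLauncher) {
                New-Finding -Source 'RunKey' -Name "$key\$($p.Name)" -CommandLine "$($p.Value)"
            }
        }
    }
}

function Get-RegisteredAntivirus {
    # What Windows Security Center believes is installed. productState is a
    # vendor bitfield; displayName is the reliable part for "which AV is resident".
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        Select-Object displayName, productState, pathToSignedProductExe
}

Write-Host '== Registered antivirus products =='
Get-RegisteredAntivirus | Format-Table -AutoSize
Write-Host '== Persistence that launches PowerShell =='
@(Get-PowerShellScheduledTasks) + @(Get-PowerShellStartupLinks) + @(Get-PowerShellRunKeys) |
    Format-List Source, Name, CommandLine, Decoded
```

A finding with a non-empty Decoded field is showing you the script that runs at each trigger; that, rather than the task or shortcut name, is what to send to the helper. Unregister-ScheduledTask and deleting the .lnk remove the launchers, but the program they point to still needs to be quarantined, which in this thread is what the FRST fixlist and the later Malwarebytes scan were for.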

Here is the other file.

I have to mention that my computer had cut access to the internet. Once I got back in I had a really hard time keeping the browser from closing and opening again. Once I got the txt file, the computer froze and I had to restart the program. Then all the processes were ramped up and I killed a few to be able to run the program. After the program ended and pc restarted, I ran the Webroot and it did not detect anything. I opened the browser and the first thing it did was close and open back up after some desktop flickering happened.

Fixlog.txt


Hello.   No, do not run the fix script ( again).

Please advise if the machine was Restarted today ?   If not, then do a Shutdown >> RESTART   so that there is a new Windows startup.

 

Which web browser do you typically use?    and then, I would like for you to use the EDGE browser instead for a while.   Let us see if EDGE is steady and stable.

 

Now, then, this machine does not have Malwarebytes for Windows. You can get it for free and use it to do a scan. Let's do that.

First the install.

see the how-to-article at support  https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows-v4

 

Once Malwarebytes is installed, now do a Scan.

Please do a new Scan on this machine, using Malwarebytes for Windows.

To run a Threat Scan, open Malwarebytes for Windows and click the blue Scan button.

Have patience during the run.

When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

 

Then, locate the scan run report, export a copy, and attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 



Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 


 
 

"Please advise if the machine was Restarted today ?"  Yes several times by now, trying to get back on the internet.

 

"Which web browser do you typically use?"  Internet Explorer / Edge  Both Edge and Internet Explorer are the ones giving me issues. It is also the only browser I have installed.

"Now, then, this machine does not have Malwarebytes for Windows.  You can get it for free and use it to do a scan.   Lets do that." I have installed the software and am currently running the scan.

I have included the image of the popup that does not go away and cannot click off from the browser. It started the powershell when the machine is first turned on and then the desktop flickers like every 5 to 10 minutes and the CPU runs really high during this.

The scan is still running.

 

Image-1.png


Do not panic, nor be spooked out, please. One program named "Browser Assistant" was the one rogue program that accounted for 99.9% of the issue.

Forget the mention of 2,193. It was one program. We can discount the dozens and dozens of line entries in the registry.

That one "program" is identified as Trojan.BrowserAssistant.Generic

Trojan.BrowserAssistant.PS

Trojan.BrowserAssistant.Powershell

Malwarebytes removed (quarantined) all of it. Malwarebytes for Windows did an awesome job of getting rid of it.

I would like to do a custom-script follow-up.

 

Please delete the prior FIXLIST.txt   that I had you save before.

 

Please Close and Save any open work you may have open.

Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

 

This custom script is for   Raivain   only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH.exe   tool    is already on the Downloads folder

Start the Windows Explorer and then, to the Downloads folder.


RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click the More info line on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

(screenshot: FRST_Fixl.png, the Fix button on the FRST window)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

[    2    ]

You can  manage the notifications on a site-by-site basis in Edge  itself:

 

Start Edge browser

 

Click the three dots button ( icon )  in the top-right corner and select Settings.

Scroll down and click on View advanced settings.

Under Website permissions, click on Manage Permissions.

Here, you can switch notifications off for a specific website.

You can set notifications off on a site by site basis.

 

You may press Clear all to get the whole list removed, if you so wish.

 

 

 

You should also do this, in Edge.   Click the Privacy & Security section.   ( the padlock icon)

 

Look under Security.   Click to the right ( to turn On)  Block pop-ups.

 

[     3    ]

I would suggest you download, save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 

Fixlist.txt


  • AdvancedSetup changed the title to Trojan.BrowserAssistant.Powershell / browser assistant rogue

That is all excellent. The Adwcleaner cleaned up some browser history traces. No malware here. No PUP.

 

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

 


Everything seems to be better as far as internet browser and I have not seen it flicker the desktop. I may venture to say that it has been fixed. I greatly appreciate all the help with everything.

The PC does not seem to be running as hard as before and everything looks pretty normal now. I am very happy you have helped me with this. THANK YOU SO MUCH!!

I will be buying the Malwarebytes license since my son will continue using the pc for "homework". I think he learned his lesson and will stop clicking on things just to get them out of the way. At least I hope so. He had to sit here with me and see what takes to clean a pc from viruses and malware.

Again I want to thank you since I would have not been able to clean it out.

If there are any issues for this particular problem I will let you know.

Thank you again.

Raivain 


Hi.   I am very happy to have helped.  Remember that backup is your best friend.  Do a backup of this system to offline removable media.  Make that a regular thing to do on a periodic basis.

As to your son ( and all at your household ) have them follow best practices below.

 

First some small cleanups.  

To remove the FRSTENGLISH tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.

Then run that ( double click on it)  to begin the cleanup process.

You may delete the file mb-support-1.5.4.760.exe 

Any other file I had you download, you may delete.

Adwcleaner you should keep.   That can be run on-demand to check for adwares.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.

I wish you all the best.

Sincerely,

Maurice

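Maurice's advice to browse from a Standard user account rather than an administrator account is the one item in that list that can be done and verified from the command line. As an added example (not from the post or the linked blog), this PowerShell creates a local account that is a member of Users only and then confirms it is not in Administrators. The account name "Homework" is an assumption; use any name you like. Run from an elevated PowerShell on Windows 10 (LocalAccounts module):

```powershell
# Added example (not from the original thread). Creates a standard (non-admin)
# local account for everyday browsing and verifies its group membership.
# The account name used in the usage lines below is an assumption.

function Test-IsAdministrator {
    # True when this PowerShell session itself runs with the Administrators token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-IsLocalAdminAccount {
    # True if the named account is a direct member of the local Administrators group.
    param([Parameter(Mandatory)][string]$Name)
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Name -split '\\')[-1] }   # strip the "COMPUTER\" prefix
    return ($members -contains $Name)
}

function New-StandardUserAccount {
    # Creates the account (prompting for its password) and ensures Users-only membership.
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated PowerShell.' }
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) { throw "User '$Name' already exists." }

    $password = Read-Host -Prompt "Password for $Name" -AsSecureString
    $user = New-LocalUser -Name $Name -Password $password -FullName $Name `
        -Description 'Standard (non-admin) account for daily internet use'

    # Membership of Users is what makes it a "standard" account; add unless already there.
    $inUsers = Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
    if (-not $inUsers) { Add-LocalGroupMember -Group 'Users' -Member $Name }

    [pscustomobject]@{
        Name             = $user.Name
        Enabled          = $user.Enabled
        InUsers          = [bool](Get-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue)
        InAdministrators = Test-IsLocalAdminAccount -Name $Name   # expected: False
    }
}

# Usage (account name is an assumption):
#   New-StandardUserAccount -Name 'Homework'
# Worth checking before you switch: is the account you log in with today an admin?
#   Test-IsLocalAdminAccount -Name $env:USERNAME
```

Keep the existing administrator login, as the post says, and sign in with the new account for browsing; anything that needs elevation will then prompt for the admin password instead of running silently, which is exactly the step a one-click "browser assistant" installer relies on skipping.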

One more thing for Chrome or Firefox browsers:

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

Also suggested for Chrome or Brave browser, the NoScript add-on extension for added protection from script exploits 

https://chrome.google.com/webstore/detail/noscript/doojmbjmlfjjnbmnoijecmcbfeoakpjm

 

.

If the pc has Mozilla Firefox, to get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English (US). There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.

.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

