lehieu1603

Powershell dns change and cpu 100


Hi all,

      I have an issue where the DNS keeps automatically changing to 8.8.8.8 and 9.9.9.9. When I open Task Manager, it shows a lot of PowerShell processes, so the CPU goes to 100%. This affects our work because the DNS domain was changed.

       Please help me, many thanks!

 


Hello @lehieu1603

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Hi, 

Thanks for the quick reply.

Please see the attached file. When the PowerShell was executing, I found out that the hosts file was modified to IP 66.42.43.37 jp

Sometimes the computer works well, but after several hours the DNS will be changed, powershell.exe runs and the CPU goes to 100%.

We are using Sophos but it didn't detect anything.

 

Addition.txt AdwCleaner[C00].txt AdwCleaner[S00].txt FRST.txt Log.txt

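An added triage script, not part of the thread, that checks one host for the three symptoms reported in the first two posts: DNS servers changed to 8.8.8.8 / 9.9.9.9, a hosts file entry pointing at an unexpected address (66.42.43.37 in the post above), and many powershell.exe processes. The internal resolver addresses in $ExpectedDns are placeholders, and the loader-argument regex is a heuristic; it assumes an elevated PowerShell on Windows 8 / Server 2012 or later (DnsClient and CIM cmdlets).

```powershell
# Added example (not from the thread): triage the symptoms reported above on one host.
# Assumptions (edit before use): workstations should use the internal resolvers in $ExpectedDns
# (placeholder addresses below), the hosts file should hold only comments and loopback lines,
# and the script runs in an elevated PowerShell on Windows 8 / Server 2012 or later.
param(
    [string[]]$ExpectedDns = @('10.0.0.10', '10.0.0.11'),   # placeholder internal DNS servers
    [switch]$ResetDns                                       # put affected interfaces back on DHCP DNS
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. DNS servers per IPv4 interface. The thread reports 8.8.8.8 / 9.9.9.9 showing up here.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $unexpected = @($cfg.ServerAddresses | Where-Object { $_ -notin $ExpectedDns })
    if ($unexpected.Count -gt 0) {
        $findings.Add("DNS   ifIndex=$($cfg.InterfaceIndex) $($cfg.InterfaceAlias): $($unexpected -join ', ')")
        if ($ResetDns) {
            # Clears statically set servers so the interface falls back to DHCP-supplied DNS.
            Set-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -ResetServerAddresses
        }
    }
}

# 2. hosts file. Anything that is not blank, a comment, or a loopback mapping is reported
#    (the thread saw an entry pointing at 66.42.43.37).
foreach ($raw in Get-Content -Path $hostsPath) {
    $line = $raw.Trim()
    if ($line -and -not $line.StartsWith('#') -and $line -notmatch '^(127\.0\.0\.1|::1)\s') {
        $findings.Add("HOSTS $line")
    }
}

# 3. Every powershell.exe with its parent and command line. Encoded / hidden-window /
#    download-and-run arguments are what a loader typically uses; this is a heuristic, not a verdict.
$loaderPattern = '-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|downloadstring|downloadfile|invoke-expression|\biex\b|https?://'
$all = Get-CimInstance Win32_Process
foreach ($p in ($all | Where-Object Name -eq 'powershell.exe')) {
    $parent = $all | Where-Object ProcessId -eq $p.ParentProcessId | Select-Object -First 1
    $flag   = if ($p.CommandLine -match $loaderPattern) { 'SUSPICIOUS' } else { 'ok' }
    $findings.Add("PS    pid=$($p.ProcessId) parent=$($parent.Name):$($p.ParentProcessId) [$flag] $($p.CommandLine)")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it without switches first and keep the output with the FRST logs; the DNS and hosts findings are the fastest way to tell which of the 4-5 affected machines are still being re-infected, since the thread notes the change recurs after several hours. Only use -ResetDns once the scheduled task or process that rewrites the settings has been removed, otherwise it will be changed back.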

You have old compromised Java on the computer. Please go to Control Panel, Programs, Add / Remove and uninstall Java

Windows Firewall is disabled. Are you using a Firewall from Sophos?

Is this a Work computer that was taken home?

You're using an old version of CCleaner, but that said, many experts in the industry no longer recommend the tool

https://helpdeskgeek.com/free-tools-review/why-you-shouldnt-download-ccleaner-for-windows-anymore/

https://www.howtogeek.com/361112/heres-what-you-should-use-instead-of-ccleaner/

Do I need a Windows Registry Cleaner?

 

 

Please temporarily disable your Sophos antivirus and run the following fix

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


Hi AdvancedSetup,

     We are using Sophos Enterprise Console but it didn't detect this PowerShell. I removed Sophos temporarily and enabled Windows Defender.

     This is a work computer in our domain. There are 4-5 computers with this problem and the users can't work.

     Please see the Fixlog.txt as an attached file.

Fixlog.txt


How is this computer running now?

Does it seem to be okay now?

Can you please attach the following file on your next reply

C:\Users\itadmin.orsn\Desktop\02.04.2020_16.37.10.zip

 


Hi, 

    I have been monitoring since this morning and will give feedback soon. Please see the attached file; I am also sending you the hosts file from when the DNS changed.

    There are also some other computers with the same issue, so how can I fix it?

02.04.2020_16.37.10.zip hosts.zip


Hi, 

      The computer on which I ran fixlist.txt seems to be fine until now. But I need to monitor it for more time.

      Besides that, 2 more computers got the same issue. At that time, I did check steps 1 and 2 as you requested and I noted that we got the trojan Lemonduck.powershell.

      Please see the attached log files for this computer.

Addition.txt AdwCleaner[C00].txt AdwCleaner[S00].txt FRST.txt log_malware.txt


Can you please run the scans in the exact provided order for the other systems. Then add the names of the computers involved to the file names.

Example:  computer1_FRST.txt  computer1_additions.txt    computer1_adwcleaner[C00].txt     computer1_malwarebytes.txt

That way we know which computer we're working with.

 

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Computer CE shows that the user did not have Malwarebytes remove what it found.

Trojan.LemonDuck.Powershell, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\kEDVTuem\eKrko1R, No Action By User, 14980, 789238, , , ,

Please run Malwarebytes again and this time have it remove anything it finds. Then reboot and get both new logs from FRST

 

The same issue with computer ENG
Please run Malwarebytes again and this time have it remove anything it finds. Then reboot and get both new logs from FRST

Thank you @lehieu1603

 


Hi, 

    After I ran quarantine on computer CE and computer ENG, they seem to be OK. The DNS wasn't changed during the day. But there are also other computers with the same problem; however, Malwarebytes couldn't detect it. I removed the task manually.

    Please see the virus file with the code to change the DNS as an attached file.

hynFcf.txt

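An added example, not part of the thread, for the scheduled-task persistence the two posts above describe: the Malwarebytes detection at HKLM\...\Schedule\TaskCache\Tree\Microsoft\Windows\kEDVTuem\eKrko1R is the registry view of a task at \Microsoft\Windows\kEDVTuem\ named eKrko1R, and the machines Malwarebytes did not flag were cleaned by removing the task by hand. Because the folder and task names are random, this script matches on what the task action does (launching powershell.exe or another script host with encoded, hidden-window, or download-and-run arguments) rather than on names, exports each hit as XML before touching it, and removes it only when run with -Remove. It assumes an elevated prompt on Windows 8 / Server 2012 or later (ScheduledTasks module); $EvidenceDir is an assumed output location.

```powershell
# Added example (not from the thread): hunt scheduled tasks whose action launches PowerShell or
# another script host with loader-style arguments, export each as evidence, optionally remove it.
# Assumptions: elevated PowerShell on Windows 8 / Server 2012 or later; $EvidenceDir is a
# placeholder path; the argument patterns are heuristics and will need review per hit.
param(
    [switch]$Remove,
    [string]$EvidenceDir = (Join-Path $env:USERPROFILE 'Desktop\task-evidence')   # assumed location
)

$suspiciousArgs = @(
    '-e(nc|ncodedcommand)?\s',                  # base64 -EncodedCommand
    '-w(indowstyle)?\s+hidden',                 # hidden window
    '-e(xecutionpolicy|p)\s+bypass',            # execution policy bypass
    '-nop\b|-noprofile',                        # skip profile, common in loaders
    'downloadstring|downloadfile|invoke-expression|\biex\b',
    'https?://'                                 # task argument carries a URL
)
$pattern   = $suspiciousArgs -join '|'
$scriptHost = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32'

# Collect one row per suspicious action; a task may have several actions.
$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $exe    = [string]$action.Execute      # empty for COM-handler actions
        $argStr = [string]$action.Arguments
        if ($exe -match $scriptHost -and $argStr -match $pattern) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Author    = $task.Author
                Execute   = $exe
                Arguments = $argStr
            }
        }
    }
}

if (-not $hits) { 'No suspicious scheduled-task actions found.'; return }

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
foreach ($h in $hits) {
    $h | Format-List | Out-String | Write-Host
    # Preserve the full definition (triggers, principal, command) before any removal.
    $safeName = ($h.TaskPath + $h.TaskName) -replace '[\\/:*?"<>|]', '_'
    Export-ScheduledTask -TaskPath $h.TaskPath -TaskName $h.TaskName |
        Set-Content -Path (Join-Path $EvidenceDir "$safeName.xml") -Encoding UTF8
    if ($Remove) {
        Unregister-ScheduledTask -TaskPath $h.TaskPath -TaskName $h.TaskName -Confirm:$false
        Write-Host "Removed $($h.TaskPath)$($h.TaskName)"
    }
}
```

Review every hit before running with -Remove: legitimate management agents also run PowerShell from tasks, and the exported XML shows the trigger (for instance a repeating interval, which would explain the DNS being rewritten again after several hours) and the account the task runs as. On a domain with several affected machines, the exported XML files from the first cleaned host give you the exact command line to search for on the rest.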

Thank you. I will submit to our Research Team.

Do you still need help with cleaning any of these systems?

 


Hi, 

    Thanks very much for your quick support. It seems to be OK. Can I ask if you have a free or trial Malwarebytes for Windows Server?


It does show a Free Trial on the business section of the website. They do request user information, naturally, but we do offer a Free Trial

https://www.malwarebytes.com/business/

Thank you again for using Malwarebytes and if you do need further assistance please don't hesitate to ask.

Take care and have a great week. Stay safe out there

 


Hi, 

  Great! Thanks so much! I will check the email from your sales team. Thank you again. Everything seems to be normal.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 
