Possible security breach through powershell script

Malwarebytes did not, but AdwCleaner did.

Here are some of the files.

After I checked "show all hidden files", it seems I was denied access to some files such as WindowsApps.

The rasphone app is in one of the files without it being installed.

I also found an MpCmdRun.txt that I did not make or do anything with.

Addition.txt FRST.txt AdwCleaner[C00].txt AdwCleaner[S00].txt MpCmdRun.log


34 minutes ago, Maurice Naggar said:

Hello.

Where and what are you looking at?

Has Malwarebytes for Windows or any other security scan tool reported or flagged something?

Why exactly are you presuming that there is something?

Sorry, forgot to quote. Please see the attachment above.

You should make one adjustment.

There is one setting in Malwarebytes that needs to be off, so that Microsoft Windows Defender is fully enabled. The Premium (or trial) protections of Malwarebytes will still be on.
Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to
"Windows Security Center"
Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".

{ Off position is all the way to the left-hand side. }

Click the small X to exit out and return to the main window of Malwarebytes.
NEXT

Please do a new scan on this machine, using Malwarebytes for Windows.

Click the blue Scan button.
Have patience during the run.
When the scan phase is done, be real sure you review and have all detected line items check-marked on the left. That too is very critical.
Then click on Quarantine selected.

Then locate the scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


11 minutes ago, Maurice Naggar said:

Please do not be so hasty in making presumptions. MpCmdRun is a component of the Windows Defender antivirus that is built in with Windows.

My question remains: what security program has reported an actual, real malware?

I'm not sure. My game was hacked, so I restored my device; after that I saw a bunch of services, and when I open Task Manager the CPU always maxes out for a quick few seconds.

I have a work device at home that is connected to a VPN and to the same WiFi as this device, so I'm not sure if I am currently being kept under watch, but this is my personal device, so I would like to see if there's any way I can have everything cleared out of the services added on to remote in or listen.

I am the owner of my own device, yet there are a few files that I have no access to, like WindowsApps.

In Event Viewer, under security, many local group memberships were enumerated.

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {2593F8B9-4EAF-457C-B68A-50F6B8EA6B54} and APPID {15C20B67-12E7-4BB6-92BB-7AFF07997402} to the user TAU\Andy SID (S-1-5-21-3789947632-3642281732-580142537-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Or

A service was installed in the system.

Service Name:  Malwarebytes Anti-Exploit
Service File Name:  C:\Windows\system32\drivers\mbae64.sys
Service Type:  kernel mode driver
Service Start Type:  system start
Service Account: 


After a system restore and re-imaging of Windows, it seems the registry is still updating.

The access history in hive \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT was cleared updating 571 keys and creating 33 modified pages.

The access history in hive \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT was cleared updating 571 keys and creating 33 modified pages.

The access history in hive \SystemRoot\System32\Config\SOFTWARE was cleared updating 233319 keys and creating 15548 modified pages.

The access history in hive \SystemRoot\System32\Config\DEFAULT was cleared updating 64 keys and creating 6 modified pages.

The access history in hive \Device\HarddiskVolume1\EFI\Microsoft\Boot\BCD was cleared updating 103 keys and creating 4 modified pages.

The access history in hive \SystemRoot\System32\config\DRIVERS was cleared updating 20310 keys and creating 896 modified pages.

File System Filter 'npsvctrig' (10.0, 2025-01-05T19:41:12.000000000Z) has successfully loaded and registered with Filter Manager.

To Rootcanal.

Please stop hunting around. The Farbar FRST reports looked fine, and it looks like the Windows 10 operating system was just freshly installed.

I do not see any signs of infection, and I have to be frank with you: I only use known security tools to make any judgement about potential or actual infection.

I do not see any such things here.

Task Manager will always show a high % use when you first start it. You have to let Task Manager settle in for a couple of minutes.

And most everyday users are not trained as to what to look for. Again, we only use security scanners that are known and reputable to make a determination.

There are no infections here. It is normal for Windows to have certain system folders hidden. That is why you've seen the access issues.

That is normal, and the C:\Windows\system32\drivers\mbae64.sys belongs to Malwarebytes for Windows.

That is not any suspicious thing, and I do not know where it was you dug up that last set of logged events.

Please stop hunting on your own. I want us to only do scans with known tools.

I have asked that you do one scan run with Malwarebytes for Windows and then attach the report from that scan.
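As an added defender-side check (example code, not part of this thread or of any Malwarebytes tool), the PowerShell below lists recent "A service was installed in the system" events like the one quoted earlier and verifies the Authenticode signature of each service binary, which is how you confirm that a file such as mbae64.sys really carries its vendor's signature instead of judging by the file name. It assumes an elevated PowerShell session on the machine being reviewed and that the System log still holds the events; the event ID 7045 and the EventData field names come from Windows' own event schema, not from the thread, and the 30-day window is an assumption.

```powershell
# Added example, not from this thread: triage "A service was installed in the
# system" events (System log, Service Control Manager, event ID 7045) by
# checking the Authenticode signature of each newly installed service binary.
# Assumes an elevated PowerShell session on the machine being reviewed.
param(
    [int]$Days = 30   # assumption: how far back to look in the System log
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
    StartTime    = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the named EventData fields (ServiceName, ImagePath, StartType, ...)
    # out of the event XML rather than relying on positional properties.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Drivers are often logged as \SystemRoot\System32\drivers\x.sys or
    # System32\drivers\x.sys, and services as "C:\path\svc.exe" plus arguments;
    # normalise the common forms so the file can be located on disk.
    $path = $data['ImagePath'] -replace '^"([^"]+)".*$', '$1'
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -match '^System32\\') { $path = Join-Path $env:SystemRoot $path }

    $status = 'FileNotFound'; $signer = ''
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    # One row per installed service: unsigned or unknown-signer binaries are
    # the ones worth a closer look; a Valid signature from the expected vendor
    # (for example Malwarebytes for mbae64.sys) is the benign outcome.
    [pscustomobject]@{
        Time        = $_.TimeCreated
        ServiceName = $data['ServiceName']
        ImagePath   = $path
        StartType   = $data['StartType']
        Signature   = $status
        Signer      = $signer
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```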

My apologies, here's the scan from Malwarebytes.

malwarebytes.txt


Both scans report NO malware and no PUP. By the way, there is no need to click the "quote" line. Just start typing in the white box at the bottom when you start a reply. It is just you and I on this topic.

I can have you do a new scan with a different scan tool, using a trusted scanner.

Do a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe".

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes.

When prompted for scan type, click on Full scan.

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

Nothing was found.

I am glad to read of that result. That makes yet another confirmation that there is no malware / no virus / no infection on this system.

The fact that you had done a new Windows setup did away with any prior issue that you may have had before that action.

I believe this system is good to go.

I just have a few suggestions regarding the web browsers.

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera.

Scroll down to the tips section "How do I disable them".

If this PC has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser Guard for Chrome.

To get and install the Malwarebytes Browser Guard extension for Chrome,

Open this link in your Chrome browser:

Then proceed with the setup.

If the PC has Mozilla Firefox, to get and install the Malwarebytes Browser Guard Firefox extension:

Open this link in your Firefox browser:

Then proceed with the setup.

That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for tips to help protect against infection.

Thank you
