Jump to content

Recommended Posts

Every hour or so powershell.exe tries to connect to a russian domain and is blocked by MB. I have scanned and not found any malware; have also run Farbar and have the frst.txt and addition.txt files; and have run the adware cleaner (log attached).

What steps do I take next to identify what is using poershell.exe?

 

FRST.txt Addition.txt AdwCleaner[C00].txt

Link to post
Share on other sites

Hello    :welcome:

My name is Maurice.  Let me know what name you prefer to go by.

 

Please know that the real-time web protection of the Malwarebytes for Windows is keeping the system safe from harm. It would truly help to see the logs from the block events kept by Malwarebytes as well as other details.    For example, it would help to know what IP is being blocked  & whether it is a Inbound or Outbound attempt.

 

I would appreciate  getting some key details from this machine.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
  
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.7.0.827.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Sincerely,

Maurice

Link to post
Share on other sites

Thank you.  I have a question for you.   I noticed 2 Windows tasks on this system that make mention of Powershell.

Did you set a task to do a Windows backup ?    Let me know.

I also notice that this system ( Windows ) has been up for 5 and one-half days.   I urge you to do one Windows RESTART.

Link to post
Share on other sites

I noticed that the Firefox version on this machine,   Mozilla Firefox 64.0.2   ,  is out of date.

I would urge you to make sure to get the very latest release Version .   Start Firefox.  Click Settings icon.   Slect Help >>> About Firefox

Be sure to get latest version 80.0.1

.

[     2    ]

I suspect  2 scheduled tasks as likely being  ( perhaps)  the source of the issue.   I am sending a script to list out those 2 task-scripts  & to remove the 2 tasks, and to insure the Winodws Winsock is good.

I am sending here a custom fix script.

The system will be rebooted after the script has run.

.

This custom script is for  Dzseti  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRSTENGLISH  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH .exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on  FRSTENGLISH    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

We will do more after this round.

Sincerely.

Fixlist.txt

Link to post
Share on other sites

Good morning.     

I would like you to do a special Update & then do a special scan.

Start Malwarebytes.    Then click on the Settings icon  at top right.

Then look on the GENERAL tab.    Scroll down to " Beta Updates "  ( aggiornamento beta  )      and click that to the Right side   (  ON  ) .

Then scroll back up to the top at "Application Updates"   and click on the button " Check for Updates ".  ( ricerca aggiornamenti  )     Have patience   & follow all the prompts.

The latest Beta is Version 4.2.1.89

.

Once the update is completed,  we want to go to the main screen of the Malwarebytes program.

Now do a SCAN   in this way

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.
Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color
Now click the small X  to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan ( which should be the default).
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.

Be sure all items were removed.       Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

We will do more after this.

Link to post
Share on other sites

The scan report from Malwarebytes for Windows reports no malware ;   no P U P.   That is obviously a good result.

If there are still "block" event notices by Malwarebytes, is the IP address still 109.234.34.30   ?

and if so, is the domain shown still  hldns.ru ?

Let me know that, along with doing these 2 next steps as well.   Kindly do all this  & after, you can provide reply +  the 2 reports.

[     1     ]

I would like you to do a  special search.

There is the FRSTENGLISH  tool on the Downloads folder.   We will use that to do a search.

Find &   then start FRSTENGLISH
Type the following ( better yet, use COPY  then Paste)   into the search box exactly as show then press the Search Files button 
 

SearchAll: 109.234.34.30;hldns.ru;.ru


 
Please wait while the program searches for all entries relating to this program, when done a  search.txt    log will be saved to the desktop. Please attach this log to your next reply. 

Thanks for your patience.

[     2     ]

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  •  
  • Save the file first,
  • Close any running programs that you started on your own ( if any).
  • Please disconnect any USB or external drives from the computer before you run this scan!

 

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

 

In the HOME tab, click Scan button

Next, on the Quick scan pane, click om the Start button to proceed.

.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.

Link to post
Share on other sites

Thanks for the report file from Roguekiller.    I did not see any result from the FRST special search.

I would like you to do a  special search.

There is the FRSTENGLISH  tool on the Downloads folder.   We will use that to do a search.

Find &   then start FRSTENGLISH
Type the following ( better yet, use COPY  then Paste)   into the search box exactly as show then press the Search Files button 
 

SearchAll: 109.234.34.30;hldns.ru;.ru


 
Please wait while the program searches for all entries relating to this program, when done a  search.txt    log will be saved to the desktop. Please attach this log to your next reply. 

Thanks for your patience.

Link to post
Share on other sites

Thank you for the reports.   There is one registry entry ( seemingly related to Notepad )  that is not needed & is atypical.

I do not believe the entry itself poses any sort of potential harm.

This next procedure is to remove that registry line.   You should delete the old file saved named Fixlist.txt   on the Downloads folder.

I am sending a new one here.

This custom script is for  Dzseti  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRSTENGLISH  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH .exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on  FRSTENGLISH    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start.
The tool will complete its run fairly quickly.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Let me know how the system does after this.

Sincerely.

Fixlist.txt

Link to post
Share on other sites

Very good.    That one entry is now gone.    Monitor the system over the rest of the day & tomorrow.   I want to know if the block notices have ceased.

If they have not, I need to have the IP   address   & the domain   ( if that is shown )

Those can be retrieved from the Malwarebytes logs

  1. Open Malwarebytes for Windows.
  2. Click the Detection History card.
  3. Click the History tab.
  4. Hover your cursor over the report you want to view and click the eye icon 2020-08-03_8-25-11.jpg ).
  5. A Summary window displays to show the threat details, the protection date and time, and the action executed.
  6. click the Advanced tab in this window.
  7.  click Export, then click either Copy to Clipboard or Text File (*.txt).
  8. Attach a copy with next reply
Link to post
Share on other sites

Here are the details:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 18/09/2020
Protection Event Time: 19:39
Log File: da6e94ac-f9d5-11ea-8512-acfdce966891.json

-Software Information-
Version: 4.2.1.89
Components Version: 1.0.1045
Update Package Version: 1.0.30039
Licence: Premium

-System Information-
OS: Windows 10 (Build 19041.508)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Malware
Domain: m0m09983.hldns.ru
IP Address: 109.234.34.30
Port: 21
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe



(end)

 

Link to post
Share on other sites

Thanks.   Lets see if you can set a Outbound rule  for the Windows Firewall  to Block  the IP   address  109.234.34.30

 

Open an elevated command prompt window i.e. run Command Prompt as an administrator .
It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )
On that command prompt,  Copy & Paste this command

 

netsh advfirewall firewall add rule name="BLOCKED IP" interface=any dir=in action=block remoteip=109.234.34.30

then press Enter-key to apply that rule.

Next one other rule  for the Outbound.     Copy & Paste this command

netsh advfirewall firewall add rule name="BLOCKED IP" interface=any dir=out action=block remoteip=109.234.34.30

then press Enter-key to apply that rule.

Let me know how all this goes.   When completed, you can close the Command prompt window.

 

Link to post
Share on other sites

That's good to know.   How is it going today ?

Here are tips on keeping your web browsers safer.   Make time  and read all of this.     apply the tips.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

.

For    Mozilla Firefox, to get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US.   There are other language version.  Just go to the very bottom right of the page and look at “Change language” list drop down.

Link to post
Share on other sites

Hello.   Lets please get fresh reports.

[    1     ]

open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.7.0.827.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

[      2      ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system. 
The download links & the how-to-run-the tool are at this link at Microsoft 
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 
  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 

[      3       ]

Let’s  please try to get and run a special  report  tool from Microsoft. 
It does not make changes. It will be just a report.

Please download Sysinternals Autoruns from here and save it to your desktop.

Note: you also need to do the following:
Right-click on Autoruns.exe and select Properties
Click on the Compatibility tab
Under Privilege Level check the box next to Run this program as an administrator
Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...
In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:
Include empty locations
Hide Microsoft entries
Hide Windows entries

Verify that the following is checked, if it is unchecked, check it:
Verify code signatures

Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.

Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

Thank you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.