
Infected Workstation with C:\Windows\System32\WindowsPowerShell\v1.0\power



Hello. My name is Maurice. I will be guiding you.

If you have Malwarebytes for Teams, be sure you say so; in that case, be aware that MBT entitles you to priority support with Malwarebytes Support through their ticket/online portal.

It is imperative to get the detection log from the last block event. Go to Detection History (second half of the linked article). Get the Advanced one from Detection History and attach it.

https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows


Hi,

I will step in until Maurice gets back. We will need the MBST tool to be run so we can see what was removed and what possibly remains that causes those blocks to happen.

You can find the tool on this link: https://downloads.malwarebytes.com/file/mbst

Simply start it, click Advanced and Gather logs. Upload the archive here once tool finishes.


We have faced this problem before, where other software (Emsisoft in the last case) improperly removed the scheduled task so that Malwarebytes couldn't remove it properly.

On the machine where you run MBST, you need to remove these keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5CC81276-AEF2-401B-A111-A5492B5D47C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5CC81276-AEF2-401B-A111-A5492B5D47C6}

If you check under TaskCache\Tasks\{5CC81276-AEF2-401B-A111-A5492B5D47C6}, you will see that there is a value named Path with \Winnet data. This belongs to the malware.

After you remove the keys above, restart the endpoint. 


Will try now and restart.

Unfortunately, we have around 8 more machines infected and I can't see a value Path with \Winnet data in the registry for these!

Would it be possible to let me know how to find the value, or do you need the support logs for each device? Thanks.


You can search the registry on each endpoint manually in Registry Editor.

  • Open Regedit.exe 
  • Ctrl + F to open search

  • Make sure that you copy the GUID, as it also needs to be removed under \TaskCache\Plain. In my case it was {33E1EAF7-83D9-4470-95A6-6DF9639E04E6}
  • That means I would delete these keys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{33E1EAF7-83D9-4470-95A6-6DF9639E04E6}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{33E1EAF7-83D9-4470-95A6-6DF9639E04E6}
  • Reboot every endpoint after you delete keys.

Let me know if you need any additional help.

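The two posts above describe the same manual procedure: open the TaskCache\Tasks hive, find the {GUID} subkey whose Path value carries the \Winnet task name, then delete that GUID under both TaskCache\Plain and TaskCache\Tasks and reboot. The script below is an added example for doing that on each of the remaining endpoints from an elevated PowerShell prompt; it is not code from the thread or from Malwarebytes. The Path pattern, the -Remove switch and the audit-by-default behaviour are this example's own conventions, and the GUIDs it finds will differ per machine, as the posters note.

```powershell
# Added example, not from the thread: locate TaskCache entries whose Path value
# matches a task name (default "*\Winnet*") and delete the two keys the thread
# names (TaskCache\Plain\{GUID} and TaskCache\Tasks\{GUID}).
# Run elevated. Without -Remove it only reports what it would delete.
param(
    [string]$PathPattern = '*\Winnet*',   # task name data the thread ties to the malware (assumed pattern)
    [switch]$Remove                        # assumed switch: audit only unless present
)

$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
$tasksKey  = Join-Path $taskCache 'Tasks'
$plainKey  = Join-Path $taskCache 'Plain'

function Find-SuspiciousTaskCacheEntry {
    param([string]$Pattern)
    # Every subkey under Tasks is a {GUID}; its Path value is the task's
    # Task Scheduler path, which is what the poster searched for in regedit.
    Get-ChildItem -Path $tasksKey -ErrorAction Stop | ForEach-Object {
        $path = (Get-ItemProperty -Path $_.PSPath -Name Path -ErrorAction SilentlyContinue).Path
        if ($path -like $Pattern) {
            [pscustomobject]@{
                Guid     = $_.PSChildName
                Path     = $path
                TasksKey = $_.PSPath
                PlainKey = Join-Path $plainKey $_.PSChildName
            }
        }
    }
}

$hits = @(Find-SuspiciousTaskCacheEntry -Pattern $PathPattern)
if ($hits.Count -eq 0) {
    Write-Host "No TaskCache\Tasks entry has a Path matching '$PathPattern'."
    return
}

foreach ($hit in $hits) {
    Write-Host ("Found task '{0}' cached under GUID {1}" -f $hit.Path, $hit.Guid)
    # The two keys the thread says to delete, Plain first, then Tasks.
    foreach ($key in @($hit.PlainKey, $hit.TasksKey)) {
        if (-not (Test-Path -Path $key)) {
            Write-Host "  missing (already gone?): $key"
            continue
        }
        if ($Remove) {
            Remove-Item -Path $key -Recurse -Force
            Write-Host "  removed: $key"
        } else {
            Write-Host "  would remove: $key   (re-run with -Remove)"
        }
    }
}

if ($Remove) { Write-Host 'Done. Reboot this endpoint, as the thread instructs.' }
```

Run it once without -Remove to confirm the GUID and Path it reports match what you see in regedit, then again with -Remove. Two caveats: the Tasks subkeys are ACL-restricted, so a non-elevated session will get an access-denied error from Get-ChildItem rather than an empty result, and the thread only names the Plain and Tasks keys, so that is all this script touches; the example does not attempt any wider cleanup than the posters prescribed.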

@Shvanf That randomly named file in the last image is actually a legitimate PowerShell executable, renamed probably to avoid behavioral blockers. It is, however, misused/misplaced, so that will be taken care of in our next update. The malicious web blocks you are getting are related to the LemonDuck miner; we have a database update ongoing that should remove those as well. The database update should be completed in the next couple of hours.


Be sure that you did delete the 2 registry keys related to TaskCache that were cited before by TwinHeadedEagle:

https://forums.malwarebytes.com/topic/272004-infected-workstation-with-cwindowssystem32windowspowershellv10power/?do=findComment&comment=1446288
