
sysWOW64 Powershell Trojan Help Needed


Go to solution Solved by Maurice Naggar,


I will guide you as we go along.

Please always just only attach any reports I ask for.

The next thing I suggest is:

Close all web browsers.

Close any apps of yours that you now have open on-screen.

Then do a Full scan with the AVG antivirus.


Okay, so in AVG quarantine was IDP.HEUR.23, file name startmenufix.vbs, location System32\oem, and HTML:EvilCursor-B, file name "This computer is BLOCKED.html", location was in the Downloads folder.

Since doing the Deep scan, 3 Adw named Win32:Mobiame-C were moved from the Recycling Bin to quarantine.

 


Thank you for that.

Now let's do this scan next.

In Malwarebytes for Windows program, we want to do a special scan.

 

Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.

 

Then click the Security tab.

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈

Click it to get it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.

 

Next click the blue button marked Scan.

 

When the scan phase is done, be really sure you review and have all detected line items check-marked on each line on the left. That, too, is very critical.

 

You can actually click ( tick ) the topmost left check-box on the very top line to get ALL lines ticked ( all selected). 👈


Then click on Quarantine selected.

 

Then, locate the Scan run report, export a copy, and then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more, later. 


Thank you. Today's Malwarebytes scan result is reassuring.

A different scan now.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.

Click the blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for “periodic scanning”.


ESET tagged that 1 EXE file as a potentially unwanted app (PUA). It is deleted.

.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system.

The download links and the how-to for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

You may select Quick scan from scan option.

Let me know the result of this.

The log is named MSERT.log. The log will be at:

C:\Windows\debug\msert.log

Please attach that log with your reply.


I went to Add/Remove Apps and I see "Browser Assistant" 21.7MB. This is the app flagged by MB the first time, iirc, or at least 'browser assistant' and 'BA' were in the name. I do not know what this is, and I'm almost sure this is where the trojan came from. Should I just click uninstall or do I need to do something else?


Next steps after the last post.

Let me suggest you do one scan with AdwCleaner to check for adware.

 

First download and save it:

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then do a scan with AdwCleaner:

 

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.


I knew it. I had a feeling this would happen. That’s why I asked you if I should just click uninstall. It released it.

I got the “please wait while Windows configures Browser Assistant”, and it took a few mins, then AVG pops up saying “Threat Blocked. We’ve blocked pssEC0B.ps1 because it was infected with IDP.ALEXA.53”.

Right before that, I had already disconnected from the internet, because it was lagging on that uninstall window. I’m sending this from my phone.

I quarantined with AVG.


No, you misunderstood. I hadn't tried to run Adwcleaner yet. I tried uninstalling "Browser Assistant", and it released the Powershell trojan again. For reference, there were a total of 4 files, named pssxxxx.ps1. The X's being different for each file. I ran a deep scan with AVG, which came back clean. I also ran MB again, which also came back clean. And I ran Adwcleaner, which found 1 PUP. I attached the Adwcleaner logs.

AdwCleaner[C00].txt AdwCleaner[S00].txt


Hi. Thanks for the C Clean report from AdwCleaner.

Use Option One or Two of this article to set Windows File Explorer to show all files:

 

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

.

As a next step, to check out your system a bit more, a scan with Sophos.

Download Sophos Free Virus Removal Tool and save it to your desktop.

 

If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.

 

Please do not use your PC whilst the scan is in progress. This scan is very thorough, so it may take several hours.

 

Double click the icon and select Run

 

Click Next

 

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

 

Once the virus database has been updated click Start Scanning

 

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

 

Close the Notepad document, close the Threat Details screen, then click Start cleanup

 

Click Exit to close the program

If no threats were found, please confirm that result.

 

The Virus Removal Tool scans the following areas of your computer:

  • Memory, including system memory on 32-bit (x86) versions of Windows

  • The Windows registry

  • All local hard drives, fixed and removable

  • Mapped network drives are not scanned.

 

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

 

Please be sure to attach that log.

Cheers.

Edited by Maurice Naggar

Here are tips on keeping your web browsers safer. Please make time to read all of this, and apply the tips.

 

See this article on our Malwarebytes Blog:

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera.

 

Scroll down to the tips section "How do I disable them".

.

If this PC has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser Guard for Chrome.

 

To get and install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

.

For the Windows Edge browser, use it to go to that same link above, and install that Browser Guard onto it, too.

.

For Mozilla Firefox, to get and install the Malwarebytes Browser Guard Firefox extension, open this link in your Firefox browser:

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

 

That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at the “Change language” drop-down list.


  • Solution

You are very welcome. :D

I have a small custom script for this PC, with the main goal to run the Windows System File Checker tool to test for integrity, and also to remove 2 traces of the McAfee app.

.

Fixlist.txt

 

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe; you have yours saved in Downloads.

 

The custom script on this post is ONLY for this machine and NO other.

 

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

 

If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

 

The system will be rebooted after the script has run.

 

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

 

Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRST64 and select Run as Administrator.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool, click the line More info on that screen, and click the button Run anyway on the next screen.

 

on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

 

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall, after all this.


Thanks for the log.

The results of the Windows System File Checker and Windows DISM tools are all fine.

A good run, except for the 60 minutes it took to run. It should have been a lot less.

.

Make very sure to do a full Backup of this system to offline local media, like a large size portable USB backup drive.

Do that real soon.

.

Is this a laptop / notebook ?

You noted it was dropped.

Your remark about HDD suspicions is of potential concern. Be cautious if you have reason to suspect a problem on the HDD.

 

Review the scheduled tasks and all auto-started apps that load at Windows startup.

I would suggest doing what we in the community call a "clean boot startup". The goal here is to find which apps you do not need to autostart.

 

How to perform a clean boot in Windows:

https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

.

On a separate matter, please create a new System Restore point and then run the following.

Open an elevated Admin Command Prompt and type in the following:

 

ECHO Y|CHKDSK C: /F

That will set a disk check to run on restart of the computer.

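To support the "review the scheduled tasks and auto-started apps" step in the post above, here is an added PowerShell review script; it is not from the post, from Malwarebytes, or from any tool named in the thread. It only lists entries and changes nothing; the pattern it flags (PowerShell, the script hosts, .ps1 and .vbs files) is an assumption based on the pssXXXX.ps1 and startmenufix.vbs names reported earlier in this thread.

```powershell
# Added example (not from the forum post): inventory scheduled tasks and
# Run/RunOnce autostart entries, then flag those that launch PowerShell or
# script files. Review only; nothing is removed. Run from an elevated
# PowerShell prompt so machine-wide tasks are visible.

# Assumed pattern for the kind of autostart seen in this thread (.ps1 / .vbs).
$pattern = 'powershell|pwsh|wscript|cscript|\.ps1|\.vbs|-EncodedCommand'

# Scheduled tasks outside Microsoft's own task folders: executable plus arguments.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = ("$($action.Execute) $($action.Arguments)").Trim()
            }
        }
    }

# Run / RunOnce keys for the machine (64-bit and WOW6432Node) and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties PowerShell adds to registry objects.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }
}

$all = @($tasks) + @($runEntries)
"Full autostart inventory (review every line you do not recognise):"
$all | Format-Table -AutoSize

"`nEntries that launch PowerShell or script files (review these first):"
$all | Where-Object { $_.Command -match $pattern } | Format-Table -AutoSize
```

Anything this flags should be compared against the Malwarebytes, AVG and FRST logs already collected in the thread before deciding whether it belongs to a program you installed.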
