Please help me with removal of MW-Powershell2.exe prompted by WebRoots,WD

Hello! My name is Anton and I have an ongoing problem with my computers which started, as I now know, over a year ago and has been ongoing since then on all my devices and computers. I have a desktop which I got in August of last year and a fairly new laptop which I got 8 months ago and has had the same exact problems as the desktop. Today, about an hour ago, I turned on my laptop, since my desktop is completely unusable, and did my usual Webroot malware scan, which is configured for maximum security with every option turned on to max out safety overall for my laptop. Did the scan and it came to 35 thousand files and no infections. I then went to optimize my computer with Webroot's built-in optimizer and cleaned 360 MB of files. 2 days ago it cleaned out 3.2 GB of "temporary Windows Internet Explorer" files and even prompted a warning saying that I have an unusually high amount of temporary saved files on my laptop. I went ahead and cleared those out and used my laptop like normal. The only issue that I was seeing for the past week was that some files were being monitored by local and remote IP addresses, and a lot of them too, on a few different .EXE files and folders, but I just blocked them and blocked the files as well, which came up as two copies on Webroot's running services... one copy of the files had listeners, up to 10 of them on some, and another which had no listeners.. so I'm guessing that the real legit files got copied to mask the malicious ones that are used in the malware, because they were copied word for word with no difference in the name whatsoever, except that one set had a bunch of listeners and remote and local IPs, which I have taken note of as well, and the other set had none.
So getting back to my laptop: after I optimized and cleared the files within Webroot, which was installed by a Geek Squad agent after I got my computer back last week from getting completely wiped, reformatted and cleaned of all the corrupt files that were on it from this same exact malware, I noticed that my internet connection had been switched off.. or just the ability to access my network, because I was still connected to my Wi-Fi address but just didn't have any internet feed to actually use the network. This has been an ongoing problem as well with this malware, or set of malware, as I'm sure there are a lot more of them on my computers. Or the files just have different names.. I don't know, but anyway, right after noticing that I have no connection, Webroot pops up with a pop-up saying that I have two malware files that are being run and that Webroot has blocked them. I check what they are and am able to see only one, which was the powershell2.exe malware, but it was in the quarantined section and the bubble option for "block" was filled. I thought I was safe so I went to a different tab and literally right after 5 seconds my screen flashes and I get a system warning notification saying that both my Webroot antivirus/anti-malware (which was actually the first and only malware scanner able to have my computer work for a certain amount of time and show me that it found files and blocked malicious activity... and I've tried all of them as of now) and my Windows Defender antivirus are turned off together at the same time.
I right away check Webroot to try and delete the earlier malware file, of which only one showed up although initially two of them popped up as a warning from Webroot, but it was too late, because my Webroot, which had the premium access key account logged in and installed, was completely erased and turned off and all of its features were completely unusable, since it was asking me to put in a new Webroot premium key and blocked my original one, which was supposed to have a lifetime access period and shouldn't have been disabled like that on its own. I actually don't even know where to disable it or log out of the account, nor would I have ever wanted to, since my computer was finally usable for a week after it was installed. As of now my computer doesn't connect to the internet once again, and when checking the Windows Defender Firewall rules, about 80% of the active rules were not rules that I previously saw or put in there, let alone activated to bypass and connect through the firewall's defence, some examples being "neighbor proximity sharing, neighbor network discovery, Teredo, Windows host and file sharing protocols, mDNS, Windows programmable application interrupt, app host and embedded app control..." and many, many more, which I have tried to block but they either come turned on again or just work without popping up in the background. Please help me figure out a fix for this, because I just can't live like this anymore. I have had my identity stolen from this and all my accounts and banks hacked and money stolen and so on.. I would really like to get my life back. I am currently on my mobile phone, since no computer connects to the internet, so I can't post the logs that are needed. Also my phone completely stops working when I'm near my computers, and I mostly noticed it with my laptop.. and when this was all happening my phone was right next to the laptop and it lost all service and all signal and data, as if the phone had no SIM card in it to begin with... 
which has been an ongoing problem as well. Is there a way to maybe use my phone to post the scans after running them on my computers? I am just not sure of a way but very open to any suggestions and guidance :) I am very stuck and any workaround for a fix would be a life-saving fix for me... I will be forever grateful! Thank you so much in advance to whoever takes on this insanely torturous problem for me. I will be checking my phone every 5 minutes and will do my best to provide everything needed to the best of my ability.

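The two observations in the post above (same-named executables where only one set has listeners, and enabled firewall rules the user does not recognise) can be checked systematically rather than by eye. The script below is an added example, not part of the original thread and not Webroot or Malwarebytes tooling: it lists every process that owns a listening or established TCP socket together with its image path and Authenticode status, flags process names that appear from more than one directory, and exports the enabled inbound Allow rules with their program and port so they can be compared against what was actually created. It assumes Windows 8.1 or 10 with the built-in NetTCPIP and NetSecurity modules and an elevated prompt; the "trusted directory" list and the output file names are this example's own choices.

```powershell
# Added triage script (example, not from the thread). Assumes Windows 8.1/10,
# the built-in NetTCPIP and NetSecurity modules, and an elevated prompt.
# Run as:  powershell -ExecutionPolicy Bypass -File .\triage.ps1
$ErrorActionPreference = 'SilentlyContinue'
$out = Join-Path $env:USERPROFILE 'Desktop'

# Directories where the genuine copies of Windows and installed binaries live.
# A process with a familiar name (powershell.exe, svchost.exe) whose image is
# anywhere else is the "same name, different copy" case described in the post.
# This list is the example's own assumption, not a Windows definition.
$trusted = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
             $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Map PID -> Process once; OwningProcess is uint32, Get-Process Id is int.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$sockets = Get-NetTCPConnection |
  Where-Object { $_.State -in 'Listen', 'Established' } |
  ForEach-Object {
    $p    = $procs[[int]$_.OwningProcess]
    $path = $p.Path
    $sig  = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'NoPath' }
    $inTrusted = $false
    foreach ($t in $trusted) {
      if ($path -and $path.StartsWith($t, 'OrdinalIgnoreCase')) { $inTrusted = $true }
    }
    [pscustomobject]@{
      Pid        = $_.OwningProcess
      Process    = $p.ProcessName
      Path       = $path
      Signature  = $sig          # Valid / NotSigned / HashMismatch / ...
      TrustedDir = $inTrusted
      State      = $_.State
      Local      = "$($_.LocalAddress):$($_.LocalPort)"
      Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
    }
  }

# Process names that are running from more than one image path.
$dupNames = $sockets | Where-Object Path | Group-Object Process |
  Where-Object { ($_.Group.Path | Sort-Object -Unique).Count -gt 1 } |
  Select-Object -ExpandProperty Name

$sockets | Sort-Object TrustedDir, Process |
  Export-Csv (Join-Path $out 'sockets.csv') -NoTypeInformation

"Processes with sockets whose image is outside the trusted directories:"
$sockets | Where-Object { -not $_.TrustedDir } |
  Format-Table Pid, Process, Path, Signature, Local, Remote -AutoSize
"Process names seen from more than one path: $($dupNames -join ', ')"

# Enabled inbound Allow rules with program and port. Rules with an empty
# DisplayGroup were not created by a built-in Windows feature (File and
# Printer Sharing, Network Discovery, ...) and are the ones to reconcile
# against what the user actually added.
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
  ForEach-Object {
    $app  = $_ | Get-NetFirewallApplicationFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
      Name      = $_.DisplayName
      Group     = $_.DisplayGroup
      Profile   = $_.Profile
      Program   = $app.Program
      Protocol  = $port.Protocol
      LocalPort = ($port.LocalPort -join ',')
    }
  }
$rules | Export-Csv (Join-Path $out 'inbound-allow-rules.csv') -NoTypeInformation

"Enabled inbound Allow rules not belonging to a Windows feature group:"
$rules | Where-Object { -not $_.Group } |
  Format-Table Name, Profile, Program, Protocol, LocalPort -AutoSize
```

The two CSV files can be copied to a USB stick and posted from another device when the affected machine has no connectivity. A hit in the "outside trusted directories" table is a lead, not a verdict: legitimately installed third-party software is often unsigned or lives under the user profile, so the path, signer and the remote addresses should be read together, and the same information also appears in the FRST logs a helper will ask for.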

Hello LostCause123 and welcome to Malwarebytes,

Run the following scan, let's see if anything shows up:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right-click on FRST/FRST64 and rename it FRSTEnglish/FRST64English.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checked under "Optional scans".
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The tool will also make a log named Addition.txt. Please also attach that log to your reply.



If necessary:

Disable SmartScreen ONLY if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed ONLY if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....

If your internet is still down you will have to download FRST on another PC, save it to a USB stick and run it on the sick PC.

Thank you,

Kevin


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
