powershell.exe "trojan" - ?



Dear Team,

For several days now, after booting up, I have been getting this message about a blocked website, which is apparently supposed to be started via some script.
I don't remember installing anything except Red Dead Redemption via Steam.

Please help me clear this up!

Kind regards

malwarebytes.png


Hello @r14v8 and :welcome:

 

My name is MKDB and I will assist you.

 

  • Please follow the steps in the given order and post back the logs as an attachment when ready. Thank you very much for your cooperation.
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.

 

 

Step 1

Please download the suitable version of Farbar Recovery Scan Tool (FRST) and save it to your desktop: 32bit | 64bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Check the box in front of Shortcut.txt.
  • Press the Scan button.
  • FRST will create three logs (FRST.txt + Addition.txt + Shortcut.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 

Edited by MKDB

1 hour ago, r14v8 said:

But before I upload this here: Who is able to download it? Because there is pretty much private info in it that I do not want to share with anyone but you...

I understand your desire for privacy @r14v8. The log files are only used to detect/remove malware and/or repair the system. Private information will not be shared.

 

Edit:

Thank you for those logfiles. I will have a look at them now.

Edited by MKDB

3 minutes ago, AdvancedSetup said:

Actually I misspoke, this forum does allow download so that members can download files from Helpers to work on their computer.

We can delete your logs when done if you like though @r14v8

 

Please do so! :) Thank you very much for your support! Much appreciated!



Did Malwarebytes' Anti-Malware find anything in the past @r14v8? If so, can you attach those logfiles as well for me, please?

 

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( Desktop ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

 

Step 2

  • If you already have Malwarebytes installed, then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed or if you don't run the newest version yet, please download it from here and install it.
  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run, then please skip to the next step and let me know in your next reply that the scanner would not run.

 

 

 

Step 3

Please download AdwCleaner and save it to your desktop.

  • Double-click to run it.
  • Accept the End User License Agreement.
  • Click Scan Now.
  • When finished, if items are found please click Next / Quarantine.
  • Your PC may be rebooted; AdwCleaner will then open automatically.
  • Click View Log File.
  • AdwCleaner will open one log (AdwCleaner[Cxx].txt).

Please attach the log to your next reply.

 

 

 

 

fixlist.txt

Edited by MKDB

20 hours ago, MKDB said:

Did Malwarebytes' Anti-Malware find anything in the past @r14v8? If so, can you attach those logfiles as well for me, please?

Thank you for your quick and thorough turnaround! It's not that Malwarebytes has never found anything (my first post in this forum was the last find), but that there was something really dangerous I can't remember. Especially not in the last half year.

Unfortunately, I have been getting a lot of spam mails for quite some time, of course I have not downloaded/opened any PDF or other file, but I once fell for an image where "Unsubscribe Newsletter" was integrated, but I was redirected to an ominous page via the image hyperlink, which I quickly closed. But I was sure that MB would have warned me if there was something fishy. Well, it has to come from somewhere. But I'm also not the only one using the PC, so...

 

Edited by AdvancedSetup
Logs removed

Thank you for your feedback @r14v8. Good job! 👍

Can you confirm that Malwarebytes real-time protection does not block powershell.exe anymore?

 

Now I would like to check your Windows system files. Damaged files can be repaired this way as well (Step 1). Please note: this may take some time (>10 min), so please be patient.

 

A last scan with FRST would be great as well (Step 2).

Thank you again!

 

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( xxx ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

 

Step 2

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 

 

 

 

fixlist.txt


4 hours ago, MKDB said:

Thank you for your feedback @r14v8. Good job! 👍

Can you confirm that Malwarebytes realtime-protection does not block powershell.exe anymore?

Yes, I can confirm that! Thank you very much for your time and effort - some programs didn't work as usual after the fix (I had to reinstall Discord - I guess I wouldn't have had to if I had read this earlier - and the autostart was corrupted) but now everything is fine and working like a charm!

Thank you!! :)

 

Edited by AdvancedSetup
Logs removed

Thank you again for those logfiles @r14v8.

 

 

 

Thank you for your cooperation, we're done. 😉

 

Step 1

  • Right-click on FRST64 and choose Rename.
  • Rename FRST64 to Uninstall.
  • Run Uninstall.
  • FRST and its files/folders will be deleted.
  • If the tool needs a restart, please make sure you let the system restart normally.

 

 

I'm pretty sure that @AdvancedSetup will delete those logfiles after your next reply. I do not need them anymore.

 

 

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you.

 


  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
     https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  4. Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
     Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
     Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 

