Jump to content

RiskWare.ScheduledTask.Runner.Generic / Trojan-scrypt.DYU /scrypt trojans


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello,

I have recently had my PC run sluggish because of two apps in particular: Powershell.exe and Windows Update. After running Malwarebytes today, it found a trojan in Powershell.exe which is being constantly quanrantined and blocked as an outgoing connection. The windows update issue is not being reported however, even though i suspect it might be maliciuos.

How do I remove the script running the trojan constantly in Powershell.exe and how do I fix the windows update GPU issue?

Thank you in advance

Windows Installer GPU.jpg

Quarantine.txt

Link to post
Share on other sites

Hello.      :welcome:

My name is Maurice.  I will guide you.  Let me know what name you prefer to go by. 

I will guide you along on looking for potential malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • ...things can go very wrong!
  • Backup
  • any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a USB-storage drive or flash/thumb drive
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a P M.

 

The first thing I need is to get a set of  these reports & logs.

 

That is the first step.  I will then review and use that to guide us along.

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 [   2    ]

I would like a report set for review.   This is a report only.

Please download MALWAREBYRES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply , like displayed here.

To send  ( upload)   attachments please click the "ADD Files"  link . Then browse to where your file is located and select it and click the Open button.

 

_mb_attach.jpg

 

The set of data from the report will provide much needed information.

Please always attach reports as we go along. 

There will be lots more to do after this. Stick with me.

Link to post
Share on other sites

1 minute ago, Maurice Naggar said:

This is about a IP block
on URL link  sakivivjasiv8cozo3.cn
IP Address: 95.179.130.232
The Malwarebytes web protection is keeping your pc safe from potential harm

Malwarebytes continously notified me about it. I attempted to click on the quarantine list but accidentally added it to my "allow list"... After removing it, Malwarebytes can no longer seem to detect the issue. This all happened before your reply. I apologize if I made the situation harder to resolve. Attached is the image of the continous notifications.

Notifications.jpg

Link to post
Share on other sites

  • Solution

Next, a custom script to do  checks & some  cleanups. 

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Joachim_MK  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .  It will run the Windows DISM tool to check the system. It will reset the Winsock.  

NOTE-2: As part of run it will attempt to remove 2 Tasks with 2 scripts that most likely are the source to trigger the IP blocks. This will also run 2 MS Defender antivirus scans.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt               <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.  

Link to post
Share on other sites

The full scan was completed with no detections. I trust that the 9 detections the first scan originally found that I deleted from quarantine are also actually deleted from the computer and not just unflagged as detections? The Powershell.exe and Windows Update processes are no longer running in the background, taking up memory and GPU power, so it atleast seems to have worked out!

Full report.txt

Link to post
Share on other sites

Hello. Thank you for the MB report. The rogue scripts are gone. The prior custom script-run (fixlist run) took care of that. It is great that Malwarebytes reports no malware. 
NOTE: There was no need for you yesterday to have deleted the Qurantined items. Items there cannot 'jump the fence'. Quarantine is permanent lockup.
I do believe the threats that were there at the beginning are now gone.
>
The next steps are more like housekeeping.
Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

>
I would like you to insure that Microsoft Defender antivirus is ON for real-time monitoring. Is able to be updated. And run a scan with it.

[  2   Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

  • Like 1
Link to post
Share on other sites

Hi. Excellent result. All clear here from malware. 

I would recommend getting a readout report as to update status of some key apps.

 

  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post
Share on other sites

  • AdvancedSetup changed the title to RiskWare.ScheduledTask.Runner.Generic / Trojan-scrypt.DYU /scrypt trojans

Which web browser did you use to do the tool download? If you used Chrome, look on the folder D:\joach for SecurityCheck.exe ( and no, the tool would not create those folders}
You are looking for a file named "securitycheck.exe"

Link to post
Share on other sites

I very much regret that you have run into all the trouble. This report-tool is entirely optional.  It is not one that we have to do. The log-report, if it made any, would be  in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt  If not there, that is OK too.  we can cancel that suggestion.

This case is nearly done.  There is no infection now.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.