RiskWare.ScheduledTask.Runner.Generic / Trojan-scrypt.DYU /scrypt trojans

[Joachim_MK]

Hello,

I have recently had my PC run sluggish because of two apps in particular: Powershell.exe and Windows Update. After running Malwarebytes today, it found a trojan in Powershell.exe which is being constantly quanrantined and blocked as an outgoing connection. The windows update issue is not being reported however, even though i suspect it might be maliciuos.

How do I remove the script running the trojan constantly in Powershell.exe and how do I fix the windows update GPU issue?

Thank you in advance

Quarantine.txt

[Maurice Naggar]

Hello.      

My name is Maurice.  I will guide you.  Let me know what name you prefer to go by. 

I will guide you along on looking for potential malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• ...things can go very wrong!
• Backup
• any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a USB-storage drive or flash/thumb drive
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a P M.

 

The first thing I need is to get a set of  these reports & logs.

 

That is the first step.  I will then review and use that to guide us along.

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 [   2    ]

I would like a report set for review.   This is a report only.

Please download MALWAREBYRES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

• Please attach  mbst-grab-results.zip    to your reply , like displayed here.

To send  ( upload)   attachments please click the "ADD Files"  link . Then browse to where your file is located and select it and click the Open button.

 

 

The set of data from the report will provide much needed information.

Please always attach reports as we go along. 

There will be lots more to do after this. Stick with me.

[Maurice Naggar]

This is about a IP block
on URL link  sakivivjasiv8cozo3.cn
IP Address: 95.179.130.232
The Malwarebytes web protection is keeping your pc safe from potential harm

[Joachim_MK]

Hello Maurice,

I go by my first name, Joachim. Attached is the report. I have followed the instructions as directed.

 

Thank you,

Joachim

mbst-grab-results.zip

[Joachim_MK]

1 minute ago, Maurice Naggar said:

This is about a IP block
on URL link  sakivivjasiv8cozo3.cn
IP Address: 95.179.130.232
The Malwarebytes web protection is keeping your pc safe from potential harm

Malwarebytes continously notified me about it. I attempted to click on the quarantine list but accidentally added it to my "allow list"... After removing it, Malwarebytes can no longer seem to detect the issue. This all happened before your reply. I apologize if I made the situation harder to resolve. Attached is the image of the continous notifications.

[Maurice Naggar]

You can close the notification windows. I will look deep into the reports & get back to you later, soon. I do not need screen grabs. 

[Joachim_MK]

Thank you. If it is any help, I did attempt to scan again several times after the first finding found 9 items. I deleted the items from quarantine believeing they deleted the virus / infected items as well, but I am afraid I have made a big mistake. Here is the attached log for the first scan:

First scan findings.txt

[Maurice Naggar]

Please stop running any scans on your own. I will guide you. Please do not make changes on your own.

[Maurice Naggar]

Next, a custom script to do  checks & some  cleanups. 

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Joachim_MK  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .  It will run the Windows DISM tool to check the system. It will reset the Winsock.  

NOTE-2: As part of run it will attempt to remove 2 Tasks with 2 scripts that most likely are the source to trigger the IP blocks. This will also run 2 MS Defender antivirus scans.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

•  
• Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

• If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
• Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt               <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.

RIGHT click on FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

• IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

• on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.  

[Joachim_MK]

Where could I find the FRSTENGLISH.exe?

 

Kind regards,

Joachim

[Maurice Naggar]

It should be on the Downloads folder.  If not there, then find FRST64.exe  & if not in Downloads, copy it there. Use FRST64.exe with the procedure as listed above.

[Joachim_MK]

Alright, thank you. I will run it as instructed and write back asap.

[Maurice Naggar]

Take your time. No rushing.

[Joachim_MK]

The tool finished quite quickly but seemed to do everything you mentioned. The fixlog is attached below.

Fixlog.txt

[Maurice Naggar]

Thank you. Alright. Do a new scan with Malwarebytes. Lets see what the result is.

[Joachim_MK]

The full scan was completed with no detections. I trust that the 9 detections the first scan originally found that I deleted from quarantine are also actually deleted from the computer and not just unflagged as detections? The Powershell.exe and Windows Update processes are no longer running in the background, taking up memory and GPU power, so it atleast seems to have worked out!

Full report.txt

[Maurice Naggar]

Hello. Thank you for the MB report. The rogue scripts are gone. The prior custom script-run (fixlist run) took care of that. It is great that Malwarebytes reports no malware. 
NOTE: There was no need for you yesterday to have deleted the Qurantined items. Items there cannot 'jump the fence'. Quarantine is permanent lockup.
I do believe the threats that were there at the beginning are now gone.
>
The next steps are more like housekeeping.
Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

>
I would like you to insure that Microsoft Defender antivirus is ON for real-time monitoring. Is able to be updated. And run a scan with it.

[  2   Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

[Joachim_MK]

Hi Maurice,

Scan completed with no threats.

[Maurice Naggar]

Hi. Excellent result. All clear here from malware. 

I would recommend getting a readout report as to update status of some key apps.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

[Joachim_MK]

Hi Maurice,

I ran the exe as instructed but have no folder named SecurityCheck in C. Instead I have some new folders that look very odd. They appeared right at the time I ran the exe. Are they related?

[Maurice Naggar]

Which web browser did you use to do the tool download? If you used Chrome, look on the folder D:\joach for SecurityCheck.exe ( and no, the tool would not create those folders}
You are looking for a file named "securitycheck.exe"

[Joachim_MK]

I use Chrome, yes. I have the tool downloaded and on the desktop alright, but when I run it as administrator it does nothing. It does not make any log files or give any indication that it is running.

[Joachim_MK]

Where is the log file supposed to be generated? It is not to be found anywhere in C:\

[Maurice Naggar]

I very much regret that you have run into all the trouble. This report-tool is entirely optional.  It is not one that we have to do. The log-report, if it made any, would be  in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt  If not there, that is OK too.  we can cancel that suggestion.

This case is nearly done.  There is no infection now.

[Joachim_MK]

Alright. Thank you a lot for your help. I am a bit nervous about not getting any log files after running the exe. Why would it not work? Is it entirely trustworthy?