Jump to content

Malwarebytes Reporting Riskware through Powershell Every Minute


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello!

 

First time poster so please be gentle on me. My Malwarebytes has been telling me that multiple times every minute there appears to be an RTP detection riskware on my PC. Currently running scans with Malwarebytes and Zemana. I was hoping someone could help me with a fixlist for Farbar Recovery Scan Tool. Can someone please tell me what is going on?

 

I've attached my FRST files below as well

 

Here is the malwarebytes report:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Protection Event Date: 5/10/22
Protection Event Time: 8:58 AM
Log File: 0b7cca56-d07a-11ec-81bc-c8b29bddcdc6.json
 
-Software Information-
Version: 4.5.8.191
Components Version: 1.0.1666
Update Package Version: 1.0.54792
License: Premium
 
-System Information-
OS: Windows 10 (Build 19044.1682)
CPU: x64
File System: NTFS
User: System
 
-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, , 
 
-Website Data-
Category: RiskWare
Domain: wmail-service.com
IP Address: 104.21.4.86
Port: 80
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
 
 
 
(end)

Addition.txt FRST.txt

Link to post
Share on other sites

Hello :welcome: My name is Maurice. I will guide you. 

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Gotta have history and all logs from Malwarebytes for Windows. 

 [   2   ]

  • I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply 
  • Like 1
Link to post
Share on other sites

First step, which relates to integrity & security & system DNS lookup. I need you to make adjustments. DNS (domain name service) is what allows user computers to connect to websites using domain names instead of IP addresses
This machine is configured to use DNS servers: 192.168.50.1  ( which points to your hardware router). we do not want that.
This must change
Please consider changing your default DNS server settings. Please choose only one supplier.

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

AND then do a Windows RESTART.

Let me know when that has been completed. I will then relay to you a custom fix script.

  • Like 1
Link to post
Share on other sites

  • Solution
Posted (edited)

@loyalsnoopdoge Next to do after the DNS Nameserver has been adjusted. This machine has a rogue scheduled task. 

I will guide you along on looking for potential malware. Lets keep these principles as we go along.

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware (if present)  isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".

It appears that ( by whatever cause) a full run of Windows setup was in-progress at your local 18:24 hours.

This custom script is for  Loyalsnoopdoge  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups. This is really just housekkeping.

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .It will also run the Windows tool DISM to check Windows integrity.  It will rebuild the Winsock. It will remove the rogue scheduled task.

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTENGLISH   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

NOTE: For me, it is late night-time. I will check on your case in the morning.

Edited by Maurice Naggar
  • Like 1
Link to post
Share on other sites

Thank you for the Fixlog. The rogue scheduled task is gone. Plus the run also placed that rogue IP address into the Windows firewall Block list. I believe that your machine is in better condition at this point.
^
Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

  • Like 1
Link to post
Share on other sites

Lets see if we can see any log entries ( possibly) that may be logged by Windows. 

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Minidump Files


Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

  • Like 1
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.