Jump to content

Trojan blocked which is opened through Powershell.exe?


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello, since like 2 weeks my antivirus (bitdefender and now malwarebytes) keeps notifying me that there is a trojan that wants to be opeend through powershell. I dont know how I got that trojan anyway.. And when my Pc starts i see 2 cmds popping up and then disappearing and in my task manager i see 2 windows powershell apps running. Here is the log from Malwarebytes. This is not the only Trojan or Script that wants to open through powershell. how could i get that virus? and can you help me with that. t hanks.

log.txt

Link to post
Share on other sites

Hello :welcome: 

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review.   This is a report only.

Please download MALWAREBYRES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail  ( the screen grabs just do not have full details + those screens give no clue as to what processes are running.
  • Like 1
Link to post
Share on other sites

@Belminho The very first things that need attention are that this machine has too many antivirus security programs. There is Kaspersky VPN & there is Bitdefender Total Security. Whichever one or if both are not paid-licenses ....then right now be sure to Uninstall. Having more than one of these definitely leads to deadlocks and conflicts. Once you have cleaned that up, Restart Windows and let me know !

  • Like 1
Link to post
Share on other sites

  • Solution

The "block notices" from Malwarebytes are actually protecting the machine from potential harm. Just close the warning window. Do not freak.

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

[ 2 ]

NOW download this tool and be certain to SAVE to either the DESKTOP or else to the DOWNLOADS folder. download & save a  copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/

[ 3 ]

This custom script is for  Belminho  only / for this machine only.

There is one suspicious XML file associated to a RunOnceEx run-key which will be removed.
There are quite a few suspicious sub-folders with odd names.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups. 

We will use FRST64   to run a custom script.    The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .It will also run the Windows tool DISM to check Windows integrity.  It will rebuild the Winsock. 

NOTE-2: This should run  scans with MS Defender antivirus and remove outstanding action items, if any.

  •  
  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   same  folder as where you saved FRST64. The script & FRST64 have to be in same folder. They work together.

Fixlist.txt          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the   folder with the FRST64.


RIGHT click on FRST64   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Edited by Maurice Naggar
  • Thanks 1
Link to post
Share on other sites

That is a good run. Please understand that I am helping you as a volunteer. Glad to help out. We need to run other scans to insure there are no other 'potential threats'. 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

  • Thanks 1
Link to post
Share on other sites

Hello I finished the microsoft tool, here is the log. Also removed some infections! Thank you so much for the volunteering, sadly I wish someone paid you for the work you do here on Malwarebytes Forum. God bless you for your help. Definitely will be a malwarebyte user as off now.

Link to post
Share on other sites

Hello. God bless you for your work done. I did a scan of C and D, and they're both clean! The system is working perfect! I recommend you and the Farbar tool and your support on it! Thanks so much. Here are the files! Fixed at the first reply! It only found UT Web Installer. Everything else clean! Thank you for taking your time to help other people.

log1.txt log2.txt

  • Like 1
Link to post
Share on other sites

Thanks for the logs. Now, you want to be sure that the PUP.Optional.BundleInstaller  ( the D:\SVEE\UTWEB_INSTALLER.EXE ) is deleted. Go to that folder & if it is still there, then delete that EXE.

I would recommend getting a report on the update status of some key apps.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

  • Thanks 1
Link to post
Share on other sites

Some housekeeping:  Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center.  Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

>

These need action / further attention. 

Git v.2.35.1.2  Warning! Download Update
TeamViewer v.15.28.5  Warning! Download Update
Node.js v.16.14.2  Warning! Download Update
Oracle VM VirtualBox 6.1.32 v.6.1.32  Warning! Download Update
Python 3.10.4 (64-bit) v.3.10.4150.0  Warning! Download Update

------------------------------ [ ArchAndFM ] ------------------------------
7-Zip 21.06 (x64) v.21.06  Warning! Download Update
Uninstall old version and install new one.

-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.1.0.9003  Warning! Download Update

Slack v.4.25.2  Warning! Download Update

Microsoft Teams v.1.5.00.8070  Warning! Download Update

--------------------------------- [ P2P ] ---------------------------------
NOTE: "torrent"-type apps can be avenues to spread potential harmful threats.
µTorrent v.3.5.5.46248  Warning! Ad-supported P2P-client.
uTorrent Web v.1.2.8  Warning! Ad-supported P2P-client.

---------------------------- [ UnwantedApps ] -----------------------------
CCleaner v.6.01 Warning! Suspected demo version of anti-spyware, driver updater 
CCleaner is no longer recommended by most of the security colleagues ever since it was sold by Piriform to another party.

Driver Easy 5.7.1 v.5.7.1 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall 

Bonjour v.3.1.0.1  Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended.
You do not need it. Uninstall Bonjour.

  • Thanks 1
Link to post
Share on other sites

Thank you  :D  I do on occasion participate at the Bleepingcomputer forum

A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  • Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
  • Right click on Quarantine > Send to > Compressed (zipped) folder
  • Upload the archive in your next reply
  • If archive is too big you can upload here > https://wetransfer.com/

Also, Let me know how the situation is at this point as to any new "block" notices, or some other active security issue.
Also, please do one new Scan with Malwarebytes.

Thank you!

  • Thanks 1
Link to post
Share on other sites

Thank you so much for the zip-file collection. 

This here is for tools cleanup. 

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt.  I do not need it. Just close Notepad if it shows up.

 

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

I wish you all the best.

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.


Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"  

Stay safe.

  • Thanks 1
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

  • Like 1
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.