Trojan.Tasker.Powershell


Go to solution Solved by Maurice Naggar,

Hi there,

I'm having the same issue as a couple others on this forum, with the constant powershell.exe popup. It happens about 1-2 times every minute.

I attempted to follow instructions from other forum posts but noticed the instructions were quite specific to each user, and for example the "fixlist" file was unavailable for download.

My actions so far:

  • Malwarebytes scan (attached) - no results
  • Downloaded FRST64 and created Addition, FRST & Shortcut text logs (attached)
  • Downloaded AdwCleaner and ran a scan (attached) - no results
  • Downloaded PatchMyPC - updated everything mentioned (I think it was just Malwarebytes and 1 other program that needed an update)

Thanks in advance for your help!

 


Addition_23-06-2022 10.21.58.txt FRST_23-06-2022 10.21.58.txt Shortcut_23-06-2022 10.21.58.txt AdwCleaner[S01].txt malwarebytes-scan-23-6-2022.txt

Link to post

Here are the first 2 steps (more will follow later):

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

[  2  ]

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of Malwarebytes for Windows 😃.

Close Malwarebytes.

Link to post

  • Solution

Please do not make changes or deletions on your own. Please do not run tools or apps on your own (except for Malwarebytes & Microsoft Defender antivirus). Also please do not delete FRST or anything related to it. It is important to not delete FRST until I guide you to tools cleanup at the end, when I give the all clear!

This custom script is for JSQUIZZ only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do checks & some cleanups.

We will use FRST64 on the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run the Windows tool DISM to check Windows integrity. It will rebuild the Winsock.

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any. This custom script will also clean up the 2 script trojans that are on this machine, which also use (mis-use / abuse) Windows scheduled tasks.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt        <<< - - - - -

Then start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click the line More info on that screen
               and click the button Run anyway on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Stick with me. This is not the end-all.

AFTER completion of this run, you should do One new Scan with Malwarebytes.

Link to post
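The scheduled-task abuse mentioned in NOTE-2 above, together with the once-a-minute powershell.exe popup from the first post, suggests a simple triage check. The following is an added example, not part of the original thread and not FRST's own logic: it reads Task Scheduler XML definitions (the format produced by `schtasks /query /xml`) and flags tasks that launch PowerShell on a short repetition interval. The sample tasks, the 120-second threshold and all names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELLS = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def seconds(iso):
    """ISO 8601 duration (PT1M, PT30S, P1D) to seconds; None if not in that form."""
    if not (m := DURATION.match(iso.strip())):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def review_task(xml_text, max_interval=120):
    """Report PowerShell actions and the shortest repetition interval of one task."""
    root = ET.fromstring(xml_text)
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        # Command may be quoted and may use %SystemRoot%; compare the file name only.
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"')
        if PureWindowsPath(cmd).name.lower() in SHELLS:
            actions.append(f'{cmd} {ex.findtext("t:Arguments", "", NS)}'.strip())
    found = (seconds(i.text or "") for i in
             root.iterfind("t:Triggers//t:Repetition/t:Interval", NS))
    shortest = min((s for s in found if s), default=None)
    flag = bool(actions) and shortest is not None and shortest <= max_interval
    return {"actions": actions, "shortest_interval": shortest, "flag": flag}

def sample(command, arguments, interval=None):
    """Constructed task definition for the demo, not taken from the thread's logs."""
    rep = f"<Repetition><Interval>{interval}</Interval></Repetition>" if interval else ""
    return (f'<Task xmlns="{NS["t"]}"><Triggers><TimeTrigger>{rep}'
            "<StartBoundary>2022-06-01T00:00:00</StartBoundary></TimeTrigger></Triggers>"
            f"<Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

SAMPLES = {
    "ConstructedRepeater": sample(
        r'"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe"',
        r"-File C:\ProgramData\placeholder.ps1", "PT1M"),
    "ConstructedUpdater": sample(r"C:\Program Files\Vendor\updater.exe", "/check", "PT1H"),
    "ConstructedDailyScript": sample("powershell.exe", r"-File C:\Scripts\backup.ps1"),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, review_task(xml_text))
```

A flagged task is a candidate for review, not a verdict: legitimate administrative tasks also run PowerShell, so the action's target script still has to be inspected.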

Next, this will be a check with ESET Onlinescanner for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Link to post

Thank you very much for the report. I would like you to continue with what follows.
[ 1 ]
Do as much as possible of all the steps on this one linked-post of mine. Just keep going down the list & do as much as you can.

https://forums.malwarebytes.com/topic/280326-roshur-has-omnatuorcom-block-notice/?do=findComment&comment=1485972
[  2  ]

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONs for

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉

I expect that the original issue is now gone. However, do keep a sharp eye out for any "block message" from Malwarebytes that mentions any form of "wmail" as part of a blocked website address.  As well as looking out for any flagging of a "trojan".

ALSO:

 

Let's pause and make time and just get a set of fresh reports to see what is running, what is active. Your machine has the FRST64 report tool on the Downloads folder. We will use that. Go to Downloads folder. RIGHT-click on FRST64 and select 

Run as Administrator

and tap ENTER. And reply YES to allow to proceed.  

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.


  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.
Link to post

  • AdvancedSetup changed the title to Trojan.Tasker.Powershell

Hello. Thanks. Next thing, let us be sure that the Windows OS is up-to-date. I would highly suggest to ensure that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.

[ 2 ]

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time.

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

[ 3 ]

General questions: Have there been any new "blocked website" notices from Malwarebytes in the past 24 hours?

You had created this help-thread last Wednesday. Prior to that, and just in the days preceding the 1st "website block" event .... Had you maybe downloaded some game "mod" from a source that was not from the game publisher's official site?

or else in general, had you downloaded or opened some recent download?

Link to post

Hi Maurice,

Thanks for this - Have followed the steps and attached the clean log. One thing to note was the windows update failed to install, as per the screenshot below:

image.png.f2f5d522328f098a3ef5a2435d6820bc.png

To answer your questions - I haven't received any new website blocked notifications after following the steps. Prior to this happening, I hadn't downloaded any game mods, although I think it may have come from the Bittorrent application. This was picked up and removed from one of the scans and I haven't had any notifications since.

AdwCleaner[S02].txt

Link to post

Great to know that the website blocks have ceased. The AdwCleaner report is excellent. The failed MS Windows update is unrelated to the original case issue. Anyhow, this next script ought to help out on the Windows Update issue. First, be sure to DELETE the old Fixlist.txt in Downloads.

This custom script is for  JSQUIZZ  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

We will use FRST64  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt        <<< - - - - -

Then start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click the line More info on that screen
               and click the button Run anyway on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Stick with me. This is not the end-all.

AFTER completion of this run, you should go ahead and do a new run for Microsoft Windows Update.

Link to post

  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post