misplaced.legit.powershell


Every time I reboot my machine I get this message from Malwarebytes and the misplaced file is quarantined.  However, that suggests that I have some malware that creates that file at boot time.  I have scanned with Malwarebytes, Microsoft MSERT, and Windows Defender offline and no malware is detected.  Suggestions???


  • Root Admin

Hello @rloeb

Please run the following and post back the logs as an attachment.

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

Thanks


Logs, as requested. 

When I rebooted to run FRST, MWB did NOT notify me of the misplaced.legit.powershell.  However, something changed my startup program & process list and disabled many of the entries.  I changed them all back to "enabled" and rebooted again and they are all back to disabled.  This is even more concerning than my original post.

Rog

MWB Scan 07202022 1755.txt AdwCleaner[S02].txt FRST.txt Addition.txt


  • Root Admin

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Bonjour
CCleaner
(computer experts no longer recommend this program)
Java 8 Update 311


Controlled Folder Access is blocking Malwarebytes from doing its job. This can be a great addition to Windows Defender but it can also cause problems when it's not setup and managed properly.

You need to either add exclusions for Malwarebytes and keep an eye on Controlled Folder Access or disable it.

How to Enable or Disable Controlled Folder Access in Windows 10
https://www.tenforums.com/tutorials/113380-how-enable-disable-controlled-folder-access-windows-10-a.html

Add or Remove Protected Folders for Controlled Folder Access in Windows 11
https://www.elevenforum.com/t/add-or-remove-protected-folders-for-controlled-folder-access-in-windows-11.4015/

You have a Restriction on Windows Update. That should be removed and allow Windows to stay up to date.

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION

You're also using both new and old policy settings from d7xTech - overall good solutions but it too can potentially block valid items. You'll need to keep an eye on them to see if they need adjusting or not.
Preventing ransomware attacks via policies alone today is not quite as effective as it was years ago, but generally no harm in running it as long as all works as expected.

Please post back the Malwarebytes Protection and Scan logs from the past couple of days showing this alert.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

If you click on the View option you should get something similar to the following with other options available.

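A PowerShell version of the two checks in the reply above, added here as an example and not part of the original post: it shows the current Controlled Folder Access state, adds the Malwarebytes executables to the allowed-application list, lists recent CFA block events so you can see which program was stopped, and dumps the WindowsUpdate policy key that the FRST log flagged. The Malwarebytes install paths are assumptions for a default Malwarebytes 4 install; everything else uses the stock Defender cmdlets. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the forum post): inspect Controlled Folder Access (CFA),
# allow the Malwarebytes executables through it, then inspect the Windows Update
# policy key flagged in the FRST log. Run from an elevated PowerShell prompt.
# The Malwarebytes paths below are assumptions for a default install; adjust as needed.

$mbPaths = @(
    'C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe',
    'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
)

# 1. Current CFA state: 0 = Disabled, 1 = Enabled, 2 = Audit mode.
$pref = Get-MpPreference
"Controlled Folder Access state: $($pref.EnableControlledFolderAccess)"
"Currently allowed applications:"
$pref.ControlledFolderAccessAllowedApplications | ForEach-Object { "  $_" }

# 2. Add each Malwarebytes binary that actually exists on disk as an allowed app.
foreach ($p in $mbPaths) {
    if (Test-Path $p) {
        if ($pref.ControlledFolderAccessAllowedApplications -notcontains $p) {
            Add-MpPreference -ControlledFolderAccessAllowedApplications $p
            "Allowed: $p"
        } else {
            "Already allowed: $p"
        }
    } else {
        "Not found, skipped: $p"
    }
}

# 3. Recent CFA block events (Event ID 1123) name the process that was stopped and
#    the protected folder it tried to write to; this confirms whether Malwarebytes
#    was the program being blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 4. The Windows Update policy key from the FRST log. List its values and subkeys;
#    anything under this key overrides the normal update behaviour.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wuKey) {
    Get-ItemProperty -Path $wuKey | Format-List
    Get-ChildItem -Path $wuKey | Format-List PSChildName
} else {
    "No Windows Update policy key present."
}
```

EnableControlledFolderAccess reports 0 for Disabled, 1 for Enabled and 2 for Audit mode. Event 1123 in the Defender Operational log is written each time CFA blocks a process, with the process path and the protected folder in the message, which is the quickest way to confirm that it was Malwarebytes being stopped. Removing the policy key (Remove-Item -Recurse on $wuKey) lifts the update restriction, but a policy tool such as the d7xTech one mentioned in the reply may write it back, so check the key again after a reboot.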

Bonjour removed.  CCleaner removed.  Don't have Java 8 Update 311, but removed most current Java 8 update.  Turned off Controlled Folder Access.  Removed restriction on Windows Update (generally delay updates for a couple of weeks to avoid problems).  Attached a couple of protection logs from earlier today showing the message I reported initially; all the others are the same.  Have no idea how to deal with policy settings from d7xTech.  They don't appear in gpedit.

Will now reboot and see what happens...

Thanks!

Rog

MWB quarantine_1.txt MWB quarantine_2.txt


  • Root Admin

No need to change or do anything about the d7xTech stuff. If all is working well that's good.

Let me have you run the following please.

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner


Have been running eset online scanner since early this morning.  For the past 90 minutes it's been stuck scanning autostart locations (after scanning close to 1.4 million files and detecting 10 objects).  The log says "CmlLineScanner cannot load dll:C:\Users\Roger\AppData\Local\ESET\ESETOnlineScanner\esets_apiW The specified module could not be found."  The directory does not exist!  Not sure what to do.

Meanwhile, the original topic of this string re-occurred early this morning.  I ran a MWB scan last night after everything was done and found nothing, but early this morning got the alert regarding powershell_copy.exe (see attached).

MWB quarantine_07212022.txt


Moments after I sent the previous message eset scanner completed.  Log attached.  Found and deleted some stuff, one of which was an old nmap installer.  I had a newer version of nmap but uninstalled it anyway.  This was a good reminder to go through my Downloads folder and dump everything that isn't current.  Duh.

Rog

eset_online_scanner 07212022.txt


  • Root Admin

Please do the following

STEP 1

Make a new folder at the top of your C: drive named Transcripts
So it will be:  C:\Transcripts

STEP 2

Click on START and type in GPEDIT  and you should see something like this. Run it.

STEP 3

Then drill down to the following path

Computer Configuration --> Administrative Templates --> Windows Components --> Windows PowerShell

STEP 4

We'll set the following policies

  • Turn on Module Logging

Click on the Show... button

Enter an asterisk * into the table and press the Enter key, then click the OK button

  • Turn on PowerShell Script Block Logging

Click on the "Log script block invocation start / stop events:" option

  • Turn on PowerShell Transcription

Type in the name of the folder we created in STEP 1

C:\Transcripts

Place a checkmark in the "Include invocation headers:"

Restart the computer

Watch the C:\Transcripts folder for entries being created

This should probably be enough to help us track this down. If not, then we'll look at enabling further Auditing

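The same three policies as in the steps above, set by writing the registry values that Group Policy stores for them instead of clicking through GPEDIT. This is an added example, not part of the reply, and assumes an elevated Windows PowerShell 5.1 prompt on a standalone (non-domain) machine; on a domain member the domain GPO wins at the next policy refresh. The folder name C:\Transcripts and the * module wildcard match the steps above; the Set-PolicyValue helper is defined here for the example.

```powershell
# Added example (not from the forum post): set Module Logging, Script Block Logging
# and Transcription by writing the registry values Group Policy uses, then verify.
# Run from an elevated PowerShell prompt on a standalone machine.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\Transcripts'

# STEP 1 equivalent: the transcript folder must exist before transcription starts.
if (-not (Test-Path $transcriptDir)) { New-Item -ItemType Directory -Path $transcriptDir | Out-Null }

# Helper (defined for this example): create the key if missing, then set a value.
function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Turn on Module Logging, with "*" (all modules) in the module-names table.
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# Turn on PowerShell Script Block Logging plus the invocation start/stop events.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockInvocationLogging' 1

# Turn on PowerShell Transcription to C:\Transcripts, with invocation headers.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' $transcriptDir 'String'

# Verify: dump the keys just written.
foreach ($sub in 'ModuleLogging', 'ModuleLogging\ModuleNames', 'ScriptBlockLogging', 'Transcription') {
    "--- $base\$sub"
    Get-ItemProperty -Path "$base\$sub" | Select-Object * -ExcludeProperty PS* | Format-List
}

# Once new PowerShell processes start (after the reboot), script blocks are logged
# as event 4104 in the PowerShell Operational log; list the newest few.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

The values apply to new PowerShell processes, so the reboot in the steps above (or at least a fresh session) is needed before anything lands in C:\Transcripts. Script Block Logging writes event 4104 and Module Logging writes event 4103 to Microsoft-Windows-PowerShell/Operational; transcripts go to the OutputDirectory with the machine name, a random session id and the start time in the filename, which is the naming seen in the attachments later in this thread.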

  • Root Admin

Next, after setting up the auditing, let me have you run this scanner. @rloeb

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

Select the Windows Key and R Key together, the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

In the new window select "Change Parameters"

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found select "Close"

Attach the report information as previously instructed...
Thank you

  • Root Admin

Odd, but okay. Let me have you run something else. @rloeb

Please save the attached file FIXLIST.TXT to the same folder as the Farbar program which I believe is here:  D:\Downloads

Then run the Farbar program with Admin rights and click on the FIX button. When done, please attach the FIXLOG.TXT file.

fixlist.txt

Thanks


When I ran this, MWB immediately blocked as malware the "Misplaced.Legit.Powershell," the original problem. 

Fixlog.txt attached.  Nothing appeared in C:\Transcripts. 

I'm learning a lot from this process and I'm very impressed by the knowledge and skill required to attack this problem.

Rog

Fixlog.txt


Fixlog doesn't look any different.  I do, however, have 3 files from C:\Transcripts.  Each time I rebooted I got the malware detection message.  I presume these files relate to those events.  I also noticed, maybe, that if I ran any program installer, I also got the realtime malware detection message.  Might be something in that...or not.

Fixlog.txt PowerShell_transcript.ROGER-P520.ljUlRh5b.20220721164810.txt PowerShell_transcript.ROGER-P520.Q5i0yKwo.20220721164810.txt PowerShell_transcript.ROGER-P520.xS0DBeiQ.20220721161116.txt

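Reading those transcript files. This is an added example, not something posted in the thread: it parses the invocation header that the "Include invocation headers" setting adds to every PowerShell_transcript.*.txt file (start time, user, machine, the Host Application command line that started the session, process id) and lists the commands run, so each transcript can be matched to the program that launched PowerShell, which is what the next reply does by hand. The transcript content is constructed for the demo and written to a temp folder; point $dir at C:\Transcripts to run it on the real files. Field names follow what Windows PowerShell 5.1 writes; Get-TranscriptSummary is defined here for the example.

```powershell
# Added example (not from the forum post): summarise PowerShell transcript files by
# their invocation header, to see who and what started each PowerShell session.
# The sample transcript below is constructed for the demo; set $dir = 'C:\Transcripts'
# to run against real transcripts.

$dir = Join-Path $env:TEMP 'transcript-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Constructed sample, in the layout Windows PowerShell 5.1 writes with invocation headers on.
$sample = @'
**********************
Windows PowerShell transcript start
Start time: 20220721164810
Username: HOSTNAME\user
RunAs User: HOSTNAME\user
Configuration Name: 
Machine: HOSTNAME (Microsoft Windows NT 10.0.19044.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File C:\Some\Path\script.ps1
Process ID: 4242
PSVersion: 5.1.19041.1682
**********************
Transcript started, output file is C:\Transcripts\PowerShell_transcript.HOSTNAME.aBcDeFgH.20220721164810.txt
**********************
Command start time: 20220721164811
**********************
PS>Get-ScheduledTask
**********************
Windows PowerShell transcript end
End time: 20220721164812
**********************
'@
Set-Content -Path (Join-Path $dir 'PowerShell_transcript.HOSTNAME.aBcDeFgH.20220721164810.txt') -Value $sample

function Get-TranscriptSummary {
    param([string]$Path)
    $lines = Get-Content -Path $Path
    # Header lines are "Field: value"; take the first occurrence of each field of interest.
    $fields = @{}
    foreach ($name in 'Start time', 'Username', 'RunAs User', 'Machine', 'Host Application', 'Process ID') {
        $line = $lines | Where-Object { $_ -like "${name}: *" } | Select-Object -First 1
        $fields[$name] = if ($line) { $line.Substring($name.Length + 2) } else { '' }
    }
    # Commands echoed into the transcript appear on lines starting with "PS>".
    $commands = $lines | Where-Object { $_ -match '^PS>' } | ForEach-Object { $_.Substring(3) }
    [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        StartTime = $fields['Start time']
        User      = $fields['Username']
        RunAs     = $fields['RunAs User']
        Machine   = $fields['Machine']
        Launcher  = $fields['Host Application']   # the command line that started PowerShell
        ProcessId = $fields['Process ID']
        Commands  = ($commands -join '; ')
    }
}

# Oldest first, so the order matches the sequence of reboots / alerts.
Get-ChildItem -Path $dir -Filter 'PowerShell_transcript.*.txt' |
    Sort-Object LastWriteTime |
    ForEach-Object { Get-TranscriptSummary -Path $_.FullName } |
    Format-List
```

The Launcher field is the one to compare against the alert times: a transcript whose Host Application is the FRST tool (or a script it ran) belongs to the fix, while one started by a scheduled task, a service or an installer points at whatever is launching PowerShell on its own. If the transcript folder is empty after a reboot, the policy has not applied yet and the registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription are worth checking.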

  • Root Admin

Yes, the first two are from Farbar launching PowerShell to run the command I gave it.

What is odd is that it should have returned something. There should have been a Workplace Join schedule at minimum that should have been triggered.

The last one is the diagnostic one we're aware of

Have you seen any other signs of this PowerShell window or alert or blocking lately though?


  • Root Admin

Please exit out of Malwarebytes again temporarily and run the following fix.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


Will do, but first...

Finally got KVRT to run, after a clean boot and removal of numerous apps I don't need.  It'll take a while to scan entire system.  Turned off MWB, but that caused Windows Defender to start up.

Tidbit: last night Acronis True Image 2021 failed unexpectedly -- lost connection to NAS.  This has run faithfully for about two years.  Interestingly, moments after the failure RTP popped up with the misplaced legit powershell alert.  This morning TrueImage "protection" warned me about numerous potential/suspicious threats, providing a CVE reference for each.  Unfortunately, that list doesn't seem to appear in a file (or I haven't found the file), so all I have is a series of screen grabs.  (I'm looking for an alternative to TrueImage; I want a reliable backup system.  I don't want bundled malware protection!)

Will run FRST when KVRT completes.  (Note: FRST's check for update fails, probably because of our firewall, pfsense with pfblockerng.  Wants to go to a site that is very suspicious.  FRST does, however, appear to be the latest version.)

Very much appreciate your very generous and kind assistance and the excellent education I'm receiving in the process!  Been in the computer game for over 60 years, quit writing code 20 years ago, hate Windows because of its insecure foundation, but still need to run apps that only work on Windows.  Typing this on a new Macbook :-)

Rog


  • Root Admin

We have backup software listed here:  https://forums.malwarebytes.com/topic/136226-backup-software/

Macrium Reflect so far has been a pretty good replacement. I used Acronis for years too but the bloat got out of hand. Then I've seen a few restore failures posted by others, so made it difficult to keep recommending them.

Not sure how complex of an installation you have but instead of fighting the system, perhaps try a full system restore to before this happened?

I have a new pfsense device to install myself, but too busy to get to it as it will take downtime, and good Lord the rest of the house being without Internet for a few hours will drive them crazy.

How to make clean install of Windows 11
https://answers.microsoft.com/en-us/windows/forum/all/how-to-make-clean-install-of-windows-11/789f6891-7261-4c40-a632-6a44e53a3e30

or for Windows 10

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

Please let me know what link to the Farbar update you think is suspicious, you can send me a Private Message.


Initial pfsense setup is pretty easy and doesn't take much time, and you can do most of it without disrupting your Internet access.  Where it gets complicated is in creating rules for your specific situation, e.g., open external ports.  Ours is also the DHCP server, and we have a lot of devices to which we assign static IP addresses by MAC using the pfsense DHCP server.  We also run Snort and pfblockerng-devel, which we highly recommend IF you have the time and patience to configure both properly.  One of the things that has helped a lot is to capture all DNS queries and route them to a safe server.  This does not capture DNS over TLS or HTTPS, but it stops a lot of IoT junk.  We also block almost all domains outside the U.S.  Every once in a while someone complains and we then have to consult the logs to find out whether we blocked the outbound or inbound and why.  Unfortunately, when you do a lookup of an IP address to find the domain, way too many queries come back as "unable to resolve."  Then you end up doing an Internet search to see who owns the whole block of addresses and then decide whether to allow the connection.  That's getting increasingly difficult because malware seems to be hosted on too many cloud services.

TrueImage has become too flaky and I'm reluctant to use it to restore the system, but may be forced to do so.  I'm also unsure how far back I would have to go.  More than anything, I'm curious as to what causes the misplaced Powershell, which is really freaky.

KVRT has been running about three hours and is only about 33% complete, based on the number of files it has scanned.  It has, however, detected four objects.  Of course, when I run MSERT, it detects about two dozen suspects along the way, but finishes with no problems being found!  Huh?

Clean install?  Hah.  That would take me weeks!  

Rog

P.S.  Don't know how to send a private message.
