Windows Powershell - Blocked Website

garysl · September 9, 2022

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 09/09/2022
Protection Event Time: 17:40
Log File: adc478fa-3055-11ed-9f3e-000000000000.json

-Software Information-
Version: 4.5.13.208

Hi,

I'm receiving constant notifications that Malwarebytes is blocking an outbound connection, from my laptop. Scans on Malwarebytes have not detected any threats, however, I downloaded and used MBAR rootkit, which did discover some issues. After "cleaning" the system, I rebooted, as required, but the notifications still persist. Are you able to help? I've attached the MBAR logs and the notification log.

Thanks

t

Components Version: 1.0.1740
Update Package Version: 1.0.59845
Licence: Premium

-System Information-
OS: Windows 11 (Build 22000.856)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Malware
Domain:
IP Address: 103.212.182.45
Port: 1177
Type: Outbound
File: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

(end)

mbar-log-2022-09-09 (15-49-14).txt mbar-log-2022-09-09 (17-19-20).txt

1PW · September 9, 2022

Hello @garysl and :welcome: :

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following:

I'm infected - What do I do now?

Also, please consider updating the Malwarebytes for Windows app and databases to the current release versions.

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.

Thank you.

Edited September 9, 2022 by 1PW

garysl · September 9, 2022

Hi,

Logs from Farbar and Malwarebytes scan attached.

Addition_09-09-2022 18.57.09.txt FRST_09-09-2022 18.57.09.txt mbytes.txt

AdvancedSetup · September 9, 2022

Hello and :welcome: @garysl

My screen name is AdvancedSetup and I will assist you with your system issues.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

Please follow all steps in the provided order and post back all requested logs
Please attach all log files to your post, unless otherwise requested
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
If your system is running Discord, please be sure to Exit it while this case is ongoing.

I see you have McAfee antivirus. Please close all Web browsers, chat programs, etc. and update McAfee and run a FULL system scan. Let me know if it finds anything or not.

garysl · September 9, 2022

Hi,

Thanks for your reply. I don't have McAfee. The only anti-virus software that I'm running is Malwarebytes premium. It isn't detecting anything. I downloaded the Malwarebytes Anti-Rootkit software and that discovered 7 pieces of malware, which it then cleaned. I rebooted but continued to receive the same notification about Windows Powershell attempting to contact a blocked website. I have rerun MBAR and it is now saying everything is clean (despite the ongoing notifications) I have attached the logs from the anti-rootkit scan with the detection and subsequent run, where it detected nothing, in my first message. The log from Malwarebytes premium is in the second message, I have also run Microsoft's windows malware removal tool and that hasn't detected anything either.

Thanks

AdvancedSetup · September 9, 2022

Ah... okay. Interesting as these show up in your logs. Give me a moment to review further.

AV: McAfee VirusScan (Enabled - Up to date) {F682A51C-4EAD-6A3A-F460-B9C1D4A2DB09}
FW: McAfee Firewall (Enabled) {CEB92439-04C2-6B62-DF3F-10F42A719C72}

(C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe ->) (McAfee, Inc. -> McAfee, LLC) C:\Windows\System32\mfevtps.exe
(services.exe ->) (McAfee, Inc. -> McAfee, LLC) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe

AdvancedSetup · September 9, 2022

@garysl

If this is a document that you created, please move it to a safe location. It does not belong in the root of this folder. One should also not be saving secret or private information in a text file. Using a password management program would be a much better choice.

C:\Users\garys\AppData\Roaming\credentials_12022022_012203.txt

Please run the following fix. Once the fix has completed, please attach the FIXLOG.TXT file to your next reply.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

Windows Temp
Users Temp folders
Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
Recently opened files cache
Discord cache
Java cache
Steam HTML cache
Explorer thumbnail and icon cache
BITS transfer queue (qmgr*.dat files)
Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

garysl · September 10, 2022

Hi,

I didn't create that file C:\Users\garys\AppData\Roaming\credentials_12022022_012203.txt and I've deleted it. When I checked, I noticed another file, created on the same date, in the same folder, named Lazagne.exe. This appears to be a password collecting programme and I've deleted that as well. I've run the fix that you provided and it seems to have worked. I'm no longer getting any notifications from Malwarebyes. The log is attached. Thank you very much for your help.

Fixlog.txt

AdvancedSetup · September 10, 2022

Great, that looks to have been a really good run and many items removed and fixed.

Let me have you run the following please @garysl

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at the bottom).
Press Continue when all done. You should click to off the offer for “periodic scanning”.

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

garysl · September 10, 2022

Hi,

I've run Eset, as you suggested. It's detected two items. One is something within a free version of Avast anti-virus that it sees as unsafe (I don't use the programme) and the other is something linked to Windows Defender. I've attached the log. Thanks again.

eset.txt

AdvancedSetup · September 10, 2022

Please run the Farbar program again and get me new, fresh logs

FRST.TXT
ADDITION.TXT

Thanks

garysl · September 10, 2022

Logs attached.

Thanks

Addition.txt FRST.txt

AdvancedSetup · September 10, 2022

Thank you, please run this updated fix. Save the attached file as before and run Farbar.

Once the fix has completed, please attach the FIXLOG.TXT file to your next reply. @garysl