Jump to content

How to remove Exploit:W32/PowerShellStager.B!DeepGuard


Go to solution Solved by Maurice Naggar,

Recommended Posts

I recently started having this problem were powershell pops for a second and then close because of my security suite I've done 2 deep scan on 2 different programs  and I cant find any problem files. when I look up the exploitw32 on google it doesn't proved me with a for sure answer if it is a false positive or malware.

I really don't want to format my laptop just to make this go away I appreciate all the help  

Link to post
Share on other sites

Hello @apachewolf956 and :welcome::

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following:

I'm infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.

Thank you.

Link to post
Share on other sites

Hello @apachewolf956
Please do as suggested above. And following that, also do this antivirus/anti-malware scan.
 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  FULL scan  .

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

Edited by Maurice Naggar
Link to post
Share on other sites

Much thanks for the reports. The Microsoft Safety Scanner found no virus, no trojan, no malware

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Sun Oct 23 18:25:36 2022

As to the message-window about "powershell block" is from the Security Suite by F-Secure. Something which I have no experience with.

But anyhow, IF you did not pay for a license for IObit Malware Fighter then I would like for you to Uninstall it.  Then do a Windows Restart. I will have more for you  to do later.

Link to post
Share on other sites

Found the malware that is triggering the "powershell"  alarm by F-Secure. It is a obscure and highly obfuscated scheduled task. These procedures below will remove it, plus, the custom fix-run will do some checks of the system for integrity and for malware remnants.

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use this Guide
 
Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe  on the Downloads folder to run a custom script.    

This custom script is for  Apachewolf956  machine  only / for this Windows 10 Pro machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt  <<< - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.  👈

Look on Downloads folder for FIXLOG.txt.  ATTACH that file with next reply for my review.

Link to post
Share on other sites

  • Solution

That run is most beneficial. We've removed more threats. Now, a new scan. Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

Link to post
Share on other sites

Hello. That is a very good cleanup by Adwcleaner. Tell me, How is the situation at this point ?

I would recommend getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

                                    If Windows's  SmartScreen block that with a message-window, then
                                           Click on the MORE INFO spot and over-ride that and allow it to proceed.

                                    This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post
Share on other sites

That is good to now. Still, run that tool so I can review its report. 

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.

                                    If Windows's  SmartScreen block that with a message-window, then
                                           Click on the MORE INFO spot and over-ride that and allow it to proceed.

                                    This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post
Share on other sites

  • 1 month later...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.