armyvet590 Posted October 30, 2022 ID:1539896
Hello, I keep getting a pop-up every few seconds that started a few days ago. The pop-up is telling me that powershell.exe is being blocked, which is odd because I don't think I've ever used PowerShell. So, like every skilled Windows 10 user, I googled how to fix it and I followed a step-by-step guide which took me to Uninstall programs / Turn Windows features on or off, unticked Windows PowerShell 2.0, saved and restarted the PC. This guide did nothing!! And I was about to start another guide until I realized I didn't understand any of it. And so my journey brought me here. I'm starting to think whatever is happening is starting to slow down my computer, and I humbly request your help please.
Attachment: malware powershell.txt
Maurice Naggar Posted October 30, 2022 ID:1539902
Hello. I will guide you along on looking for remaining malware. Let's keep these principles as we go along.
Removing malware can be unpredictable. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to.
Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
The removal of malware isn't instantaneous, please be patient.
Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
Please stick with me until I give you the "all clear".
If your system is running Discord, please be sure to Exit out of it while this case is on-going.
I would like a report set for review. This is a report only.
Please download MALWAREBYTES MBST Support Tool. Once you start it click Advanced >>> then Gather Logs. Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.
Please attach mbst-grab-results.zip to your reply.
Maurice Naggar Posted October 30, 2022 ID:1539903
NOTE: The Malwarebytes Real-time Exploit protection is keeping your pc safe from potential harm.
Maurice Naggar Posted October 30, 2022 ID:1539904
1 hour ago, armyvet590 said: ....I followed a step-by-step guide which took me to uninstall programs/turn windows features on or off and unticked Windows PowerShell 2.0/ save and restart pc. This guide did nothing!! And I was about to start another guide until I realized I didn't understand any of it.
PowerShell is a component of Windows. Please do not mess with it. Please do not make any changes or modifications to your system on your own. Do provide me some detail on just what "change" you made so we can undo it.
armyvet590 Posted October 30, 2022 (Author) ID:1539909
48 minutes ago, Maurice Naggar said: PowerShell is a component of Windows. Please do not mess with it. Please do not make any changes or modifications to your system on your own. Do provide me some detail on just what "change" you made so we can undo it.
Hi, no need to worry, I've reversed the guide, so it's like I've never done anything.
armyvet590 Posted October 30, 2022 (Author) ID:1539910
1 hour ago, Maurice Naggar said: Hello. I will guide you along on looking for remaining malware. ....
Great, thank you for offering to help. I'll follow your instructions, kind sir. Since our time zones are vast, please know I won't be able to respond right away.
armyvet590 Posted October 30, 2022 (Author) ID:1539913
1 hour ago, Maurice Naggar said: Hello. I will guide you along on looking for remaining malware. ....
As requested, please find the attached zip file. I believe this is correct?
Attachment: mbst-grab-results.zip
Maurice Naggar Posted October 31, 2022 ID:1539928
The "powershell exploits" are on 2 scheduled tasks, each with its own script. These will be removed.
The Microsoft Windows Update seems to have a restriction of some kind. That will be removed.
The MS Defender antivirus seems to be disabled. It will be re-enabled for side-by-side protection along with Malwarebytes.
The fix-script below will also check the system with the SFC & DISM system applets. This will also attempt a MS Defender Quickscan.
Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article. Please use this Guide.
Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center. Click the Security tab. Scroll down to "Windows Security Center". Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. } This will not affect any real-time protection of the Malwarebytes for Windows 😃. Close Malwarebytes.
> Please be sure to Close any open work files, documents, any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.
We will use FRSTENGLISH.exe on the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script is for Armyvet590 machine only / for this machine only.
Please save the (attached file named) FIXLIST.txt to the Downloads folder.
Attachment: Fixlist.txt <<< - - - - -
Then, start Windows Explorer and go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click the line More info on that screen and click the button Run anyway on the next screen.
On the FRST window: Click the Fix button just once, and wait. PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience.
Please attach the Fixlog.txt with your next reply.
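A defender-side companion to the three findings in this post (PowerShell launched from scheduled tasks, a Windows Update restriction, Defender disabled), added here as an example and not part of the thread, of FRST or of Malwarebytes: a report-only PowerShell triage using built-in cmdlets and the Defender module. The function names are assumed; the registry keys are standard Windows policy locations.

```powershell
# Added example, not from the thread or from FRST: a report-only triage of the
# findings described above. Run from an elevated PowerShell prompt; it changes
# nothing and only lists items for a human to review.

# (1) Scheduled tasks whose action launches PowerShell, or passes it a script,
#     an encoded command or a hidden window. Task-based persistence of this
#     kind is what the Exploit Protection pop-up was blocking every few seconds.
#     Microsoft ships tasks that run PowerShell too, so entries outside the
#     \Microsoft\ task path deserve the first look.
function Get-PowerShellScheduledTask {
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            ($_.Execute   -match 'powershell|pwsh') -or
            ($_.Arguments -match '\.ps1|-enc|hidden')
        }
    } | ForEach-Object {
        [pscustomobject]@{
            TaskPath  = $_.TaskPath
            TaskName  = $_.TaskName
            State     = $_.State
            RunAs     = $_.Principal.UserId
            Execute   = ($_.Actions | ForEach-Object { $_.Execute })   -join ' ; '
            Arguments = ($_.Actions | ForEach-Object { $_.Arguments }) -join ' ; '
        }
    }
}

# (2) Defender state. Get-MpComputerStatus comes with the Defender module; the
#     DisableAntiSpyware policy value is one way the engine gets switched off,
#     so it is surfaced next to the live status ($null means not set).
function Get-DefenderState {
    $mp     = Get-MpComputerStatus
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        SignatureAgeDays          = $mp.AntivirusSignatureAge
        DisableAntiSpywarePolicy  = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).DisableAntiSpyware
    }
}

# (3) Windows Update restriction. Policy values under these keys are absent on
#     a default home install, so anything present is worth reading in full.
function Get-WindowsUpdatePolicy {
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
                     'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU') {
        if (Test-Path $key) {
            Get-ItemProperty -Path $key | Select-Object * -ExcludeProperty PS*
        }
    }
}

'== Scheduled tasks launching PowerShell (non-Microsoft task paths first) =='
Get-PowerShellScheduledTask | Sort-Object { $_.TaskPath -like '\Microsoft\*' } | Format-List
'== Microsoft Defender state =='
Get-DefenderState | Format-List
'== Windows Update policy values (none expected on a home PC) =='
Get-WindowsUpdatePolicy | Format-List
```

Review the output rather than acting on it: a legitimate task can match the pattern, and removing or re-enabling anything is the part the helper reserves for a guided fix.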
armyvet590 Posted November 1, 2022 (Author) ID:1540121
On 10/31/2022 at 1:08 AM, Maurice Naggar said: The "powershell exploits" are on 2 scheduled tasks, each with its own script. These will be removed. ....
Hi, sorry for the delay. I've downloaded the text file, but I can't find FRSTENGLISH.exe anywhere? I even tried to open the link on the name and nothing opens?? Please advise what to do because I don't want to randomly start downloading things I'm unsure about!
Maurice Naggar Posted November 1, 2022 ID:1540200 (edited)
The tool was placed on your system as part of what I asked from before. The tool is safe. It is on your pc at this folder (your Downloads folder): C:\Users\a_bea\Downloads\FRSTEnglish.exe
And just by the way, no need to click the "QUOTE" when you go to start a reply. I automatically get notified of all your posts in any event. Just start typing normally in the reply box at the bottom of this topic-thread here to initiate a reply.
Edited November 1, 2022 by Maurice Naggar
armyvet590 Posted November 1, 2022 (Author) ID:1540242
OK, I'll stop quoting. Here is the requested file after I ran the program.
Attachment: Fixlog.txt
Maurice Naggar Posted November 2, 2022 ID:1540270
Hello. That run is very good.
[ Do a custom scan with Microsoft Defender Antivirus ]
Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.
From the Windows Start menu, select Settings, then select Update and Security. Next, look at the left-side menu & select Windows Security. Next, in the Windows Security section, click on the grey button Open Windows Security. Now, click on the shield Virus and threat protection. Look to see that Microsoft Defender is shown & available for use.
On the next display, look at all the options. Look down the list and see "Check for Updates". You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.
Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward. Once it has started the scan phase, you can go take a long break.
Let me know the results.
armyvet590 Posted November 7, 2022 (Author) ID:1540944
Hi, sorry for the delay. Scan complete and the only thing found is on the screenshot. This software gives me access to my phone's software. For the purpose of this event I allowed MS Defender to remove the detected problem, then ran MS Defender again and nothing was detected.
armyvet590 Posted November 7, 2022 (Author) ID:1540946
Ohh, my mistake!! I set the selected problem "to remove" then pressed Start action. I even located the file and removed it and emptied the recycle bin, but my re-scan keeps showing the threat and I keep selecting remove over and over?? What is happening?
Maurice Naggar Posted November 7, 2022 ID:1540971 (marked as Solution)
Regret your trouble. What follows is 2 runs to get 2 reports. These are reports only.
( 1 ) We will use FRSTENGLISH.exe on the Downloads folder to run a report. This custom script is for Armyvet590 machine only / for this machine only. Please save the (attached file named) FIXLIST.txt to the Downloads folder.
Attachment: Fixlist.txt <<< - - - - -
Then, start Windows Explorer and go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click the line More info on that screen and click the button Run anyway on the next screen. On the FRST window: Click the Fix button just once, and wait. This should be a rather short run. Something less than 10 or so minutes.
( 2 ) Your machine has the FRSTENGLISH report tool on the Downloads folder. We will use that. Go to the Downloads folder. RIGHT-click on FRSTENGLISH and select Run as Administrator and tap ENTER. And reply YES to allow to proceed. When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt. Press the Scan button. It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run. Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed). Close Notepad IF those show up on Notepad.
Just please attach the 2 files FRST.txt + Addition.txt with your next reply.
armyvet590 Posted November 14, 2022 (Author) ID:1541833
Hi, so sorry for the delay. Here are the 2 files you requested.
Attachments: FRST.txt, Addition.txt
Maurice Naggar Posted November 15, 2022 ID:1541906 (edited)
Hello. I must ask an important question. Did you run the FIXLIST / Fix run like I listed under the first part of my prior post?? If you did, then I would like you to attach the Fixlog.txt and, if you did not do that, be sure to run the FIX like I listed before.
Edited November 15, 2022 by Maurice Naggar
armyvet590 Posted November 17, 2022 (Author) ID:1542178
I'm sure I ran it? I followed your instructions exactly. Here is the Fixlog.txt file. If I didn't follow your instructions, then maybe I didn't understand it? Please let me know?
Attachment: Fixlog.txt
Maurice Naggar Posted November 17, 2022 ID:1542202
Thank you, that is the report-log I had been wanting to review. It confirms that the Microsoft Defender antivirus is in a very good state.
Now the question to you is: today, are there any loose (un-expected) "powershell" "sightings"??
+ Do a new scan with Malwarebytes for Windows.
Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes.
Next, the Malwarebytes scan. Click the blue button marked Scan. When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<<
💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.
Then click on the Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
armyvet590 Posted November 17, 2022 (Author) ID:1542261
I haven't seen any more pop-ups whatsoever. Does that mean I've followed the process to completion? If I start getting the PowerShell pop-ups, can I just follow this guide again or start anew?
Maurice Naggar Posted November 18, 2022 ID:1542352
Glad to hear the latest status news. In future, you can do scans with applications like Malwarebytes and Microsoft Defender antivirus. But not the custom fixes! Those are not intended to be used without the personal guidance of a trained expert.
I would recommend getting a readout report as to the update status of some key apps.
Download SecurityCheck by glax24 from here and save the tool on the desktop. If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow to run & go forward. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
armyvet590 Posted November 20, 2022 (Author) ID:1542590
As requested.
Attachment: SecurityCheck.txt
Maurice Naggar Posted November 20, 2022 ID:1542638
Per the SecurityCheck report, here are what need your actions and follow-up.
The elevation prompt for administrators disabled
It is recommended to enable (default): Win+R typing UserAccountControlSettings and Enter
Microsoft Office Professional Plus 2010 v.14.0.4763.1000 Warning! This software is no longer supported. Please use latest Microsift Office, Office Online or LibreOffice
Microsoft OneDrive v.22.225.1026.0001 Warning! Download Update
WinRAR 5.80 (64-bit) v.5.80.0 Warning! Download Update
Discord v.0.0.310 Warning! Download Update
K-Lite Codec Pack 16.0.9 Basic v.16.0.9 Warning! Download Update
Bonjour: You do not need it & you should Uninstall.
Wondershare Video Converter Ultimate is not recommended.
+ Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions.
I am marking the case for closure.
Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download
Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.
SAFETY TIPS:
Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/
It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.
Best practices & malware prevention: Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click". Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit or is odd looking or has typos).
Free games & free programs are like "candy". We do not accept them from "strangers".
Never open attachments that come with unexpected (out of the blue) email no matter how enticing. Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with an antivirus program.
Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".
Use a Standard user account rather than an administrator-rights account when "surfing" the web. See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine. Don't remove (or change) your current login. Just use the new Standard-user-level one for everyday use while on the internet.
For other added tips, read "10 easy ways to prevent malware infection"
Stay safe.
Maurice Naggar Posted November 20, 2022 ID:1542639
Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following to help you better protect your computer and privacy: Tips to help protect from infection
Thank you