Malwarebytes finds & removes RiskWare.Script.Powershell.Generic


Solved by Maurice Naggar

Hi everyone, hope you're all doing well. I have PowerShell using way too much memory. When I play Warzone, it crashes every time. At some point, PowerShell was using 3.7 GB of RAM. I think it is due to a virus/malware. I have the FRST and Addition text files; can anyone make a Fixlist.txt for me so I can resolve the issue?

I have attached the FRST and Addition files, and also the command line shown in Task Manager for the PowerShell process.

Thank you very much for the help!

Screenshot (83).png

FRST3.txt Addition3.txt


Hello @DraculaTheSecond and :welcome::

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions below.

In addition to the already posted FRST scan reports, please download, install, and run the free trial version of Malwarebytes for Windows followed by a manual Threat Scan with default settings.

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location:

image.png

 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged.

 

image.png

 

If you click on the View option you should get something similar to the following with other options available.

 

image.png

Please attach (not Cut/Paste) the report's .txt file to your next reply to this topic.

Thank you.


Hello @DraculaTheSecond, I will guide you forward. Malwarebytes has done a very good cleanup. These are just the next steps.

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome, Edge, and any other web browsers are closed.

It will not take much time, but do read all of this write-up first so that you fully understand the concept of this special run.

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.
Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.

Take your time and go carefully. There are some preliminary selections to be set before pressing any "Scan" button.

When AdwCleaner starts, on the left side of the window, click on "Settings" and then enable these repair actions on that tab by clicking their button on the far right to the ON position:

Delete IFEO keys
Delete tracing keys
Delete Prefetch files
Reset Proxy
Reset IE Policies
Reset Chrome policies
Reset Winsock

Now, on the left side of the AdwCleaner window, click on "Dashboard" and then click "Scan" to perform a computer scan.

This can take several minutes.
When the AdwCleaner scan is completed it will display all of the items it has found. Click on the "Quarantine" button to remove what it found.

AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean. 
Click on the “Continue” button to finish the removal process.

Guide article

Attach the clean log from Adwcleaner when all completed.


Hi @Maurice Naggar! (Just a parenthesis: I read another topic where you helped someone, so it's good to see you helping me too, hehehe.) I did everything you said; it said no items were detected, as you can see from the image. I guess Malwarebytes did a pretty good job? Anyway, here is the scan log file. Thank you for your help, Captain.

Screenshot (85).png

AdwCleaner.txt


Your last scan with Malwarebytes found -and- removed 4 riskware threats that were parts of scheduled Tasks. Classified as RiskWare.Script.Powershell.Generic

We will do more procedures. Just do not do anything else on your own. Have patience till my next guidance.

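A read-only triage script, added here as an example and not part of this thread or of Malwarebytes' tooling: it lists every scheduled task whose action launches PowerShell and flags the traits commonly seen in task-based PowerShell riskware (encoded command, hidden window, execution-policy bypass, download cradle). The function name and the flag patterns are my own choices; run it from an elevated PowerShell so that all task folders are visible.

```powershell
# Added triage example (not from this thread). Reports only; deletes nothing.
function Get-PowerShellTaskReport {
    [CmdletBinding()]
    param()

    # Heuristic patterns (assumed, not from the thread) matched against each task's command line.
    $flags = @(
        @{ Name = 'EncodedCommand'; Pattern = '-(e|ec|enc|encodedcommand)\s' },
        @{ Name = 'HiddenWindow';   Pattern = '-w(indowstyle)?\s+hidden' },
        @{ Name = 'BypassPolicy';   Pattern = '-ex(ecutionpolicy)?\s+bypass' },
        @{ Name = 'DownloadCradle'; Pattern = 'downloadstring|invoke-webrequest|\biwr\b' }
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions have an Execute property; skip everything that is not PowerShell.
            if ($action.Execute -notmatch 'powershell|pwsh') { continue }

            $cmd  = "$($action.Execute) $($action.Arguments)"
            $hits = $flags | Where-Object { $cmd -imatch $_.Pattern } | ForEach-Object Name

            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Author   = $task.Author
                Command  = $cmd
                Flags    = ($hits -join ',')
            }
        }
    }
}

# Flagged tasks sort to the top; legitimate vendor tasks that use PowerShell will also
# appear, so compare TaskPath and Author before acting on anything.
Get-PowerShellTaskReport | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Anything you decide to remove should still go through a tool such as Malwarebytes or FRST so that the task file and its target script end up in quarantine with a log, as happened in this thread.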

  • Solution

Hello. This is the next procedure.  There are a handful of scheduled tasks folders that we will look for & if found, remove them.
This script will also clear all Cache, history, and temporary files in Edge, Brave, Chrome web browsers. It will do some scans with MS Defender antivirus. It will rebuild the Winsock.
 

Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply

 

Farbar program location:   C:\Users\aumar\Downloads\FRST64.exe

 

Please download the attached fixlist.txt file and save it to C:\Users\aumar\Downloads

Fixlist.txt

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  Depending on the speed of your computer this fix may take 30 - 40 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

ALSO, A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  • Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
  • Right click on Quarantine > Send to > Compressed (zipped) folder
  • Upload the archive in your next reply
  • If archive is too big you can upload here > https://wetransfer.com/

Also, let me know how the situation is at this point, or about any other active security issue.
I notice that you have run an ESET Online Scanner scan on your own. What else?

Thank you!

 


Thank you for the log-report & the ZIP file.

Windows Resource Protection found corrupt files and successfully repaired them.
 
 

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off. Be sure that line's radio-button selection is all the way to the left. Thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

Do a custom scan with Microsoft Defender Antivirus 

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.



On the 1st screen-grab, notice what MS Defender reports !
NO current threats.
Last scan 2023-01-04  15:59 local time
0 threats found

As to the 2nd screen-grab of Protection History
You see 4 old detections from December 22 & January 3 that were dealt with.

There appears to be an advisory message that one protection option is turned off: potentially unwanted application protection.
You should be able to get that turned on on your own, if you drill through the settings.

However, before doing that, let us get a pair of reports.
 

Download Farbar's Service Scanner utility and save it to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services


Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

 

 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot, override it, and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on Securitycheck.exe and select "Run as administrator", then reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt


The FSS report is good. It indicates that MS Defender is good. The SecurityCheck report also shows that MS Defender is on and in a good state.
The following apps need your follow-up to ensure they are up to date.

NVIDIA GeForce Experience 3.26.0.154 v.3.26.0.154 - Warning! Download

Zoom v.5.11.11 (8425) - Warning! Download Update

µTorrent v.3.6.0.46590 - Warning! Ad-supported P2P client. You will be safer without using "torrents".

VLC media player v.3.0.17.4 - Warning! Download Update

This machine is free of the riskware that had been misusing PowerShell. You should do a new Malwarebytes scan to re-check.
 

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes. Next, the Malwarebytes scan.

Next click the blue button marked Scan.

 

When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.

>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢

MB4_scan_tick_ALL.jpg.954dd31097351eba2c305a1321a445d6.jpg

 

Please double verify that you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

 

Then click on the Quarantine button.

MB4_scan_all_Quarantine2.jpg.99b8d9b73d90d347577ae0826ac406b1.jpg

 


Then, locate the scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 333570
Threats Detected: 0
Threats Quarantined: 0


Yes, indeed the result is very very good. As I noted before, the 4 riskwares and their container sub-folders had been removed ( earlier).
Now, I suggest a different scan to get a secondary check.

TrendMicro HouseCall scan

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro and do an update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented. Click the Accept radio button and click Next to proceed.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list showing the file and its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action and select Ignore.

When all done & ready, click the Fix now button.


It flagged 1 .RAR file and 1 .ZIP file. You should have clicked on the "Fix now" button, and it should have proceeded to "3. Review Results". I am looking for a report .LOG file. Look under the folder C:\Program Files\Trend Micro\Housecall\log for a file named history.log.

Kindly attach that.

You should delete the 2 files tagged by TrendMicro HouseCall.
 


Thank you. I believe your system is good-to-go.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_2.10.0.exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)


Sincerely.


You are very welcome!
As for the TrendMicro download, if you still see the downloaded file Housecalllauncher64.exe, then delete it.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.