kribye Posted May 19, 2023 ID:1568207

I keep getting a desktop notification that says Security Suite closed Powershell.exe, and when I click on it to get more information it just says Exploit:W32/PowerShellStager.B!DeepGuard. When this happens, it brings up a new window that goes away right away and tabs me to a different window. I tried running a scan and a malware removal tool, but this is still happening. What do I do to get this to stop?
Maurice Naggar Posted May 19, 2023 ID:1568211

Hello. @PJzinc My name is Maurice. I will guide you. Let me know what name you prefer to go by. I will guide you along on looking for potential malware.

Let's keep these principles as we go along.
Removing malware can be unpredictable ... things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a USB-storage drive or flash/thumb drive.
Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to.
Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
The removal of malware isn't instantaneous, please be patient.
Please stick with me until I give you the "all clear".
Your topic will be closed if you haven't replied within 4 days!

Download the Malwarebytes Support Tool.
In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
In the User Account Control pop-up window, click Yes to continue the installation.
Run the MBST Support Tool.
In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply to this topic.
kribye Posted May 19, 2023 Author ID:1568212

mbst-grab-results.zip
Maurice Naggar Posted May 19, 2023 ID:1568222

The infection has a cluster of rogue scheduled tasks. Those will take more rounds & fixes for later.

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.
Select View > Show > Hidden items.
Select View > Show > File name extensions.

Please run the following custom script. Read all of this before you start.
Please close all open work.
FRSTENGLISH.exe is already on this machine in Downloads.
Please download the attached fixlist.txt file and save it to the Downloads folder.
Fixlist.txt <-- - - - -
NOTE. It's important that both files, FRSTENGLISH and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.
Use File Explorer to go to the Downloads folder.
RIGHT-Click on FRSTENGLISH and select RUN as Administrator and reply YES to allow it to go forward to start. That is important so that this run has Elevated Administrator rights !!
NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version please download and run the updated version.
NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Winsock. It will attempt to run scans with MS Defender. Depending on the speed of your computer this fix may take 50-55 minutes or more. The system will be rebooted after the script has finished.
Attach FIXLOG.txt with next reply.
This is not a one-shot cure-all.
Stick with me. There is much more work later.
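Added example, not part of Maurice's fixlist.txt and not code posted by anyone in this thread: the post above says the infection had a cluster of rogue scheduled tasks, and the first post says the detection fired on Powershell.exe. A practitioner reviewing a machine like this usually wants to see, before and after the fix, which scheduled tasks launch PowerShell with stager-style arguments (encoded command, hidden window, execution-policy bypass, download-and-execute) and what any encoded payload decodes to. The indicator strings below are assumptions about what such tasks commonly look like, not signatures from the Exploit:W32/PowerShellStager.B!DeepGuard detection, and the CSV path is an arbitrary choice. Run it from an elevated PowerShell window; it only reads and reports, and the disable step is left commented out for review first.

```powershell
# Added example (not from the thread): list scheduled tasks whose action launches PowerShell
# with stager-style arguments, and decode any -EncodedCommand payload for review.
# The indicator list is an assumption about common stager command lines, not a vendor signature.
$StagerIndicators = @(
    '-enc', '-encodedcommand', ' -e ',          # base64 (UTF-16LE) encoded command
    '-w hidden', '-windowstyle hidden',         # hidden console window
    '-nop', '-noprofile',                       # profile skipped, typical of unattended launchers
    '-ep bypass', '-executionpolicy bypass',
    'iex', 'invoke-expression', 'downloadstring', 'invoke-webrequest', 'frombase64string'
)

function ConvertFrom-EncodedCommand {
    # Returns the script behind -e/-enc/-EncodedCommand, or $null if there is none.
    param([string]$Arguments)
    if ($Arguments -match '-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) }
        catch { return $null }
    }
    return $null
}

function Get-SuspiciousPowerShellTask {
    param([string[]]$Indicators = $StagerIndicators)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            $cmdline   = "$exe $arguments"
            # Consider actions that run powershell.exe/pwsh.exe directly or via a cmd/wscript wrapper.
            if ($cmdline -notmatch 'powershell|pwsh') { continue }
            $hits = $Indicators | Where-Object { $cmdline -match [regex]::Escape($_) }
            if (-not $hits) { continue }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                State      = $task.State
                RunAs      = $task.Principal.UserId
                LastRun    = $info.LastRunTime
                NextRun    = $info.NextRunTime
                Execute    = $exe
                Arguments  = $arguments
                Indicators = ($hits -join ', ')
                Decoded    = ConvertFrom-EncodedCommand -Arguments $arguments
            }
        }
    }
}

# Review the findings and keep a copy to attach to a thread like this one (path is an assumption).
$findings = Get-SuspiciousPowerShellTask
$findings | Format-List
$findings | Export-Csv -Path "$env:USERPROFILE\Downloads\suspicious-tasks.csv" -NoTypeInformation

# After review, disable rather than delete, so a legitimate task can be re-enabled:
# $findings | ForEach-Object { Disable-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName }
```

Running it once before the FRST fix and once after gives a before/after list that shows whether the rogue tasks were actually removed rather than only disabled, and the Decoded column makes it obvious when a task's "innocent" launcher is really a base64-wrapped download-and-execute stage.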
kribye Posted May 19, 2023 Author ID:1568227

Fixlog.txt
Maurice Naggar Posted May 20, 2023 ID:1568295 (edited)

The Windows System File Checker (SFC) has made corrections. Windows Resource Protection found corrupt files and successfully repaired them. The rogue scheduled tasks were removed by the custom script.

Let's get & install Malwarebytes & do a scan with it. Malwarebytes can detect and remove most malware with no further actions required for free.
Please download, install, update Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773 and post back the log as shown below.
Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Edited May 20, 2023 by Maurice Naggar
kribye Posted May 20, 2023 Author ID:1568313

scan.txt
Maurice Naggar Posted May 20, 2023 ID:1568315 (Solution)

Do a new scan with Malwarebytes for Windows.
Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions.
Let me know how that goes.
Next, the Malwarebytes sca
Next, click the small x on the Settings line to go to the main Malwarebytes Window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<<
💢 Please double verify you have that TOP check-box tick marked, and that then, all lines have a tick-mark.
Then click on Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
Maurice Naggar Posted May 22, 2023 ID:1568540

Hello @kribye
One other additional request. A request please: I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please.
Using Windows File Explorer, navigate to the C:\FRST folder on your system.
Expand the folder so you see all contents.
Right click on Quarantine > Send to > Compressed (zipped) folder
Upload the archive in your next reply.
If the archive is too big you can upload here > https://wetransfer.com/
Thank you!
kribye Posted May 22, 2023 Author ID:1568547

Quarantine.zip
report2.txt
report1.txt
Sorry for the late response. report1 is the report I ran on my first scan before updating (the quarantine items are from that scan) and report2 is a scan from today after updating.
Maurice Naggar Posted May 22, 2023 ID:1568553

-Log Details-
Scan Date: 5/20/23
Scan Time: 10:59 AM
Log File: 58b41eb2-f727-11ed-aa7e-04421ad02b31.json

-Software Information-
Version: 4.5.29.268
Components Version: 1.0.2022
Update Package Version: 1.0.69730
License: Trial

-System Information-
OS: Windows 11 (Build 22621.1702)
CPU: x64
File System: NTFS
User: LoganLaptop\logma

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 327888
Threats Detected: 43070
Threats Quarantined: 43070
Time Elapsed: 17 min, 12 sec

The bulk of the line items were classified as Adware.Bloom.

Let's do one scan with Malwarebytes AdwCleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are closed. It will not take much time.
First download & save it: guide & download link
Then be sure to close all web browsers after the download & before launching the tool.
Then go to where the EXE file is saved. Start AdwCleaner.
Then do a scan with AdwCleaner: Guide article
Attach the clean log from AdwCleaner when all completed.
Thank you for the reports. 😃
kribye Posted May 22, 2023 Author ID:1568555

AdwCleaner[C00].txt
Maurice Naggar Posted May 22, 2023 ID:1568561

Thank you. 😀
As a next step, I suggest the following: This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, this will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on CUSTOM scan and select C drive to be scanned.
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.
At screen "Detections occurred and resolved" click on blue button "View detected results".
On next screen, at lower left, click on blue "Save scan log".
View where file is to be saved. Provide a meaningful name for the "File name:".
On last screen, set to Off (left) the option for Periodic scanning.
Click "save and continue".
Please attach the report file so I can review.
AdvancedSetup (Root Admin) Posted May 30, 2023 ID:1569946

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.
Tips to help protect from infection
Thanks