Persistent Issue with PowerShell Window Opening and External Access Blocking

Solved by Maurice Naggar

Dear all,

Good morning.

A few days ago, a PowerShell window started opening after system startup, and every time I closed it, it would reopen. I found it strange and decided to run Defender, but it didn't change the situation. After installing Malwarebytes, it found some threats that I removed, but it still didn't eliminate whoever is opening the PowerShell window. However, it seems to be blocking an external access attempt that this PowerShell window is making, as Malwarebytes keeps notifying me of blocking a website.

Could you please assist me with this issue?

Thank you very much in advance.
Anderson A.

P.S. Attached are files for better understanding and analysis.

SnapCrab_28-05-2023_12-56-21.png

SnapCrab_28-05-2023_13-02-07.png

Addition.txt FRST.txt log_mb.txt


Hello @Andersants and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have posted.

Thank you.


Hello and welcome @Andersants

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Kindly have patience while I review your report. I will get back to you. Thanks for the report collection. 😀
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Hello Anderson. 

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of Malwarebytes for Windows 😃.

Close Malwarebytes.

( 2 )


Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View → Show → File name extensions

( 3 )


Next first step is to turn OFF (to DISABLE) the "fast startup" of Windows 11.
See https://www.windowscentral.com/software-apps/windows-11/how-to-enable-or-disable-fast-startup-on-windows-11

When that is done, be sure to do ( from Start menu) one Power >> Shutdown >> Restart.
Having "fast startup" can complicate our efforts to fix problems.

( 4 )


Now we have to ensure that a FRST tool by the name of FRSTENGLISH.exe is in a folder that can be easily found & seen.
On the Taskbar Search box, type in
cmd.exe
click the line for "run as administrator"


It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.
On that Command prompt, Copy & Paste this command (be very sure to copy the whole entire line. ALL of it):

copy C:\Users\ander\AppData\Local\Temp\mwbC825.tmp\FRSTEnglish.exe C:\Users\Public\Desktop\FRSTEnglish.exe


Press the Enter key on the keyboard and watch to see that it completes.
Then Close the command-prompt window.


NEXT

Please run the following custom script. Read all of this before you start. Please Close all open work.

FRSTENGLISH.exe should be on the public DESKTOP. If not, then Stop & let me know.

Please download the attached fixlist.txt file and save it to Desktop folder

Fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Desktop folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Desktop folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run scans with MS Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more.

NOTE-2: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

Important:  If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. After this completion, I expect the rogue to be gone.


Hi. Good morning. I am glad to read the good news. Thank you for the report. Do stick around with me. I have a few more things for you.

A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  • Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
  • Right click on Quarantine > Send to > Compressed (zipped) folder
  • Upload the archive in your next reply
  • If archive is too big you can upload here > https://wetransfer.com/

Also, let me know how the situation is at this point as to any new "block" notices, or some other active security issue.
Also, please do one new Scan with Malwarebytes.

Thank you!

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time.

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner.

Guide article

Attach the clean log from AdwCleaner when all is completed. We will do a few more things later.

Dear @Maurice Naggar, good morning.

So far, there have been no further reports of blockages. The system is running smoothly, and the PowerShell window has not reappeared. I ran Malwarebytes AdwCleaner and it detected 3 infections, which were removed. I ran Malwarebytes again, which detected and deleted additional infections.

Attached are all the logs.

Thank you very much,
Anderson A.

AdwCleaner[C00].txt AdwCleaner[S00].txt mbst-grab-results.zip Quarantine.7z


Up to the time that the first custom-fix-script was completed, there was no protection of any sort by Microsoft Defender antivirus, because every drive was excluded from monitoring by Microsoft Defender. To that point, effectively there was no antivirus or antispyware protection. So, if you want to consider stopping and rebuilding the Windows system from scratch, and re-installing your programs from scratch, please then stop and let me know. That set of steps is a good way to have peace of mind for the future.

The last custom script-fix-run did knee-cap (remove) the rogue. But there is just a bit of cleanup to do.

Please run the following custom script. Read all of this before you start. Please Close all open work.

FRSTENGLISH.exe should be on the public DESKTOP. If not, then Stop & let me know.

Please download the attached fixlist.txt file and save it to Desktop folder

Fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Desktop folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Desktop folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a Quick scan with MS Defender antivirus. The main goal here is to remove 1 trace of the rogue trojan that is left.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. Stick around with me.

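The helper's point above is that whole-drive Defender exclusions left the machine with no antivirus coverage at all. As an added example (not code from the thread, the helper or the FRST fixlist), the following PowerShell check, run from an elevated prompt on the affected machine, lists Defender's protection state, flags any exclusion that covers an entire drive root, and lists Run-key entries and scheduled tasks whose command line launches PowerShell, which is where a window that reopens at every startup would normally be registered. It uses the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference) and Get-ScheduledTask; the registry paths are the standard Run/RunOnce keys.

```powershell
# Added example: audit Defender exclusions and PowerShell startup entries.
# Run from an elevated PowerShell prompt (the Defender cmdlets need it).

$report = [ordered]@{}

# 1. Defender state: both should be True on a protected machine.
$status = Get-MpComputerStatus
$report.RealTimeProtection = $status.RealTimeProtectionEnabled
$report.AntivirusEnabled   = $status.AntivirusEnabled

# 2. Exclusions: an entry such as "C:\" or "D:" silences Defender
#    for the whole drive, which is what happened in this thread.
$pref = Get-MpPreference
$driveRoots = @()
foreach ($p in @($pref.ExclusionPath)) {
    if ($p -match '^[A-Za-z]:\\?$') { $driveRoots += $p }
}
$report.DriveWideExclusions = $driveRoots
$report.AllPathExclusions   = @($pref.ExclusionPath)
$report.ProcessExclusions   = @($pref.ExclusionProcess)

# 3. Startup entries whose command invokes PowerShell.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psAutoruns = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $props = Get-ItemProperty -Path $k
        foreach ($name in $props.PSObject.Properties.Name) {
            # Skip the PSPath/PSDrive/... metadata properties.
            if ($name -notmatch '^PS') {
                $v = [string]$props.$name
                if ($v -match '(?i)powershell|pwsh') { "$k\$name = $v" }
            }
        }
    }
}
$psTasks = Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        ("$($_.Execute) $($_.Arguments)") -match '(?i)powershell|pwsh'
    }
} | ForEach-Object { "$($_.TaskPath)$($_.TaskName)" }

$report.PowerShellRunEntries = @($psAutoruns)
$report.PowerShellTasks      = @($psTasks)

# Print the findings; a non-empty DriveWideExclusions list or an
# unexpected PowerShell autorun is what to review with the helper.
$report | Format-List
```

Legitimate software does register PowerShell tasks (some vendor updaters do), so an entry in the last two lists is a lead to verify, not a verdict.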

Solution

Thank you for the Fixlog. I would like for you to advise me whether the block-message window about "homesecuritypc(.)com" has re-appeared. My assumption is that it no longer happens. As a matter of fact, you did mention before that it has not re-appeared.

As a next step, I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

You can start this and, once it is under way, leave the machine alone & let it run overnight. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.


  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, click on CUSTOM scan and select the C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review


  • 2 weeks later...

Dear @Maurice Naggar,

I would like to apologize for the delay in my response, but it seems that my Internet IP has been blocked on the Malware forum, as every time I try to access the forum from home, I receive a page indicating that it's blocked.

The initial problem seems to have been resolved, as the PowerShell warning no longer appears. The computer experienced some slowness and errors after the virus removal, but after a few restarts, everything is working fine now.

I was unable to perform the last request, as I couldn't access the forum from my PC, so I couldn't follow the step-by-step instructions.

I will try to perform the procedure as soon as possible and provide you with a better update.

Thank you very much in advance.

Anderson A.


Dear all,

Good morning.

I apologize for the delay in responding. I feel bad about this entire delay.

Regarding the use of ESET Online, please find attached the report after the scan.
Regarding the access block to the website, on the same day as my last message, I tried to access it from my computer and the block message did not appear again (I didn't take a screenshot when it first appeared). The only thing I did differently was to uninstall the test MBAM that I had installed at the beginning of the process.
I greatly appreciate everyone's attention and care throughout this process.

Best regards,
Anderson A.

esetonline.txt


Thanks. The ESET Onlinescanner flagged & removed 2 "utorrent" executables. It is best not to use "torrent" type add-ons at all.
ESET also removed 1 extension on the Chrome browser, plus 1 riskware, plus some Cache leftovers of Edge browser.
I suggest you do the following scan with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, press the Windows Key and R Key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\ander\DESKTOP\KVRT.exe will now show in the run box.


Add:
-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\ander\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.


That addendum to the run command is very important.


To start the scan select OK in the "Run" box.

The "Windows protected your PC" window may open. IF SO, then select "More info".


A new Window will open, select "Run anyway"


An EULA window will open; tick both confirmation boxes, then select "Accept".


In the new window select "Change Parameters"

  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".

The Kaspersky tool is very thorough, so it will take a considerable time to complete; please allow it to finish. Also, while Kaspersky runs do not use your PC for anything else.

  • When completed: If entries are found, there will be options to choose. If "Cure" is offered, leave it as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your system drive (usually C:), similar to this:

Reports are saved here: C:\KVRT_data\Reports, and look similar to this: report_20230622_103000.klr

  • Right-click directly on those reports, select > Open with > Notepad.
  • Save the files and attach them to your next reply.

Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
