
Windows Powershell sending Outbound connection to spam site constantly


Solved by Maurice Naggar


Hello, I have a problem: my computer may be infected by malware. It keeps showing Windows PowerShell running in the background, and I get a notification from Malwarebytes that a 'website was blocked due to riskware'. Malwarebytes identifies this as malware, but it is not a program I can remove, and I have never visited that website. I'm looking to sort out whatever the issue may be. Here is the log file:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/2/23
Protection Event Time: 10:35 PM
Log File: 39fd4d42-314a-11ee-9525-d85ed387505b.json

-Software Information-
Version: 4.5.34.275
Components Version: 1.0.2089
Update Package Version: 1.0.73363
License: Trial

-System Information-
OS: Windows 11 (Build 22621.2070)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: RiskWare
Domain: privatproxy-blog.xyz
IP Address: 104.18.24.172
Port: 80
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

(end)

It keeps alerting about outbound connections to many different websites.


  • Solution

Hello, welcome.

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • These are IP blocks. The Malwarebytes real-time web protection is keeping your PC safe from potential harm.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous; please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but will also make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to exit out of it while this case is ongoing.

I would like a report set for review. This is a report only.

Please download the MALWAREBYTES MBST Support Tool.

Once you start it, click Advanced >>> then Gather Logs.

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.

After sending the report above, please do this next quick procedure. The goal here is to help on the IP block events.

First, please be sure to EXIT out of / close any open work you may have open at this point, so that you have an unobstructed view of the Desktop.

This PowerShell scripted run will make a log file on the Desktop named Klearemlog.txt.

Save the attached zip file to your system. If possible save it to the Desktop.

Klearem.zip
Then with File Explorer find the Klearem.zip

Next, with that zip file, Extract all content to the Desktop

Then with File Explorer, go to Klearem.txt and do a RIGHT-click with the mouse & select

Rename


and rename it to

Klearem.ps1

Once that is confirmed, then do a RIGHT-click on

Klearem.ps1

& select the option

Run with Powershell

It will / should display as the 2nd choice on the option menu. Pick "Run with Powershell" and tap Enter.

Next, you may be questioned with an "Execution Policy Change" prompt. If so, respond by typing

Y

and tap Enter.
From then on, the script will automatically run.
When it has finished you should see an on-screen display

End of run.  Press Enter to exit

When all done, let me know. Sincerely.


Hello Maurice,

Thank you for your support. I have done the report you need; it is in the attached file. But for the next step, I had already downloaded the Klearem.txt and renamed it to Klearem.ps1 and followed the steps to run it with PowerShell, and just a black window appeared for a blink and disappeared, with no such option to continue as you mentioned here:

It will / should display as the 2nd choice on the option menu. Pick "Run with Powershell" and tap Enter.

Next, you may be questioned with "Execution Policy Change" prompt. If so, respond with/ type  

Y

and tap Enter.
From then on, the script will automatically run.
When it has finished you should see a on-screen display

End of run.  Press Enter to exit

I have tried to run the file with PowerShell many times, but it is still the same.

What should I do next?

  

mbst-grab-results.zip


This machine has multiple well-entrenched Trojans. If this machine is just a home, game machine with nothing on it that you cannot do without, stop and consider wiping the system (erase) and rebuilding it from scratch, as far as the Windows operating system, and newly installing programs. Let me know if you want to do that.

We can try to hunt for malware and remove them. The run below is a first run, to attempt to remove some 6 malicious scheduled tasks & associated folders, with also some 5 registry entries. It also attempts to re-enable Microsoft Defender antivirus and to do some scans.
All this is provided "AS-IS". No guarantee that all the malware would be fully gone.
As I note, this is just Round 1.  We would need to do more passes, more scans later.

The Malwarebytes real-time web-protection has been keeping the machine safe from harm.

Please run the following custom script. Read all of this before you start. Please Close all open work before you actually do begin this run.

Farbar  FRSTENGLISH program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it in your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers, this script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  • Using Windows File Explorer, navigate to the C:\FRST folder on your system. Expand the folder so you see all contents.
  • Right click on Quarantine > Send to > Compressed (zipped) folder
  • Upload the archive in your next reply
  • If archive is too big you can upload here > https://wetransfer.com/

Also, Let me know how the situation is at this point as to any new "block" notices, or some other active security issue.
Also, please do one new Scan with Malwarebytes.

Also, you should find on the Desktop a ZIP file that is named with today's date & current time, like 2023-08-03

Please see about attaching that also in your reply.

Thank you!


Hello Maurice, 

I have done all the steps as you instructed and everything went as you said. For the situation at the point before I ran FRSTENGLISH and fixlist.txt, I still saw the block notices appear as earlier. And now that I have completed the steps you told me to do, I don't see any block notices appear again. But if later on anything appears I will update you here.

I also attached the files you need. Thank you for your support.

 

Fixlog.txt Quarantine.rar 03.08.2023_23.04.56.zip


I also did the new scan with Malwarebytes and here is the result:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/3/23
Scan Time: 11:17 PM
Log File: 39b85e42-3219-11ee-bb4d-d85ed387505b.json

-Software Information-
Version: 4.5.34.275
Components Version: 1.0.2089
Update Package Version: 1.0.73419
License: Trial

-System Information-
OS: Windows 11 (Build 22621.2070)
CPU: x64
File System: NTFS
User: DESKTOP-U5SJ7I2\Sann

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 287623
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 3 min, 46 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


Let me know, does the name or acronym

KHVshort

sound familiar to you? And, from where did you recently get an MP3 and/or MP4 converter? I need details on that. I really suspect that is one big source of the infections. Media converter tools are known to be (along with hacked / cracked games) a big avenue for the spread of malicious infections. Kindly advise. And do not go away; there are a lot more scans and work to do. The infections had essentially set drive C to be entirely unprotected by Microsoft Defender antivirus.
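The posts above describe three symptoms on this machine: scheduled tasks that launch PowerShell, powershell.exe making outbound connections, and Microsoft Defender left unprotecting drive C. The following read-only triage script, added here as an example and not the Klearem or FRST script from the thread, surfaces all three; it assumes an elevated Windows PowerShell 5.1 or later console with the ScheduledTasks, NetTCPIP and Defender modules available.

```powershell
# Added triage script; it is not from the thread or from Malwarebytes.
# Read-only checks, run from an elevated PowerShell console, for the
# three symptoms the posts describe: tasks that launch PowerShell,
# powershell.exe talking outbound, and Defender exclusions on drive C.

# 1. Scheduled tasks whose action executes powershell.exe or pwsh.exe.
#    Task names are unknown here, so every registered task is inspected.
$suspectTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match '(powershell|pwsh)(\.exe)?"?$') {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}
"== Scheduled tasks that run PowerShell =="
$suspectTasks | Format-Table -AutoSize

# 2. Established TCP connections owned by a PowerShell process, with the
#    command line and parent PID so the launching task can be traced.
"== Outbound TCP connections from powershell.exe / pwsh.exe =="
Get-NetTCPConnection -State Established | ForEach-Object {
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
    if ($p -and $p.Name -match '^(powershell|pwsh)\.exe$') {
        [pscustomobject]@{
            Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
            ProcessId   = $p.ProcessId
            ParentId    = $p.ParentProcessId
            CommandLine = $p.CommandLine
        }
    }
} | Format-List

# 3. Defender state and exclusion paths. An exclusion covering C:\ (or
#    disabled real-time protection) means the drive is not being scanned.
"== Microsoft Defender status =="
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled |
    Format-List
"Exclusion paths (normally empty, or only entries you added yourself):"
(Get-MpPreference).ExclusionPath | ForEach-Object { "  $_" }
```

A task in section 1 whose Arguments contain a hidden window or encoded command, matched to a process in section 2 by parent PID, is the kind of finding the fixlist run in this thread was written to remove; the script itself changes nothing.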

Hello Maurice,

KHVshort is software I purchased from a trusted seller; it would not be a problem with that software. I recently installed software called Wondershare Uniconverter from a website; probably the malware is from that program. I also uninstalled it a few days later, as I didn't know how to use it.

Can you advise me what to do next? If it is so complicated, I probably just need to wipe the system and reinstall Windows. But can you clarify for me: if I reinstall Windows without wiping data from my drive D, and I want to copy some data that I stored on drive C, will the malware still infect my new Windows?

Thank you so much for your great support.

As I noted, there are many more scans & checks to do on this system. I will be sending those directions as we go along.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.


This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get & run the Malwarebytes MBAR anti-rootkit tool to do one run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.
  • Then, keep going and do the next procedure below.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first.
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.

This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


Before you think of copying any of your files & other documents off this system, you should truly Scan the whole drive that has those files.

That can be done with the ESET Online Scanner tool, selecting to scan (for sure) drive D, and any other drive where you have your files.

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

Please ensure you  do a CLEAN install of Windows properly which includes removing ALL partitions from the installation drive.

Clean Install Windows 10 & 11 (2023)
https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587


You are welcome. If you have other questions, do ask. As far as my best advice, it is to always be super-cautious about where and what you 'download'. Do all sorts of checking about the reputation of where you get any download, as well as scanning those 'downloads' with antivirus before you open, before you even 'install' or 'run'. Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

I would urge you ( as soon after you have rebuilt Windows) to get and setup Premium Malwarebytes as the very first thing. Premium Malwarebytes would have helped to stop the malware right at the beginning.


I wish you well. I am marking this for closure. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread.
