
Powershell running in the Background (Trojan)

Solved by JSntgRvr

Hello, I'm opening a new topic, since no one seems to answer my last post.

I noticed that PowerShell has been running in the background.

Here are my scans with Malwarebytes, AdwCleaner and FRST. (I removed the Trojan with Malwarebytes.)

Is my PC safe now? Or what do I do after running FRST on my PC? Can someone please help me out?

MalwarebytesScan.txt FRST.txt Addition.txt

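Added example, not from this thread and not part of Malwarebytes, FRST or AdwCleaner: a read-only PowerShell triage script for the situation above. It lists any powershell.exe or pwsh.exe processes with their parent process, memory use and full command line, then enumerates scheduled tasks and Run/RunOnce registry keys whose action launches PowerShell, so you can see what keeps relaunching it before and after a cleanup. It changes nothing on the system.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell
# prompt; every call below only reads process, task and registry state.

# 1. Running PowerShell processes, with parent and command line
$ps = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'"
foreach ($p in $ps) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        PID          = $p.ProcessId
        ParentPID    = $p.ParentProcessId
        Parent       = $parent.Name          # $null if the parent already exited
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        CommandLine  = $p.CommandLine        # hidden/encoded launches show up here
    }
}

# 2. Scheduled tasks whose action executes PowerShell
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { "$($_.Execute)" -match 'powershell|pwsh' } | ForEach-Object {
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            Execute   = $_.Execute
            Arguments = $_.Arguments
        }
    }
}

# 3. Run / RunOnce autostart values (machine and current user) that invoke PowerShell
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'powershell|pwsh' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
}
```

An entry in sections 2 or 3 that you do not recognise is worth pasting into a reply alongside the FRST logs, since it is usually what a fix list has to remove for the process to stop coming back.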

  • Solution

A Remote Desktop Connection is a way to remotely access a computer's desktop. Application programs are executed on one computer (server) and displayed and operated on another computer (client). A remote desktop is a separate program or function that can be found in most operating systems and gives a user access to the Desktop of a computer system. There are many use cases for remote desktop connections, such as remote maintenance, file transfer and much more.

I don't believe it is available in Windows 10 Home Edition. If you do find that setting, uncheck it. That should disable Remote Desktop.

Malwarebytes Anti-Malware took care of the PowerShell Trojan.

 

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved.
  • Start FRST (FRST64) with Administrator privileges.
  • This time around, press the Fix button and wait.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
  • You can rename FRST64.exe to its original name.

Please attach this file in your next reply.

Download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.

When AdwCleaner starts, on the left side of the window, click on "Settings" and then enable these repair actions on that tab by clicking their button to the far right for ON status:

  • Delete IFEO keys
  • Delete tracing keys
  • Delete Prefetch files
  • Reset Proxy
  • Reset IE Policies
  • Reset Chrome policies
  • Reset Winsock
  • Reset HOSTS file
  • Click Scan Now ...
  • When the scan has finished a Scan Results window will open.
  • Click Cancel (at this point do not attempt to Quarantine anything that is found)
  • Now click the Log Files tab ...
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the scan.

Please attach the file in your next reply.


22 minutes ago, Rader010 said:


Me again, the green bar suddenly stopped moving and nothing is happening. Is the program stuck? Or do I just wait longer?

I guess I was being impatient. The Fix was completed after a while :D.

Both files are attached below. The Fixlog is in German, although I renamed FRST.exe to FRSTEnglish.exe. Is that alright?

AdwCleaner[S03].txt Fixlog.txt


Hi,

PowerShell isn't running in the background anymore :), which weirdly used to use up 20% of my RAM.

Is there a chance that someone might have stolen my login data on Chrome? And can adding an extension cause this? I can't remember downloading something that might have downloaded a virus onto my PC...

 


Not too savvy on Chrome, but you can restore the browser to default values.

 

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved.
  • Start FRST (FRST64) with Administrator privileges.
  • This time around, press the Fix button and wait.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
  • You can rename FRST64.exe to its original name.

Please attach this file in your next reply.

 

Please rescan with FRST and post new logs.


  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved.
  • Start FRST (FRST64) with Administrator privileges.
  • This time around, press the Fix button and wait.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
  • You can rename FRST64.exe to its original name.

Please attach this file in your next reply.

 

Let me know how it is doing.


Congratulations.
 
Use this application to remove tools used and their quarantined items:
 
Please download KpRm by Kernel-panik and save to your Desktop.

  • Click on KpRm.exe to run the tool.

Vista/Windows 7/8/10 users right-click and select Run As Administrator.

  • Put a check mark next to these items:
    - Delete tools
    - Create Restore Point
    - Delete now

  • Click the "Run" button.


  • When the tool has finished, it will create and open a log report and delete itself.

A few final recommendations:

  • Use a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
  • Make sure you're backing up your files.
  • Keep all software up to date (PatchMyPC).
  • Keep your Operating System up to date and current at all times.
  • Further tips to help protect your computer data and improve your privacy:
  • Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security:

Malwarebytes Browser Guard

uBlock Origin

Further reading if you like to keep up on the malware threat scene:
 
Malwarebytes
 
Bleepingcomputer
 
Hopefully, we've been able to assist you with correcting your system issues.
 
Thank you for contacting Malwarebytes. Regards.
