Windows Powershell outbound connection

[liam8481]

hello i keep getting a message saying a website has been blocked and the file is Windows Powershell, how do i fix this?

[liam8481]

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/24/24
Protection Event Time: 10:37 PM
Log File: 3a0a822a-bb09-11ee-8cc5-04d9f5cf166c.json

-Software Information-
Version: 4.6.8.311
Components Version: 1.0.2242
Update Package Version: 1.0.79970
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3930)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Malware
Domain: 
IP Address: 194.26.135.180
Port: 15647
Type: Outbound
File: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

(end)

[Porthos]

@liam8481

Let's get the info to get the process started.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply
  
  Then be patient for the next expert to take your case.

Thank you

[liam8481]

mbst-grab-results.zip

[Maurice Naggar]

Hello @liam8481 .  My name is Maurice. I will guide you.

• Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going
• Allow me a few minutes to review your reports.

[Maurice Naggar]

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1:  This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  There is a rogue scheduled task that is the source of the trouble. It will be removed.. It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt<- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

[liam8481]

hello ive attached tFixlog.txthe FIXLOG.txt file below

[Maurice Naggar]

The custom run result is excellent. I expect that the original problem has been squashed, 

As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.

If upon launching the Esetonlinescanner, there is a windows-message box displaying

A driver cannot load on this device. Driver ehdrv.sys

then, please, TICK the check-box

"Don't show this message again"

and then, click the Close button on that window-box. The ESET scan will proceed forward.

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
• Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
• and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

• At screen "Detections occurred and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review

[liam8481]

Fixlog.txtscanlog.txt

[liam8481]

woops i did not mean to put the fixlog there, the scan is complete and i put the result

[Maurice Naggar]

The ESET found a lot of P U P / P U A    potentially unwanted application Dlls and exe

One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.
The "Summary" at the end at "Review Results" is what matters.

[Maurice Naggar]

Hello. Kindly send status update. Sincerely.

[liam8481]

hello sir,

something happened in my personal life for me to not be able to reply and i still can’t for a few days 

 

my apologies 

[Maurice Naggar]

Please take care of yourself,that is the top priority. I am sorry to learn of the trouble.

[liam8481]

hello sir, thank you for your patientce 

the housecall scan is complete with no threats found with 6785MB of junk files detected

[Maurice Naggar]

Alright, we are done with TrendMicro Housecall.  Tell me, Today, was there a Block notice by Malwarebytes about IP Address: 194.26.135.180   ???

 

First some housekeeping, and then one Scan. 
Start Malwarebytes. Click Settings ( gear ) icon. Next, let us make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

• now Click the General tab.
• Under Application updates, click the Check for updates button.

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[liam8481]

hello, my free trial ran out not too long ago and i cant turn off Windows Security Center also in the free verison of malwarebytes real time protection is off so i wouldnt get a notification for the IP address i did a scan either way and a powershell trojan detection was found

 malwarebytes scan.txt

[Maurice Naggar]

I had you run scans with ESET Onlinescanner and with Trendmicro Housecall.

Malwarebytes detected and removed one file named PROFESSIONALSINGLELANGUAGE.DAT

Now a different scan with another security scanner. 

You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open.

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\liams\DESKTOP\KVRT.exe will now show in the run box.



add

-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\liams\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.



That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



Go slow & careful on this part.  In the new window select "Change Parameters"

 

• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive

• Then select "OK" and "Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else.. you

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20240202_203000.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply
• Have lots of patience, as this will most likely run for many hours.
• Also, be aware I am a volunteer here. I help here as personal time permits. I am not on all the time.

Edited February 1 by Maurice Naggar

[liam8481]

report_2024.02.07_00.37.43.txt

[Maurice Naggar]

Hello. Thank you for the report. The Kaspersky did not find an actual new threat. The item tagged was already offline, in the FRST Quarantine.
Tell me, How is the system doing at this point?

[AdvancedSetup]

Good day @liam8481

How is the computer running now? Are there still any signs of infection or other unresolved issues?

Please post a status update when you have a moment.

Thank you

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks