Powershell.exe Flagged Abnormal Behavior


Solved by AdvancedSetup

Hi all, first of all thank you for your assistance here. Norton AV recently flagged a $sxr-powershell.exe program. When I open up the Windows location folder, it just brings me to the (C:) Windows folder but nothing shows up even when view hidden folders is on. I ended up downloading Malwarebytes to double check, and then Malwarebytes started constantly flagging the same threat ($sxr-powershell.exe) that I've attached under the Malwarebytes Threats.txt file. It looks like it was flagged as a trojan, so I went ahead and ran a scan; the scan caught some items under registry keys, but the notification for the trojan $sxr-powershell.exe threat is still constantly popping up under Malwarebytes. I was wondering if anyone could recommend next steps to getting rid of this virus?


Malwarebytes Scan Results.txt Malwarebytes Threat.txt Norton Scan Report.txt


  • Root Admin

Hello @asuKW and :welcome:

Please go ahead and restart the computer and then run the following. If Norton attempts to block any of it, please temporarily disable the Norton real-time protection and when done re-enable it.

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes:

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans:

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
     RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool


 

Thank you

 


  • Root Admin

Please temporarily disable the Norton real-time protection and run the following

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner; please do so.

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

 


  • Root Admin

Dr. Web Cureit did not find any infections.

Let's go ahead and see what Microsoft finds.

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and the instructions for running the tool are at this Microsoft page:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and it will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you


I am not; I stopped getting the PowerShell outbound notifications after I ran a scan/fix with Malwarebytes and restarted my PC. In the logs afterwards it shows that it detected trojans under registry keys and quarantined them. I'm not sure if that's the extent of the virus.


  • Root Admin

Thank you for the log.

Please uninstall, update, or otherwise address the following as appropriate for your system.


Adobe Acrobat (64-bit) v.23.008.20421 Warning! Download Update | ^Please run Acrobat Reader DC and go Help - Check for updates...^
Adobe Creative Cloud v.6.0.0.571 Warning! Download Update
Discord v.1.0.9004 Warning! Download Update
Google Chrome v.120.0.6099.225 Warning! Download Update
HandBrake 1.3.3 v.1.3.3 Warning! Download Update
iTunes v.12.12.9.4 Warning! Download Update | ^Please use Apple Software Update tool.^
Java 8 Update 391 (64-bit) v.8.0.3910.13 Warning! Download Update | Uninstall old version and install new one (jre-8u401-windows-x64.exe).
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
Spotify v.1.2.24.756.g7a7fc7f0 Warning! Download Update
VLC media player v.3.0.19 Warning! Download Update
WinRAR 5.90 (64-bit) v.5.90.0 Warning! Download Update
Zoom v.5.13.3 (11494) Warning! Download Update


Please uninstall the following

---------------------------- [ UnwantedApps ] -----------------------------
Bonjour v.3.1.0.1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. This program is well known to cause networking issues on Windows
TWINKLE STAR SPRITES Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it

 

 


  • Root Admin

How are things going @asuKW

I have a FIX log I'd like you to run to clear up some issues found on the system to try to fix them.

Please temporarily turn off the Norton real-time protection as it will prevent the fix from running.

https://support.norton.com/sp/en/us/home/current/solutions/v116457581

 

 

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\Kenneth\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


I'll run this fix log tomorrow, I just finished updating all the programs and running another full scan. Nothing was detected or reported in the scans from Norton or Malwarebytes. Thank you again for your help!


  • Root Admin

Thank you for the log. The log found and fixed multiple items but it also found some unresolved issues.

Are you comfortable running REGEDIT and removing some entries on your own? @asuKW

 

In the following Registry key you appear to have 3 entries we need to remove.

 

Please run REGEDIT.EXE and browse to the following KEY

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Look for the following 3 values and remove all 3 of them.

$sxr-TAwESwNbfxywTXQdJiBZ4312
$sxr-TAwESwNbfxywTXQdJiBZ1234
$sxr-TAwESwNbfxywTXQdJiBZ4321

 

Let me know if you're able to do that and we'll move on from there.

 

 

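As an added example that is not part of the thread (not Malwarebytes' or the forum staff's tooling): the manual REGEDIT step above can be checked and repeated from PowerShell. The script below lists every value under the Environment key named in the post whose name begins with the `$sxr-` prefix shared by the three values listed, and deletes them only when run with -Remove. It assumes an elevated PowerShell session and that the file is saved as a .ps1; -WhatIf previews the deletion without changing anything.

```powershell
# Added example, not from the thread. Lists environment values under the key from the
# post whose names begin with '$sxr-' (the prefix shared by the three values listed),
# and removes them only when -Remove is given. Run as a saved .ps1 from an elevated
# PowerShell session; add -WhatIf to preview the removal.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$prefix = '$sxr-'   # single quotes so PowerShell does not expand $sxr as a variable

$regKey  = Get-Item -Path $key
$suspect = $regKey.GetValueNames() | Where-Object { $_.StartsWith($prefix) }

if (-not $suspect) {
    Write-Output "No values starting with '$prefix' found under $key"
    return
}

foreach ($name in $suspect) {
    # Record the name and its data before anything is changed, so it can be attached to the reply.
    $data = $regKey.GetValue($name)
    Write-Output ("Found: {0} = {1}" -f $name, $data)

    if ($Remove -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
        Remove-ItemProperty -Path $key -Name $name
    }
}
```

Run it once without switches to see what is present, attach that output, then run it with -Remove (or -Remove -WhatIf first) once the helper has confirmed the values should go.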

  • Root Admin

Yes, that's actually good. I asked the Research Team to add those entries the other day. @asuKW

Please go ahead and restart the computer one more time. Then run the Farbar scanner again and get me a new fresh set of logs.

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


  • Root Admin

Thank you for the logs.

Is this NIKKE program something you run from an external drive that is not always attached to the system? Are you aware of this program?

 

Application errors:
==================
Error: (02/05/2024 04:03:23 AM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file  for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program NIKKE because of this error.

Program: NIKKE
File:

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
    - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
    - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: C0000098
Disk type: 0

Error: (02/05/2024 04:03:23 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: nikke_launcher.exe, version: 0.0.6.363, time stamp: 0x65977690
Faulting module name: base.dll, version: 0.0.0.0, time stamp: 0x6597765a
Exception code: 0xc0000006
Fault offset: 0x00070339
Faulting process id: 0x3668
Faulting application start time: 0x01da581a4d6235f3
Faulting application path: H:\NIKKE\Launcher\nikke_launcher.exe
Faulting module path: H:\NIKKE\Launcher\base.dll
Report Id: c53b2c23-7910-428f-9e7d-b019e1d44ac4
Faulting package full name:
Faulting package-relative application ID:

 

 

System errors:
=============
Error: (02/05/2024 04:34:26 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Microsoft Defender Antivirus Service service terminated with the following error:
General access denied error

 

Please do the following and restart the computer.

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

image.png.ced4aa64af4718ab767f579cc39014

 

It is highly unlikely that you need to set up exclusions for Windows Defender; however, if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

Then run the following for me

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and the instructions for running the tool are at this Microsoft page:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and it will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

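As an added example that is not part of the thread (not Malwarebytes' or the forum staff's tooling): the Defender service termination quoted in the log above, and the Windows Security Center registration the post asks to turn off, can both be checked from PowerShell before and after the restart. The script below reports the Defender service state, pulls recent Service Control Manager 7023 events that mention Defender, and lists the antivirus products registered with Security Center. It assumes the Defender service name is WinDefend and uses a seven-day lookback chosen for this example.

```powershell
# Added example, not from the thread. Checks three things relevant to the post above:
# the Defender service state, recent Service Control Manager 7023 events mentioning
# Defender (the error quoted in the log), and which antivirus products are registered
# in Windows Security Center (the registration the Malwarebytes setting controls).
# Assumptions: the service name is WinDefend; the 7-day lookback is an arbitrary choice.
$since = (Get-Date).AddDays(-7)

# 1. Current state of the Defender service.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output ("WinDefend: {0}, start type {1}" -f $svc.Status, $svc.StartType)
} else {
    Write-Output 'WinDefend service not found'
}

# 2. Event 7023 is "The <service> service terminated with the following error".
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7023
    StartTime    = $since
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -like '*Defender*' } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# 3. Antivirus products registered with Windows Security Center. A product that
# registers here is what Windows treats as the active antivirus alongside Defender.
Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, productState, timestamp |
    Format-Table
```

Running it before the Malwarebytes setting change and again after the restart shows whether the 7023 events stop recurring and whether the Security Center registration list changed as expected.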

I recognize that program; it's on an external HDD which has a bad cable, which is probably why that popped up. Thank you for the patience here. I've been having issues with Windows Defender and have been trying to diagnose the issue. Windows Defender virus and threat protection always stops a few minutes after I start up the PC. I've tried the above fixes with Malwarebytes and added Windows Defender to the exclusions list, but it just doesn't seem to want to turn on. I hit restart and the service just says unexpected error. I've uninstalled the Norton AV program and it still shuts itself off. Logs from Microsoft Safety Scanner look clean; I imagine I might just have some deeper underlying issue with Windows Defender.

msert.log

