asuKW, Posted January 26, ID:1613842

Hi all, first of all thank you for your assistance here. Norton AV recently flagged a $sxr-powershell.exe program. When I open up the Windows location folder, it just brings me to the (C:) Windows folder but nothing shows up even when "view hidden folders" is on. I ended up downloading Malwarebytes to double check and then Malwarebytes started constantly flagging the same threat ($sxr-powershell.exe) that I've attached under the Malwarebytes Threats.txt file. It looks like it was flagged as a trojan so I went ahead and ran a scan; the scan caught some items under registry keys but the notification for the trojan $sxr-powershell.exe threat is still constantly popping up under Malwarebytes. Was wondering if anyone could recommend next steps to getting rid of this virus?

Attachments: Malwarebytes Scan Results.txt, Malwarebytes Threat.txt, Norton Scan Report.txt
AdvancedSetup (Root Admin), Posted January 26, ID:1613845

Hello @asuKW

Please go ahead and restart the computer and then run the following. If Norton attempts to block any of it, please temporarily disable the Norton real-time protection and when done re-enable it.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process. Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

Please make the following system changes:
- If you have not done so already, enable System Protection and create a NEW System Restore Point.
- Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download the software below, only if needed. Make sure to turn it back on once the downloads are completed.
- Disable-Fast-Startup
- Show-Hidden-Folders-Files-Extensions

Please run the following scans:
- Click the following link and run a Scan with AdwCleaner
- Click the following link and run a Scan with Malwarebytes
- RESTART the computer
- Click the following link and run a Scan with Farbar Recovery Scan Tool

Thank you
asuKW (Author), Posted January 26, ID:1613917

Thank you for your quick response! Attached are the files for AdwCleaner, Malwarebytes and Farbar Recovery Scan Tool. I did want to note that the $sxr-powershell pop-up from Malwarebytes has stopped after I restarted my PC.

Attachments: AdwCleaner[C00].txt, Malwarebytes Scan Report.txt, FRST.txt, Addition.txt
AdvancedSetup (Root Admin), Posted January 26, ID:1613925

Please temporarily disable the Norton real-time protection and run the following.

Dr.Web CureIt!
1. Please download the Dr.Web CureIt! anti-virus utility: https://free.drweb.com/
2. You will need to send them an email to obtain a link to download the scanner; please do so.
3. The downloaded file will normally have a unique name such as: q7a9tr4p.exe
4. Close all open applications and locate the downloaded file and double-click to run it.
5. The program will take a moment to launch and bring up the License and Update screen.
6. Place a check mark to agree to the terms and then click on the Continue button.
7. Click the underlined link Select objects for scanning.
8. On the top left click the Scanning objects, which should automatically check all objects.
9. Click the small wrench and make sure there is a check on Automatically apply actions to threats.
10. Then click the large button on the bottom right, Start scanning.
11. Once the scan has completed there will be a link named Open report; click that and a log named cureit.log should open in Notepad.
12. The log is saved in the folder named Doctor Web at the top of your user profile folders.

Please attach that log on your next reply.
asuKW (Author), Posted January 26, ID:1613929

Temporarily disabled Norton and ran the Dr.Web AV program. Attached is the log.

Attachment: cureit.log
AdvancedSetup (Root Admin), Posted January 26, ID:1614056

Dr.Web CureIt did not find any infections. Let's go ahead and see what Microsoft finds.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

[ 1 ] Please make the following system changes.
- Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
- Temporarily disable Microsoft SmartScreen to download the software below, only if needed. Make sure to turn it back on once the scans are completed.
- Disable-Fast-Startup
- Show-Hidden-Folders-Files-Extensions

[ 2 ] I suggest a new scan for viruses and other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system. The download links and the how-to-run-the-tool instructions are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on the Scan Options and select the FULL scan. Then start the scan. Have lots of patience. It may take several hours. Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run. The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not. Then it writes into the log on your computer what it found.

Thank you
asuKW (Author), Posted January 27, ID:1614092

Attached is the msert.log from the Microsoft Safety Scan.

Attachment: msert.log
AdvancedSetup (Root Admin), Posted January 27, ID:1614095

No real infection found. Are you still getting an alert?
asuKW (Author), Posted January 27, ID:1614099

I am not. I stopped getting the PowerShell outbound notifications after I ran a scan/fix with Malwarebytes and restarted my PC. In the logs after, it shows that it detected Trojans under registry keys and quarantined them. I'm not sure if that's the extent of the virus.
AdvancedSetup (Root Admin), Posted January 27, ID:1614111

Great, glad to hear. Let me have you run the following, please.

Scan with SecurityCheck by glax24
asuKW (Author), Posted January 27, ID:1614126

Here is the scan from SecurityCheck. Is there a possibility the PowerShell trojan may have gone dormant? Is that still possible to detect?

Attachment: SecurityCheck.txt
AdvancedSetup (Root Admin), Posted January 29, ID:1614551

Thank you for the log. Please uninstall, update, or otherwise address the following as appropriate for your system.

- Adobe Acrobat (64-bit) v.23.008.20421 Warning! Download Update | ^Please run Acrobat Reader DC and go Help - Check for updates...^
- Adobe Creative Cloud v.6.0.0.571 Warning! Download Update
- Discord v.1.0.9004 Warning! Download Update
- Google Chrome v.120.0.6099.225 Warning! Download Update
- HandBrake 1.3.3 v.1.3.3 Warning! Download Update
- iTunes v.12.12.9.4 Warning! Download Update | ^Please use Apple Software Update tool.^
- Java 8 Update 391 (64-bit) v.8.0.3910.13 Warning! Download Update | Uninstall old version and install new one (jre-8u401-windows-x64.exe).
- Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
- Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
- Spotify v.1.2.24.756.g7a7fc7f0 Warning! Download Update
- VLC media player v.3.0.19 Warning! Download Update
- WinRAR 5.90 (64-bit) v.5.90.0 Warning! Download Update
- Zoom v.5.13.3 (11494) Warning! Download Update

Please uninstall the following

---------------------------- [ UnwantedApps ] -----------------------------
- Bonjour v.3.1.0.1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. This program is well known to cause networking issues on Windows.
- TWINKLE STAR SPRITES Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it.
AdvancedSetup (Root Admin), Posted January 29, ID:1614569

Once you're all done, please RESTART the computer. Then check for Windows Updates and install any security updates found. Then scan with Norton again and let me know if you're still seeing any issues.
asuKW (Author), Posted January 30, ID:1614707

Sorry, I have been busy but I am still slowly working through the updates! I will come back to this in another day or two at most!
AdvancedSetup (Root Admin), Posted January 31, ID:1614954

Hello @asuKW

Once all has been completed, please restart the computer one more time. Then open Norton and check for updates. Then do a FULL system scan and let me know if it's still finding any issues or not.

Thank you
AdvancedSetup (Root Admin), Posted January 31, ID:1615106

How are things going @asuKW

I have a FIX log I'd like you to run to clear up some issues found on the system to try to fix them.

Please temporarily turn off the Norton real-time protection as it will prevent the fix from running.
https://support.norton.com/sp/en/us/home/current/solutions/v116457581

Please run the following fix

NOTE: Please read all of the information below before running this fix.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply.

Farbar program: FRSTEnglish.exe
Save the attached file FIXLIST.TXT to this folder: C:\Users\Kenneth\Downloads\

NOTE: It's important that both files, FRSTEnglish.exe and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

Run the Farbar program with Admin rights and press the Fix button just once and wait. The fix may possibly take up to 60 minutes to complete. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.

NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.

NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save, please export or save them first before running this fix.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Discord cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine.

If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks
asuKW (Author), Posted February 1, ID:1615262

I'll run this fix log tomorrow; I just finished updating all the programs and running another full scan. Nothing was detected or reported in the scans from Norton or Malwarebytes. Thank you again for your help!
AdvancedSetup (Root Admin), Posted February 1, ID:1615348

Great, thank you for the update @asuKW
asuKW (Author), Posted February 2, ID:1615427

Thank you for bearing with me through this process! Attached is the fixlog.

Attachment: Fixlog.txt
AdvancedSetup (Root Admin), Posted February 2, ID:1615460

Thank you for the log. The log found and fixed multiple items but it also found some unresolved issues.

Are you comfortable running REGEDIT and removing some entries on your own? @asuKW

In the following Registry key you appear to have 3 entries we need to remove.

Please run REGEDIT.EXE and browse to the following KEY:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Look for the following 3 values and remove all 3 of them.
$sxr-TAwESwNbfxywTXQdJiBZ4312
$sxr-TAwESwNbfxywTXQdJiBZ1234
$sxr-TAwESwNbfxywTXQdJiBZ4321

Let me know if you're able to do that and we'll move on from there.
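The manual REGEDIT step above can be done from an elevated PowerShell prompt in a way that first reports what is actually present and only then removes the three named values. This is an added example, not part of the thread or of any Malwarebytes tool; the key path and the three value names are the ones quoted in the post above, everything else is the example's own. One caveat worth knowing when dealing with names that begin with "$sxr-": in double-quoted PowerShell strings "$sxr" would be treated as a variable reference, so the names are kept in single quotes throughout.

```powershell
# Added example (not from the thread): inspect and remove the $sxr-* values
# named above. Run from an elevated PowerShell session; writing under HKLM
# requires administrator rights.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# Single quotes keep '$sxr' literal; in double quotes it would be expanded.
$names = @(
    '$sxr-TAwESwNbfxywTXQdJiBZ4312',
    '$sxr-TAwESwNbfxywTXQdJiBZ1234',
    '$sxr-TAwESwNbfxywTXQdJiBZ4321'
)

# Step 1: report, so nothing is removed blind.
$props   = Get-ItemProperty -Path $key
$present = @($props.PSObject.Properties.Name | Where-Object { $_ -in $names })

foreach ($n in $names) {
    if ($n -in $present) {
        Write-Host "PRESENT: $n = $($props.$n)"
    } else {
        Write-Host "absent : $n"
    }
}

# Any other value sharing the same prefix is reported but NOT removed here,
# because the post only names the three values above.
$props.PSObject.Properties |
    Where-Object { $_.Name -like '$sxr-*' -and $_.Name -notin $names } |
    ForEach-Object { Write-Host "UNLISTED value with the same prefix: $($_.Name)" }

# Step 2: remove only the three named values. -WhatIf previews the change;
# remove it once the report above matches what you expect to see.
foreach ($n in $present) {
    Remove-ItemProperty -Path $key -Name $n -WhatIf
}
```

Environment values under this key are loaded into every new process on the machine, which is why a stray value here is worth tracking down rather than ignoring. After removing them, restarting and re-running the scans already requested in this thread is the natural check that they do not come back.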
asuKW (Author), Posted February 4, ID:1615706

I have deleted the 3 registries. The Malwarebytes AV did a scan today and it flagged 3 malicious files again relating to PowerShell. Attached the report below.

Attachment: 2.4.24 AV report.txt
AdvancedSetup (Root Admin), Posted February 5, ID:1615773

Yes, that's actually good. I asked the Research Team to add those entries the other day. @asuKW

Please go ahead and restart the computer one more time. Then run the Farbar scanner again and get me a new fresh set of logs.

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/
asuKW (Author), Posted February 6, ID:1615928

Gotcha, ran the scan again, here are the logs!

Attachments: FRST.txt, Addition.txt
AdvancedSetup (Root Admin), Posted February 6, ID:1616029

Thank you for the logs.

Is this NIKKE program something you run from an external drive that is not always attached to the system? Are you aware of this program?

Application errors:
==================
Error: (02/05/2024 04:03:23 AM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program NIKKE because of this error.

Program: NIKKE
File:
The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
- It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
- It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: C0000098
Disk type: 0

Error: (02/05/2024 04:03:23 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: nikke_launcher.exe, version: 0.0.6.363, time stamp: 0x65977690
Faulting module name: base.dll, version: 0.0.0.0, time stamp: 0x6597765a
Exception code: 0xc0000006
Fault offset: 0x00070339
Faulting process id: 0x3668
Faulting application start time: 0x01da581a4d6235f3
Faulting application path: H:\NIKKE\Launcher\nikke_launcher.exe
Faulting module path: H:\NIKKE\Launcher\base.dll
Report Id: c53b2c23-7910-428f-9e7d-b019e1d44ac4
Faulting package full name:
Faulting package-relative application ID:

System errors:
=============
Error: (02/05/2024 04:34:26 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Microsoft Defender Antivirus Service service terminated with the following error:
General access denied error

Please do the following and restart the computer.

Please make the following change in Malwarebytes if you're using the Premium or Trial version. Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab. Then turn off "Always register Malwarebytes in the Windows Security Center". Restart the computer.

It is highly unlikely that you need to set up exclusions for Windows Defender; however, if you experience any issues, please see the following article and set up exclusions between Malwarebytes and Windows Defender.

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

Then run the following for me.

I suggest a new scan for viruses and other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system. The download links and the how-to-run-the-tool instructions are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on the Scan Options and select the FULL scan. Then start the scan. Have lots of patience. It may take several hours. Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run. The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not. Then it writes into the log on your computer what it found.

Thank you
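The post above points at a Defender service that is being terminated (Service Control Manager EventID 7023) and at Malwarebytes registering itself in the Windows Security Center, which can leave Defender passive. The read-only script below gathers those facts from the machine itself so the state of Defender can be confirmed rather than guessed. It is an added example, not part of the thread or of any vendor tool; the event ID and the service name come from the log quoted above, the cmdlets are the built-in Defender and event-log cmdlets, and the SecurityCenter2 WMI namespace is assumed to be available on a consumer Windows install.

```powershell
# Added example (not from the thread): collect the facts behind a Defender
# service that keeps stopping. Read-only; run from an elevated PowerShell session.

# 1. Service state and start type of the Defender service (WinDefend).
Write-Host '--- WinDefend service ---'
Get-Service -Name WinDefend | Select-Object Name, Status, StartType

# 2. Whether Defender itself reports real-time protection as on.
#    Get-MpComputerStatus is part of the built-in Defender module.
Write-Host '--- Defender status ---'
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, AMRunningMode

# 3. Recent "service terminated with the following error" events (EventID 7023)
#    from the Service Control Manager, filtered to the Defender service. This is
#    the same event type quoted in the post above.
Write-Host '--- SCM 7023 events mentioning Defender ---'
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7023 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Defender*' } |
    Select-Object TimeCreated, Message

# 4. Products registered with Windows Security Center. Defender backs off when a
#    third-party product is registered as the active antivirus, which is the
#    reason behind the "Always register Malwarebytes in the Windows Security
#    Center" setting mentioned above. (Namespace assumed present; absent on
#    Windows Server.)
Write-Host '--- Security Center registrations ---'
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState, timestamp
```

Reading the output together is the point: if section 4 still lists a third-party product as registered after the Malwarebytes setting has been turned off and the machine restarted, the registration did not take; if section 4 is clean but sections 1 and 3 still show WinDefend stopping with an access-denied error, the problem is with the service itself rather than with a competing product, which matches what the later reply in this thread describes.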
asuKW (Author), Posted February 9, ID:1616526

I recognize that program; it's on an external HDD which has a bad cable, which is probably why that popped up. Thank you for the patience here. I've been having issues with Windows Defender and been trying to diagnose the issue. Windows Defender virus and threat protection always stops a few minutes after I start up the PC. I've tried the above fixes with Malwarebytes and added Windows Defender to the exclusions list but it just doesn't seem to want to turn on. I hit restart and the service just says unexpected error. I've uninstalled the Norton AV program and it still shuts itself off. Logs from Microsoft Safety Scanner look clean; I imagine I might just have some deeper underlying issue with Windows Defender.

Attachment: msert.log