
Blocked outbound powershell connections.



Hello!

At irregular intervals, Malwarebytes blocks outbound PowerShell connections in category 'Riskware' going to 'imonews.net', with the IP address 172.67.190.202 on port 443.
It also blocks outbound PowerShell connections in category 'Riskware' going to the IP address 135.181.231.130 on port 80.

This has been going on for a few months now, but neither Malwarebytes nor Symantec Endpoint Protection (14.3 RU9) find anything when doing a full scan of the computer. Both apps are updated to the latest version.

At one time, Symantec Endpoint Protection also terminated a PowerShell process with the risk name 'CL.Downloader!gen96'.

I'm on a Windows 11 23H2 PC, and I've tried to disable PowerShell as outlined here: https://www.thewindowsclub.com/how-to-disable-powershell-windows-10, but it did not fix the problem. FYI, I've enabled PowerShell in the OS again.

Can someone please help me look into and hopefully solve this?

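Before the scan-and-log steps the helpers ask for, a defender usually wants to know which PowerShell process, which parent and which persistence entry sit behind a repeatedly blocked outbound connection. The triage script below is an added example and is not part of this thread, of the helper's instructions, or of any Malwarebytes tool. It uses the two addresses quoted in the post, relies only on built-in Windows cmdlets (Get-CimInstance, Get-NetTCPConnection, Get-ScheduledTask, Get-ItemProperty, Get-WinEvent), and assumes it is run from an elevated PowerShell; the output path $LogPath is an assumed location.

```powershell
# Added triage example (not from the thread): list what launches powershell.exe on
# this host and whether any live connection or logged script matches the addresses
# reported in the post. Run in an elevated PowerShell on the affected machine.
$SuspectAddresses = @('172.67.190.202', '135.181.231.130')   # addresses quoted in the post
$LogPath = "$env:USERPROFILE\Desktop\ps-triage.txt"           # assumed output location

$report = [System.Collections.Generic.List[string]]::new()

# 1. Running PowerShell hosts with their full command line and parent process.
$procs = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'"
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $report.Add("[process] pid=$($p.ProcessId) parent=$($parent.Name) ($($p.ParentProcessId)) cmd=$($p.CommandLine)")
}

# 2. Current TCP connections to the reported addresses, mapped to the owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $SuspectAddresses -contains $_.RemoteAddress } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $report.Add("[connection] $($_.RemoteAddress):$($_.RemotePort) state=$($_.State) owner=$($owner.ProcessName) pid=$($_.OwningProcess)")
    }

# 3. Persistence that starts PowerShell: scheduled task actions and Run/RunOnce keys.
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'powershell|pwsh') {
            $report.Add("[task] $($_.TaskPath)$($_.TaskName) -> $($a.Execute) $($a.Arguments)")
        }
    }
}

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        # Flag entries that launch PowerShell or pass an encoded command.
        if ("$($prop.Value)" -match 'powershell|pwsh|-enc|-encodedcommand') {
            $report.Add("[run] $key\$($prop.Name) = $($prop.Value)")
        }
    }
}

# 4. Script block logging (event 4104), if enabled, records the code that actually ran.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $text = $e.Message
    if ($text -match 'imonews\.net|172\.67\.190\.202|135\.181\.231\.130|DownloadString|FromBase64String') {
        $snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
        $report.Add("[4104] $($e.TimeCreated) $snippet")
    }
}

# Print the findings and keep a copy for the support thread.
$report | Tee-Object -FilePath $LogPath
```

A `[task]` or `[run]` line pointing at a script in a user-writable folder, or a `[4104]` line containing a download or Base64 decode step, is what to attach to the thread; it tells the helper where the recurring launch comes from, which a full on-demand scan of files alone may not reveal.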

Hello @Olav and :welcome:

 

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes. Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans. Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes
       RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply


 

Thank you

 

Edited by AdvancedSetup
Corrected font issue

Hello, and thank you for your answers!

Yes, I'm definitely still here, I just got caught up in some other urgent paperwork that needed to be finished, and I'm so sorry for the late reply.

Let me get started on the procedure, and I'll be right back with the answers to the instructions.

Thank you!


  • Root Admin

The logs indicate this computer is being used to download and run pirated software.

In order to best assist you, please uninstall or otherwise remove all cracked, pirated software.

Piracy Guidelines
Malwarebytes does not condone nor support piracy in any shape or form. Any discussion topics that ask for help with pirating software, circumventing copy protection, or any other illegal activities related to copyrighted content in any form will be closed and locked. If you feel this is ever done in error, please report the post or PM an Administrator.

As a reminder, using pirated software or utilities that allow one to pirate software (e.g. cracks, key generators, registration/license removal, redirection, or workaround utilities, etc.) is not a safe practice and can lead to malware infection, ransomware attack, or even legal action. Because of these risks, we always recommend that you remove any pirated software or pirating utilities before asking for support on our forums in order to improve our ability to best support you and to help protect yourself and your data from malware or other piracy-related consequences.

https://forums.malwarebytes.com/terms/

 

Then restart the computer and get me the following new, fresh logs.

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Thank you


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
