Please HELP ME remove Malware from my computer trying to use powershell


Solved by AdvancedSetup

Hello!

Firstly, I want to say that Malwarebytes has been keeping my computer squeaky-clean from threats! Anywho,

I am currently having trouble finding out what is causing my computer to try downloading from powershell.exe (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).

If one wishes to see the advanced report on this detection from Malwarebytes, here it is!

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/25/2024
Protection Event Time: 4:45 PM
Log File: 0f24d2ae-7b7f-11ef-9eb7-04c05ba19c79.json

-Software Information-
Version: 5.1.10.127
Components Version: 1.0.5021
Update Package Version: 1.0.89687
License: Trial

-System Information-
OS: Windows 11 (Build 22631.4169)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Blocked, -1, -1, 0.0.0, 9D8E30DAF21108092D5980C931876B7E, 3247BCFD60F6DD25F34CB74B5889AB10EF1B3EC72B4D4B3D95B5B25B534560B8

-Website Data-
Category: Trojan
Domain: 
IP Address: 154.29.72.62
Port: 7000
Type: Outbound
File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

(end)


  • Root Admin

Hello @Jinx11111  and :welcome:

 

 

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then follow each step in the order provided. Unless otherwise asked, please attach all logs.

 

Please make the following system changes. Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first, only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download the software below, only if needed. Make sure to turn it back on once the downloads are completed.
  • Disable Fast Startup
  • Show Hidden Folders, Files and Extensions

Please run the following scans. Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner
  2. Click the following link and run a Scan with Malwarebytes, then RESTART the computer
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool

Example image of where to click to attach files when posting your reply.

 

Thank you

 


  • Root Admin
  • Solution

Thank you for the logs @Jinx11111

 

Please run the following fix.

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply.

Farbar program: FRSTEnglish.exe

Save the attached file FIXLIST.TXT to this folder: C:\Users\aryen\Downloads\

NOTE: It's important that both files, FRSTEnglish.exe and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


  • Root Admin

We are not done. We need to do some final checks to ensure things are clean.

Please post back the FIXLOG.TXT file @Jinx11111

 

Then run the following scans and get me NEW, fresh logs.

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

Thank you

 

 

 

 


  • Root Admin

Thank you for the logs. @Jinx11111

Please follow the steps below

[ 1 ]

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

 

[ 2 ]

Please save the attached FIXLIST.TXT file as before, to the following folder, where the Farbar program should also be saved.

C:\Users\aryen\OneDrive\Desktop\gyatt\

Then run the Farbar program with Admin rights. It will zip up some files and make a zip file on your Desktop containing the quarantine and the batch file that caused the issue, if it's still there.

fixlist.txt

The zip file will have the Date_Time.zip naming convention. Please attach that file on your next reply.

 

[ 3 ]

Please Uninstall, Update, or otherwise address the following as appropriate for your computer.

 

  1. 7-Zip 22.01 v.22.01 Warning! Download Update | Uninstall old version and install new one.
  2. Adobe Creative Cloud v.6.2.0.554 Warning! Download Update
  3. Google Drive v.1.0 Warning! Download Update
  4. Microsoft OneDrive v.24.132.0701.0002 Warning! Download Update
  5. Node.js v.18.20.4 Warning! Download Update
  6. qBittorrent v.4.6.5 Warning! Download Update


Please uninstall the following:

---------------------------- [ UnwantedApps ] -----------------------------
Razer Cortex v.10.15.5.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer.


Then RESTART the computer and check for Windows Updates and install any found.

 

[ 4 ]

The FSS log indicates you may be missing a Windows update that could be causing this. Please make sure you check for updates from Windows more than once and get all updates installed.

 

MDCoreSvc Service is not running. Checking service configuration:
Checking Start type of MDCoreSvc: ATTENTION!=====> Unable to open MDCoreSvc registry key. The service key does not exist.

 

 

 

 

 


3 hours ago, Jinx11111 said:

Also, some cmd and terminal windows keep popping up quickly once my computer starts up.

I was able to disable the cmds. Also, there is a PowerShell that keeps running, trying to start and hide C:\WINDOWS\$rbx-onmai2\$rbx-CO2.bat.

I have also tried checking for updates for the MDCoreSvc, but it says that I am up to date.

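A read-only triage script for the persistence pattern this thread describes (a hidden PowerShell launching a .bat from a $rbx-/$nya- folder under C:\Windows, as in the post above, plus the missing MDCoreSvc service key the FSS log reported and the outbound connection from powershell.exe in the opening alert). This is an added example, not code from the thread, Malwarebytes or Farbar; the regex, the folder filter and the Add-Finding helper are assumptions, and the script only reports, it removes nothing.

```powershell
# Added example (not code from the thread or from Malwarebytes/Farbar): a read-only
# hunt for the pattern the thread describes, i.e. a hidden PowerShell launching a .bat
# under a C:\Windows\$rbx-* or $nya-* folder, plus the MDCoreSvc service-key check
# that the FSS log flagged. Run in an elevated PowerShell; it reports and removes nothing.
$suspect  = '(\\\$(rbx|nya)-|-w(indowstyle)?\s+hidden|\.bat\b)'   # assumed pattern
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($source, $detail) {                          # helper, assumed
    $findings.Add([pscustomobject]@{ Source = $source; Detail = $detail })
}

# 1. Scheduled task actions that run something hidden or via a .bat
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match $suspect) { Add-Finding "Task $($task.TaskPath)$($task.TaskName)" $cmdline }
    }
}

# 2. Run/RunOnce autostart values for the machine and the current user
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            if ([string]$p.Value -match $suspect) { Add-Finding "$key\$($p.Name)" $p.Value }
        }
    }
}

# 3. Leftover staging folders of the kind named in the thread ($rbx-..., $nya-...)
Get-ChildItem -Path $env:windir -Directory -Force -Filter '$*-*' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Folder' $_.FullName }

# 4. Live outbound connections owned by a PowerShell process (the original alert
#    was powershell.exe talking to a remote host on port 7000)
$psPids = (Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue).Id
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $psPids -contains $_.OwningProcess } |
    ForEach-Object { Add-Finding "PowerShell PID $($_.OwningProcess)" "$($_.RemoteAddress):$($_.RemotePort)" }

# 5. MDCoreSvc service key, which the FSS log reported as missing
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MDCoreSvc'
Add-Finding 'MDCoreSvc key' $(if (Test-Path $svcKey) { 'present' } else { 'MISSING' })

$findings | Format-Table -AutoSize -Wrap
```

Any hit in sections 1 to 4 is a lead to hand to the helper alongside the FRST logs, not something to delete by hand; the .bat match will also list legitimate batch files, so read the full command line before judging it.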

  • Root Admin

How big is that zip file @Jinx11111?

Let me have you try the following. Then send me a Private Message with the link to the file.

Have WeTransfer send the Date_Time.zip file.

 

Upload File(s) to WeTransfer:

  • Visit WeTransfer.com
  • Click on I Agree
  • Click on Manage Cookies
  • Uncheck all the cookies and other Ad settings
  • Click the triple dots for more options
  • Select the Link option "Get transfer link", then click the Message and enter a message.
  • Click on +Add Files. Browse to the location of the file and double-click on it, or click once on it and select Open.
  • Click on Get a link to send the file and get the link to post back.
  • Once the transfer completes, click on Copy link.
  • Once you receive the Copied! message, please save it in Notepad so you can post the link into your next reply in a Private Message.

 

 

 


Just now, Jinx11111 said:

The Date_Time.zip file is a bit old; I have already deleted the $nya-onimai folder(s), disabled all $rbx and $nya cmds/shells with autoruns, and these logs are fresh.

If you wanted a new Date_Time.zip, I ran the fixlist with the Farbar Recovery Scan Tool.
Also, fixlog is attached if needed.

https://we.tl/t-NRgYPwWyu8

Fixlog.txt


  • Root Admin

Thank you for the logs @Jinx11111

Let's go ahead and do another FIXLIST cleanup with Farbar.

Please run the following fix.

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply.

Farbar program: FRSTEnglish.exe

Save the attached file FIXLIST.TXT to this folder: C:\Users\<user>\Downloads\

NOTE: It's important that both files, FRSTEnglish.exe and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete.

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


  • Root Admin

Please also run the following AFTER the new FIXLIST has been run.

 

Scan with Malwarebytes
https://forums.malwarebytes.com/topic/304827-scan-with-malwarebytes/


Scan with AdwCleaner
https://forums.malwarebytes.com/topic/304822-scan-with-adwcleaner/

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

 


  • Root Admin

Great, according to that log, the last time PowerShell ran unexpectedly was on 9/27/2024 12:42:53 PM.

There were no more unwanted tasks found either.

How is the computer running now?

Are there still any signs of infection or any other unresolved issues at this time @Jinx11111?

 
