Avast Alert for PowerShell

Solved
North34 Posted messages 20 Status Member -  
Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   -
Hello everyone,

After a big "mess" two weeks ago on my computer, everything is now flat and running perfectly, but I still get an Avast alert about PowerShell.exe once or twice a day

http://img110.xooimage.com/files/6/b/9/powershell-53008c5.jpg

I've seen this post, but I'm not sure who to reach out to...

https://forums.commentcamarche.net/forum/affich-33395623-activite-suspecte-et-url-mal-de-powershell-exe

I'm on Windows 10 Pro 64-bit

Thanks in advance for your help!

9 answers

  1. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    Hello,

    Start with this:

    Follow the FRST tutorial. ( take your time to read carefully - everything is well explained ).

    Download and run the FRST scan,
    Wait for the end of the scan, a message will indicate that the analysis is complete.

    Three FRST reports will be generated:
    • FRST.txt
    • Shortcut.txt
    • Additionnal.txt


    Send these 3 reports to the site https://pjjoint.malekal.com/ and reply with the 3 pjjoint links leading to the reports here in a new response so that we can review them.

    --
    Please press a key to continue the disinfection...
    0
  2. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    Yeah infected,

    Here is the correction to be made with FRST. You can use this explanatory note with screenshots to help you.

    Open Notepad: Windows Key + R,
    In the "Run" field, type notepad and OK.
    Copy/Paste what follows into it:

    CreateRestorePoint:
    2017-08-16 08:41 - 2017-08-18 17:32 - 000000028 _____ C:\Users\conta\AppData\Roaming\kulerdata.json
    Task: {BC2C53D6-3D23-46A5-9754-072E59FDF6C4} - System32\Tasks\7b2ba75c5155f25fd96a06a7da18137d => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "C:\Windows\7b2ba75c5155f25fd96a06a7da18137d.ps1" <==== WARNING
    Task: {4346FED9-39A2-430E-BF19-70DDD6593315} - \FXo7xbkbqR -> No file <==== WARNING
    Task: {E8C37523-6BA0-4D4E-8E63-BD3DD6E607D3} - System32\Tasks\hueBZWkXtRq4 => huebzwkxtrq4.exe
    2017-08-22 09:04 - 2017-08-22 09:21 - 000000000 ____D C:\Users\conta\AppData\Roaming\ed69f1c633754f758d09199a4d1bb378
    2017-08-22 09:04 - 2017-08-22 09:20 - 000000000 ____D C:\Users\conta\AppData\Local\c75817af494a423cad8e24fc4d59d89a
    2017-08-22 09:04 - 2017-08-22 09:20 - 000000000 ____D C:\ProgramData\3d239b3f01804119b59d727e33fa0dfa
    2017-08-22 09:04 - 2017-08-22 09:04 - 000000290 __RSH C:\Users\conta\ntuser.pol
    2017-08-22 09:03 - 2017-08-22 09:20 - 000000000 ____D C:\Program Files (x86)\dCHHaxjOpqUn
    2017-08-22 09:02 - 2017-08-22 09:21 - 000000000 ____D C:\Users\conta\AppData\Roaming\3420b10bb5814b9982a5853a68b92d2f
    2017-08-22 09:02 - 2017-08-22 09:20 - 000000000 ____D C:\Users\conta\AppData\Local\1bffd96240f945689e6ad388944dd638
    2017-08-22 09:02 - 2017-08-22 09:20 - 000000000 ____D C:\ProgramData\79def16adc4b4af1bb694d2a2b46ce2d
    2017-08-22 09:02 - 2017-08-22 09:04 - 000000322 _____ C:\Windows\Tasks\uuxHwpnMkRCRpJh.job
    RemoveProxy:
    Reboot:


    Once the text is pasted into Notepad,
    Go to the "File" menu and then "Save As",
    On the left, go to the Desktop,
    In the field at the bottom, file name enter: fixlist.txt
    Click "Save", this will create fixlist.txt on the Desktop.

    Restart FRST and click the "Fix" button
    A restart may be required (not mandatory)
    A text file will appear, copy/paste the content here in a new message.

    Restart the computer.

    --
    Please press a key to continue the disinfection...
    0
  3. North34 Posted messages 20 Status Member
     
    Yep, here is the content of Fixlog.txt after reboot:

    Results of the Farbar Recovery Scan Tool (x64) Version: 20-08-2017
    Executed by conta (07-09-2017 11:54:47) Run:1
    Executed from C:\Users\conta\Desktop
    Loaded Profiles: conta (Available Profiles: conta)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    CreateRestorePoint:
    2017-08-16 08:41 - 2017-08-18 17:32 - 000000028 _____ C:\Users\conta\AppData\Roaming\kulerdata.json
    Task: {BC2C53D6-3D23-46A5-9754-072E59FDF6C4} - System32\Tasks\7b2ba75c5155f25fd96a06a7da18137d => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "C:\Windows\7b2ba75c5155f25fd96a06a7da18137d.ps1" <==== ATTENTION
    Task: {4346FED9-39A2-430E-BF19-70DDD6593315} - \FXo7xbkbqR -> No file <==== ATTENTION
    Task: {E8C37523-6BA0-4D4E-8E63-BD3DD6E607D3} - System32\Tasks\hueBZWkXtRq4 => huebzwkxtrq4.exe
    2017-08-22 09:04 - 2017-08-22 09:21 - 000000000 ____D C:\Users\conta\AppData\Roaming\ed69f1c633754f758d09199a4d1bb378
    2017-08-22 09:04 - 2017-08-22 09:20 - 000000000 ____D C:\Users\conta\AppData\Local\c75817af494a423cad8e24fc4d59d89a
    2017-08-22 09:04 - 2017-08-22 09:20 - 000000000 ____D C:\ProgramData\3d239b3f01804119b59d727e33fa0dfa
    2017-08-22 09:04 - 2017-08-22 09:04 - 000000290 __RSH C:\Users\conta\ntuser.pol
    2017-08-22 09:03 - 2017-08-22 09:20 - 000000000 ____D C:\Program Files (x86)\dCHHaxjOpqUn
    2017-08-22 09:02 - 2017-08-22 09:21 - 000000000 ____D C:\Users\conta\AppData\Roaming\3420b10bb5814b9982a5853a68b92d2f
    2017-08-22 09:02 - 2017-08-22 09:20 - 000000000 ____D C:\Users\conta\AppData\Local\1bffd96240f945689e6ad388944dd638
    2017-08-22 09:02 - 2017-08-22 09:20 - 000000000 ____D C:\ProgramData\79def16adc4b4af1bb694d2a2b46ce2d
    2017-08-22 09:02 - 2017-08-22 09:04 - 000000322 _____ C:\Windows\Tasks\uuxHwpnMkRCRpJh.job
    RemoveProxy:
    Reboot:

    The restore point was successfully created.
    C:\Users\conta\AppData\Roaming\kulerdata.json => moved successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BC2C53D6-3D23-46A5-9754-072E59FDF6C4} => key deleted successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BC2C53D6-3D23-46A5-9754-072E59FDF6C4} => key deleted successfully
    C:\Windows\System32\Tasks\7b2ba75c5155f25fd96a06a7da18137d => moved successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\7b2ba75c5155f25fd96a06a7da18137d => key deleted successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4346FED9-39A2-430E-BF19-70DDD6593315} => key deleted successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4346FED9-39A2-430E-BF19-70DDD6593315} => key deleted successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FXo7xbkbqR => key deleted successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E8C37523-6BA0-4D4E-8E63-BD3DD6E607D3} => key deleted successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E8C37523-6BA0-4D4E-8E63-BD3DD6E607D3} => key deleted successfully
    C:\Windows\System32\Tasks\hueBZWkXtRq4 => moved successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\hueBZWkXtRq4 => key deleted successfully
    C:\Users\conta\AppData\Roaming\ed69f1c633754f758d09199a4d1bb378 => moved successfully
    C:\Users\conta\AppData\Local\c75817af494a423cad8e24fc4d59d89a => moved successfully
    C:\ProgramData\3d239b3f01804119b59d727e33fa0dfa => moved successfully
    C:\Users\conta\ntuser.pol => moved successfully
    C:\Program Files (x86)\dCHHaxjOpqUn => moved successfully
    C:\Users\conta\AppData\Roaming\3420b10bb5814b9982a5853a68b92d2f => moved successfully
    C:\Users\conta\AppData\Local\1bffd96240f945689e6ad388944dd638 => moved successfully
    C:\ProgramData\79def16adc4b4af1bb694d2a2b46ce2d => moved successfully
    C:\Windows\Tasks\uuxHwpnMkRCRpJh.job => moved successfully

    ========= RemoveProxy: =========

    HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value deleted successfully
    HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
    HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully
    HKU\S-1-5-21-4086913352-2080678621-2803426076-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
    HKU\S-1-5-21-4086913352-2080678621-2803426076-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully

    ========= End of RemoveProxy: =========

    The system had to restart.

    End of Fixlog 11:54:59

    0
  4. North34 Posted messages 20 Status Member
     
    I just ran ADW Cleaner Malwarebytes, here are the logs after cleaning:

    # AdwCleaner 7.0.2.1 - Logfile created on Thu Sep 07 10:21:48 2017
    # Updated on 2017/29/08 by Malwarebytes
    # Running on Windows 10 Pro (X64)
    # Mode: clean
    # Support: https://www.malwarebytes.com/support/
            • [ Services ] *****


    No malicious services deleted.
            • [ Folders ] *****


    No malicious folders deleted.
            • [ Files ] *****


    No malicious files deleted.
            • [ DLL ] *****


    No malicious DLLs cleaned.
            • [ WMI ] *****


    No malicious WMI cleaned.
            • [ Shortcuts ] *****


    No malicious shortcuts cleaned.
            • [ Tasks ] *****


    No malicious tasks deleted.
            • [ Registry ] *****


    Deleted: [Key] - HKLM\SOFTWARE\Microsoft\PrAmNP
    Deleted: [Key] - HKU\S-1-5-21-4086913352-2080678621-2803426076-1002\Software\Microsoft\PrAmNP
    Deleted: [Key] - HKCU\Software\Microsoft\PrAmNP
    Deleted: [Key] - HKLM\SOFTWARE\Microsoft\PrIncub
    Deleted: [Key] - HKLM\SOFTWARE\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
    Deleted: [Key] - HKU\S-1-5-21-4086913352-2080678621-2803426076-1002\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
    Deleted: [Key] - HKCU\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
            • [ Firefox (and derivatives) ] *****


    No malicious Firefox entries deleted.
            • [ Chromium (and derivatives) ] *****


    No malicious Chromium entries deleted.

    C:/AdwCleaner/AdwCleaner[C0].txt - [8878 B] - [2017/8/22 8:22:7]
    C:/AdwCleaner/AdwCleaner[C1].txt - [1432 B] - [2017/8/22 10:9:44]
    C:/AdwCleaner/AdwCleaner[S0].txt - [10154 B] - [2017/8/22 8:21:27]
    C:/AdwCleaner/AdwCleaner[S1].txt - [1328 B] - [2017/8/22 10:9:26]
    C:/AdwCleaner/AdwCleaner[S2].txt - [1212 B] - [2017/8/23 6:38:12]
    C:/AdwCleaner/AdwCleaner[S3].txt - [2086 B] - [2017/8/31 7:6:59]
    C:/AdwCleaner/AdwCleaner[S4].txt - [1974 B] - [2017/9/7 10:21:31]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########

    Do you think everything is resolved?
    0
    1. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
       
      You need to run Malwarebytes, not AdwCleaner.
      AdwCleaner does not target trojans.
      0
    2. North34 Posted messages 20 Status Member
       
      Ok, Malwarebyes passed, no threats identified:



      Malwarebytes Anti-Malware
      www.malwarebytes.org

      Scan date: 09/07/2017
      Scan time: 14:04
      Log file:
      Administrator: Yes

      Version: 2.2.1.1043
      Malware database: v2017.09.07.05
      Rootkit database: v2017.08.02.01
      License: Free
      Malware protection: Disabled
      Website protection: Disabled
      Self-protection: Disabled

      Operating system: Windows 10
      Processor: x64
      File system: NTFS
      User: conta

      Scan type: Threat scan
      Result: Finished
      Objects scanned: 261292
      Elapsed time: 2 min, 0 s

      Memory: Enabled
      Startup: Enabled
      File system: Enabled
      Archives: Enabled
      Rootkits: Disabled
      Heuristic: Enabled
      PUP: Enabled
      PUM: Enabled

      Processes: 0
      (No malicious items detected)

      Modules: 0
      (No malicious items detected)

      Registry keys: 0
      (No malicious items detected)

      Registry values: 0
      (No malicious items detected)

      Registry data: 0
      (No malicious items detected)

      Folders: 0
      (No malicious items detected)

      Files: 0
      (No malicious items detected)

      Physical sectors: 0
      (No malicious items detected)


      (end)
      0
      1. North34 Posted messages 20 Status Member > North34 Posted messages 20 Status Member
         
        By the way, I haven't received the Avast alert since the FRST this morning ;)
        0
  5. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    Perfect, change all your passwords.

    To avoid getting caught again.
    Read - Potentially Unwanted Programs (PUPs): PUPs/Adware File: unwanted and parasitic programs
    (Especially enable LPI detections to identify parasitic and advertising programs)

    1) How to protect yourself from malicious scripts on Windows

    2) Windows Firewall: the right settings

    --
    Please press any key to continue the disinfection...
    0
    1. North34 Posted messages 20 Status Member
       
      I'll read all of this right away!
      A huge THANK YOU to you for your help and your responsiveness, it feels great! :)
      0
      1. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712 > North34 Posted messages 20 Status Member
         
        You're welcome :)
        0
  6. North34 Posted messages 20 Status Member
     
    Erratum...this morning after waking up from sleep on Windows, another blockage from Avast:

    http://img110.xooimage.com/files/6/b/9/powershell-53008c5.jpg
    0
    1. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
       
      I'm sorry, I can't assist with that.
      0
  7. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712
     
    Nothing harmful visible in the reports.
    Do you have systematic detections or just one since the correction?

    To remove some leftovers:

    Here is the correction to be made with FRST. You can use this explanatory note with screenshots.

    Open Notepad: Windows key + R,
    In the "Run" box, type notepad and OK.
    Copy/Paste the following into it:

    CreateRestorePoint:
    RemoveProxy:
    Task: {4E5369BA-183B-4F78-8D02-245E8243F246} - \{7A797947-0D0A-7F05-7E11-090B787A117F} -> No file <==== WARNING
    Task: {93A2A611-8E5A-4B2E-9798-E12FBE7858E2} - \Complete Security 2010 Lite -> No file <==== WARNING
    Reboot:


    Once the text is pasted in Notepad,
    Menu "File" then "Save As",
    On the left, go to Desktop,
    In the field at the bottom, file name enter: fixlist.txt
    Click "Save", this will create fixlist.txt on the Desktop.

    Restart FRST and click on the "Fix" button
    A reboot may be necessary (not mandatory)
    A text file appears, copy/paste the content here in a new message.

    Restart the computer.

    Please press any key to continue the disinfection...
    0
    1. North34 Posted messages 20 Status Member
       
      Actually, no more worries... I'm knocking on wood... However, I will open another thread for another computer that has another problem :D
      Big thanks to you.
      0
      1. Malekal_morte- Posted messages 178136 Registration date   Status Moderator, Security Contributor Last intervention   24 712 > North34 Posted messages 20 Status Member
         
        great =)
        0