Avast Alert for PowerShell
Solved
North34 (Member, 20 posts)
Malekal_morte- (Moderator, Security contributor, 178136 posts)
Hello everyone,
After a big "mess" two weeks ago on my computer, everything is now flat and running perfectly, but I still get an Avast alert about PowerShell.exe once or twice a day
http://img110.xooimage.com/files/6/b/9/powershell-53008c5.jpg
I've seen this post, but I'm not sure who to reach out to...
https://forums.commentcamarche.net/forum/affich-33395623-activite-suspecte-et-url-mal-de-powershell-exe
I'm on Windows 10 Pro 64-bit
Thanks in advance for your help!
9 replies
Hello,
Start with this:
Follow the FRST tutorial (take your time to read carefully; everything is well explained).
Download and run the FRST scan,
Wait for the end of the scan, a message will indicate that the analysis is complete.
Three FRST reports will be generated:
- FRST.txt
- Shortcut.txt
- Additionnal.txt
Send these 3 reports to the site https://pjjoint.malekal.com/ and reply with the 3 pjjoint links leading to the reports here in a new response so that we can review them.
--
Please press a key to continue the disinfection...
Thank you for your quick response, here are the links:
https://pjjoint.malekal.com/files.php?id=20170907_u8w9l15z5i11
https://pjjoint.malekal.com/files.php?id=FRST_20170907_x11k13s15c5o7
https://pjjoint.malekal.com/files.php?id=20170907_j5v12l12f7z14
Yeah infected,
Here is the correction to be made with FRST. You can use this explanatory note with screenshots to help you.
Open Notepad: Windows Key + R,
In the "Run" field, type notepad and OK.
Copy/Paste what follows into it:
CreateRestorePoint:
2017-08-16 08:41 - 2017-08-18 17:32 - 000000028 _____ C:\Users\conta\AppData\Roaming\kulerdata.json
Task: {BC2C53D6-3D23-46A5-9754-072E59FDF6C4} - System32\Tasks\7b2ba75c5155f25fd96a06a7da18137d => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "C:\Windows\7b2ba75c5155f25fd96a06a7da18137d.ps1" <==== ATTENTION
Task: {4346FED9-39A2-430E-BF19-70DDD6593315} - \FXo7xbkbqR -> No file <==== ATTENTION
Task: {E8C37523-6BA0-4D4E-8E63-BD3DD6E607D3} - System32\Tasks\hueBZWkXtRq4 => huebzwkxtrq4.exe
2017-08-22 09:04 - 2017-08-22 09:21 - 000000000 ____D C:\Users\conta\AppData\Roaming\ed69f1c633754f758d09199a4d1bb378
2017-08-22 09:04 - 2017-08-22 09:20 - 000000000 ____D C:\Users\conta\AppData\Local\c75817af494a423cad8e24fc4d59d89a
2017-08-22 09:04 - 2017-08-22 09:20 - 000000000 ____D C:\ProgramData\3d239b3f01804119b59d727e33fa0dfa
2017-08-22 09:04 - 2017-08-22 09:04 - 000000290 __RSH C:\Users\conta\ntuser.pol
2017-08-22 09:03 - 2017-08-22 09:20 - 000000000 ____D C:\Program Files (x86)\dCHHaxjOpqUn
2017-08-22 09:02 - 2017-08-22 09:21 - 000000000 ____D C:\Users\conta\AppData\Roaming\3420b10bb5814b9982a5853a68b92d2f
2017-08-22 09:02 - 2017-08-22 09:20 - 000000000 ____D C:\Users\conta\AppData\Local\1bffd96240f945689e6ad388944dd638
2017-08-22 09:02 - 2017-08-22 09:20 - 000000000 ____D C:\ProgramData\79def16adc4b4af1bb694d2a2b46ce2d
2017-08-22 09:02 - 2017-08-22 09:04 - 000000322 _____ C:\Windows\Tasks\uuxHwpnMkRCRpJh.job
RemoveProxy:
Reboot:
Once the text is pasted into Notepad,
Go to the "File" menu and then "Save As",
On the left, go to the Desktop,
In the field at the bottom, file name enter: fixlist.txt
Click "Save", this will create fixlist.txt on the Desktop.
Restart FRST and click the "Fix" button
A restart may be required (not mandatory)
A text file will appear, copy/paste the content here in a new message.
Restart the computer.
--
Please press a key to continue the disinfection...
Yep, here is the content of Fixlog.txt after reboot:
Results of the Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Executed by conta (07-09-2017 11:54:47) Run:1
Executed from C:\Users\conta\Desktop
Loaded Profiles: conta (Available Profiles: conta)
Boot Mode: Normal
==============================================
fixlist content:
CreateRestorePoint:
2017-08-16 08:41 - 2017-08-18 17:32 - 000000028 _____ C:\Users\conta\AppData\Roaming\kulerdata.json
Task: {BC2C53D6-3D23-46A5-9754-072E59FDF6C4} - System32\Tasks\7b2ba75c5155f25fd96a06a7da18137d => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File "C:\Windows\7b2ba75c5155f25fd96a06a7da18137d.ps1" <==== ATTENTION
Task: {4346FED9-39A2-430E-BF19-70DDD6593315} - \FXo7xbkbqR -> No file <==== ATTENTION
Task: {E8C37523-6BA0-4D4E-8E63-BD3DD6E607D3} - System32\Tasks\hueBZWkXtRq4 => huebzwkxtrq4.exe
2017-08-22 09:04 - 2017-08-22 09:21 - 000000000 ____D C:\Users\conta\AppData\Roaming\ed69f1c633754f758d09199a4d1bb378
2017-08-22 09:04 - 2017-08-22 09:20 - 000000000 ____D C:\Users\conta\AppData\Local\c75817af494a423cad8e24fc4d59d89a
2017-08-22 09:04 - 2017-08-22 09:20 - 000000000 ____D C:\ProgramData\3d239b3f01804119b59d727e33fa0dfa
2017-08-22 09:04 - 2017-08-22 09:04 - 000000290 __RSH C:\Users\conta\ntuser.pol
2017-08-22 09:03 - 2017-08-22 09:20 - 000000000 ____D C:\Program Files (x86)\dCHHaxjOpqUn
2017-08-22 09:02 - 2017-08-22 09:21 - 000000000 ____D C:\Users\conta\AppData\Roaming\3420b10bb5814b9982a5853a68b92d2f
2017-08-22 09:02 - 2017-08-22 09:20 - 000000000 ____D C:\Users\conta\AppData\Local\1bffd96240f945689e6ad388944dd638
2017-08-22 09:02 - 2017-08-22 09:20 - 000000000 ____D C:\ProgramData\79def16adc4b4af1bb694d2a2b46ce2d
2017-08-22 09:02 - 2017-08-22 09:04 - 000000322 _____ C:\Windows\Tasks\uuxHwpnMkRCRpJh.job
RemoveProxy:
Reboot:
The restore point was successfully created.
C:\Users\conta\AppData\Roaming\kulerdata.json => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BC2C53D6-3D23-46A5-9754-072E59FDF6C4} => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BC2C53D6-3D23-46A5-9754-072E59FDF6C4} => key deleted successfully
C:\Windows\System32\Tasks\7b2ba75c5155f25fd96a06a7da18137d => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\7b2ba75c5155f25fd96a06a7da18137d => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4346FED9-39A2-430E-BF19-70DDD6593315} => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4346FED9-39A2-430E-BF19-70DDD6593315} => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FXo7xbkbqR => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E8C37523-6BA0-4D4E-8E63-BD3DD6E607D3} => key deleted successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E8C37523-6BA0-4D4E-8E63-BD3DD6E607D3} => key deleted successfully
C:\Windows\System32\Tasks\hueBZWkXtRq4 => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\hueBZWkXtRq4 => key deleted successfully
C:\Users\conta\AppData\Roaming\ed69f1c633754f758d09199a4d1bb378 => moved successfully
C:\Users\conta\AppData\Local\c75817af494a423cad8e24fc4d59d89a => moved successfully
C:\ProgramData\3d239b3f01804119b59d727e33fa0dfa => moved successfully
C:\Users\conta\ntuser.pol => moved successfully
C:\Program Files (x86)\dCHHaxjOpqUn => moved successfully
C:\Users\conta\AppData\Roaming\3420b10bb5814b9982a5853a68b92d2f => moved successfully
C:\Users\conta\AppData\Local\1bffd96240f945689e6ad388944dd638 => moved successfully
C:\ProgramData\79def16adc4b4af1bb694d2a2b46ce2d => moved successfully
C:\Windows\Tasks\uuxHwpnMkRCRpJh.job => moved successfully
========= RemoveProxy: =========
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value deleted successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully
HKU\S-1-5-21-4086913352-2080678621-2803426076-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully
HKU\S-1-5-21-4086913352-2080678621-2803426076-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully
========= End of RemoveProxy: =========
The system had to restart.
End of Fixlog 11:54:59
Perform a cleanup with Malwarebytes - Tutorial: Malwarebytes Anti-Malware, free version
--
Please press any key to continue the disinfection...
I just ran Malwarebytes AdwCleaner; here are the logs after cleaning:
# AdwCleaner 7.0.2.1 - Logfile created on Thu Sep 07 10:21:48 2017
# Updated on 2017/29/08 by Malwarebytes
# Running on Windows 10 Pro (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support/
- [ Services ] *****
No malicious services deleted.
- [ Folders ] *****
No malicious folders deleted.
- [ Files ] *****
No malicious files deleted.
- [ DLL ] *****
No malicious DLLs cleaned.
- [ WMI ] *****
No malicious WMI cleaned.
- [ Shortcuts ] *****
No malicious shortcuts cleaned.
- [ Tasks ] *****
No malicious tasks deleted.
- [ Registry ] *****
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\PrAmNP
Deleted: [Key] - HKU\S-1-5-21-4086913352-2080678621-2803426076-1002\Software\Microsoft\PrAmNP
Deleted: [Key] - HKCU\Software\Microsoft\PrAmNP
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\PrIncub
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
Deleted: [Key] - HKU\S-1-5-21-4086913352-2080678621-2803426076-1002\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
Deleted: [Key] - HKCU\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}
- [ Firefox (and derivatives) ] *****
No malicious Firefox entries deleted.
- [ Chromium (and derivatives) ] *****
No malicious Chromium entries deleted.
C:/AdwCleaner/AdwCleaner[C0].txt - [8878 B] - [2017/8/22 8:22:7]
C:/AdwCleaner/AdwCleaner[C1].txt - [1432 B] - [2017/8/22 10:9:44]
C:/AdwCleaner/AdwCleaner[S0].txt - [10154 B] - [2017/8/22 8:21:27]
C:/AdwCleaner/AdwCleaner[S1].txt - [1328 B] - [2017/8/22 10:9:26]
C:/AdwCleaner/AdwCleaner[S2].txt - [1212 B] - [2017/8/23 6:38:12]
C:/AdwCleaner/AdwCleaner[S3].txt - [2086 B] - [2017/8/31 7:6:59]
C:/AdwCleaner/AdwCleaner[S4].txt - [1974 B] - [2017/9/7 10:21:31]
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########
Do you think everything is resolved?
Ok, Malwarebytes ran, no threats identified:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan date: 09/07/2017
Scan time: 14:04
Log file:
Administrator: Yes
Version: 2.2.1.1043
Malware database: v2017.09.07.05
Rootkit database: v2017.08.02.01
License: Free
Malware protection: Disabled
Website protection: Disabled
Self-protection: Disabled
Operating system: Windows 10
Processor: x64
File system: NTFS
User: conta
Scan type: Threat scan
Result: Finished
Objects scanned: 261292
Elapsed time: 2 min, 0 s
Memory: Enabled
Startup: Enabled
File system: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristic: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry keys: 0
(No malicious items detected)
Registry values: 0
(No malicious items detected)
Registry data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical sectors: 0
(No malicious items detected)
(end)
Perfect, change all your passwords.
To avoid getting caught again:
Read - Potentially Unwanted Programs (PUPs)/Adware: unwanted and parasitic programs
(In particular, enable PUP detections so that parasitic and advertising programs are identified)
1) How to protect yourself from malicious scripts on Windows
2) Windows Firewall: the right settings
--
Please press any key to continue the disinfection...
Erratum... this morning, after Windows resumed from sleep, another block from Avast:
http://img110.xooimage.com/files/6/b/9/powershell-53008c5.jpg
Nothing harmful visible in the reports.
Are the detections systematic, or has there been just one since the fix?
To remove some leftovers:
Here is the correction to be made with FRST. You can use this explanatory note with screenshots.
Open Notepad: Windows key + R,
In the "Run" box, type notepad and OK.
Copy/Paste the following into it:
CreateRestorePoint:
RemoveProxy:
Task: {4E5369BA-183B-4F78-8D02-245E8243F246} - \{7A797947-0D0A-7F05-7E11-090B787A117F} -> No file <==== ATTENTION
Task: {93A2A611-8E5A-4B2E-9798-E12FBE7858E2} - \Complete Security 2010 Lite -> No file <==== ATTENTION
Reboot:
Once the text is pasted in Notepad,
Menu "File" then "Save As",
On the left, go to Desktop,
In the field at the bottom, file name enter: fixlist.txt
Click "Save", this will create fixlist.txt on the Desktop.
Restart FRST and click on the "Fix" button
A reboot may be necessary (not mandatory)
A text file appears, copy/paste the content here in a new message.
Restart the computer.
Please press any key to continue the disinfection...
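As an added example (not code from the thread, from FRST or from Malwarebytes), here is a read-only PowerShell triage script covering the two things both fixlists above act on: scheduled tasks whose action launches powershell.exe with -ExecutionPolicy Bypass and similar switches (the first fixlist's entry) or whose target file no longer exists (FRST's "No file" lines in both fixlists), plus the current user's proxy values that the RemoveProxy: directive cleared. It assumes an elevated Windows PowerShell 5.1 session on Windows 10, which provides Get-ScheduledTask; the list of switches treated as suspicious and the 32-hex-digit task-name check are my own heuristics, not FRST's rules. Nothing in it deletes or moves anything.

```powershell
# Added example (not from the thread, FRST or Malwarebytes): read-only triage of the two
# persistence spots the fixlists above clean up. Run in an elevated Windows PowerShell 5.1
# session on Windows 10; nothing here deletes or moves anything.

# Heuristic (my choice, not an FRST rule): PowerShell launched from a scheduled task with
# these switches is how the thread's malicious task ran its script silently.
$SuspiciousFlags = @('-ExecutionPolicy Bypass', '-ep bypass', '-exec bypass',
                     '-EncodedCommand', '-enc ', '-WindowStyle Hidden', '-w hidden')

function Test-SuspiciousPowerShellAction {
    param([string]$Execute, [string]$Arguments)
    $exe = $Execute.Trim('"')
    if ($exe -notmatch '(powershell|pwsh)(\.exe)?$') { return $false }
    $cmd = "$exe $Arguments"
    foreach ($flag in $SuspiciousFlags) {
        if ($cmd -match [regex]::Escape($flag)) { return $true }   # -match is case-insensitive
    }
    return $false
}

function Get-TaskTargetPath {
    # The file the task really runs: the -File script when PowerShell is only the launcher,
    # otherwise the executable itself. Quotes and %VARS% are resolved so Test-Path works.
    param([string]$Execute, [string]$Arguments)
    $candidate = $Execute.Trim('"')
    if ($Arguments -match '-File\s+"?([^"]+\.ps1)') { $candidate = $Matches[1] }
    return [Environment]::ExpandEnvironmentVariables($candidate)
}

$Findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }    # COM-handler actions have no Execute
        $reasons = @()
        if (Test-SuspiciousPowerShellAction $action.Execute $action.Arguments) {
            $reasons += 'powershell.exe with bypass/hidden/encoded switches'
        }
        $target = Get-TaskTargetPath $action.Execute $action.Arguments
        # Only full paths can be checked; a bare "huebzwkxtrq4.exe" relies on PATH lookup.
        if ($target -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $target)) {
            $reasons += "target missing: $target (orphaned task, FRST's 'No file')"
        }
        # The thread's task and script were named with a 32-hex-digit hash; unusual for
        # legitimate software, so worth a look (heuristic, not proof).
        if ($task.TaskName -match '^[0-9a-fA-F]{32}$') { $reasons += '32-hex-digit task name' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

"`n== Scheduled tasks worth reviewing =="
if ($Findings) { $Findings | Format-List } else { 'none' }

# Second check, mirroring what RemoveProxy: cleared: the current user's proxy settings.
# A proxy server or PAC URL you did not configure can redirect or inspect your browsing.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -LiteralPath $inet -ErrorAction SilentlyContinue
"`n== Current-user proxy settings =="
[pscustomobject]@{
    ProxyEnable   = $p.ProxyEnable
    ProxyServer   = $p.ProxyServer
    AutoConfigURL = $p.AutoConfigURL
} | Format-List
```

Run it once before applying a fixlist and once after the reboot: an entry that disappears from the output should have a matching "moved successfully" or "key deleted successfully" line in Fixlog.txt, and anything still listed is a candidate for the next fixlist. A task in the output is a review item rather than proof of infection, since legitimate software also schedules PowerShell; what made the thread's entry stand out was the combination of a Bypass policy, a hash-named script dropped directly under C:\Windows, and a hash-named task.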