Powershell.exe And Recurring Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by Dynex, Dec 8, 2018.

  1. Dynex

    Dynex Private E-2

    Sadly I cleared what the antivirus programs found originally, but the virus/problem came back. However, I do have the antivirus log from the previous clearing, and all programs were finding PUP variants. I attached the dated log labeled malware.txt, whereas Malwareantibytes.txt is the new log.

    My current problem is that a CMD window is starting with my startup, and a blue window appears quickly after that. I could not use a screenshot program to capture these windows even at 1 millisecond, so I used video capturing software afterward. Through the video I can see the CMD is on the path C:\Windows\System32\wbem\WMIC.exe and the blue window is on the path c:\windows\system32\windowspowershell\v.1.0\powershell.exe. I can only assume someone is using these Windows programs to install Trojans? So the virus keeps coming back?

    With that said, I don't really see anything malicious in ALT-CTRL-DEL, and when I went to the registry to delete the startup of PowerShell, it still came back. I also saw something there called Yandex and deleted that too. Anyway, I think I have some Russian rootkit or something. I was installing a free PowerPoint plugin for art/photo work; it was small in size, but that's normally how big plugins are, and it installed all these programs even though I exited out of the installer. A lot of them might have been removed, but it's clear something is lingering... and I did go to Add/Remove Programs and uninstall them almost instantly too.

    Also, do you think I need to change my online passwords? Is there a keylogger here? Thanks.
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    *You are leaving your PC quite vulnerable by using the hidden Administrator account rather than an account with elevated privileges, which can help protect against and limit the damage from infection.

    Rerun RogueKiller and delete this entry:
    ¤¤¤ Tasks ¤¤¤
    [Suspicious.Path (Potentially Malicious)] C:\WINDOWS\Tasks\Test Task17.job -- C:\ProgramData\gagrak\qmaj.exe -> Found

    Do the same using Malwarebytes' -
    File: 3
    Trojan.Agent, C:\WINDOWS\TASKS\TEST TASK17.JOB, No Action By User, [403], [584333],1.0.8223
    MachineLearning/Anomalous.94%, C:\PROGRAMDATA\GAGRAK\QMAJ.EXE, No Action By User, [0], [392687],1.0.8223
    MachineLearning/Anomalous.94%, C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\6181078.EXE, No Action By User, [0], [392687],1.0.8223

    Then rerun Hitmanpro and remove all detections.

    After doing the above, reboot and re-scan with all three programs, then upload the updated logs. *Also, include the log from running AdwCleaner.

    Additionally -
    Please go here: https://www.zemana.com/Download
    Scroll all the way down to the bottom of the page; listed last at the bottom of column 2 you will find "FREE AntiMalware". Click on it, download Zemana to your Desktop and run it. After the app auto-updates, click on Scan. When it has finished, click on the icon that looks like cell phone signal bars. Highlight the report (by the date the log was produced) and click on the "Open Report" icon (it looks like a folder). That notepad .txt can then be copied/pasted into another .txt doc and saved. Upload that log, please.
     
  3. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    One more thing and then I'll review your new log uploads when they are ready.

    Now copy the bold text below to notepad. (Do not include any space above the word "REGEDIT4"). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" . Once you have saved it double-click it and allow it to merge with the registry.
    Make sure that you tell me whether or not you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.
     
  4. Dynex

    Dynex Private E-2

    Hi Dr. Moriarty,

    Thank you for helping me, the majorgeeks team has been awesome through the years keeping peoples pc's safe.

    Sorry about using the admin account; it was something I set up ages ago (maybe six or more years ago, back when I first installed Win 7), and I have all my files and preferences set up on it. I wouldn't even know how to convert back at this point... but I do plan to buy a new PC next Christmas, so this one is definitely getting a reformat then.

    I did as you instructed, and the 1 millisecond appearance of the CMD and the blue powershell.exe window still occur on startup. This never happened before all this malware got installed... Maybe I should remove the malware while disconnected from the internet?

    (EDIT: though maybe the regedit you just provided is a fix for that)

    Also, upon restart after deleting all the malware, files that I created appeared on my desktop; they were originally located in My Documents in their own folder. Except these files were all transparent and have tildes beside the name, for example: ~mypowerpresentation.ppt. What on earth would cause them to magically appear on my desktop? It could be something unrelated, but I thought I should report it.

    Also, I'm getting things like this a lot: https://ibb.co/4Zh5CyQ
    I assume the very first time the Trojans got installed was because I exited out of Malwarebytes at some point the very first time I cleaned everything? Anyway, if something keeps sending my browser places, it means it must not be fully removed, despite all the logs coming back clean? I also get ransomware-blocked popups from Malwarebytes.

    It's interesting; I thought AdwCleaner was Malwarebytes, so I was like, why would there be two versions of the same program? I guess they are different, because AdwCleaner found something Malwarebytes didn't detect.

    Here is an example of weird files appearing in random places: https://ibb.co/Sd53Rnr

    The pictures and folders are all mine, but the files in red circles are new appearances and all have the tildes.

    I'll do the regedit stuff now... it says it was successfully added to the registry.
     

    Attached Files:

  5. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Those "weird files" appearing are normally hidden system files & folders that were set to be viewed during our cleaning.

    There should have been an improvement in your system... how is it running now?
     
  6. Dynex

    Dynex Private E-2

    Should I clean the viruses found using Zemana? I didn't press Clean yet.

    I'm still getting those popup windows, CMD and PowerShell. And I'm re-running all the scans again now.
     
  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please perform the tasks in the order that I gave them, then re-boot. And perform the recommended actions suggested by Zemana AntiMalware.
     
  8. Dynex

    Dynex Private E-2

    I performed all the tasks in the order you gave them, including running the scanners in the order you wrote them down. I added the registry key and it said it was successful, and I restarted the computer. But because CMD and PowerShell keep popping up on restart/startup, I ran all the scanners again, and they don't come up with any threats (and this is technically what happened the first time I removed the malware: no threats detected)... it was a day later when NEW malware came back, and I didn't do anything in between.

    Malwarebytes keeps blocking things? I didn't go to any websites, and my browser doesn't suffer from popups... https://ibb.co/0ySchJP

    Anyway, it's hard to explain the CMD and blue window that appear on startup, but they last 1 millisecond; I was only able to read what they say because I made a video of my screen. Here is a link to the zipped video: https://ufile.io/in47t (the event happens at 26-27 seconds in).

    According to the scanners my PC is clean now, which is great if it lasts, but I want to get rid of the CMD and PowerShell thing too, if at all possible...
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please download ZHPCleaner to your desktop.
    • Close all applications (including your web browsers and antivirus)
    • If you are using Windows Vista, 7/8/10; right-mouse click ZHPCleaner.exe and select "Run as Administrator".
    • Please click the "J'accepte/I agree" button.
    • First press the "Scanner" button. Be patient, the scan may take some time.
    • Do NOT fix/repair anything yet! Please upload that logfile also with your next reply.

    Please download Farbar Recovery Scan Tool and save it to your Desktop.

    Note: Make sure you download the proper version (32-bit or 64-bit) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run from.
    • The first time the tool is run, it also makes another log (Addition.txt).
    • Upload both logfiles to your next reply.
     
  10. Dynex

    Dynex Private E-2

    Alright, completed; here are the logs. Also, I don't use Internet Explorer, and I opened it to check it, and it has Russian writing, so obviously something from the Russian malware I downloaded got in there. Here is a screenshot. https://ibb.co/LQMXM2s
     

    Attached Files:

  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    The issues of a CMD prompt window and a Powershell pop-up on startup are problems better suited for our Software Forum.

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
    • Save the attached (fixlist.txt) to your desktop.
    • Right-click FRST and run it as admin.
    • Click the FIX button.
    • A report should pop up named Fixlog.txt, please upload it here in your next reply.

    *One additional scan that I would recommend trying - Using ESET's Online Scanner. Upon completion of the scan, upload its report also.
     

    Attached Files:

    Last edited: Dec 9, 2018
  12. Dynex

    Dynex Private E-2

    Attached fixlist.txt?

    Hey, since you said it might be a software issue, I googled the issue and found this website.
    http://www.tomshardware.com/answers/id-2858821/windows-powershell-appears-startup.html

    At first I went to the Windows 10 Startup section and didn't see anything there. But then I re-read the thread, and it said to do this in CCleaner, so I did, and this is what I found.

    https://ibb.co/PTF0kyZ

    So AudiTVID is definitely malware, right? I've never seen this before, and it doesn't ring a bell for anything; when I did track down the registry entries for this and deleted them, it was also listed as AudiTVID... what is this?
     
    Last edited: Dec 9, 2018
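An added example for tracking down an entry like AudiTVID that reappears after every reboot (this is editor-added code, not something dr.moriarty or Dynex posted). A Run key that is deleted and comes back is usually being re-created by something else that also starts at boot: a scheduled task (the thread's RogueKiller log shows exactly that, Test Task17.job launching C:\ProgramData\gagrak\qmaj.exe), a WMI permanent event subscription, or a Startup-folder item. The script below walks those locations read-only and flags any entry that launches wmic.exe/powershell.exe or runs from ProgramData, AppData or Temp. The LOLBin list and path patterns are my own assumptions; run it from an elevated PowerShell prompt on Windows 8/10 or later (Get-ScheduledTask does not exist on Windows 7).

```powershell
# Added example (not from the thread): enumerate the autostart locations that a
# "comes back after every reboot" entry usually hides in, and flag anything that
# launches wmic.exe/powershell.exe or runs from ProgramData/AppData/Temp.
# Read-only: it reports, it does not delete. Run from an elevated prompt.
# The LOLBin list and path patterns below are my assumptions, not from the thread.

$lolbins  = 'wmic\.exe|powershell\.exe|cmd\.exe|mshta\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|rundll32\.exe'
$susPaths = '\\ProgramData\\|\\AppData\\|\\Temp\\|\\Users\\Public\\'

function Test-Suspicious([string]$cmd) {
    # -match is case-insensitive in PowerShell, so the patterns need no (?i).
    return ($cmd -match $lolbins) -or ($cmd -match $susPaths)
}

function Add-Finding($list, $source, $name, $cmd, $suspicious) {
    $list.Add([pscustomobject]@{
        Source = $source; Name = $name; Command = $cmd; Suspicious = $suspicious
    })
}

$findings = New-Object 'System.Collections.Generic.List[object]'

# 1. Run/RunOnce keys in HKLM and in every loaded user hive (32-bit view included).
$runKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$hives = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
                        ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    foreach ($sub in $runKeys) {
        $path = "$hive\$sub"
        if (-not (Test-Path $path)) { continue }
        foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath etc. are not values
            $cmd = [string]$p.Value
            Add-Finding $findings "Registry: $path" $p.Name $cmd (Test-Suspicious $cmd)
        }
    }
}

# 2. Scheduled tasks: a task survives a Run-key cleanup and can re-create the key at boot.
foreach ($t in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }            # COM-handler actions have no Execute
        $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
        Add-Finding $findings "Task: $($t.TaskPath)$($t.TaskName)" $t.TaskName $cmd (Test-Suspicious $cmd)
    }
}
# Legacy .job files (the format the RogueKiller log reported) are rare on Windows 10,
# so every one of them is worth a manual look.
foreach ($j in (Get-ChildItem "$env:windir\Tasks\*.job" -ErrorAction SilentlyContinue)) {
    Add-Finding $findings 'Legacy .job file' $j.Name $j.FullName $true
}

# 3. WMI permanent event subscriptions: an __EventFilter bound to a CommandLineEventConsumer
#    runs a command on a trigger (boot, timer, process start) with no Run key or task at all.
$ns = 'root\subscription'
foreach ($c in (Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)) {
    $cmd = [string]$c.CommandLineTemplate
    Add-Finding $findings 'WMI CommandLineEventConsumer' $c.Name $cmd (Test-Suspicious $cmd)
}
foreach ($c in (Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)) {
    Add-Finding $findings 'WMI ActiveScriptEventConsumer' $c.Name ([string]$c.ScriptText) $true
}

# 4. Startup folders for the current user and for all users.
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($d in $startupDirs) {
    foreach ($f in (Get-ChildItem $d -File -ErrorAction SilentlyContinue)) {
        Add-Finding $findings "Startup folder: $d" $f.Name $f.FullName (Test-Suspicious $f.FullName)
    }
}

$findings | Sort-Object Suspicious -Descending |
    Format-Table -AutoSize -Wrap Source, Name, Command, Suspicious
```

Read the flagged rows before deleting anything: legitimate software also lives under AppData and also uses scheduled tasks, so the Command column (what actually runs, and from where) is the evidence, not the flag by itself. If the Run key is the only thing that ever shows up, and it still returns after a reboot, the re-creator is either a task or WMI consumer in the list above or a process that a startup-time process trace would have to catch.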
  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I've corrected the posting error.
     
  14. Dynex

    Dynex Private E-2

    Okay, finally; the ESET scan took 4 hours...
     

    Attached Files:

  15. Dynex

    Dynex Private E-2

    Anyway, thank you. I think my PC is clear of malware except this AudiTVID thing... do you know if there is anyone who can help remove it? Even when I delete the registry entry, it comes back every restart.

    https://ibb.co/b3wBCSx

    Maybe I should have run this? I was infected with PUPs...

    Junkware Removal Tool is a security utility that searches for and removes common adware, toolbars, and potentially unwanted programs (PUPs) from your computer. A common tactic among freeware publishers is to offer their products for free, but bundle them with PUPs in order to earn revenue. (Nov 15, 2018)
     
    Last edited: Dec 10, 2018
  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    We've already done a far more thorough cleaning than what JRT alone would have accomplished.

    This tutorial link provides training on the use of Process Explorer which would aid in tracking the process tree generating the recurring pop-up. There are several members in the Software forum who can guide you through the troubleshooting.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it - just move on to the next step.
    3. If running Vista or Win 7/8/10, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    4. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    5. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    6. After doing the above, you should work through the below link:
     
    Dynex and TimW like this.
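Post 16 points at Process Explorer for tracing the process tree behind the short-lived pop-up. Since the windows in this thread last about a millisecond, a live event trace is the practical complement to that: it records every process start together with its parent, so the wmic.exe and powershell.exe instances can be attributed to whatever spawned them even after they have exited. The script below is an editor-added example, not something posted in the thread; it subscribes to the Win32_ProcessStartTrace WMI event class (administrator rights required), watches for 60 seconds, and records the command line and parent of each matching process. The 60-second window and the list of names to watch are my assumptions.

```powershell
# Added example (not from the thread): record process starts for a short window and
# attribute each wmic.exe/powershell.exe/cmd.exe instance to its parent process, so a
# window that lives only a few milliseconds can still be traced back to its launcher.
# Needs an elevated prompt (Win32_ProcessStartTrace is admin-only).
# Assumptions (mine): the names watched and the 60-second observation window.

$watchNames = @('wmic.exe', 'powershell.exe', 'cmd.exe')
$windowSeconds = 60
$log = New-Object 'System.Collections.Generic.List[object]'

# Subscribe to the extrinsic process-start event; events queue up in this session.
Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier ProcTrace | Out-Null
try {
    $deadline = (Get-Date).AddSeconds($windowSeconds)
    while ((Get-Date) -lt $deadline) {
        $ev = Wait-Event -SourceIdentifier ProcTrace -Timeout 5   # $null on timeout
        if (-not $ev) { continue }
        $e = $ev.SourceEventArgs.NewEvent                         # the Win32_ProcessStartTrace instance
        Remove-Event -EventIdentifier $ev.EventIdentifier
        if ($watchNames -notcontains $e.ProcessName) { continue }

        # Query child and parent immediately; either may already be gone, so tolerate $null.
        $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)" -ErrorAction SilentlyContinue
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)" -ErrorAction SilentlyContinue

        $log.Add([pscustomobject]@{
            Time        = Get-Date
            Process     = $e.ProcessName
            PID         = $e.ProcessID
            CommandLine = if ($child)  { $child.CommandLine } else { '(exited before it could be queried)' }
            ParentPID   = $e.ParentProcessID
            Parent      = if ($parent) { "$($parent.Name) :: $($parent.CommandLine)" } else { '(parent already exited)' }
        })
        Write-Host ("[{0:HH:mm:ss}] {1} (PID {2}) started by PID {3}" -f (Get-Date), $e.ProcessName, $e.ProcessID, $e.ParentProcessID)
    }
}
finally {
    Unregister-Event -SourceIdentifier ProcTrace
    Get-Event -SourceIdentifier ProcTrace -ErrorAction SilentlyContinue | Remove-Event
}

$log | Format-List
```

Because the pop-up in this thread fires at logon, the trace has to already be running when it happens: either start the script from a scheduled task that runs at logon (it then has to be started before the suspect entry, so a high-priority task or a delay in the suspect is what you are relying on), or use Process Monitor's Options > Enable Boot Logging, which captures process creation from boot without any script. Whichever you use, the parent command line is the thing to read: a powershell.exe launched by a scheduled task shows up under taskeng.exe/svchost.exe, one launched from a Run key under explorer.exe, and one from a WMI subscription under WmiPrvSE.exe, which tells you which of the autostart locations to clean.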
