

Powershell Opening in Win. 10 Randomly.. Virus?


5 replies to this topic

#1 Gumball3k

Gumball3k

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:22 AM

Posted 11 July 2017 - 08:40 PM

I have had Win. 10 for about 3-4 months now, and I somehow got a few viruses. I cleaned them up with Malwarebytes, however, one thing remained. Windows Powershell opens randomly now. Sometimes I'll be watching YouTube and it will pop up, and it is completely blank. I have to close it manually. It's kind of annoying, so I would like to know how to get rid of it. I have done multiple scans of MB and nothing came up. I also completely deleted everything that came up on MB from the first scan. Please reply with any info you may have. Thanks!





#2 britechguy

britechguy

    Been there, done that, got the T-shirt


  • Moderator
  • 6,846 posts
  • ONLINE
  • Gender:Male
  • Location:Staunton, VA
  • Local time:09:22 AM

Posted 11 July 2017 - 08:59 PM

This does sound like the vestiges of an infection.  So, I'm going to escort you over to the "Am I Infected?  What Should I Do?" forum, where you can get more specific guidance.


Brian AKA Bri the Tech Guy (my website address is in my profile) Windows 10 Home, 64-bit, Version 1709, Build 16299

       

    Here is a test to find out whether your mission in life is complete.  If you’re alive, it isn’t.
             ~ Lauren Bacall
              

 


#3 jwoods301

jwoods301

  • Members
  • 1,489 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:22 AM

Posted 11 July 2017 - 09:09 PM

Do the following malware checks and post the logs...

Download and run AdwCleaner -

https://www.bleepingcomputer.com/download/adwcleaner/

Download and run the portable version of Zemana Anti-Malware

https://www.zemana.com/en-US/Download

Download and run Junkware Removal Tool -

https://www.bleepingcomputer.com/download/junkware-removal-tool/

Create a System Restore point first.


 



#4 Gumball3k

Gumball3k
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:22 AM

Posted 12 July 2017 - 08:00 AM

Thanks guys.



#5 Gumball3k

Gumball3k
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:22 AM

Posted 12 July 2017 - 08:45 AM

ADW Logfile:

 

# AdwCleaner v6.047 - Logfile created 12/07/2017 at 09:33:56

# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-07-11.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : gumba - DESKTOP-EEOBAQV
# Running from : B:\Downloads\AdwCleaner.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\gumba\AppData\Local\AdvinstAnalytics
Folder Found:  C:\Program Files (x86)\ProxyGate
Folder Found:  C:\Users\gumba\AppData\Roaming\AGData
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKU\S-1-5-21-39537264-1387816561-519867752-1001\Software\FastDataX
Key Found:  HKU\S-1-5-21-39537264-1387816561-519867752-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdVPN
Key Found:  HKCU\Software\FastDataX
Key Found:  HKLM\SOFTWARE\WebDiscoverBrowser
Key Found:  HKLM\SOFTWARE\PCAcceleratePro
Key Found:  HKLM\SOFTWARE\Microleaves
Key Found:  HKLM\SOFTWARE\SavingsCool
Key Found:  HKLM\SOFTWARE\betterads
Key Found:  HKLM\SOFTWARE\Soci2Sear Browser Enhancer
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdVPN
Key Found:  [x64] HKCU\Software\FastDataX
Key Found:  [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AdVPN
Key Found:  HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
Key Found:  HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
Key Found:  [x64] HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
Key Found:  [x64] HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
Data Found:  HKU\S-1-5-21-39537264-1387816561-519867752-1001\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=86311257&param1=y6bdVFVIsvuYs
Data Found:  HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=86311257&param1=y6bdVFVIsvuYsgEClQfz8HyFH9tZCHsOZFHNP%2BYwJC2T6M%2FX%2FM
Data Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=86311257&param1=y6bdVFVIsvuYsgEClQfz8HyFH9tZCHsOZFHNP%2BYwJC2T6M%2FX%2
Key Found:  HKU\S-1-5-21-39537264-1387816561-519867752-1001\Software\Microsoft\Internet Explorer\SearchScopes\{1711FC25-F05A-40CE-B859-A0C1CF01FD18}
Data Found:  HKU\S-1-5-21-39537264-1387816561-519867752-1001\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1711FC25-F05A-40CE-B859-A0C1CF01FD18}
Data Found:  HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1711FC25-F05A-40CE-B859-A0C1CF01FD18}
Data Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] - 
Key Found:  HKCU\Software\Microsoft\Internet Explorer\DOMStorage\itibitiphone.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\itibitiphone.com
Value Found:  HKU\S-1-5-21-39537264-1387816561-519867752-1001\Software\Microsoft\Windows\CurrentVersion\Run [Itibiti.exe]
Value Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Itibiti.exe]
Value Found:  [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Itibiti.exe]
Key Found:  HKCU\Software\Classes\Applications\interstatnogui.exe
Key Found:  HKCU\Software\Google\Chrome\Extensions\gkcffmoikcgfhagefelmhiakelnjihik
Key Found:  [x64] HKCU\Software\Google\Chrome\Extensions\gkcffmoikcgfhagefelmhiakelnjihik
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\gumba\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - gkcffmoikcgfhagefelmhiakelnjihik
Chrome pref Found:  [C:\Users\gumba\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - hxxp://us.hao123.com/?tn=sdks_inner_hp_01_hao123_us&guid=447e38db5fe60d7d2f9124d2fb9f46fc
 
[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]
 
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1160 Bytes] - [19/05/2017 15:56:31]
C:\AdwCleaner\AdwCleaner[C2].txt - [1307 Bytes] - [26/05/2017 22:05:50]
C:\AdwCleaner\AdwCleaner[S0].txt - [1525 Bytes] - [19/05/2017 15:56:09]
C:\AdwCleaner\AdwCleaner[S1].txt - [1671 Bytes] - [26/05/2017 22:05:39]
C:\AdwCleaner\AdwCleaner[S2].txt - [5196 Bytes] - [12/07/2017 09:33:56]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [5269 Bytes] ##########


#6 Gumball3k

Gumball3k
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:22 AM

Posted 12 July 2017 - 09:03 AM

Zemana logfile:

 

Zemana AntiMalware 2.74.2.76 (Portable)
 
-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/7/12
Operating System       : Windows 10 64-bit
Processor              : 4X Intel® Core™ i3-2120 CPU @ 3.30GHz
BIOS Mode              : Legacy
CUID                   : 129EAF8C73BFDC0093A19B
Scan Type              : System Scan
Duration               : 11m 24s
Scanned Objects        : 64523
Detected Objects       : 5
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2
 
Detected Objects
-------------------------------------------------------
 
Chrome Startup Url
Status             : Scanned
Object             : http://roblox.com/
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Startup Url
 
Chrome Homepage
Status             : Scanned
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Repair
Related Objects    :
                Browser Setting - Chrome Homepage
 
Hide Most Visited Pages Reloaded
Status             : Scanned
Object             : %localappdata%\google\chrome\user data\default\extensions\dhphmpoekpoecdbjeionimpiceigkeil
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA.ChromeExt!Gr
Cleaning Action    : Repair
Related Objects    :
                Browser Extension - Hide Most Visited Pages Reloaded
 
ic-0.9090699df97bd.exe
Status             : Scanned
Object             : NE->c:\users\gumba\appdata\local\temp\282841906\ic-0.9090699df97bd.exe
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Adware:Win32/Itibiti!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
 
winrescheck.wrc
Status             : Scanned
Object             : NE->c:\users\gumba\appdata\roaming\microsoft\protect\winrescheck.wrc
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Trojan:Win32/Blocrypt.C!Neng
Cleaning Action    : Quarantine
Related Objects    :
                (null) - (null)
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 5
Reported as safe      : 0
Failed                : 0

Junkware logfile:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Pro x64 
Ran by gumba (Administrator) on Wed 07/12/2017 at  9:57:10.14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 3 
 
Successfully deleted: C:\ProgramData\productdata (Folder) 
Successfully deleted: C:\Windows\system32\Tasks\Driver Booster SkipUAC (gumba) (Task)
Successfully deleted: C:\Windows\system32\Tasks\ebb1cf3c3a27023b8cf3415a781b19ba (Task)
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 07/12/2017 at  9:59:35.77
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by Gumball3k, 12 July 2017 - 09:02 AM.
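As an added example that is not part of the thread, the read-only PowerShell snippet below lists the two persistence locations the AdwCleaner and JRT logs above flagged (Run/RunOnce values and scheduled tasks) and marks any entry that launches powershell.exe, which is the usual trigger for a blank PowerShell window that keeps opening. It assumes Windows 10 and an elevated session; the registry paths and regex are the example's own choices, not from the logs.

```powershell
# Added example (not from the thread): enumerate autostart locations and
# scheduled tasks and flag entries that start PowerShell. Read-only; deletes nothing.
# Assumes Windows 10 and an elevated PowerShell session.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Properties that Get-ItemProperty adds to every result and that are not real values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

Write-Host "== Run/RunOnce autostart values =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        # Flag commands that invoke PowerShell, pass an encoded command, or hide the window.
        $flag = if ("$($p.Value)" -match 'powershell|-enc|-w(indowstyle)?\s+hidden') { '[CHECK]' } else { '       ' }
        "{0} {1}\{2} = {3}" -f $flag, $key, $p.Name, $p.Value
    }
}

Write-Host "`n== Scheduled tasks whose action runs PowerShell =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # COM-handler actions have no Execute; the string is then empty and does not match.
        if ("$($a.Execute) $($a.Arguments)" -match 'powershell') {
            [pscustomobject]@{
                Path      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
} | Format-Table -AutoSize -Wrap
```

Entries marked [CHECK] or listed under the task section are worth posting alongside the tool logs so a helper can tell a legitimate updater task from a leftover of the adware the scans found.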




