Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Powershell Trying to connect to malicious sites

Started by Twitchi , Jul 11 2017 06:51 AM

  • Please log in to reply

#1
Twitchi
Posted 11 July 2017 - 06:51 AM

Twitchi

    Member

  • Member
  • PipPip
  • 16 posts

So I was given a piece of software from a friend who I thought knew what they where doing.. long story short I clicked on things I should of not and got my PC riddled with Trojans and such..

I started an extensive cleaning process and will some day soon wipe everything that is connected to the PC but right now I need to use it for work and con not, things seem to be OK, malwarebytes finds no malware and Avira finds no viruses now.. but every 6 hours or so I get a notification from Malwarebytes that it is blocking powershell form visiting various sites
 

As requested in the guide here is FRST.txt
 

Spoiler


and Addition.txt

 

Spoiler


thank you so much for any help you canb provide :D


  • 0

Advertisements

#2
RKinner
Posted 13 July 2017 - 08:59 AM

RKinner

    Malware Expert

  • Expert
  • 24,734 posts
  • MVP
 
Download the attached fixlist.txt to the same location as FRST
 
[attachment=85514:fixlist.txt]
 
Run FRST and press Fix
A fix log will be generated please post that 
 
 

 
Download : ADWCleaner to your desktop.  Make sure you get the correct Download button.  Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @BleepingComputer
 
NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.
 
Close  all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).
 
scan-results.jpg
 
Click on Scan  and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.
 
The report will be saved in the C:\AdwCleaner folder.
 
 
 
Junkware-Removal-Tool
 
Please download Junkware Removal Tool to your desktop.  Make sure you get the correct Download button.  Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @Author's site
  • Pause your anti-virus.  Close all browsers.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
    •  
     
     
    Run FRST again as before.  Make sure Addition.txt is checked and hit Scan.  Post both logs.
     

    • 0

    #3
    Twitchi
    Posted 13 July 2017 - 04:36 PM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    Hey RK, thanks so much for taking the time to guide me through this..

    I am back after the first restart and as requested here is the log copy paste

    Spoiler


    I shall return shortly with the next log


    • 0

    #4
    Twitchi
    Posted 13 July 2017 - 04:50 PM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    Second Down Here's the report

    Spoiler


    • 0

    #5
    Twitchi
    Posted 13 July 2017 - 05:00 PM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    I am having trouble running the junkware tool, every time I try to run the program I get an error saying "This app cannot run on your PC... to find a version for your pc, check with publishers"

    Double click, run as admin, double checked antivirus is off and made sure browsers where closed


    • 0

    #6
    Twitchi
    Posted 13 July 2017 - 05:16 PM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    Sorry forgot to say I was using Windows 10 Pro 64

    also as there was no file changes involved I thought I would grab the frst report anyway as well

    FRST.TXT

    Spoiler

     

    And additions

    Spoiler



    Once again thank you for your time.. I await your apraisal
     


    • 0

    #7
    RKinner
    Posted 13 July 2017 - 06:44 PM

    RKinner

      Malware Expert

    • Expert
    • 24,734 posts
    • MVP

    Don't worry about JRT.  Not sure what went wrong ther.  Will look into it.

     

    Your FRST logs look pretty clean.  Let's run DISM and SFC and make sure no system files were compromised:

     

    Open an elevated command prompt:
     
     
    If you open an elevated command prompt it will by default open in c:\Windows\system32
     
    Once you have an elevated command prompt:
     
    Type:
     
     DISM  /Online  /Cleanup-Image  /RestoreHealth
     
     (I use two spaces so you can be sure to see where one space goes.)
    Hit Enter.  This will take a while (10-20 minutes) to complete.  Once the prompt returns:
     
    Reboot.  Open an elevated Command Prompt again and type (with an Enter after the line):
     
    sfc  /scannow
     
     
     
    This will also take a few minutes.  
     
    When it finishes it will say one of the following:
     
    Windows did not find any integrity violations (a good thing)
    Windows Resource Protection found corrupt files and repaired them (a good thing)
    Windows Resource Protection found corrupt files but was unable to fix some (or all) of them (not a good thing)
     
    If you get the last result then type:
     
    findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \junk.txt 
     
    Hit Enter.  Then type::
     
     
    notepad  \junk.txt 
     
    Hit Enter. 
     
     Copy the text from notepad and paste it into a reply.
     
     
    After you finish SFC, regardless of the result:
     
     
     
    1. Please download the Event Viewer Tool by Vino Rosso
    and save it to your Desktop:
    2. Right-click VEW.exe and Run AS Administrator
    3. Under 'Select log to query', select:
     
    * System
    4. Under 'Select type to list', select:
    * Error
    * Warning
     
     
    Then use the 'Number of events' as follows:
     
     
    1. Click the radio button for 'Number of events'
    Type 20 in the 1 to 20 box
    Then click the Run button.
    Notepad will open with the output log.
     
     
    Please post the Output log in your next reply then repeat but select Application.  (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)

    • 0

    #8
    Twitchi
    Posted 14 July 2017 - 06:11 AM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    OK so the first 2 programs came back good (Windows did not find any integrity violations)

    System Event Viewer

    Spoiler

     

    And the application

    Spoiler

     

    Thank you once again


    • 0

    #9
    RKinner
    Posted 14 July 2017 - 07:02 AM

    RKinner

      Malware Expert

    • Expert
    • 24,734 posts
    • MVP

    Just paste in a Reply - don't bother with the Spoiler stuff.  Just makes them harder to work on.

     

    Search for:

    services.msc

    hit Enter

     

    Find NetMsmqActivator

    right click and select Properties then change the Startup Type: to Disabled.  OK.

     

    repeat for

     

    NetPipeActivator

     

    Find 

     

    Windows Driver Foundation - User-mode Driver Framework

    right click and select Properties then change the Startup Type: to Automatic.  OK.

     

    While in services menu see if 

     

    Background Intelligent Transfer Service is running/started

     

    Close services menu

     

    Search for

     

    PC Settings

     

    hit Encer

     

    Change

    "Sync your Settings" section

     OneDrive\Sync Settings, turn off the switch, 

    (Hope that makes sense as my Win 10 tablet doesn't want to start up today.)

    Close PC Settings

     

     

     

    Then

     

    Copy the next 4 lines:

    dir /a /s \Users\Owner\AppData\Local\Microsoft\Windows\SettingSync > \junk.txt
    sc start luafy
    sc query luafv
    notepad \junk.txt
     
     
    Open an Elevated Command Prompt:
    Win 7: Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator
     
    Right click and Paste (or Edit then Paste) and the copied lines should appear.
    Hit Enter if notepad does not open.  Copy and paste the text from notepad into a reply. 
     
    Start up FRST as before.  
    Put
    luafv.sys
    in the Search Box
    then hit Search Files
     
    You should get a text file.  Copy and paste in to a reply.
     
     
     
     

    • 0

    #10
    Twitchi
    Posted 14 July 2017 - 08:04 AM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    So Net.msmq and net.pipe have been disabled

     

    Background Intelligent Transfer Service was not running..

    syncing was also off already

     

    had troubles from there in

    Microsoft Windows [Version 10.0.14393]
    © 2016 Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>dir /a /s \Users\Owner\AppData\Local\Microsoft\Windows\SettingSync > \junk.txt
    The system cannot find the path specified.

    C:\WINDOWS\system32>sc start luafy
    [SC] StartService: OpenService FAILED 1060:

    The specified service does not exist as an installed service.


    C:\WINDOWS\system32>sc query luafv

    SERVICE_NAME: luafv
            TYPE               : 2  FILE_SYSTEM_DRIVER
            STATE              : 1  STOPPED
            WIN32_EXIT_CODE    : 1275  (0x4fb)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

    C:\WINDOWS\system32>notepad \junk.txt  // did an enter

    C:\WINDOWS\system32>

    text file was blank


     


    • 0

    Advertisements

    #11
    Twitchi
    Posted 14 July 2017 - 08:07 AM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    being dangerous and using my initiative

     

    started Background Intelligent Transfer Service to try again, same errors


    • 0

    #12
    RKinner
    Posted 14 July 2017 - 08:12 AM

    RKinner

      Malware Expert

    • Expert
    • 24,734 posts
    • MVP

    oops forgot to change the Username from Owner to Twitchi

     

    Copy the next 2 lines:

    dir /a /s \Users\Twitchi\AppData\Local\Microsoft\Windows\SettingSync > \junk.txt
    notepad \junk.txt

    then open an elevated command prompt (admin) as before and right click and Paste.  Hit Enter if notepad does not open.  Copy and paste into a Reply.

     

     

    Start up FRST as before but do not hit SCAN.  
    Put
    luafv.sys
    in the Search Box
    then hit Search Files
     
    You should get a text file.  Copy and paste in to a reply.

    • 0

    #13
    Twitchi
    Posted 14 July 2017 - 08:21 AM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    Junk.txt

     Volume in drive C has no label.
     Volume Serial Number is 3E75-33F7

     Directory of C:\Users\Twitchi\AppData\Local\Microsoft\Windows\SettingSync

    26-Oct-16  10:23 PM    <DIR>          .
    26-Oct-16  10:23 PM    <DIR>          ..
    14-Jul-17  01:37 PM    <DIR>          metastore
    26-Oct-16  10:21 PM    <DIR>          remotemetastore
    29-Oct-16  01:59 PM             2,757 wininet-internet-explorer.metadata
                   1 File(s)          2,757 bytes

     Directory of C:\Users\Twitchi\AppData\Local\Microsoft\Windows\SettingSync\metastore

    14-Jul-17  01:37 PM    <DIR>          .
    14-Jul-17  01:37 PM    <DIR>          ..
    14-Jul-17  01:42 PM             8,192 edb.chk
    14-Jul-17  01:42 PM           524,288 edb.log
    14-Jul-17  01:37 PM           524,288 edb0041B.log
    14-Jul-17  01:37 PM           524,288 edb0041C.log
    14-Jul-17  01:37 PM           524,288 edb0041D.log
    14-Jul-17  01:37 PM           524,288 edb0041E.log
    26-Jul-16  03:23 PM           524,288 edbres00001.jrs
    26-Jul-16  03:23 PM           524,288 edbres00002.jrs
    14-Jul-17  01:42 PM           524,288 edbtmp.log
    14-Jul-17  01:42 PM         2,228,224 meta.edb
    14-Jul-17  01:42 PM            16,384 meta.jfm
                  11 File(s)      6,447,104 bytes

     Directory of C:\Users\Twitchi\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore

    26-Oct-16  10:21 PM    <DIR>          .
    26-Oct-16  10:21 PM    <DIR>          ..
    29-Oct-16  01:59 PM    <DIR>          v1
                   0 File(s)              0 bytes

     Directory of C:\Users\Twitchi\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1

    29-Oct-16  01:59 PM    <DIR>          .
    29-Oct-16  01:59 PM    <DIR>          ..
    29-Oct-16  02:05 PM             8,192 edb.chk
    29-Oct-16  02:05 PM           524,288 edb.log
    28-Oct-16  01:06 PM           524,288 edb00007.log
    29-Oct-16  01:59 PM           524,288 edb00008.log
    29-Oct-16  01:59 PM           524,288 edb00009.log
    26-Oct-16  10:21 PM           524,288 edbres00001.jrs
    26-Oct-16  10:21 PM           524,288 edbres00002.jrs
    28-Oct-16  01:05 PM           524,288 edbtmp.log
    29-Oct-16  02:05 PM         1,441,792 meta.edb
    29-Oct-16  02:05 PM            16,384 meta.jfm
                  10 File(s)      5,136,384 bytes

         Total Files Listed:
                  22 File(s)     11,586,245 bytes
                  11 Dir(s)  300,233,785,344 bytes free
     


    • 0

    #14
    Twitchi
    Posted 14 July 2017 - 08:26 AM

    Twitchi

      Member

    • Topic Starter
    • Member
    • PipPip
    • 16 posts

    search.txt

    Farbar Recovery Scan Tool (x64) Version: 13-07-2017
    Ran by Twitchi (14-07-2017 15:22:02)
    Running from C:\Users\Twitchi\Desktop
    Boot Mode: Normal

    ================== Search Files: "luafv.sys" =============

    C:\Windows\WinSxS\amd64_microsoft-windows-lua-filevirtualization_31bf3856ad364e35_10.0.14393.0_none_9555904ebb4d4f93\luafv.sys
    [2016-07-16 12:42][2016-07-16 12:42] 0125952 _____ (Microsoft Corporation) C9579D32219E5B936AC3A48D470117EC [File is digitally signed]

    C:\Windows\System32\drivers\luafv.sys
    [2016-07-16 12:42][2016-07-16 12:42] 0125952 _____ (Microsoft Corporation) C9579D32219E5B936AC3A48D470117EC [File is digitally signed]

    ====== End of Search ======


    • 0

    #15
    RKinner
    Posted 14 July 2017 - 08:32 AM

    RKinner

      Malware Expert

    • Expert
    • 24,734 posts
    • MVP
    Copy the next 5 lines:
     
    FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
    Esentutl /r \Users\Owner\AppData\Local\Microsoft\Windows\SettingSync\metastore\meta.edb 
    Esentutl /p \Users\Owner\AppData\Local\Microsoft\Windows\SettingSync\metastore\meta.edb 
    Esentutl /r \Users\Owner\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\meta.edb
    Esentutl /p \Users\Owner\AppData\Local\Microsoft\Windows\SettingSync\remotemetastore\v1\meta.edb 
     
     
    Open an Elevated Command Prompt:
     
     
     
    Right click and Paste (or Edit then Paste) and the copied lines should appear.
    Hit Enter.
     
    Then reboot.  Run VEW again as before.
     
    I'm on my way out the door.  Be back in about 4 hours.
     
    You can run Windows All in One Repair.  It might fix the BITS problem.
     
     
     
    Download it and save it then run it.
     
    You can skip to step 4 or 5 where it gives you the same picture as in the above link.
     
    Make sure these are checked before hitting Start:
     
    Reset Registry Permissions
    Reset File Permissions
    Register System Files
    Repair WMI
     
     
     
    Remove Policies Set By Infections
     
     
    Remove Temp Files
     
    Unhide Non System Files
    Repair Windows Updates
     
     
    Reboot when done and run VEW again as before.
     
    The luafv.sys file appears to be the correct one.  Not sure why it won't work.  Perhaps things will work better after all in one runs.
     
     

    • 0
    Back to Virus, Spyware, Malware Removal · Next Unread Topic →




    Similar Topics

    1 user(s) are reading this topic

    0 members, 1 guests, 0 anonymous users

    1. Geeks to Go Community
    2. Security
    3. Virus, Spyware, Malware Removal

    As Featured On:

    Microsoft Yahoo BBC MSN PC Magazine Washington Post HP