Solved Windows Powershell randomly popping up, MBytes blocking outbound comm

Glockwork Orange

New Member
Thread author
Feb 20, 2017
3
Hi,

please see the info above. MBytes blocked communication marked as "macrosoftman[.]info" which I tracked to the following site: https://www.cybereason.com/the-dawn-of-sophisticated-powershell-adware-campaigns/

And also to another user's post that had a solution but it was marked as individual and potentially dangerous and/or not working for another system, so I am asking for help myself as well.

Thanks in advance.
 

Attachments

  • Addition.txt
    96.2 KB · Views: 3
  • FRST.txt
    41.3 KB · Views: 4

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on [image: 4zu6vb.jpg] icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report in your next message.
 

Glockwork Orange

New Member
Thread author
Feb 20, 2017
3
Thanks Blondie.

I ran it, it found a whole bunch of stuff that the FRST report pointed out. Attaching the report of Zemana and I also ran a new report of FRST in case it's of any interest.

I cannot confirm right away if it had helped or not (the PowerShell popups are rather random).
 

Attachments

  • 2017.02.21-17.33.59-i0-t92-d35 - detected.txt
    14.3 KB · Views: 3
  • Addition.txt
    80.2 KB · Views: 1
  • FRST.txt
    36.8 KB · Views: 2

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please remove this from your Control Panel:
DNS Unlocker (HKLM-x32\...\DNSUnlocker.ns) (Version: - ) <==== ATTENTION


And let me know if everything is okay now.
 

Glockwork Orange

New Member
Thread author
Feb 20, 2017
3
Hi again,

I seem to be unable to remove it from the Control Panel. I think I may have deleted it manually some time ago, so the files don't actually exist on my drive (when I try to click uninstall in CP, it says it could not find the uninstall.exe in a folder that, well, does not exist anymore).

I suppose I should manually remove its entry in the registry?
 
