Thanks AVAST

system · 2017-09-08T15:44:38.000Z

I was using AVIRA Anti-Virus FREE Edition from past 2 years. However that particular software somehow allowed powershell.exe virus enter into my system. It’s been residing on my system from past 3 or 4 months and Avira just watched silently. Did nothing about it! I always updated my virus definition to the latest version.

Whenever I restarted my computer. A small window (with no content) would pop-up whose name was “powershell” and after few seconds it would automatically disappear. Today I was browsing the web and suddenly my CPU usage went sky high. I am not sure what suddenly triggered this? And something was not right at all. It seems like some sort of software installation was taking place in the background.

I had to disconnect my internet and had to force shut down my computer. After restarting my system, I started Malwarebytes (which was fortunately there on my system), updated it and started FULL scan. After few minutes Malwarebytes was totally stuck at 81% for more than 30 minutes. I don’t know what happened?

But it’s auto protection kept on blocking “soplifan.ru” (C:\Windows\SysWOW64\msiexec.exe) from connecting to the internet. See attached screenshot.

Malwarebytes was stuck so I downloaded both superantispyware and Spybot S&D - Updated them. Ran full scan. No detection!

Now Avast came to my mind. I immediately downloaded and updated your software. And without any scan, your software’s auto-protection feature caught the malware within few seconds! See attached screenshots.

Thanks AVAST. I am impressed. Keep up the good work.

Eddy · 2017-09-08T15:48:34.000Z

https://forum.avast.com/index.php?topic=194892.0

PDI · 2017-09-09T11:32:13.000Z

Hi mrinmayb,

I’m not sure how to take this.

The detection is correct as we stopped the powershell from running. We haven’t removed the executable of the powershell.

The detection means that there is file-less malware which is using powershell and we report the process not the file itself.

I suggest you to use autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns to see if there is some information about the powershell and/or msiexec.

If you can share the output of the autoruns with me I can help you with the finding of the virus if we haven’t remove it completely.
You can share the download link with me via a PM.

Regards,
PDI

system · 2017-09-09T14:16:43.000Z

PDI post:3:

Hi mrinmayb,

I’m not sure how to take this.

The detection is correct as we stopped the powershell from running. We haven’t removed the executable of the powershell.

The detection means that there is file-less malware which is using powershell and we report the process not the file itself.

I suggest you to use autoruns https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns to see if there is some information about the powershell and/or msiexec.

If you can share the output of the autoruns with me I can help you with the finding of the virus if we haven’t remove it completely.
You can share the download link with me via a PM.

Regards,
PDI

Hello

I think you got me wrong.

I am praising AVAST and cursing AVIRA

Eddy · 2017-09-09T14:24:29.000Z

Yes, but the infection can still be present on your system.
I strongly suggest to follow the instructions in the link I gave you and have one of the malware removers have a look.

system · 2017-09-09T16:20:51.000Z

???

Ok I will be back with the logs ASAP

Thanks

system · 2017-09-09T17:19:53.000Z

Please see attached files

Thanks

Eddy · 2017-09-09T17:26:00.000Z

What is KMS doing on your system ?

system · 2017-09-09T18:02:37.000Z

Eddy post:8:

What is KMS doing on your system ?

Thanks for your help. I will get rid of this software. I am now able to understand from where the malware probably came from

Thanks

Announcements