[SOLVED] Powershell process seems to have tried uninstalling Avast?

devplugin

Commendable
Aug 21, 2018
8
0
1,510
Hello,

I received the following threat warning earlier:
[screenshot: Avast threat warning naming UNINSTALLEXCHANGE.PS1 as the detected file and PowerShell as the source]


Given that I did not perform a scan myself, and that the following threat popped up while I was not actively at my computer, I assume Avast must have detected an action occurring in the background. While the warning above mentions the source being Windows' PowerShell, I did not have one actively open myself, which means that some other program must have tried to run it.

The file in question, "UNINSTALLEXCHANGE.PS1", seems to have been located in the /SETUP folder of my Avast installation, although I currently cannot find it in there anymore. Perhaps Avast deleted it from there upon issuing the warning? Given the name of the file, it sounds like some program tried to uninstall Avast, although I might of course be wrong.

I have, of course, tried to already search on Google to find further information on my situation, but unfortunately have not found much. The only relevant link I found is the following: https://discuss.elastic.co/t/kv-filter-dont-split-on-field-split-pattern-once/165431, where someone (suspiciously?) seems to want to run a certain command using PowerShell on the aforementioned file. However, given the short excerpt of their code, I cannot come to a conclusion on what exactly it is they tried to do.

I would perhaps have put it aside as a false positive, but the fact that something happened in the location Avast itself was installed in, without my knowledge, seems somewhat worrying.

I would really appreciate any help regarding this, as I am worried that my PC might have gotten infected.
Thank you very much!

mdd1963

Beyond an obligatory full MS Security scan, I'd certainly run some other 'second opinion' full scans with other antimalware tools, where Hitman Pro64 and Malwarebytes Antimalware both spring to mind. (I'd also look at SysInternals' ProcessExplorer64 to make sure no mysterious processes are running; note the VirusTotal results for all processes therein...)

Do NOT treat the detection as a false positive and allow it through.

devplugin

@mdd1963 Hi, thanks for answering. Of course, I don't want to just take the detection as a false positive and move on, but it's just that I don't seem to be able to get to the bottom of it.

I did the following scans:

  • MS Security (Interestingly enough, it says the following: [screenshot: Windows Security reporting that threats were found], however, if I click on protection history, there's nothing there: [screenshot: empty protection history]. So it seems like Defender found "something", but I can't see what it found?)
  • MS Security Offline scan (Did not get any notifications on reboot though so I assume it didn't find anything)
  • Avast Scan: Did not find anything
  • Malwarebytes (Premium Trial) scan: Did not find anything.
So unfortunately, it doesn't seem like I'm any further than I was before...
And clearly, something must have happened otherwise I would not have received that message yesterday, but no idea how to find out what exactly caused it...
Thank you for your help.

devplugin

@Mandark
You mean my whole Windows installation? I've thought about that too, but it's likely going to be a huge pain with the amount of files etc I have, which I first need to backup, and so on. And if the virus inconspicuously sits in one of my backed up files, then I'll be right back at where I was before the reinstall right away... So I'm hoping to really find out if it's actually malware or a false positive first.

Deleted member 14196

Guest
Look, something just tried to run a PowerShell script to remove your antivirus. That's proof enough that you have something crawling around.

You really should’ve had a backup plan all along so that you don’t run into these problems.

It’s most likely something that you have installed that did this to you like a Codec pack or something like that

devplugin

Look something just tried to run a power shell script to remove your antivirus. That’s proof enough that you have something crawling around
I mean, to be fair, that's just my hypothesis. I'm not sure if that's what actually happened - It's just the way I chose to interpret the message. (And I was hoping someone here would be able to shed some more light on what it "actually" means)
Optimally, I would like to find out which process tried to run that Powershell script, but it's unfortunate since the Avast message did not specify that, and I don't think I have a way of reproducing the warning message.

Would it perhaps be possible to view PowerShell/cmd logs, in order to see which commands were being executed and from where? Or does Windows not log these?

Ralston18

Titan
Moderator
Get-History

Perhaps:

http://woshub.com/powershell-commands-history/

https://blog.itpro.tv/get-history-taking-on-powershell-one-cmdlet-at-a-time-weekly-blog/

https://docs.microsoft.com/en-us/po....core/about/about_history?view=powershell-7.1

The results are dependent on "sessions".

And any complete absence of logs/history could be taken as a sign that something is astray.

Especially if you know that you have run Powershell cmdlets and/or scripts within a session.

I.e., there is a Clear-History cmdlet and someone writing malicious script would certainly try to cover their tracks....
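Get-History only covers the current interactive session, which is why it looks empty on a machine where PowerShell is rarely used. As an added example (not part of Ralston18's reply or any tool mentioned in the thread), the snippet below reads the places where Windows keeps a record of PowerShell activity regardless of session: the "Windows PowerShell" engine-lifecycle events (Event ID 400, written by default, whose HostApplication field holds the command line that started each PowerShell host), the script-block events in the Operational log (Event ID 4104, complete only when Script Block Logging is enabled), and the PSReadLine console history file. It then filters all of them for the script name from the Avast alert. The log names, event IDs and registry path are standard Windows ones; the one-week look-back is an assumption.

```powershell
# Added example: where Windows records PowerShell activity beyond Get-History.
# Run from an elevated PowerShell prompt; nothing here modifies the system.

$Needle = 'UNINSTALLEXCHANGE'     # file name from the Avast alert in the thread
$Since  = (Get-Date).AddDays(-7)   # assumption: look back one week

# 1) Engine lifecycle events (classic "Windows PowerShell" log, Event ID 400).
#    Logged by default. HostApplication is the full command line used to start
#    the host, e.g. "powershell.exe -File C:\...\something.ps1".
$engine = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hostApp = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Source = 'Engine start (400)'; Detail = $hostApp }
    }

# 2) Script block logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104).
#    Full coverage needs Script Block Logging enabled (see note at the end);
#    without it, Windows still writes a subset it considers suspicious at Warning level.
$blocks = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; Source = "Script block (4104) $($data['Path'])"; Detail = $data['ScriptBlockText'] }
    }

# 3) PSReadLine console history. Per user and interactive typing only, so an
#    empty file proves little on a box where nobody types into PowerShell.
$histPath = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
$history = if (Test-Path $histPath) {
    $stamp = (Get-Item $histPath).LastWriteTime
    Get-Content $histPath | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{ Time = $stamp; Source = 'PSReadLine history'; Detail = $_ }
    }
}

$all = @($engine) + @($blocks) + @($history)
"PowerShell records since $Since : $($all.Count)"

$hits = $all | Where-Object { $_.Detail -match $Needle }
if ($hits) { $hits | Sort-Object Time | Format-List } else { "No record mentioning $Needle." }

# If the Operational log has no 4104 events at all (or only Warning-level ones),
# Script Block Logging is off. Turn it on so future activity is captured:
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
#     EnableScriptBlockLogging (DWORD) = 1
# A cleared event log leaves its own trace: System log, Event ID 104.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Two records are worth reading first: any Event ID 400 whose HostApplication names the .ps1 (that is the launching command line the Avast message did not show), and any Event ID 104 around the time of the alert, since an emptied log is the "complete absence" Ralston18 describes.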

devplugin

@Ralston18
Thanks!
If the results are dependent on session, wouldn't it always be empty? Because indeed, I just ran the powershell manually and inputted Get-History, with no output. Inputting the same command again does show that I had just run Get-History. When I close and re-open it, the same happens, i.e. the session only exists for the duration of the process... The history .txt file itself was indeed empty previously though. Now here's the problem though: For my personal usage, I only ever use cmd, never the PowerShell (Even if it has far greater functionality). So technically, the history does have reason for being empty. The question therefore remains whether the message above is a false positive or not...

Ralston18

You may not use Powershell per se but it is certainly possible that a virus or malware could do so.

Avast determined that UNINSTALLEXCHANGE.PS1 contained IDA.ALEXA.53.

So indeed something else occurred that caused Avast to flag the activity. That something else being what called UNINSTALLEXCHANGE.PS1 to begin with.

UNINSTALLEXCHANGE.PS1 was then moved to the Virus Chest, either automatically or by the green button being clicked.

If the UNINSTALLEXCHANGE.PS1 script is hidden, you may be able to find it and/or some other hidden files left behind:

https://www.tutorialspoint.com/how-to-get-hidden-files-and-folders-using-powershell

You could try to find UNINSTALLEXCHANGE.PS1 and change the extension to .TXT.

Then the script could be opened and examined.

= = = =

I decided to poke about and look for scripts that were written to uninstall an Exchange server. Sort of reverse engineering to see what cmdlets, etc. such a script would/could include.

Found a few links but no real scripts per se.

For example:

https://www.thatlazyadmin.com/removing-exchange-2013-mailbox-server-exchange-organization/

Not really helpful other than by the surprising absence of such scripts. System admin folks are always very busy, and any tool/script that can make system maintenance easier and/or faster is likely to be published.

Could be I did not use the correct search criteria. May poke about a bit more as circumstances warrant.

= = = =

However, the immediate problem remained whether or not the Avast message was a false positive. Had a late thought to investigate IDA.ALEXA.53.

From Avast:

https://forum.avast.com/index.php?topic=237825.0

Overall, I do not think that you should consider the warning as a false positive.

In agreement with @mdd1963 and @Mandark that you need to take other AV/malware actions to ensure the system is cleaned, wiped, and reinstalled.

Scan the backup files first as part of the process.
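Ralston18's suggestion is to locate the (possibly hidden) script, rename it to .TXT and read it. The following is an added example, written for this thread rather than taken from it or from Avast, that does the locating and the examining in one pass without running the file. It searches the Avast install tree (the SETUP folder the thread mentions) plus a couple of common drop locations with -Force so hidden files are included, and for each hit records the facts a defender wants before deciding on a false positive: timestamps to correlate with the alert, owner, SHA256 for a VirusTotal lookup, the Zone.Identifier stream (ZoneId=3 means the file came from the internet), and the script text itself. The Avast install paths and the extra search roots are assumptions; the script name comes from the thread.

```powershell
# Added example: find and triage a leftover .ps1 without executing it.
# Assumptions: Avast lives under Program Files; extra roots are common drop dirs.

$Roots = @(
    "$env:ProgramFiles\Avast Software",
    "${env:ProgramFiles(x86)}\Avast Software",
    $env:ProgramData,
    $env:TEMP
)
$Needle = 'UNINSTALLEXCHANGE*'   # from the Avast alert in the thread

# -Force lists hidden and system files; access-denied paths are skipped quietly.
$found = foreach ($root in $Roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like $Needle -or $_.Extension -ieq '.ps1' }
    }
}

if (-not $found) { "Nothing matching $Needle or *.ps1 under the searched roots (Avast may hold the original in the Virus Chest)." }

# Constructs an analyst checks for first when reading an unknown script.
$flagPattern = 'Invoke-Expression|\bIEX\b|FromBase64String|DownloadString|DownloadFile|-EncodedCommand|Set-MpPreference|Uninstall'

foreach ($f in $found) {
    # Get-Content reads the script as plain text; no rename to .TXT is needed
    # and nothing is executed.
    $text = Get-Content -Path $f.FullName -Raw -ErrorAction SilentlyContinue
    $zone = Get-Content -Path $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $flags = if ($text) {
        [regex]::Matches($text, $flagPattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
    }

    [pscustomobject]@{
        Path     = $f.FullName
        Hidden   = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        Created  = $f.CreationTime      # compare with the time of the Avast warning
        Modified = $f.LastWriteTime
        Owner    = (Get-Acl -Path $f.FullName).Owner
        SHA256   = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash   # look up on VirusTotal
        ZoneId   = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -join ''
        Flags    = ($flags -join ', ')
    } | Format-List

    if ($text) {
        "---- first 40 lines of $($f.Name) ----"
        ($text -split "`r?`n") | Select-Object -First 40
    }
}
```

The SHA256 is the value to compare against what Avast reports for the quarantined copy; a hash already known to VirusTotal under the IDA.ALEXA.53 name is the quickest way to settle the false-positive question, and a file whose creation time matches the alert but whose owner is not the Avast service account is the opposite of a false positive.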