Concrete signature match: PUA for 32-bit Windows platform, family Presenoker
PUA:Win32/Presenoker is a Potentially Unwanted Application, typically adware, that injects unwanted advertisements and may modify browser settings. It establishes persistence by creating scheduled tasks and uses system tools like PowerShell and BITS to download additional components or ad-related content from command-and-control servers.
Relevant strings associated with this threat:
- #http://adplus.chlbiz.com/adplus-api (PEHSTR)
- http://pdapi.znyshurufa.com/city (PEHSTR)
- Goooooooooogle.UserControl1 (PEHSTR)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Associated sample hash: 86f257f7a37ebefcd51e76a9c8eb188e8834a1f6cacf0d7d61ebfa1fad3045bd

Quarantine the detected file using your antivirus software. Review and remove any suspicious scheduled tasks in Task Scheduler. Check browser extensions and reset browser settings to default. Run a full system scan to find any related components.