Jump to content

Powershell.exe command running at startup


Recommended Posts

I noticed from CCleaner that I have two entries that execute a command from powershell when the PC starts up. In addition, for some time I have had a temporary loss of CPU efficiency as well as temporary connection drops (the provider says there are no network problems). 
I guess it's some kind of malware. 

Thanks for your time

Immagine 2021-06-23 155946.png

Link to post
Share on other sites

Hello eiger and welcome to Malwarebytes,

Disable smart screen if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....

Next,

Lets grab some logs and see whats going on, continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 4 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts.

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Open Malwarebytes
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English

 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

Hello eiger,

Did you also run AdwCleaner..? can I see that log please. Logs are saved here: C\:AdwCleaner\Logs

Continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

Hello eiger,

Thanks for the update, there was no definite malware or infection showing in your FRST logs. Context menu section results are white listed in FRST, the ones you thought as suspicious did not show in your logs. Fix list was general system clean up and remnant clear out...

Thank you,

Kevin.

Link to post
Share on other sites

Hi Kevin,

So I've tested all day and the problem is still here. I have these random lag spikes during playing games, peaking 1180ms. There is no problem with my connection (i've already contacted the provider, the line is fine) and the wi-fi range is fine. So I think there is something inside the machine, like a cryptominer o something like that. 

Can we do something else?

Thanks 

Link to post
Share on other sites

Hiya eiger,

From the logs we`ve seen there are no indications of Malware or Infection, continue with the following indepth AV scan:

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thank you,

Kevin...

 

 

Link to post
Share on other sites

Hi Kevin, sorry for the delay.

So, the sophos scan didn't find any threats, like the first one we did. 

I've done a scan using malwarebytes and here are the results (translated):

Malwarebytes
www.malwarebytes.com

-Log details
Scan date: 27/06/21
Scan time: 18:13
Log file: 8c78847c-d762-11eb-89fe-00000000.json

-Software information-
Version: 4.4.0.117
Component version: 1.0.1344
Update package version: 1.0.42331
License: Free

-System Info-
OS: Windows 10 (Build 19041.1052)
CPU: x64
File system: NTFS
User: Howitzer

-Scan Summary
Scan type: Scan for malicious items
Scan initiated by: Manual
Results: Completed
Items scanned: 344851
Threats detected: 1
Quarantined Threats: 1
Time taken: 5 min, 47 sec

-Scanning Options
Memory: Enabled
Automatic executions: Enabled
File System: Enabled
Compressed archives: Enabled
Rootkits: Enabled
Heuristic Analysis: Enabled
PUP: Detect
PUM (Potentially Unwanted Change): Detect

-Scan Details
Process: 0
(No malicious element detected)

Module: 0
(No harmful elements detected)

Register key: 0
(No harmful elements detected)

Register value: 0
(No harmful elements detected)

Log data: 0
(No harmful elements detected)

Data Stream: 0
(No harmful elements detected)

Folder: 0
(No harmful elements detected)

File: 1
Malware.Heuristic.1001, C:\USERS\EIGER\APPDATA\LOCAL\TEMP\4C4657DE-36FB-4DC1-A791-430F5E57770D.TMP.NODE, Quarantined, 1000001, 0, 1.0. 42331, 0000000000000003E9, dds, 01308373, 06B03BDE81EFAA9871D9EB1C87E008C4, 83ECC413E3078806FF3D6A112779BE1D4F6C67840E071A6EEDA857F38973A890

Physical sector: 0
(No harmful elements detected)

WMI: 0
(No harmful elements detected)


(end)

This isn't the first time i find this type of anomaly. 

Link to post
Share on other sites

Hiya eiger,

Do you know which software you open when Malwarebytes flags the entry you`ve listed, it may not be malicious. Open the following link:

https://forums.malwarebytes.com/topic/273935-detection-coming-from-tmpnode-files-from-appdatalocaltemp/

That issue seems to be linked to Unity hub. I`ve also seen Companion app listed and Brave browser listed creating such files...

Thanks,

Kevin..

Link to post
Share on other sites

<<remarks>>  If I may, @eiger  

If you would do this inquiry-run, it might help to see what the remaining "source-issue" is all about.

Farbar Recovery Scan Tool Inquiry
(  by whatever name you have for the FRST program, run it to do this Inquiry )

  • Right click on the FRSTENGLISH icon and select Run as administrator
  • Highlight ALL the lines below in the codebox ( AS-IS )  then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST will do it for you 
  •  
start::
exportkey: hkcu\software\classes\ms-settings\shell\open\command
cmd: bitsadmin /list /allusers
end::

Next, press the FIX button on the FRST window.

Once it has completed, Attach the FIXLOG.txt  file with your next reply.

 

Link to post
Share on other sites

On 6/28/2021 at 3:13 AM, eiger said:

File: 1
Malware.Heuristic.1001, C:\USERS\EIGER\APPDATA\LOCAL\TEMP\4C4657DE-36FB-4DC1-A791-430F5E57770D.TMP.NODE, Quarantined, 1000001, 0, 1.0. 42331, 0000000000000003E9, dds, 01308373, 06B03BDE81EFAA9871D9EB1C87E008C4, 83ECC413E3078806FF3D6A112779BE1D4F6C67840E071A6EEDA857F38973A890

This item is a false positive more than likely.

Do you have "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security> Scan option.

This is normally disabled by default.

FYI. This setting is in the experimental stage.

That setting is to detect malformed files but sometimes legit files use protection that make them malformed. Malwarebytes is still tweaking the algorithms that is why it’s off by default. If you switch it on it is assumed, you are able to tell the difference between a FP and a legit detection. 

And if you keep it on, I suggest also turn off auto quarantine. Gives you the time to report FP's and not go thru the extra step to have to restore from quarantine.

Please turn off "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security> Scan option to avoid these detections

Edited by Porthos
  • Thanks 1
Link to post
Share on other sites

@miekiemoes will you comment on this thread please, the following file has been flagged by Malwarebytes:

Malware.Heuristic.1001, C:\USERS\EIGER\APPDATA\LOCAL\TEMP\4C4657DE-36FB-4DC1-A791-430F5E57770D.TMP.NODE, Quarantined, 1000001, 0, 1.0. 42331, 0000000000000003E9, dds, 01308373, 06B03BDE81EFAA9871D9EB1C87E008C4, 83ECC413E3078806FF3D6A112779BE1D4F6C67840E071A6EEDA857F38973A890

You made a comment to a similar thread intimating a false positive:

https://forums.malwarebytes.com/topic/273935-detection-coming-from-tmpnode-files-from-appdatalocaltemp/

It would seem a shame if the thread starter would make a format and reinstall of windows for want of an explanation...

Regards,

Kevin...

 

  • Like 1
Link to post
Share on other sites

On 6/29/2021 at 6:30 PM, Maurice Naggar said:

<<remarks>>  If I may, @eiger  

If you would do this inquiry-run, it might help to see what the remaining "source-issue" is all about.

Farbar Recovery Scan Tool Inquiry
(  by whatever name you have for the FRST program, run it to do this Inquiry )

  • Right click on the FRSTENGLISH icon and select Run as administrator
  • Highlight ALL the lines below in the codebox ( AS-IS )  then hit the Ctrl + C keys at the same time and the text will be copied
  • There is no need to paste the information anywhere, FRST will do it for you 
  •  

start::
exportkey: hkcu\software\classes\ms-settings\shell\open\command
cmd: bitsadmin /list /allusers
end::

Next, press the FIX button on the FRST window.

Once it has completed, Attach the FIXLOG.txt  file with your next reply.

 

Hi Maurice,

This is the result. 

On 6/29/2021 at 6:52 PM, Porthos said:

This item is a false positive more than likely.

Do you have "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security> Scan option.

This is normally disabled by default.

FYI. This setting is in the experimental stage.

That setting is to detect malformed files but sometimes legit files use protection that make them malformed. Malwarebytes is still tweaking the algorithms that is why it’s off by default. If you switch it on it is assumed, you are able to tell the difference between a FP and a legit detection. 

And if you keep it on, I suggest also turn off auto quarantine. Gives you the time to report FP's and not go thru the extra step to have to restore from quarantine.

Please turn off "Use expert system algorithms to identify malicious files" enabled? It is located in Settings > Security> Scan option to avoid these detections

Yes, I have that option enabled. Now it's disabled.

Fixlog2.txt

Link to post
Share on other sites

  • 4 weeks later...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.