
Powershell blinks in Task Manager during startup. Event Viewer confuses me.


Solved by AdvancedSetup

  • Root Admin
  • Solution

Please do the following, @somethingtechn, and we should be able to use this method to track down when and what is calling PowerShell.

 

Setting up Microsoft Sysmon to audit the system to look for unwanted or undesirable objects.

Please note that running Sysmon will cause a small increase in system usage and a small performance hit. Once you are done auditing for undesirable objects you may wish to uninstall Sysmon.

 

[ 1 ]

Make a new folder at the top level of your computer named C:\MONITOR 
 

[ 2 ]

Download the latest version of Sysmon from the official Sysinternals website and save or copy it to the new folder C:\Monitor

Site:  https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
File: https://download.sysinternals.com/files/Sysmon.zip

[ 3 ]

Open the file Sysmon.zip and extract or copy all of the files inside the zip file to the C:\Monitor folder.

[ 4 ]

Click the link below and save the file: "sysmonconfig-export.zip" to the C:\Monitor folder as well

sysmonconfig-export.zip

Then open that file and extract or copy the sysmonconfig-export.xml to the C:\Monitor folder.

The file must be extracted out of the zip file or Sysmon will not install correctly.

Once the configuration file has been extracted, the C:\Monitor folder should look something like the image below

[screenshot: contents of the C:\Monitor folder]

 

[ 5 ]

Click on START, type in CMD.EXE, and when it shows on the menu, right-click it and select "Run as administrator"

Type the following and press the Enter key

CD C:\Monitor

Then type the following and press the Enter key

DIR

You should then see something similar to the following

[screenshot: DIR listing of C:\Monitor]

 

[ 6 ]

Copy and Paste the following to the command prompt window to install Sysmon with the specified configuration file and press the Enter key

sysmon64.exe -accepteula -i sysmonconfig-export.xml

That should produce a similar output as shown below

C:\Monitor>sysmon.exe -accepteula -i sysmonconfig-export.xml


System Monitor v14.14 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2023 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Loading configuration file with schema version 4.50
Sysmon schema version: 4.83
Configuration file validated.
Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.

 

[ 7 ]

Once Sysmon is installed properly, it will create a new event log: Microsoft-Windows-Sysmon/Operational

In the command prompt window type in the following and press the Enter key:  eventvwr

Then click on Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational

That is where Sysmon will store the events it is now tracking.

[screenshot: Event Viewer showing Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational]

 

Restart the computer now

 

Then monitor the Sysmon event log for any undesirable actions.

 

To uninstall Sysmon once completed, please do the following

Click on START, type in CMD.EXE, and when it shows on the menu, right-click it and select "Run as administrator"

Type the following and press the Enter key

CD C:\Monitor

Then type the following and press the Enter key

sysmon64.exe -u

If there is an error or it refuses to uninstall then use the following

sysmon64.exe -u force

 

 

 

 

Edited by AdvancedSetup
Updated information
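As an added example (not part of the original post, and not a Sysinternals tool), here are the steps above done from an elevated PowerShell prompt instead of cmd.exe, followed by the query a practitioner would run instead of scrolling through Event Viewer: pull every Process Create record (Sysmon Event ID 1) for powershell.exe or pwsh.exe and group it by the parent that launched it. It assumes Sysmon.zip and sysmonconfig-export.xml are already extracted into C:\Monitor as in steps 1 to 4, that the 64-bit installer registers a service named Sysmon64, and the function name Get-PowerShellLaunch is my own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumes C:\Monitor holds sysmon64.exe and sysmonconfig-export.xml (steps 1-4).
$Monitor = 'C:\Monitor'
$Config  = Join-Path $Monitor 'sysmonconfig-export.xml'
$LogName = 'Microsoft-Windows-Sysmon/Operational'

# Step 6: install the driver and service. Skipped if the service is already present
# (assumption: the 64-bit installer registers the service as "Sysmon64").
if (-not (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue)) {
    & (Join-Path $Monitor 'sysmon64.exe') -accepteula -i $Config
}

# Step 7: read Event ID 1 (Process Create) from the Sysmon log and keep only the
# PowerShell launches. Sysmon stores each field as a <Data Name="..."> element, so
# parse the event XML instead of the rendered message text shown in Event Viewer.
function Get-PowerShellLaunch {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            # Ignore the console this script itself is running in.
            if ($d.Image -match '\\(powershell|pwsh)\.exe$' -and [int]$d.ProcessId -ne $PID) {
                [pscustomobject]@{
                    UtcTime     = $d.UtcTime
                    User        = $d.User
                    ParentImage = $d.ParentImage
                    CommandLine = $d.CommandLine
                }
            }
        }
}

$launches = Get-PowerShellLaunch

# Which parents start PowerShell, and how often: a Lenovo service showing up once
# per boot looks very different from an unknown binary firing every few minutes.
$launches | Group-Object ParentImage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail for each launch, including the command line passed to PowerShell.
$launches | Format-List
```

Reboot after the install so the startup launch is captured, then run the two queries again; the uninstall is still sysmon64.exe -u (or -u force) as described above.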

I believe I've spotted the culprit! Here's what I'm seeing through Sysmon. It matches the PowerShell command still being run.


Process Create:
RuleName: -
UtcTime: 2023-03-08 10:10:26.581
ProcessGuid: {Random letters and numbers.}
ProcessId: 7096
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
FileVersion: 10.0.19041.546 (WinBuild.160101.0800)
Description: Windows PowerShell
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: PowerShell.EXE
CommandLine: "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\Random letters and numbers
CurrentDirectory: C:\WINDOWS\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {Random letters and numbers.}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=Random letters and numbers, IMPHASH=Random letters and numbers
ParentProcessGuid: {Random letters and numbers.}
ParentProcessId: 4960
ParentImage: C:\Windows\System32\drivers\Lenovo\udc\Service\UDClientService.exe
ParentCommandLine: "C:\WINDOWS\System32\drivers\Lenovo\udc\Service\UDClientService.exe"
ParentUser: NT AUTHORITY\SYSTEM

Should I assume this is just standard Lenovo stuff?


  • Root Admin

Yes, this is a valid file being used by Lenovo.

https://www.systemlookup.com/O23/8687-UDClientService_exe.html

You should be able to uninstall SYSMON now and remove the folder and files if you like.

 

To uninstall Sysmon once completed, please do the following

Click on START, type in CMD.EXE, and when it shows on the menu, right-click it and select "Run as administrator"

Type the following and press the Enter key

CD C:\Monitor

Then type the following and press the Enter key

sysmon64.exe -u

If there is an error or it refuses to uninstall then use the following

sysmon64.exe -u force

 

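The question raised in this post, whether the parent shown in the Sysmon record is legitimate, can also be checked on the machine itself rather than by file name alone. The following is an added example, not part of the thread: given the ParentImage path from a Sysmon Event ID 1 record, it reports the file's Authenticode signature and signer, its SHA256, and whether a registered Windows service points at that binary and starts automatically (which is what would explain a launch at boot). The Lenovo path is the one from the record above; the function name Test-ParentImage is my own.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt.
function Test-ParentImage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # Signature status is the primary evidence: Valid with the expected vendor as
    # signer, versus NotSigned or HashMismatch (file altered after signing).
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # A service binary should be registered as a service. Service PathName values are
    # either "quoted path" followed by arguments, or an unquoted path up to the first
    # space, so extract the executable before comparing.
    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object {
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($_.PathName -split ' ')[0] }
        $exe -ieq $Path
    } | Select-Object -First 1

    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        SignatureStatus = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject # null when unsigned
        SHA256          = $hash
        ServiceName     = $svc.Name                      # null if no service points here
        StartMode       = $svc.StartMode                 # Auto accounts for a launch at boot
    }
}

# The ParentImage from the Sysmon record posted above.
Test-ParentImage -Path 'C:\Windows\System32\drivers\Lenovo\udc\Service\UDClientService.exe' |
    Format-List
```

A Valid signature from the expected vendor, a file sitting under that vendor's own directory, and a service with StartMode Auto pointing at it together account for a PowerShell launch at every boot. NotSigned, HashMismatch, or no service referencing the file would be a reason to keep Sysmon running and dig further rather than uninstall it.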

  • Root Admin

Yep, all seems okay at this time. @somethingtechn

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.