A powershell window opened and closed.
I checked Event Logs for Application/Microsoft/Windows/Powershell and I found different events.
I have scriptblock ids, but I do not know what to do with those (No path)
How can I stop powershell deom executing remote commands?
How can I find out where my computer is infected?
Thanks.
the Powershell is actually an app that is running, maybe in Task Scheduler. You can download Autoruns and it will tell you what apps are running at startup and you can narrow it down. https://learn.microsoft.com/en-us/sy...loads/autoruns
I didn't think that any of the built-in PowerShell tasks displayed any form of window.
Is there an entry in Task scheduler's opening screen's Task status section at the time you saw the PS window?
Exactly where were you looking?
At the bottom of the Event viewer window, what does it say for Log name & Source?
Is it this?
Log name - Windows PowerShell
Source - PowerShell (PowerShell)
In each PS event's records, there is a line beginning
HostApplication=
and I think you are saying that there is no file path identified in that entry.
Please look up and down the list to see if there is an entry that identifies a file and path around the time you saw that window.
PowerShell does not, by default, execute remote commands.
This is explained in Change PowerShell Script Execution Policy - TenForumsTutorials
Run a Windows Defender Quick scan.
How to Scan with Windows Defender - TenForumsTutorials
Best of luck,
Denis
I checked Task Scheduler. Could not find any task around that time. (At least a related one, 1 minute before the window opening there was a Vivaldi update task, but this window , and event 4104 happens more than 1 in a day)
In the events I am looking at Applications/Microsoft/Windows/Powershell/Operational
The path I am talking about is in event details at the end:
Event ID 4104 Executing a remote commandCode:ScriptBlock ID: 22f3f871-********* Path:
Log Name : Microsoft-Windows-PowerShell/Operational
Source: PowerShell (Microsoft-Windows-PowerShell)
Execution Policy is undefined for everything.
Currently, I believe, this came from an infected (or infector) USB Stick. It has the characteristics of a virus that hides pretty well.
I will make a full Defender check, as I know that Defender should recognize this as a virus or threat.
OK, I found the log you are looking at. I have several EventID 4104 entries.
They are categorised as Execute a Remote Command but that is incorrect in my case. The entries are created when I run my own PS1 files. I have not yet found any that lack a Path entry.
Yes, that equals Restricted and that prevents remote scripts running [well, any scripts].
I believe that any script trying to override that would have to exist on the local computer. I have not considered that question for years and cannot find any documentation to confirm my belief.
Best of luck,
Denis
This is definitely a virus, trying to connect to chatgigi2.com. (I installed a free trial of an antivirus. - Still doing the Windows Defender Scan)
I checked about the site and about the script , it is a crypto virus related to Vipersoft.
It is using C:{Windows/System32/WindowsPowershell/v1.0/powershell.exe
Apparently, it hides in log files.
I cannot see where it hides from the antivirus (Malwarebytes trial).
Only information is that it uses powershell.exe
Either it came from a link in an email or a USB Stick (Can just speculate at the moment)
I do not see any strange programs or extensions installed.
The scan should reveal hopefully which program or extension is infected.
It is outbound and trying to connect to Cloudfare IP Addresses. (Port 80)
For extra information, this is an unsecured wireless network, which several people has access to router configuration.
The Defender Quick Scan should only have taken a few minutes.
[Its Full scan is something to run after a Quick scan has detected & removed malware. The Full scan seeks out & removes inactive remnants of malware and takes ages.]
If Malwarebytes detected it, couldn't it remove it?
Microsoft Safety Scanner is worth using.
Its log is
i.e.Code:%SYSTEMROOT%\debug\msert.log
Code:C:\Windows\debug\msert.log
Best of luck,
Denis
Malwarebytes just says that it is a trojan and website blocked, but no item in quarantine or removed.
Running a scan on that too. (Apparently malwarebytes scan stopped Defender scan as it registered itself as the antivirus)
Will inform the results.
Thanks.
Defender scans can still be run despite Malwarebytes.
And you can turn off Malwarebytes real-time protection to get back Defender as your normal defence. But there's little point doing that until the problem has been solved.
You can also use Defender offline scan to check for such things as rootkits.
Windows Defender Offline Scan - TenForumsTutorials
Denis
Quote
