I dont often have weird things going on with my pc, but this time something is bothering me

it started with this powershell window (i think) opening up and closing suddenly like a flash every 10 or 15 min.

So i thought maybe something was scheduled, i went to scheduler and sure i found something, it went under the name of:
Name: Wexlx
Location: \
Trigger: to be run every 10 minutes when started - activated
Action: Start a program.
Info: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Wexlx\).Jliadf)).EntryPoint.Invoke($Null,$Null)


So I went to regeditor and there is this "Wexlx", under "HKEY_CURRENT _USER" - "SOFTWARE" with two entries:

Name (Standard) Type: REG_SZ (NO VALUE)
Name Jliadf Type: REG_EXPAND_SZ

(inside Jliadf there is a long ass string i found it easier to capture screen)



Any clue of what this can be?

 

Last edited: Dec 30, 2021

The photo is not displayed. Do you have a few pictures?

 

Seems like adware or spyware or crytobot, comes with any crack keygen, uninstall if you've installed any program from unknown source recently and restore from restore point...

I always disable powershell and use CLI with admin right instead since Wannacry malware was spread

 

normally with windows junk like this, the real trick in removal is getting the program to not execute at startup. Otherwise you would be able to delete any malicious files. Once it is loaded at startup you cannot.

Say this one creates a registry entry. Alot of times the author knows you will find this, and then also writes lines into your win.ini, system.ini, and other places. You have to get rid of any reference which launches the app into memory.

 

Take this one: adwcleaner

Free Download Malwarebytes AdwCleaner 8 full version standalone offline installer for Windows PC, the world’s most popular adware cleaner, finds and removes unwanted programs and junkware. Hence, your online experience stays optimal and hassle-free.

https://filecr.com/windows/malwarebytes-adwcleaner/?id=6225444086

 

No I don't but a simple system restore should fit it.

Sorry to step on your toes a bit with the system restore suggestion. I hadn't seen your post yet when typing mine.

 

thanks for the heads-up, the task was created on Christmas eve and i didn't even used the pc around those days, but it was turned on.

the latest two programs with potential risk are a free eq for OBS called "Blue Cats Triple Eq", and dumb enough a @ffinity ph@hoto and designer (i needed to test something) one with a regular gen and the other with a fake gen of some sort, i thought i had stopped it in time and cleaned it up, but it could be that is still present. or the eq.

Other than that i havent installed anything but updated to legit software for a very long time.

 

https://www.alltomwindows.se/topic/31804-wexlx-kör-powershell-med-jämna-mellanrum/

This guy in this Swedish forum had the same problem as you. The post is 5 days ago. He is into film related stuff, so from logic I assume that he would use something like that for his film related stuff. I suspect that the Affinity Photo and Designer is your culprit.

 

very observant of you to notice he worked with video too! it must be related.

and that there is no other record of this but that is interesting, i wonder wtf this can be that created an entry in the registry without any other record, HKCU:\Software\Wexlx\).Jliadf, besides the scheduled task..

to bad registry entries dont point to any location in the system

 

Last edited: Dec 30, 2021

No it's okay rather i should be thanking you as i have forgotten about sylenth, after seeing your name i can recall the last one i downloaded was in the end part of 2016 from AoN, i now will update my sylenth, haven't used that for a long time

Hmm such nonsense are very sticky once installed you can't get rid of them easily at all...

Is your OS, host file, browser extensions, registries are clean ???

Correct, another one is desktop.ini, everytime i delete it comes back again in many places, can you tell me how to delete .ini and .macosx files permanently ???

 

You're very welcome..,Glad to be of assistance.

 

well, have been doing some research scanning, cleaning and deleting.

shows that "auslogics duplicate file finder" was causing some problems and probably some miner activity of some sort.

i deactivated suspect auto-runs and deleted registry entries like "Wexlx", and it seems it was targeting powershell, to what purpose? unkown.

but i got rid of the problem. no more freezing powershell popping up so far

 

This sounds a lot like malware. This line is converting that long string in the registry into a file and then loading (as a .dll) or executing it.

Base64 is way to convert and then write binary data (like files) in a text format. It's used in web programming for instance.

As long you delete that fucker entry you should be good. Well done explaining your problem, you did your homework.

 

Last edited: Dec 30, 2021

Do you still have that base64 entry from your picture?
Would be nice to see what's inside. If yes, please send it to me.

 

I already feel bad for that Windows virtual machine...

 

wow, thanks Xupito, didnt know you had this insight. i really wanted to know what that meant/did but i thought there was no point in asking here, i thought wrong thought hehe

you mean the one in the registry? i cant copy the string. if it doenst simply end like in the picture i posted earlier, it ends in those dots .... but maybe its just because the string is too long?

 

Last edited: Dec 30, 2021

btw i could export it! i uploaded it here as a text file, is that ok?

https://filebin.net/gh4ggjatstqm066s

 

Ye, thats fine. While decoding, I immediately got a malware popup from my Antivirus.
Will take a deeper look. I hope you already deleted that key from the registry because indeed
it's an executable malware translated to base64.
The Powershell script most likely decodes that code into its executable form and runs it.

Here are the scan results for that file:
https://www.virustotal.com/gui/file...ba9e39a16ae6a27ffdfb943409557a22837/detection

 

Last edited: Dec 30, 2021

It's only normal. First productive shit I say here in years

There's some really talented people when it comes to computers here, more than me. @r4e is one of them. I still remember that custom installer GUI for EzKeys man!!

 

Last edited: Dec 31, 2021

Hey, you could delete that desktop.ini billion times it will always come back. Has a simple reason.

"The desktop. ini file is a hidden file used to store information about the arrangement of a Windows folder. Essentially, if the layout or settings for a folder are changed, a desktop. ini file is automatically generated to save those changes."

So to answer your question, no you can't delete this files permanent, it is a necessary part of windows

 

Last edited: Jan 6, 2022