Remove a PowerShell Script

create share 676 Reputation points
2023-04-06T22:31:59.8166667+00:00

Hi, I have a suspicious PowerShell command running under Windows 2012, shown by Task Manager, that is trying to reach an IP address on the internet, but I cannot find where it exists in the system. How can I detach or remove the command attached to the PowerShell script? PowerShell version 1. Thanks.

Tags: Windows for business, Windows Server, User experience, PowerShell

3 answers

  1. Rich Matheisen 47,901 Reputation points
    2023-04-07T01:49:34.5633333+00:00

    If you know the process id you can get the command line like this (start PowerShell with "Run as Administrator"):

    Get-WmiObject Win32_Process -Filter "processid = '16540'" | Select-Object CommandLine

    That should return something like this:

    CommandLine
    -----------
    "C:\WINDOWS\system32\notepad.exe" c:\junk\1.csv

    A good place to look for what's running the process would be the Task Scheduler.

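    The answer above stops at the command line of one PID. The script below is an added example (not code from the answer or from Microsoft) that takes the same starting point, the PID from Task Manager, and also walks the parent process chain (to see what launched powershell.exe), decodes any -EncodedCommand payload to readable text, and lists the TCP connections the process owns, since the question says it is reaching an internet address. It assumes an elevated PowerShell 3.0 or later session (Windows Server 2012 ships 3.0) and that the NetTCPIP module's Get-NetTCPConnection is available; if it is not, `netstat -ano` gives the same PID-to-connection mapping.

```powershell
# Added example (not code from the original answer). Given the PID of the
# suspicious powershell.exe, show its command line, the chain of parent
# processes that launched it, any -EncodedCommand payload decoded to plain
# text, and the TCP connections it owns. Assumes an elevated PowerShell 3.0+
# session (Windows Server 2012 ships 3.0) with the NetTCPIP module present.
param(
    [Parameter(Mandatory = $true)]
    [int]$ProcessId        # PID as shown in Task Manager, e.g. 16540 in the answer above
)

function Get-ProcessChain {
    # Walk Win32_Process.ParentProcessId upward; stops when a parent is gone.
    # PIDs are reused, so the chain above a dead parent may be misleading.
    param([int]$Id)
    $chain = @()
    $seen  = @{}
    while ($Id -gt 0 -and -not $seen.ContainsKey($Id)) {
        $seen[$Id] = $true
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $Id" -ErrorAction SilentlyContinue
        if (-not $p) { break }
        $chain += [PSCustomObject]@{
            ProcessId   = $p.ProcessId
            Parent      = $p.ParentProcessId
            Name        = $p.Name
            CommandLine = $p.CommandLine
        }
        $Id = $p.ParentProcessId
    }
    $chain
}

function ConvertFrom-EncodedCommand {
    # powershell.exe -EncodedCommand (also -e, -ec, -enc) takes Base64 of UTF-16LE text.
    param([string]$CommandLine)
    if ($CommandLine -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
        } catch {
            return "<-EncodedCommand present but not valid Base64>"
        }
    }
    $null
}

$chain = @(Get-ProcessChain -Id $ProcessId)
if (-not $chain) { Write-Warning "No process with PID $ProcessId"; return }

"== Launch chain (child first) =="
$chain | Format-Table ProcessId, Parent, Name, CommandLine -AutoSize -Wrap

$decoded = ConvertFrom-EncodedCommand -CommandLine $chain[0].CommandLine
if ($decoded) {
    "== Decoded -EncodedCommand payload =="
    $decoded
}

"== TCP connections owned by PID $ProcessId =="
Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize
```

    Save it as, say, Inspect-Pid.ps1 and run `.\Inspect-Pid.ps1 -ProcessId 16540`. The parent at the top of the chain (taskeng.exe or svchost.exe for a scheduled task, services.exe for a service, explorer.exe for a Run key) tells you which persistence mechanism to look in next. Record the output before killing the process, because the command line and connection list are the evidence you will need afterwards.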

  2. create share 676 Reputation points
    2023-04-07T20:46:49.0833333+00:00

    I was able to find the command attached to the PowerShell before posting here, but I don't know how to detach it from PowerShell because, instead of running any file, it is running some code that is trying to access an infected website. Thanks.


  3. Rich Matheisen 47,901 Reputation points
    2023-04-11T19:12:30.2733333+00:00

    Try running this and see if it turns up anything:

    Get-ScheduledTask |
        ForEach-Object {
            # Export-ScheduledTask returns the task definition as an XML string
            $xml = [xml](Export-ScheduledTask -TaskPath $_.TaskPath -TaskName $_.TaskName)
            # Report tasks whose action runs Windows PowerShell or PowerShell 7
            if ($xml.Task.Actions.Exec.Command -like "*powershell.exe*" -or
                $xml.Task.Actions.Exec.Command -like "*pwsh.exe*") {
                [PSCustomObject]@{
                    TaskPath  = $_.TaskPath
                    TaskName  = $_.TaskName
                    Command   = $xml.Task.Actions.Exec.Command
                    Arguments = $xml.Task.Actions.Exec.Arguments
                }
            }
        }
    
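    The scheduled task check above is one of several places a PowerShell launcher can hide. The script below is an added example (not code from the answer or from Microsoft) that generalizes it: it inspects every Exec action of every task (a task can have more than one), and also checks the Run/RunOnce registry keys, service image paths and WMI permanent event consumers, which are the other common locations. It assumes an elevated PowerShell 3.0 or later session on Windows Server 2012; the task and key names in the commented removal step at the end are hypothetical placeholders.

```powershell
# Added example (not part of the original answer). Enumerate the usual
# persistence locations for a PowerShell launcher. Generalizes the scheduled
# task check to every Exec action of every task, and also looks at Run/RunOnce
# keys, service image paths and WMI permanent event consumers.
# Run elevated on PowerShell 3.0+ (Windows Server 2012).
$pattern = 'powershell(?:\.exe)?|pwsh(?:\.exe)?'

function Find-PowerShellScheduledTasks {
    foreach ($task in Get-ScheduledTask) {
        # Export-ScheduledTask returns the task definition as an XML string.
        $xmlText = Export-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName -ErrorAction SilentlyContinue
        if (-not $xmlText) { continue }
        $xml = [xml]$xmlText
        # Actions may hold several Exec elements (or none, for COM handler actions).
        foreach ($exec in @($xml.Task.Actions.Exec | Where-Object { $_ })) {
            $line = "$($exec.Command) $($exec.Arguments)"
            if ($line -match $pattern) {
                [PSCustomObject]@{ Source = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Command = $line }
            }
        }
    }
}

function Find-PowerShellRunKeys {
    # HKCU covers only the account running this script; other users' hives live under HKU.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # provider metadata, not registry values
            if ("$($prop.Value)" -match $pattern) {
                [PSCustomObject]@{ Source = 'RunKey'; Location = "$key\$($prop.Name)"; Command = $prop.Value }
            }
        }
    }
}

function Find-PowerShellServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $pattern } |
        ForEach-Object { [PSCustomObject]@{ Source = 'Service'; Location = $_.Name; Command = $_.PathName } }
}

function Find-PowerShellWmiConsumers {
    # Permanent WMI subscriptions survive reboots and do not show up in Task Scheduler.
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { "$($_.ExecutablePath) $($_.CommandLineTemplate)" -match $pattern } |
        ForEach-Object { [PSCustomObject]@{ Source = 'WmiConsumer'; Location = $_.Name; Command = $_.CommandLineTemplate } }
}

$findings = @(Find-PowerShellScheduledTasks) + @(Find-PowerShellRunKeys) +
            @(Find-PowerShellServices) + @(Find-PowerShellWmiConsumers)

if ($findings) { $findings | Format-Table Source, Location, Command -AutoSize -Wrap }
else           { 'No PowerShell launchers found in scheduled tasks, Run keys, services or WMI consumers.' }

# Removal, only after a finding is confirmed malicious. Keep the definition as
# evidence first. Hypothetical names; substitute what the table above shows.
#   Export-ScheduledTask -TaskPath '\' -TaskName 'Updater' | Out-File C:\evidence\Updater.xml
#   Unregister-ScheduledTask -TaskPath '\' -TaskName 'Updater' -Confirm:$false
#   Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater'
#   Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -Filter "Name='Updater'" | Remove-CimInstance
```

    Expect legitimate hits: Microsoft and third-party software register PowerShell tasks too, so judge each finding by its Arguments (download cradles, -EncodedCommand, -WindowStyle Hidden, -ExecutionPolicy Bypass) and by the binary it points at, not by the presence of powershell.exe alone. Removing the launcher stops it from coming back; the running process still has to be stopped, and the script body it downloads may also have been dropped elsewhere on disk.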
