Windows 10: Malware calling powershell.exe for 'http://rotf.lol/mh8y7k4d'

Discuss and support Malware calling powershell.exe for 'http://rotf.lol/mh8y7k4d' in Windows 10 Software and Apps to solve the problem; ESET antivirus advises me of a blocked site 'http://rotf.lol/mh8y7k4d'. Looking at the events: <Event... Discussion in 'Windows 10 Software and Apps' started by GillesSvr, Jun 13, 2022.

  1. GillesSvr Win User

    Malware calling powershell.exe for 'http://rotf.lol/mh8y7k4d'


    ESET antivirus advises me of a blocked site 'http://rotf.lol/mh8y7k4d'. Looking at the events:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="PowerShell" />
        <EventID Qualifiers="0">600</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>6</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2022-06-13T09:23:02.2867334Z" />
        <EventRecordID>7863</EventRec

    :)
     
    GillesSvr, Jun 13, 2022
    #1
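    The event pasted above is PowerShell "provider started" event 600 from the classic Windows PowerShell log; its message carries a HostApplication line with the full powershell.exe command line, which is where a URL handed to PowerShell shows up. The script below is added here as an example and is not from the original thread: it pulls the recent 600 events, decodes a -EncodedCommand argument when one is present, and lists the events whose command line contains a URL so the ESET alert can be matched to the launching process and time. The log name, event ID, look-back window and URL pattern are assumptions; run it elevated.

```powershell
# Added example, not from the original thread: list recent "Provider started" events (ID 600)
# from the classic Windows PowerShell log whose HostApplication command line carries a URL,
# so an AV "blocked site" alert can be tied to the process and time that launched it.
# Log name, event ID, look-back window and pattern below are assumptions of this example.
param(
    [string]$LogName  = 'Windows PowerShell',
    [int]   $EventId  = 600,
    [int]   $LastDays = 7,
    [string]$Pattern  = 'https?://\S+'   # narrow to a known host, e.g. 'rotf\.lol', once you have one
)

# Decode a -EncodedCommand argument (base64 of UTF-16LE) when one is present, so a URL
# is visible even if it was passed inside an encoded script block.
function Expand-EncodedCommand([string]$CommandLine) {
    $m = [regex]::Match($CommandLine, '(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $CommandLine }
    try {
        $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
        return "$CommandLine  [decoded: $decoded]"
    } catch { return $CommandLine }   # not valid base64: show the raw command line
}

$filter = @{ LogName = $LogName; Id = $EventId; StartTime = (Get-Date).AddDays(-$LastDays) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $e = $_
    if (-not $e.Message) { return }
    # Event 600 messages are key=value lines; HostApplication holds the full command line.
    $line = $e.Message -split "`r?`n" |
        Where-Object { $_ -match '^\s*HostApplication=' } |
        Select-Object -First 1
    if (-not $line) { return }
    $cmd = Expand-EncodedCommand ($line -replace '^\s*HostApplication=', '')
    if ($cmd -match $Pattern) {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            RecordId = $e.RecordId
            Url      = $Matches[0]
            Command  = $cmd
        }
    }
} | Sort-Object Time | Format-List
```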

  2. Remove .exe files caused by malware

    You may do it easily with PowerShell. Try opening Windows PowerShell as administrator and type the following:

    # Delete every .exe under f:\malware, including subfolders (-Include needs a wildcard such as *.exe)
    Remove-Item -Path f:\malware\* -Include *.exe -Recurse

    In f:\malware\* put the name of the drive and folder; * means all subfolders within the malware folder. If you want it for the whole drive you may write something like f:\*, and -Include *.exe will remove all files with the .exe extension.
     
    Cyber_Defend_Team, Jun 13, 2022
    #2
  3. Malware tprdpw64.exe after installing 7zip

    Thank you for the reply and the suggestions. However, neither link provided a working solution. I followed each set of instructions step by step, to the T, but the viruses are still there.

    I killed the processes with Rkill as instructed, and it found and ended the malware process `tprdpw64.exe`. It did nothing, however, about the adware `svcvmx` & `svcvmx client` processes. After doing so I downloaded and installed Zemana, as instructed, and let it do a full system scan. Might I add that this took over 10 hours to complete, as I have 1,396,541 files on my PC, so this whole thing wasted nearly half a day of my time with no results.

    Zemana detected the malware virus `tprdpw64.exe` located at "C:\WINDOWS\System32\tprdpw64.exe" (among other, smaller "threats"), and labeled it as malware. After it finished the scan, it said it had placed all files into quarantine, including `tprdpw64.exe`. However, when checking the quarantine list, `tprdpw64.exe` is not listed. I then decided to have Zemana remove the files in the quarantine list from my system and then rebooted my PC. It removed them all successfully, except for `tprdpw64.exe`, which is still on my system and still runs (I can still see it in Task Manager after rebooting). So the 10+ hours of waiting were all for nothing.

    I then used Zemana's "drag-and-drop" feature to re-scan just `tprdpw64.exe` (in order to not have to wait 10+ hours again). It scanned it, and now says the file is not a threat (but it clearly is).

    I then proceeded to step 2, using AdwCleaner to remove the adware. This did not work in the slightest. AdwCleaner did not detect the adware virus at all, and thus did nothing about it. I still cannot remove the viruses manually, either. However, for some reason, the adware `svcvmx` & `svcvmx client` processes no longer seem to run (my PC has been on for about an hour, and the processes have yet to start up). Even so, the files are still on my file system and I would like to delete them.

    EDIT

    I have just searched my registry, looking for any possible signs of tprdpw64 being listed, and there was nothing there.
     
    Jon Barrow, Jun 13, 2022
    #3
  4. Mark Isi Win User

    Malware calling powershell.exe for 'http://rotf.lol/mh8y7k4d'

    PowerShell randomly popping up in the toolbar

    Hello,

    Just to verify, do you have any scheduled tasks that use PowerShell? Scheduled tasks make the PowerShell window appear periodically on your computer, therefore we suggest that you check the Task Scheduler. Here are the steps:

    • Click on Start.
    • In the search bar, type Task Scheduler and click on Task Scheduler in the results.
    • Under Active Tasks, check for any tasks that use PowerShell and the scheduled time.

    If the issue still persists, we suggest that you run a Windows Defender scan to see if it will pick up any malware that the first scan missed.

    Let us know the outcome.
     
    Mark Isi, Jun 13, 2022
    #4
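    A console version of the Task Scheduler check suggested above, added here as an example and not part of the original thread: it lists every scheduled task whose action starts PowerShell (directly, or via another launcher with PowerShell named in the arguments), with the account it runs as, its trigger types and last/next run time, and flags launch switches that are worth a second look. The list of flagged switches is an assumption of this example, not an indicator from the thread; run it elevated to see tasks from all users.

```powershell
# Added example, not from the original thread: enumerate scheduled tasks that launch
# PowerShell and show who runs them, their triggers and run times, a scripted version of
# the "check Task Scheduler" step. The "suspect" switch list is an assumption of this
# example, not an indicator from the thread. Run elevated to see tasks from all users.
$pwshExe     = 'powershell.exe', 'pwsh.exe', 'powershell', 'pwsh'
$suspectArgs = '(?i)-(?:w(?:indowstyle)?\s+hidden|e(?:c|nc|ncodedcommand)?\s|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # COM-handler actions have no executable
        $exe      = [IO.Path]::GetFileName($action.Execute.Trim('"').ToLower())
        $taskArgs = [string]$action.Arguments
        # Match a direct PowerShell launch, or a launcher (e.g. cmd.exe) that names it in the arguments.
        $usesPwsh = ($pwshExe -contains $exe) -or
                    ($taskArgs -match '(?i)\bpowershell(\.exe)?\b|\bpwsh(\.exe)?\b')
        if (-not $usesPwsh) { continue }

        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task        = $task.TaskPath + $task.TaskName
            State       = $task.State
            Author      = $task.Author
            RunAs       = $task.Principal.UserId
            Execute     = $action.Execute
            Arguments   = $taskArgs
            # Trigger class names such as MSFT_TaskLogonTrigger become "LogonTrigger".
            Triggers    = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
            Suspect     = [bool]($taskArgs -match $suspectArgs)
        }
    }
} | Sort-Object Suspect -Descending | Format-List
```

Review the flagged entries first, then any task whose Author or RunAs you do not recognise; a legitimate task is just as likely to use PowerShell, so the output is a triage list, not a verdict.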