What Could a Mysterious PowerShell Script Be Doing?

Asked By CuriousCat42 On

I've noticed my PowerShell running on an hourly schedule, briefly appearing and disappearing. After some digging, I found a scheduled task called OneChecker that was responsible. I've disabled it, but I'm concerned about what that script might be doing and whether it could be harmful. The script includes a lot of variable assignments with cryptic names, but the actual values of these variables are stored elsewhere. It's located in my AppData under 'reserve\red\n9N4kTqr', created on May 15. I've scanned it with Windows Defender and other tools, but it seems clean. I did uninstall some programs leading up to this discovery, so I can't recall what I might have installed. Any insights into what I should do next?

5 Answers

Answered By SecurityNerd01 On

Everything about what you've shared raises red flags. If you didn't set this up, I'd consider it malicious, no question. I'd suggest wiping your system and starting fresh, then use a separate local account for admin tasks in the future to minimize risk.

CuriousCat42 -

I definitely appreciate you saying that! Better safe than sorry.

CyberSleuth77 -

Great advice! It's much safer to start over and then be cautious about admin access.

Answered By CodeCrackerZ On

Honestly, this script alone isn’t doing much—it’s just creating some variables. But the fact that you didn't create it means it’s suspicious at best. You should look deeper into the task it's linked to and consider deleting both the task and the script to be safe.

Answered By ScriptSleuth On

There's gotta be more to it than just those variable assignments. Make sure to investigate what the scheduled task actually does; there could be more scripts involved.

Answered By TechWhiz101 On

The code you're dealing with mainly just sets variables. However, the use of random variable names is often seen in malware, so there might be hidden components elsewhere. I recommend running the command `Get-Variable -Name 'VARIABLE_NAME' -ValueOnly` to explore what those variables contain. Just be cautious—embedded scripts can often mask their actions.

CuriousCat42 -

Thanks for the tip, I'll check those variables out!

GadgetGuru88 -

Yeah, definitely! If it's obfuscated, assume the worst. It's safer to reinstall Windows and change all your passwords from a different device.

Answered By MalwareBusterX On

Your instincts are right. If you didn’t set it up, assume it’s malicious. Deleting that task and the script is the best move. Also, check for any other files that may be linked.
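The investigation that ScriptSleuth and MalwareBusterX recommend (read the task definition, triage the script file without running it, list whatever else sits next to it), as an added PowerShell example that is not from any poster. It assumes the task name `OneChecker` from the question; the script path is a placeholder to be filled in from the task's Arguments.

```powershell
# Added example, not code from any poster. Run from an elevated PowerShell.
$TaskName = 'OneChecker'   # task name as given in the question

# 1. Pull the task definition itself; nothing it points to gets executed.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop
$info = Get-ScheduledTaskInfo -TaskName $TaskName
[PSCustomObject]@{
    Path     = $task.TaskPath
    State    = $task.State
    Author   = $task.Author
    RunAs    = $task.Principal.UserId
    RunLevel = $task.Principal.RunLevel
    LastRun  = $info.LastRunTime
    NextRun  = $info.NextRunTime
} | Format-List

# What actually runs, with the full argument string: an -EncodedCommand blob or a
# hidden-window flag would show up here rather than in the .ps1 file.
$task.Actions | Select-Object Execute, Arguments, WorkingDirectory | Format-List

# Keep the full XML definition as evidence before deleting the task.
Export-ScheduledTask -TaskName $TaskName |
    Out-File "$env:USERPROFILE\Desktop\$TaskName.task.xml"

# 2. Static triage of the referenced script: hash it, note its timestamps, and
#    grep for decode-and-execute patterns instead of executing it to inspect variables.
$ScriptPath = 'C:\PLACEHOLDER\path\to\script.ps1'   # placeholder: take the real path from Arguments
Get-FileHash -Path $ScriptPath -Algorithm SHA256
Get-Item $ScriptPath | Select-Object CreationTime, LastWriteTime, Length

$suspicious = 'Invoke-Expression|\biex\b|FromBase64String|DownloadString|DownloadFile|' +
              'Net\.WebClient|Invoke-WebRequest|Start-Process|-EncodedCommand|-enc\b|' +
              'Add-MpPreference|WindowStyle\s+Hidden|Reflection\.Assembly'
Select-String -Path $ScriptPath -Pattern $suspicious -AllMatches |
    Select-Object LineNumber, Line

# 3. Anything else living in the same directory tree (the "linked files").
Get-ChildItem -Path (Split-Path $ScriptPath) -Recurse -Force |
    Select-Object FullName, CreationTime, LastWriteTime, Length
```

A hit on the pattern list is a reason to treat the file as hostile and escalate, not proof on its own; the absence of hits proves nothing if the real payload is pulled in from the Arguments string or another file.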
