Q: For quite some time lately, I've been getting an error message on boot-up from one computer. It never shows on the other PC. It says I don't have access to a file, but I haven't been able to find what is calling that file.
Today, I dug deeper and found that the file does exist. Its properties say I have full control, but it won't let me open it. Somehow, when I was messing with it, it opened a command level file I've never seen before. It appears to be amassing some information, but I don't know what it is doing with it. It asks the computer to echo some obscure files, and shows the results (also obscure) of each.
I'm attaching screen captures of the error message and the cmd file I uncovered today.
Also, this same machine constantly finds and quarantines the trojan Powessere.H. Is this related? I haven't found a way to get rid of that without preparing to spend a lot of time trying to clean it out.
You've been a great help when I've asked before. I find your column is a must-read, even if it often doesn't apply to me or in some cases I already knew the answer. You are good at confirming my suspicions or clearing up the gray areas. Thanks for doing this column.
— William B., Niceville
A: I’ll be honest here, William — the text in the screen shot you sent me was basically gibberish; at least it was to my human eyes. Perhaps there is information encoded within it that someone is stealing off your PC. Or perhaps not. I really have no way to know for sure.
What I can tell you is that "echo" is a built-in command of the Windows command interpreter, cmd.exe. You can type it at a prompt, but a file made up of echo lines followed by other commands is a batch file: a human-readable list of commands like the ones you would enter into a cmd window, run one after another as a batch, hence the name. Batch files carry the extension .bat (or .cmd), and never (hilarious) things like you are finding, such as ".ekgijbu." cmd.exe only runs a file as a script when it has one of those two extensions, so a script hiding behind a made-up extension has to be fed to cmd.exe deliberately by whatever launches it, and that by itself is a tell.
The last line in your screen shot concerns me: it uses the command "start" to launch something, and it appears to hand the file the earlier lines just created to that program for processing. Writing a file with a series of echo commands and then starting it is the classic shape of a "dropper": build the payload on disk, then execute it. That raises all sorts of red flags for me, and unless some legitimate software company can provide a rational explanation for it, I would want it off my PC immediately!
Since your PC is repeatedly identifying the presence of a Trojan, I recommend you start there. I did a little research on Powessere, and learned that this family of malware steals data about your PC and sends it off to someone on the Internet, and also downloads and installs other malware. That certainly fits the pattern of what you described and what I saw in your screen capture.
According to Microsoft, Windows Defender should be able to detect and remove this threat. Apparently that is not always the case: the "daily error box" you get looks like Defender detecting it and then failing to remove it. One reason this family is hard to clear is that Powessere (better known as Poweliks) does not live in an ordinary file; it keeps its payload in a registry autostart value and relaunches it at every logon, so a scanner can keep catching it when it runs without getting rid of the entry that brings it back. My only real suggestion at this time is to try Microsoft's Safety Scanner, which is a stand-alone tool that isn't designed for ongoing protection, but rather to find and remove malware. Note that each downloaded copy of Safety Scanner expires 10 days after you download it, so fetch a fresh one before you scan, and if it also comes up short, run Defender's offline scan, which restarts the PC and checks the system before Windows (and anything hiding in it) is running. Visit TinyURL.com/IGTM-0568 for download links, and for other information on how to deal with difficult-to-remove threats. Good luck!
To view additional content, comment on articles, or submit a question of your own, visit my website at ItsGeekToMe.co (not .com!)
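Below is an added example, written for this page rather than taken from the column or from any Microsoft tool, of the two checks a practitioner would make on a machine like William's: a static look at a batch-style script for the write-then-start pattern described above, and a pass over autostart entries for commands that launch odd-extension files, run cmd.exe, or hand inline script to a script host. The extension list, the heuristics, the sample script and the sample Run-key entries are all constructed for illustration, not taken from the reader's machine.

```python
# Added example for this page (not code from the column or from Microsoft):
# static triage for a batch-style script that builds a file with `echo ... >`
# and then hands it to `start`, plus a scan of logon autostart commands.
# Heuristics, extension list and sample data are constructed for illustration.
import re

# Extensions a plain batch file normally writes or launches; anything else
# (".ekgijbu" and friends) is treated as odd.  Tune to taste.
KNOWN_EXTS = {".bat", ".cmd", ".exe", ".com", ".msi", ".lnk", ".dll",
              ".txt", ".log", ".ini", ".csv", ".tmp", ".vbs", ".js", ".ps1"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# echo <payload> >file  or  echo <payload> >>file, quotes around file optional
_REDIRECT = re.compile(r'^echo\b(?P<body>.*?)\s*>{1,2}\s*"?(?P<target>[^"\s]+)"?\s*$', re.I)
# start ["window title"] <program and arguments>
_START = re.compile(r'^start\b(?:\s+"[^"]*")?\s+(?P<rest>.+)$', re.I)
_TOKEN = re.compile(r'"([^"]+)"|(\S+)')


def _ext(path):
    """Lower-cased extension of a path ('' if it has none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _tokens(s):
    return [quoted or bare for quoted, bare in _TOKEN.findall(s)]


def analyze_batch(text):
    """Findings as (line_number, reason, path) for batch-script text: files the
    script writes via echo redirection are remembered, then a `start` that is
    handed one of them (the dropper pattern) and any odd extension are flagged."""
    written, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().lstrip("@")          # a leading '@' only mutes echoing
        m = _REDIRECT.match(line)
        if m:
            target = m.group("target")
            if target.lower() not in written:   # report each dropped file once
                written[target.lower()] = lineno
                ext = _ext(target)
                if ext and ext not in KNOWN_EXTS:
                    findings.append((lineno, "writes file with odd extension", target))
            continue
        m = _START.match(line)
        if m:
            for tok in _tokens(m.group("rest")):
                ext = _ext(tok)
                if tok.lower() in written:
                    findings.append((lineno, "starts a file it wrote itself", tok))
                elif ext and ext not in KNOWN_EXTS:
                    findings.append((lineno, "starts file with odd extension", tok))
    return findings


def suspicious_autostart(entries):
    """Flag (location, name, command) autostart entries that launch an
    odd-extension file, hand inline script to a script host, or run cmd.exe."""
    out = []
    for location, name, command in entries:
        low, reason = command.lower(), None
        for tok in _tokens(command):
            ext = _ext(tok)
            if ext and ext not in KNOWN_EXTS:
                reason = "launches " + tok
                break
        if reason is None and re.search(r"mshta|javascript:|-enc", low):
            reason = "inline script at logon"
        if reason is None and re.search(r"\bcmd(?:\.exe)?\b", low):
            reason = "runs cmd.exe at logon"
        if reason:
            out.append((location, name, reason))
    return out


# Constructed sample (not the reader's file): a tiny dropper shaped like the
# script the column describes, and two Run-key entries, one benign, one not.
SAMPLE_SCRIPT = r"""@echo off
echo aGVsbG8gd29ybGQ= > "%TEMP%\sys.ekgijbu"
echo QUJDREVG >> "%TEMP%\sys.ekgijbu"
start "" wscript.exe "%TEMP%\sys.ekgijbu"
"""
SAMPLE_AUTOSTART = [
    ("HKCU\\" + RUN_KEY, "OneDrive", r'"C:\Users\w\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\" + RUN_KEY, "sysupd", r'cmd.exe /c "%APPDATA%\sysupd.ekgijbu"'),
]

if __name__ == "__main__":
    for f in analyze_batch(SAMPLE_SCRIPT):
        print("script line %d: %s (%s)" % f)
    for e in suspicious_autostart(SAMPLE_AUTOSTART):
        print("%s\\%s: %s" % e)
```

On the affected machine, feed `analyze_batch` the text of the script you found and `suspicious_autostart` the values from the Run keys (for instance the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, the HKLM equivalent, or an Autoruns export). The heuristics are deliberately simple and will also flag a benign script that writes a log and then opens it, so treat hits as leads to investigate, not verdicts.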