
Soul

Members
  • Posts: 14

About Soul

  • Rank
    Newbie

Profile Information

  • Location
    USA
  1. I can see it while using Fiddler. It keeps making requests to that api.chatting URL. Something weird is that before it was always red, meaning it can't reach it, I'm guessing, but now its status is 200, so I'm assuming the host is up now? As soon as I stop the PowerShell from Task Manager, the links stop.
  2. Ahhhh, and yeah, when using procexp, I can go to the PowerShell and the network tab, and it shows there is a connection established to an IP. Would it work if I were to block that IP directly on my router?
  3. Interesting. Yeah, it seems hard to find, as I'm running various scans and deep scans and manually deleting files, but not having any luck finding the malicious files.
  4. There seems to be nothing related to PowerShell on autorun.
  5. So what would be the necessary steps in order to eliminate this?
  6. Sorry for the late reply. Interestingly enough, this was fixed for the last 2 days or so and just started again today. PowerShell opened and is doing the same thing. I just saw this, so I am updating VMware right now.
  7. I just installed ESET again and am now running the log collector.
  8. I did, but I removed it because I wanted to see if the script it blocked was permanent or temporary, and I couldn't turn it off, so I uninstalled it and the script executed.
  9. Yeah, I could do that. Also, to add to this, I restarted my computer and ESET did block the script that was running, but I want more of a permanent solution, if that's possible, to fully remove whatever is even initiating that script to open to begin with.
  10. Sorry, I'm a little confused. Which log file should I be giving you? I scanned the system_log file with ESET and it said it was fine.
  11. It is exactly the same stuff as above. Exact same IP addresses and the api.chatting thing. Exact same shell command that is causing PowerShell to run in the background. What Itman posted is the shell command being executed.
  12. I am going through the exact same thing, and if this is indeed malicious, what could be done to remove it? Could you possibly give a solution, please? Thank you!
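The posts above describe the manual triage the poster did by hand (procexp network tab, Task Manager, autorun entries) without finding what launches the PowerShell process. The script below is an added example, not code from this thread or from any of its participants, that collects the same three things in one elevated PowerShell session: every running PowerShell host with its command line and parent process, the established TCP connections those processes own, and the persistence locations that commonly launch PowerShell without leaving an obvious file on disk (scheduled task actions, Run keys, WMI event subscriptions). The only string taken from the thread is `api.chatting`; the other regex terms, the registry paths and the variable names are generic assumptions, not anything the thread identified.

```powershell
# Added example, not from the thread. Assumes Windows, Windows PowerShell 5.1 or later,
# and an elevated session (WMI subscriptions and other users' processes are hidden otherwise).
# 'api.chatting' is the only term from the thread; the rest is a generic triage pattern.
$Pattern = [regex]::Escape('api.chatting') + '|powershell|pwsh|-enc|-e |iex|DownloadString'

# 1. Running PowerShell hosts with their command line and the process that started them.
#    The parent is usually the lead: a scheduled task shows svchost.exe, a logon item
#    shows explorer.exe, a WMI subscription shows WmiPrvSE.exe.
$hosts = Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'"
foreach ($p in $hosts) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
    [pscustomobject]@{
        PID         = $p.ProcessId
        CommandLine = $p.CommandLine
        ParentPID   = $p.ParentProcessId
        ParentName  = $parent.Name
        ParentCmd   = $parent.CommandLine
    } | Format-List
}

# 2. Established TCP connections owned by those processes (what procexp's network tab shows).
$ids = @($hosts.ProcessId)
Get-NetTCPConnection -State Established |
    Where-Object { $_.OwningProcess -in $ids } |
    Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort

# 3a. Scheduled task actions whose executable or arguments match the pattern.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match $Pattern) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Execute   = $a.Execute
                Arguments = $a.Arguments
            }
        }
    }
}

# 3b. Run / RunOnce values for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Pattern } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Value = $_.Value } }
    }
}

# 3c. WMI event subscriptions: a CommandLineEventConsumer bound to an __EventFilter
#     runs its command line on a timer or event with no file or autorun entry.
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
    Select-Object Name, Query
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer
```

Run it from an elevated PowerShell window while the PowerShell process is active, so that step 1 and step 2 have something to show. Blocking the remote address at the router, as asked in post 2, stops the traffic from this host but not whatever starts the process, which is why step 3 matters: a task action, Run value or WMI consumer that matches the pattern is the thing to remove, and a process whose parent is svchost.exe or WmiPrvSE.exe points at 3a or 3c respectively.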