PowerShell Virus: How to Get Rid of It?

Solved
Kangourou qui envoie du pâté (Member, 24 posts)
MisteryBean (Moderator, 8948 posts)

Hello,

I have the same problem as Belze and several other people: a pop-up window opens unexpectedly, repeatedly, sometimes displaying multiple instances at the same time, lasting less than two seconds upon opening or while using my computer.

It says: C:\Windows\System32\WindowsPowerShell\v1.0/powershell.exe in the header of an empty blue window. Here is the screenshot I managed to take:

It seems that it is probably a virus; could someone please help me?

I ran an FRST analysis, as indicated by Bazfile, and I am attaching the two links from cjoint.com:

  • Addition.txt file: https://www.cjoint.com/c/NCsvoA0cSMP
  • FRST.txt file: https://www.cjoint.com/c/NCsvsgLpxNP

I hope you can help me. Thank you so much in advance!

3 answers

MisteryBean (Moderator, 8948 posts)

Hello,

--> Copy what is found here https://www.cjoint.com/doc/24_03/NCswe7H21qg_fixlist.txt from start:: to end:: (without pasting it anywhere)

--> Open FRST (or FRST64) as an administrator and click on Fix
If FRST seems to freeze or is unresponsive, let it run

--> The PC will ask to restart, accept it

--> A fixlog file is created in the same location as FRST, post it like the other reports

--> The fix will clean the firewall; programs you run afterwards will request access on their first launch

--> Let me know if you still have the problem.


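As an added triage example (not from this thread and not FRST's own code): a read-only PowerShell script that lists scheduled tasks which launch powershell.exe with the arguments and script locations typical of the persistence behind a PowerShell window that flashes open the way the question describes. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 and later) and an elevated session; the argument and path patterns it looks for are the author's choice, not an exhaustive list.

```powershell
# Read-only triage: which scheduled tasks run PowerShell in a way that
# usually signals malware persistence (hidden window, execution policy
# bypass, encoded command, script stored in a user-writable location)?
# Nothing is deleted; the output is meant to be reviewed by a person.
$suspiciousArgs = @('-WindowStyle Hidden', '-ExecutionPolicy Bypass', '-EncodedCommand', '-enc ')
$userPaths      = @('\AppData\Roaming\', '\AppData\Local\', '\Users\Public\', '\Temp\')

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "start a program" actions carry Execute/Arguments.
        if (-not $action.Execute) { continue }
        $exe       = [string]$action.Execute
        $arguments = [string]$action.Arguments
        if ($exe -notmatch 'powershell(\.exe)?$|pwsh(\.exe)?$') { continue }

        $hits = @()
        foreach ($p in $suspiciousArgs) { if ($arguments -like "*$p*") { $hits += $p } }
        foreach ($p in $userPaths)      { if ($arguments -like "*$p*") { $hits += "script under $p" } }
        if ($hits.Count -eq 0) { continue }

        # Malicious tasks are often placed under \Microsoft\Windows\ next to
        # legitimate ones, so the task path alone says nothing about trust;
        # the command line and the last/next run times are what matter.
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task        = $task.TaskPath + $task.TaskName
            RunsAs      = $task.Principal.UserId
            State       = $task.State
            LastRun     = $info.LastRunTime
            NextRun     = $info.NextRunTime
            Indicators  = ($hits -join '; ')
            CommandLine = "$exe $arguments"
        }
    }
}

if ($findings) {
    $findings | Sort-Object Task | Format-List
} else {
    'No scheduled task launches PowerShell with the indicators above.'
}
```

A task whose NextRun is minutes away and whose script sits under AppData\Roaming is the usual explanation for a window that keeps reappearing; the listing can be pasted into a thread like this one for a helper to judge before anything is removed.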
Kangourou qui envoie du pâté (Member, 24 posts)

Thank you very much, MisteryBean, for your responsiveness and your amazing lifesaving support!

Following the correction, here is the resulting Fixlog.txt file:


At first glance, no more issues; the PC is faster.

Thanks again!

MisteryBean (Moderator, 8948 posts)


Alright, if everything is good:

To automatically delete all files/folders created by FRST and the tool itself, rename FRST/FRST64.exe to uninstall.exe and run it.

The procedure requires a reboot.

See you later on CCM.
