Suspected Rootkit/Malware generator on PC, via Powershell


Hey guys. I came to the Malwarebytes forums to try and solve this recurring issue I've been having with my Windows 10 Samsung laptop since about last August. To start, I never had any malware/adware problems period on my PC until said August, when I had been trying to download a school-related pdf textbook from a suspicious website via a Google search. To sum it up, on that August day I downloaded a fake pdf .iso file that put some sort of ransomware on my PC that locked me out of my desktop when I opened it. Stupid on my part, yes, I know. I made a desperate decision due to a textbook emergency which I regretted instantly. Anyhow, I managed to boot into Windows without explorer.exe so I could run Task Manager and subsequently Malwarebytes to get rid of the viruses, and after a day of work it seemed to be running decently again and I breathed a sigh of relief. I then went to my local Microsoft store and a tech guy ran Hitman Pro which found more crap on there which was removed. However, ever since then I have been getting monthly or so adware/malware viruses picked up by Malwarebytes/AdwCleaner that are removed, but they always seem to recur in the next few weeks or so. I don't do anything suspicious to get them or download any random suspicious files (that pdf debacle was a very rare occurrence for me), which had me confused as to where these things were coming from. As of this month I had gotten more of this stuff and I began to suspect a rootkit or something was on my PC that was generating the malware (I had suspected this in the months prior to March as well). Upon scanning with Malwarebytes I could quarantine the viruses found, but not remove them. It would replace them upon PC restart and I also encountered a strange Windows temporary profile bug upon restart too, meaning I was locked out of my programs/files. This bug seemed to go away on its own.
At this time I also downloaded Avast upon a referral from a family member and noticed that it was giving me warnings about a Win32:Rootkit-gen and a Win32:Malware-gen infection. It seemed like I finally found what the issue was, except I can't get rid of it.

To put it simply, my issue is basically the same issue this person has that posted in this forum today. It is almost word-for-word exactly the same issue I have. 

I have the same powershell taskbar icon pop up, and it happens every time I take my computer out of sleep mode. I even got a photo of the Avast notification that popped up again when I was (ironically) typing this post. So to put it short, I think this is my issue but apparently it's a complex problem as none of my virus programs detect it or can get rid of it. Can it be solved or do I have to resort to a full hard drive wipe (if that even will work)? If you need any other information just ask; help would be very appreciated, thank you.



Hello amd888 and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only, so all of the tools we may use are saved to the Desktop:

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Change default download folder location in Edge - Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....


Follow the instructions in the following link to show hidden files:



Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Download and save RogueKiller to your Desktop from this link:


Right click setup.exe and select Run as Administrator to start installing RogueKiller.

At the next window Checkmark "Install 32 and 64 bit versions", then select "Next"

In the next window skip Licence I.D. and Licence Key, select "Next"

In the next window make no changes and select "Next"

In the next window leave both "Additional Shortcuts" checkmarked, then select "Next"

In the next window make no changes and select "Install"

RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish.

RogueKiller will launch. Accept UAC, then read and accept "User Agreements"

In the new window the "Home" tab should already be selected. Change to the "Scan" tab, then select "Start Scan"

When the scan completes select "Open Report"

In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply

Let me see those logs...

Thank you,



Thank you for your assistance. I ran the two programs you asked for and have the three logs you also asked for. RogueKiller detected numerous problems on my PC; is it safe to go ahead and remove all of them at this time? In addition, I had backed up my data on an external hard drive numerous times since the August problem origin, so is that hard drive infected too? If so, how do I go about removing it from that hard drive? It has no operating system on it.





Thanks for those logs amd888, continue with the following:

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC..

In the new window the "Home" tab should already be selected. Change to the "Scan" tab, then select "Start Scan"

When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked

[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3608033313-1376809995-3719013177-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://samsung13.msn.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3608033313-1376809995-3719013177-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://samsung13.msn.com -> Found

Checkmark (tick) the following against Tasks entries, ensure that all other entries are not Checkmarked

[Suspicious.Path|Tr.Gen1] \{A3FA95B3-1451-2218-A630-40E8F565B6B1} -- C:\ProgramData\{8DFDE3A7-3A56-540C-8847-B5D1621D12B7}\51CC23CB-E667-9460-9DA5-95C8229FDEB5.exe (/run) -> Found

Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked

[Adw.DNSUnlocker][File] C:\Program Files (x86)\Steam\depotcache\223851_1463440244266315419.manifest -> Found
[Adw.DNSUnlocker][File] C:\Program Files (x86)\Steam\depotcache\223851_5648498717833789511.manifest -> Found

Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked

[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [https://news.google.com/nwshp?hl=en&tab=wn&ei=XtliUsa-Is_4rAGXyYA4&ved=0CAsQqS4oBQ] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [https://news.google.com/nwshp?hl=en&tab=wn&ei=XtliUsa-Is_4rAGXyYA4&ved=0CAsQqS4oBQ] -> Found

Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)", name that log and save it; you can copy or attach it to your reply...


Download AdwCleaner by Xplode onto your Desktop.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan in the Actions box. Please wait for the scan to finish.
  • When "Waiting for action. Please uncheck elements you want to keep" shows in the top line, click on the Cleaning box.
  • Click OK on the "Closing Programs" pop-up box. Click OK on the Information box and again OK to allow the necessary reboot.
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to the list of scans completed...


Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan, when done post the new logs "FRST.txt" and "Addition.txt".

Let me see those logs in your reply, also tell me if you have any remaining issues or concerns....

Thank you,

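The task RogueKiller flagged in the post above (a bare-GUID task name launching a GUID-named .exe from a GUID-named folder under C:\ProgramData with `/run`) is a common persistence shape, and a file that Malwarebytes quarantines only to see it "replaced upon PC restart" is typically being re-dropped by a launcher of exactly this kind. As an added example that is not part of the thread, and not RogueKiller's or kevinf80's code, the following PowerShell enumerates every scheduled task on the machine and flags the ones matching that shape, or launching PowerShell with hidden/encoded/download switches (the wake-from-sleep PowerShell window the OP describes). The staging-folder list, the argument patterns and the evidence folder on the Desktop are assumptions of mine. Run it from an elevated PowerShell on Windows 8/10 or later, where the ScheduledTasks module exists.

```powershell
# Added example (not from the thread): hunt for scheduled tasks shaped like the
# one RogueKiller flagged -- a bare-GUID task name whose action runs <GUID>.exe
# from a GUID-named folder under C:\ProgramData -- and for tasks that start
# PowerShell with hidden/encoded/download switches. Review hits before disabling.

$GuidRe = '\{?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}?'

# User-writable staging folders that signed vendor tasks rarely launch from (assumed list).
$StagingDirs = @(
    [Environment]::GetFolderPath('CommonApplicationData'),   # C:\ProgramData
    [Environment]::GetFolderPath('LocalApplicationData'),    # %LOCALAPPDATA%
    [Environment]::GetFolderPath('ApplicationData'),         # %APPDATA%
    [IO.Path]::GetTempPath()
) | Where-Object { $_ }

function Get-TriggerSummary {
    param($Trigger)
    # Trigger CIM classes are MSFT_TaskLogonTrigger, MSFT_TaskEventTrigger, etc.
    $kind = $Trigger.CimClass.CimClassName -replace '^MSFT_Task', ''
    switch ($kind) {
        'EventTrigger'              { "$kind($($Trigger.Subscription -replace '\s+', ' '))" }
        'SessionStateChangeTrigger' { "$kind(StateChange=$($Trigger.StateChange))" }
        default                     { $kind }
    }
}

function Get-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # ComHandler actions have no Execute
            $exe     = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $argLine = [string]$action.Arguments
            $reasons = @()

            if ($task.TaskName -match "^${GuidRe}$") { $reasons += 'GUID-only task name' }
            if ($exe -match "\\${GuidRe}\\")         { $reasons += 'GUID-named folder in path' }
            foreach ($dir in $StagingDirs) {
                if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    $reasons += "launches from $dir"; break
                }
            }
            if ($exe -match '(?i)powershell(\.exe)?$' -and
                $argLine -match '(?i)-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|-nop\b|downloadstring|\biex\b') {
                $reasons += 'PowerShell with hidden/encoded/download switches'
            }
            if ($reasons.Count -eq 0) { continue }

            $exists = Test-Path -LiteralPath $exe
            $hash   = $null
            if ($exists) { $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }

            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Execute   = $exe
                Arguments = $argLine
                OnDisk    = $exists                 # $false means the dropper already moved on
                SHA256    = $hash
                Triggers  = ($task.Triggers | ForEach-Object { Get-TriggerSummary $_ }) -join ' | '
                Reasons   = $reasons -join '; '
            }
        }
    }
}

$hits = @(Get-SuspiciousTasks)
$hits | Format-List

# Keep the evidence before touching anything: the exported XML preserves the
# trigger, author and action even after a cleaner removes the task.
$evidence = Join-Path $env:USERPROFILE 'Desktop\task_evidence'   # assumed location
New-Item -ItemType Directory -Path $evidence -Force | Out-Null
foreach ($h in $hits) {
    $safeName = $h.TaskName -replace '[{}\\/:*?"<>|]', '_'
    Export-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath |
        Set-Content -LiteralPath (Join-Path $evidence "$safeName.xml")
    # After review, neutralise without deleting so the entry stays visible to the helper:
    # Disable-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath
}
```

Legitimate software does sometimes schedule tasks out of ProgramData or AppData, so the `Reasons` column is a triage aid, not a verdict; the `SHA256` and `OnDisk` fields are there so the binary can be looked up or noted as already gone, and the exported XML can be attached to a helper thread alongside the FRST and RogueKiller logs.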

All right, I have followed these instructions too and have the 5 logs you asked for. Malwarebytes and AdwCleaner found nothing upon my scans as you asked. Is my PC clean again? I noticed 2 Internet Explorer entries found by RogueKiller were replaced upon the removal process. Otherwise the PC seems okay; time will tell if any issues come back. My only other question is about my external hard drive, as mentioned before. How should I ensure the viruses on this PC are not on that drive? I had backed up my whole PC in the past few months onto that drive with (supposedly) the virus here still on my PC then. What do you recommend I do? I don't want that drive infected and it to infect my PC again.







Thanks for the update, yes your logs look good but I need confirmation that the PowerShell issue has cleared.. Regarding the external drive, install the following program to protect your system from infection via USB devices:

McShield - http://www.mcshield.net/ to protect your system from potential malware/infection when plugging in USB devices..

When that is complete connect your external drive, then run the following;

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.


Thank you,



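kevinf80's approach for the backup drive is to connect it and let Sophos scan it, with McShield watching USB devices from then on. As an added complement that is my code and not part of the thread, the following PowerShell inventories what a backup drive could hand back to a freshly cleaned machine: executables, scripts, shortcuts and disk images, each hashed and flagged for a document-style double extension such as textbook.pdf.exe (the kind of lure the OP described), for an autorun.inf, for modification after the incident date, and for a Zone.Identifier stream marking it as downloaded from the Internet zone (which also records the download URL on recent Windows builds). The drive letter and incident date are assumptions; the Zone.Identifier check works only on NTFS-formatted drives, since FAT32/exFAT have no alternate data streams.

```powershell
# Added example (not from the thread): triage an external backup drive before
# trusting its contents again. Drive letter and incident date are assumptions.
param(
    [string]$Drive = 'E:\',
    [datetime]$IncidentDate = (Get-Date '2016-08-01')   # assumed: the thread only says "last August"
)

$RiskyExt = '\.(exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|ps1|hta|msi|iso|img|vhdx?|lnk|dll|jar)$'
$DocExt   = '\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|mp4|zip)'

function Get-ZoneIdentifier {
    param([string]$Path)
    # Mark-of-the-Web lives in an NTFS alternate data stream named Zone.Identifier.
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $zone  = ($lines | Where-Object { $_ -like 'ZoneId=*' })  -replace '^ZoneId=', ''
        $url   = ($lines | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
        [pscustomobject]@{ ZoneId = [string]$zone; HostUrl = [string]$url }
    } catch {
        [pscustomobject]@{ ZoneId = $null; HostUrl = $null }   # no stream, or non-NTFS volume
    }
}

function Get-BackupDriveFindings {
    param([string]$Root, [datetime]$Since)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $RiskyExt -or $_.Name -ieq 'autorun.inf' } |
        ForEach-Object {
            $reasons = @()
            if ($_.Name -ieq 'autorun.inf')                    { $reasons += 'autorun.inf present' }
            if ($_.Name -match "${DocExt}\.[^.]+$")            { $reasons += 'document-looking double extension' }
            if ($_.Extension -in '.iso','.img','.vhd','.vhdx') { $reasons += 'disk image (mounts as a drive when opened)' }
            if ($_.LastWriteTime -ge $Since)                   { $reasons += "written after $($Since.ToShortDateString())" }
            $zone = Get-ZoneIdentifier $_.FullName
            if ($zone.ZoneId -eq '3')                          { $reasons += 'downloaded from Internet zone' }

            [pscustomobject]@{
                Path          = $_.FullName
                SizeKB        = [math]::Round($_.Length / 1KB)
                LastWriteTime = $_.LastWriteTime
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                HostUrl       = $zone.HostUrl
                Reasons       = $reasons -join '; '
            }
        }
}

$report = @(Get-BackupDriveFindings -Root $Drive -Since $IncidentDate)
$report | Sort-Object { $_.Reasons.Length } -Descending |
    Format-Table Path, SizeKB, LastWriteTime, Reasons -AutoSize
$report | Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\backup_drive_triage.csv" -NoTypeInformation
```

Anything with a non-empty `Reasons` column deserves a look before it is copied back; a `HostUrl` pointing at the "suspicious website" from the OP's first post would identify the original lure, and a clean antivirus pass on the drive says nothing about a renamed installer that has simply not been run yet.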

Okay, I followed these steps as well and McShield and Sophos did not find any threats on my PC. I ran Sophos with my external hard drive plugged in. McShield detected it and said no malware was found on the drive, too. Does that mean I can deem my external hard drive safe to use? As for the Powershell issue, I tested by putting my PC into sleep mode and upon wake up, it did not run that process so it seems good. I don't know how else to test to see if that virus is completely gone.

What programs do I need to keep that I installed here with your help? Should I keep all of them? Is there anything else I need to do or know? Thank you for the continued help.

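The OP's test, sleep the machine, wake it, and watch for the PowerShell icon, is the right idea, and the Windows event logs let it be repeated without watching the taskbar. As an added example that is not part of the thread, this PowerShell pairs each resume-from-sleep event in the System log (Microsoft-Windows-Kernel-Power, ID 107) with every PowerShell engine start recorded in the Windows PowerShell log (ID 400) during the minutes after it, and prints the HostApplication command line from each, which names the script, file or encoded command that was run. Both logs are enabled by default on Windows 10; the five-minute window and 14-day lookback are assumptions.

```powershell
# Added example (not from the thread): find PowerShell engine starts that follow
# a resume from sleep, to confirm whether the wake-time launcher is really gone.
param(
    [int]$WindowMinutes = 5,    # assumed
    [int]$Days = 14             # assumed
)

$since = (Get-Date).AddDays(-$Days)

function Get-ResumeEvents {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-Power'
        Id           = 107                     # "The system has resumed from sleep."
        StartTime    = $Since
    } -ErrorAction SilentlyContinue
}

function Get-PowerShellStarts {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Windows PowerShell'
        Id        = 400                        # engine state None -> Available
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The 400 message carries key=value lines; HostApplication is the host's command line.
        $hostApp = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $hostApp }
    }
}

function Get-PostResumePowerShell {
    param([datetime]$Since, [int]$Minutes)
    $starts = @(Get-PowerShellStarts -Since $Since)
    foreach ($resume in Get-ResumeEvents -Since $Since) {
        $deadline = $resume.TimeCreated.AddMinutes($Minutes)
        foreach ($s in $starts) {
            if ($s.Time -ge $resume.TimeCreated -and $s.Time -le $deadline) {
                [pscustomobject]@{
                    ResumedAt       = $resume.TimeCreated
                    PowerShellAt    = $s.Time
                    SecondsAfter    = [int]($s.Time - $resume.TimeCreated).TotalSeconds
                    HostApplication = $s.HostApplication
                }
            }
        }
    }
}

$hits = @(Get-PostResumePowerShell -Since $since -Minutes $WindowMinutes)
if ($hits.Count -eq 0) {
    "No PowerShell engine starts within $WindowMinutes min of any resume since $since."
} else {
    # An interactive console shows as a bare powershell.exe; a launcher shows the
    # -File, -Command or -EncodedCommand it ran, which is the lead to chase.
    $hits | Format-Table -Wrap
}
```

Windows' own maintenance tasks also run PowerShell, so a hit is a lead rather than proof; the useful signal is a HostApplication that points at a script under ProgramData, AppData or Temp, or carries an `-EncodedCommand`, appearing seconds after each resume. Re-running this after the cleanup and seeing no such hits over several sleep/wake cycles is the confirmation the helper asked for.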

Thanks for the update amd888, yes your system should be good to go. Regarding programs to keep... Definitely keep McShield, keep RogueKiller and Sophos as stand-alone scanners if you are ok with their use... FRST and AdwCleaner update at source so should only be downloaded when needed....

To clean up use the following:

Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/


Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…


Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...



OK, did the last steps you stated above. Thanks a lot for your help. I'll be sure to stay safer on the internet and when using computers so this doesn't occur again. If I ever need any help in the future with anything, I'll remember you guys.


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.