PowerShell.exe Removal help


Hello, I am looking for some assistance. For about two weeks now I have a blue command prompt window popping up during Windows 10 start-up. It only lasts for about 2 seconds and goes away. I took a video of it and found it was PowerShell.exe that is running. I have been trying to figure out how to remove it. No anti-virus or malware software will detect it. A few weeks ago I had a virus/malware where I had two tabs showing up in Chrome when I launched it. The tabs were "disable-http2" and "use-spdy%3Doff". Same thing, nothing would remove them. However, these tabs have now just randomly stopped showing up after being there for a few weeks. I ran Farbar Recovery scan and attached the Addition & FRST files. I appreciate any assistance in getting this fixed.

Addition_23-12-2018 15.19.41.txt

FRST_23-12-2018 15.19.41.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Let me know what problem persists.

fixlist.txt


  • 2 weeks later...

Hi,

Powershell.exe is not seen in your logs.

Let's see what we can find in the Registry.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
powershell.exe
Once done, click on the Search Registry button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
====


Hello,

Here is the text per your instructions:

 

Farbar Recovery Scan Tool (x64) Version: 07.01.2019
Ran by David (07-01-2019 17:22:12)
Running from C:\Users\David\Downloads
Boot Mode: Normal

================== Search Registry: "powershell.exe" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\background\shell\Powershell\command]
""="powershell.exe -noexit -command Set-Location -literalPath '%V'"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\Powershell\command]
""="powershell.exe -noexit -command Set-Location '%V'"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell\Powershell\command]
""="powershell.exe -noexit -command Set-Location -literalPath '%V'"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellCmdletDefinitionXML.1]
"FriendlyTypeName"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-120"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellConsole.1]
"FriendlyTypeName"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-107"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellConsole.1\Shell\0]
"MUIVerb"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-112"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellConsole.1\Shell\0\Command]
""=""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -p "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellConsole.1\Shell\Open\Command]
""=""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -p "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellData.1]
"FriendlyTypeName"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-104"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellModule.1]
"FriendlyTypeName"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-106"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellScript.1]
"FriendlyTypeName"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-103"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellScript.1\Shell\0]
"MUIVerb"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe ",-108"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellScript.1\Shell\0\Command]
""=""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & '%1'""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellSessionConfiguration.1]
"FriendlyTypeName"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-121"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Microsoft.PowerShellXMLData.1]
"FriendlyTypeName"="@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-105"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7]
"Name"="@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path"="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PowerShell.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PowerShell.exe]
""="%SystemRoot%\system32\WindowsPowerShell\v1.0\PowerShell.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_none_ed5135d0a0cd60d3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-powershell-exe_31bf3856ad364e35_none_4784e0d7cef851fc]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\wow64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_none_f7a5e022d52e22ce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_none_51d98b2a035913f7]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7]
"Name"="@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"Path"="C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\PowerShell.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\PowerShell.exe]
""="%SystemRoot%\system32\WindowsPowerShell\v1.0\PowerShell.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-2182757963-3301432244-2496146322-1001]
"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"="0x7EC13DDCD2A6D40100000000000000000000000002000000"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-2182757963-3301432244-2496146322-1001]
"\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"="0x8FC306D2FB9AD40100000000000000000000000002000000"
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2\52C64B7E]
"@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124"="Document Encryption"
[HKEY_USERS\S-1-5-19\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe]
[HKEY_USERS\S-1-5-19\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe]
[HKEY_USERS\S-1-5-20\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe]
[HKEY_USERS\S-1-5-20\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe]
[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe]
[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Console\%SystemRoot%_SysWOW64_WindowsPowerShell_v1.0_powershell.exe]
[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"3"="C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk
C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe
"
[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"4"="C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"
[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Classes\Local Settings\MrtCache\C:%5CWINDOWS%5CSystemResources%5CWindows.UI.SettingsAppThreshold%5CWindows.UI.SettingsAppThreshold.pri\1d44cc5e0fe83ec\69f53cf0]
"@{windows?ms-resource://Windows.UI.SettingsAppThreshold/SearchResources/SystemSettings_Developer_Mode_Setting_PowerShellExecution/HighKeywords}"="powershell settings;developer settings;powershell developer settings;powershell execution policy"
[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Classes\Local Settings\MuiCache\2\52C64B7E]
"@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124"="Document Encryption"
[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Classes\Local Settings\MuiCache\2\52C64B7E]
"@"C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe",-105"="Windows PowerShell XML Document"

====== End of Search ======

 



The process seems to be coming from a Shortcut (.lnk)

[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]


 "3"="C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk
C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe
"
[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"4"="C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe

Please run the Farbar program and select the box to create a shortcut log.

Post the log for my review.


Hi,


The shortcuts are clean.

This is the offending Registry Key.
We will remove the PowerShell sub keys.
===

Copy all the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.

Quote

Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"3"=-

[HKEY_USERS\S-1-5-21-2182757963-3301432244-2496146322-1001\Software\Microsoft\Windows\CurrentVersion\UFH\SHC]
"4"=-


Restart the computer when completed.

You can delete the fixme.reg file when done.

How is it now?



Hello, I tried the steps you gave me but I ran into an issue. I got an error message when trying to "Merge" the reg file. I attached some files:

Pic1 - This is the message I got when saving the file
Pic2 - Error message I got when trying to Merge the reg file
Pic3 - I copied the above just as you had it but when I reopen the reg file I made it looks like this
Pic1.png

pic2.png

pic3.png


Hi,

Delete the copy of the Fixme.reg you have downloaded.

This time create a new regme.ter file, do this with the text in the Quote box I suggested.

Copy and paste the entries into the open Notepad, select Save As..., under Encoding: select UTF-8, give it the fixme.reg name and save it.
Execute the .reg file.

How is it now?


Hello,

1. I deleted the old fixme.reg file.
2. I created a regme.ter with the text in your quote box.
3. I created a fixme.reg file with the text in your quote box and made sure to change it to UTF-8
4. I right clicked on the fixme.reg file and chose "Merge". I also tried just double-clicking on it. Both times I still got the same error message about "cannot import: "Error accessing the registry".


Hi,

I may be able to remove or edit that key using the Farbar program.

First I need to know what else is in that registry key.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

fixlist.txt


Hi,

The registry key was for TeamViewer which is no longer on your computer.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

fixlist.txt


Hi,

An expert just informed me to query a registry key that may be the remnant of the bitcoin.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

All the fix will do is report this key.

Reg: REG QUERY HKU\S-1-5-21-2182757963-3301432244-2496146322-1001\...\Run /v amsiredm

Please post the log for my review.

p.s.
Do not forget to run also the fixlist in post no. 19. The order you do it is not important.

fixlist.txt

Edited by nasdaq
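As an added defender-side example, not code from the thread or from the Farbar tool: a read-only PowerShell triage script that lists the autostart locations the helper worked through above (Run/RunOnce values, Startup-folder shortcut targets, and scheduled task actions) whose command line launches powershell.exe. The regular expression and the set of locations checked are my own choices; the script only reports and deletes nothing.

```powershell
# Added example: read-only triage of autostart entries that launch powershell.exe.
# Not from the thread or from FRST. Run elevated to read the HKLM keys. Reports only, deletes nothing.
$pattern = 'powershell(\.exe)?'   # assumption: match both "powershell.exe" and bare "powershell"
$findings = @()

# 1. Run / RunOnce values (the kind of location the last FRST fix inspects with REG QUERY)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ... added by the provider
        if ("$($p.Value)" -match $pattern) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = "$($p.Value)" }
        }
    }
}

# 2. Startup-folder shortcuts (.lnk): resolve the target, as the thread's shortcut log does
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match $pattern) {
            $findings += [pscustomobject]@{ Source = $_.FullName; Name = 'Shortcut'; Command = $cmd }
        }
    }
}

# 3. Scheduled tasks whose action runs powershell (another way a console window appears at logon)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            $findings += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Name = 'Action'; Command = $cmd }
        }
    }
}

# Entries Windows does not create by itself, such as a Run value pointing at powershell.exe,
# are the ones to investigate (and post for review) before removing anything.
$findings | Sort-Object Source | Format-Table -AutoSize -Wrap
```

An empty table means none of these three locations launches PowerShell; the FRST Search Registry step above then remains the way to look elsewhere.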
