Jump to content

Powershell.exe registry hack

Recommended Posts

I screwed up yesterday and opened a hack inserted from an email.  Very professional and from a close business associate. Was in a hurry and didn't look at the email address behind the name.  So, when it started, I ran Malwarebytes and it found two Trojan.Q bot files.  quarantined. Closed computer and restarted. I noticed a C prompt window for the Powershell.exe and it flashed a red entry and closed.  I ran Malwarebytes again and it found 4 files.  Quarantined.  My computer is hacked for sure. I am pretty sure they have remote control, since I get a message that Microsoft Management Console isn't closed when I shut down the computer. I have lost access to all of the USB ports and cannot find anyway to restart them. I have lost my recent restore points.

At this point I have disconnected the computer from the internet router and have copied the main files that I NEED for the business. I was getting ready to just reformat the C drive and install a new windows 10, but I read an earlier forum where someone sounded like they had close to or the same issue. It was pretty intense and complicated, but sounded like you were able to restore the computer without the hackers still having control.  I am afraid to open anything online, since I am pretty sure they are grabbing anything they can and I am hoping I caught this quick enough.  But, it is pretty likely they have been able to copy files from my computer, at least that is what I am thinking.

Would it be best to just take the hit, which is massive since this is a computer I use for a home based business, and do a clean install of a new OS?  I will lose a lot, but I will pay that price to get my computer back.  Is it likely they have accessed all of the hard drives on the computer also?  I have 3 different hard drives.

Even when I restart the computer now, without the internet connected, the Powershell.exe C: prompt opens and flashes the red command before closing. I am guessing that means they are running the computer?

Not a clue where to go next other than to do a clean install and take the hit for my stupidity.


Share this post

Link to post
Share on other sites

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

Boot the computer in Safe Mode with Newtorking.

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.

Please post the logs  for my review.

Wait for further instructions


Or you can download the Farbar program using the other computer.

Open the Windows 10 computer in Safe Mode only.
Copy the the Farbar program to the Desktop of the compromised computer and run it from there. 

Share this post

Link to post
Share on other sites

I am back.  I really do apologize.  I threw in the towel.  A lot of reasons, but it felt like I just needed to start anew. I removed the old hard drives, installed two new ones, installed a new clean Windows 10 Pro OS, new programs and threw away the old hard drives.  Lost a bit, but I felt like I had been raped, so just closing the door and beginning completely new felt right.

Malwarebytes is my GO TO. Back running now. 

Thanks again.  I hope i don't have to come back here again.  Going to be a whole lot more watchful and careful.

Share this post

Link to post
Share on other sites

Okay, sorry to hear but glad you're back up and running well again. Please review the information below and don't forget about backups so that you don't lose your data.


Help Secure your browsers

Please install uBlock Origin for your browsers to better protect your system

FireFox, ChromeOpera , SafariMicrosoft Edge
AdBlock for Internet Explorer

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up


Thank you for choosing Malwarebytes



Share this post

Link to post
Share on other sites
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.