ChristopherLH05

powershell.exe (CPU Problems) Malware


It's been about 4 days since I've had this virus/malware (which is what I'm expecting it to be), and I've turned here for help. There is always multiple when they pop up on my resource monitor, although they pop up as terminated, they clearly have an effect on my CPU. I've ran multiple malware scans and it didn't detect whatever this powershell.exe is. I can't play lots of CPU heavy games because of this. 



Hello @ChristopherLH05 and welcome.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Thanks. The Malwarebytes log says you did not have the program remove what it found.

Please restart the computer and run all of the steps again. This time please make sure you tell Malwarebytes to remove what it finds.

 No Action By User,


No, it would say it was quarantined. Perhaps you copied the log before it was completed.

Please just scan again and let me see the new log. If all is valid then the new log should be clean this time.

 


What is this command for?

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\noSysprep.cmd

You have an old out of date, compromised version of Java. Please go to Control Panel, Programs, Uninstall - and uninstall the following

Java 8 Update 144

 

 


Please follow the directions from the following topic to clean up Google Chrome

https://forums.malwarebytes.com/topic/258886-chrome-secure-preferences-detection-always-returns/

After you've reset Chrome then please run the following fix.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


 


Here you are.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/26/20
Scan Time: 7:26 PM
Log File: d956d03a-b80c-11ea-a6f9-4ccc6a922400.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26061
License: Trial

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: DESKTOP-O9HUBEH\Christopher Hellen

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 387556
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 16 min, 15 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


I'd have to say I'm not quite sure what that command is. A bit ago I disabled a good bit of things that I saw as not important and that were dragging my system down when starting up my PC. Not sure if that's relatable AT ALL, but that's the only thing I remember doing.

 

I uninstalled the Java as well.


Windows Resource Protection found corrupt files and successfully repaired them.


How is the computer running now?

I'm off work now but will check back on you either later tonight or sometime this weekend.

 


This person actually has the EXACT same problem that I'm having right now. Whenever you can read through this thread, I'm wondering if I should try the same steps he did? Everything he described is what's happening to me, with powershell.exe running, then terminating itself.


Whenever you see this again, I don't actually believe it's malware, but there's something running a script, I believe. If I could somehow disable PowerShell, that would be great. I found the application in my files, but I don't have permission to change it?


I do not recommend disabling, renaming or removing PowerShell. It has become very important for use with Windows these days.

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images.
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop, hover your mouse over Send To and select Compressed (zipped) Folder.
  • Attach the Autoruns.zip folder you just created to your next reply.

 


 

 

Thanks

 

 


When I traced the file, it seemed it was another application named powershell. I uninstalled it, and I still have my Windows PowerShell. I'd have to say I'm not quite sure what it was. I was thinking it was a 32-bit version. It's gone and I still have my regular PowerShell, which I just used to change my Teredo state yesterday, so I know it's still working good. Thanks for all your help, the problem has been resolved.
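A way to see what those short-lived powershell.exe processes actually are, as an added example rather than anything posted in this thread: this PowerShell script (run from an elevated prompt) polls for processes named powershell.exe, records each one's on-disk path, Authenticode signature and parent process, and flags any that do not run from the two standard Windows PowerShell locations, which is exactly the distinction that resolved this case. The 60-second polling window and the one-second interval are assumptions.

```powershell
# Added example, not from the thread. Inventory every running process named
# powershell.exe: where it runs from, whether its binary is validly signed, and
# which process launched it. Run elevated so other users' processes are visible.

# On-disk locations of the genuine Windows PowerShell 5.1 hosts (64-bit, 32-bit).
$knownHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)

function Get-PowerShellProcessReport {
    $all  = Get-CimInstance Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $all | Where-Object { $_.Name -ieq 'powershell.exe' }) {
        $parent = $byId[[int]$p.ParentProcessId]
        $path   = $p.ExecutablePath
        $sig    = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        [pscustomobject]@{
            PID            = $p.ProcessId
            Path           = $path
            KnownLocation  = ($knownHosts -contains $path)   # $false means an impostor or a copy
            SignatureState = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            ParentPID      = $p.ParentProcessId
            ParentName     = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath     = if ($parent) { $parent.ExecutablePath } else { '' }
            CommandLine    = $p.CommandLine
        }
    }
}

# The instances in this thread die quickly, so sample once a second for a minute
# (assumed values) and keep the first sighting of each PID.
$seen     = @{}
$deadline = (Get-Date).AddSeconds(60)
while ((Get-Date) -lt $deadline) {
    foreach ($r in Get-PowerShellProcessReport) {
        if (-not $seen.ContainsKey($r.PID)) { $seen[$r.PID] = $r }
    }
    Start-Sleep -Seconds 1
}
$seen.Values | Format-List
```

Any entry with KnownLocation false, a signature state other than Valid, or a parent you do not recognise is the one to look up in the Autoruns log, since the parent's own launch point (a scheduled task, a Run key, a Startup item such as the noSysprep.cmd mentioned earlier) is what keeps respawning it.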


Great, sounds good.

Let's go ahead and run a secondary scanner to double-check all is well.

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats:

Kaspersky Virus Removal Tool

Let me know if it finds anything or not.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for tips to help protect from infection.

Thank you

 

 

This topic is now closed to further replies.