
Powershell blinks in Task Manager during startup. Event Viewer confuses me.


Solved by AdvancedSetup.


Windows 10 Home, Lenovo laptop.

Malwarebytes and Windows Defender both come up with nothing. (Full and offline scans included.) As far as I or my Antivirus programs know, I have no recent history of infections.

I've downloaded some 3rd party software, but nothing sketchy. However, I'm occasionally forced to plug in USBs and accept files from people who are less careful in their online habits.

I noticed Powershell appears in the Task Manager whenever I turn on my laptop. It stays there for a few seconds, and then vanishes. There's nothing in the taskbar, and no window, either. Googling the issue hinted that having Powershell run every time you turn on your device is not a good sign, so I investigated further.

Event Viewer shows that whatever this is, it has been going on for a while. It goes all the way back to when I reset this laptop. (Not a clean boot from USB, but a full reset from Windows settings with files deleted. I saw no need for heavier measures at the time, and am a bit unsure how to do a completely clean boot anyway.)

There's nothing relevant in the Task Manager Startup tab. This phenomenon doesn't seem to occur in Safe Mode. DISM health check and sfc scannow both find nothing wrong.

Interestingly, whatever this is, it seems to have kicked up immediately upon reset, even before some basic setup. (I can see it already repeating in Event Viewer before Lenovo ran some first-time setup scripts.) The first sequences display a different name for the computer (WIN-random letters and numbers) while later ones show the familiar name of my laptop (LAPTOP-random letters and numbers).

Based on what I can decipher, here are the three commands Powershell is executing, in the order the Event Viewer Date and Time column places them. Since I'm a bit paranoid, and not so great with computers, I took out some exact numbers that seemed like they might contain personal info:

  1. HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(A long string of numbers that changes at every restart. I looked in the TEMP folder, but couldn't find anything matching the latest number. Not even with Hidden Files shown.)
  2. HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
  3. HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;

Here is the event info:


Event IDs: 600, 400, and 403.

Level: Information

User: N/A

OpCode: Info

Task Category: Provider Lifecycle and Engine Lifecycle

Here are the full event sequences in their apparent chronological order. I believe each sequence only runs once upon restart, and does not repeat afterwards.

The first one:

  1. Provider "Registry" is Started.

    Details:
        ProviderName=Registry
        NewProviderState=Started

        SequenceNumber=1

        HostName=ConsoleHost
        HostVersion=(A series of numbers and periods that remains constant. It looks a bit like an OS version number. If it is one, it does not match the OS version number shown in my System information.)
        HostId=(A series of numbers, lowercase letters and dashes that changes every restart.)
        HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(A long string of numbers that changes at every restart. I looked in the TEMP folder, but couldn't find anything matching the latest number. Not even with Hidden Files shown.)
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  2. Provider "Alias" is Started.

    Details:
        ProviderName=Alias
        NewProviderState=Started

        SequenceNumber=3

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(Same as before.)
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  3. Provider "Environment" is Started.

    Details:
        ProviderName=Environment
        NewProviderState=Started

        SequenceNumber=5

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(Same as before.)
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  4. Provider "FileSystem" is Started.

    Details:
        ProviderName=FileSystem
        NewProviderState=Started

        SequenceNumber=7

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(Same as before.)
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  5. Provider "Function" is Started.

    Details:
        ProviderName=Function
        NewProviderState=Started

        SequenceNumber=9

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(Same as before.)
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  6. Provider "Variable" is Started.

    Details:
        ProviderName=Variable
        NewProviderState=Started

        SequenceNumber=11

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(Same as before.)
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  7. Engine state is changed from None to Available.

    Details:
        NewEngineState=Available
        PreviousEngineState=None

        SequenceNumber=13

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(Same as before.)
        EngineVersion=(This was empty before, but now contains a number matching with HostVersion.)
        RunspaceId=(This was empty before, but now contains a series of numbers, dashes and lowercase letters.)
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  8. Engine state is changed from Available to Stopped.

    Details:
        NewEngineState=Stopped
        PreviousEngineState=Available

        SequenceNumber=15

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(Same as before.)
        EngineVersion=(Same as before.)
        RunspaceId=(Same as before.)
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

The second one:

  1. Provider "Registry" is Started.

    Details:
        ProviderName=Registry
        NewProviderState=Started

        SequenceNumber=1

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  2. Provider "Alias" is Started.

    Details:
        ProviderName=Alias
        NewProviderState=Started

        SequenceNumber=3

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  3. Provider "Environment" is Started.

    Details:
        ProviderName=Environment
        NewProviderState=Started

        SequenceNumber=5

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  4. Provider "FileSystem" is Started.

    Details:
        ProviderName=FileSystem
        NewProviderState=Started

        SequenceNumber=7

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  5. Provider "Function" is Started.

    Details:
        ProviderName=Function
        NewProviderState=Started

        SequenceNumber=9

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  6. Provider "Variable" is Started.

    Details:
        ProviderName=Variable
        NewProviderState=Started

        SequenceNumber=11

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  7. Engine state is changed from None to Available.

    Details:
        NewEngineState=Available
        PreviousEngineState=None

        SequenceNumber=13

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
        EngineVersion=(Same as before.)
        RunspaceId=(Same as before.)
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  8. Engine state is changed from Available to Stopped.

    Details:
        NewEngineState=Stopped
        PreviousEngineState=Available

        SequenceNumber=15

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
        EngineVersion=(Same as before.)
        RunspaceId=(Same as before.)
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

The third one:

  1. Provider "Registry" is Started.

    Details:
        ProviderName=Registry
        NewProviderState=Started

        SequenceNumber=1

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  2. Provider "Alias" is Started.

    Details:
        ProviderName=Alias
        NewProviderState=Started

        SequenceNumber=3

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  3. Provider "Environment" is Started.

    Details:
        ProviderName=Environment
        NewProviderState=Started

        SequenceNumber=5

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  4. Provider "FileSystem" is Started.

    Details:
        ProviderName=FileSystem
        NewProviderState=Started

        SequenceNumber=7

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  5. Provider "Function" is Started.

    Details:
        ProviderName=Function
        NewProviderState=Started

        SequenceNumber=9

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  6. Provider "Variable" is Started.

    Details:
        ProviderName=Variable
        NewProviderState=Started

        SequenceNumber=11

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
        EngineVersion=
        RunspaceId=
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  7. Engine state is changed from None to Available.

    Details:
        NewEngineState=Available
        PreviousEngineState=None

        SequenceNumber=13

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
        EngineVersion=(Same as before.)
        RunspaceId=(Same as before.)
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

  8. Engine state is changed from Available to Stopped.

    Details:
        NewEngineState=Stopped
        PreviousEngineState=Available

        SequenceNumber=15

        HostName=ConsoleHost
        HostVersion=(Same as before.)
        HostId=(Same as before.)
        HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;
        EngineVersion=(Same as before.)
        RunspaceId=(Same as before.)
        PipelineId=
        CommandName=
        CommandType=
        ScriptName=
        CommandPath=
        CommandLine=

Problem is, I have no idea what any of this means. Any idea what is happening? Does it look bad, and if so, how bad? How can I find out what's causing this?

Autoruns shows two Task Scheduler Powershell instances (\Microsoft\Windows\SMB\UninstallSMB1ClientTask and \Microsoft\Windows\SMB\UninstallSMB1ServerTask) running on startup, but disabling them does not fix the problem. Additionally, while I can see them listed in Autoruns, Task Scheduler claims these tasks have never been run. Investigating the DisableUnusedSMB1.ps1 script as a text file shows the following:

# Copyright (c) 2017 Microsoft Corporation. All rights reserved.
#
# This script is used to automatically remove support for the legacy SMB 1.0/CIFS protocol when such support isn't actively needed during normal system usage.
Param
(
    [Parameter(Mandatory=$True)]
    [ValidateSet("Client", "Server")]
    [string]
    $Scenario
)

#
# ------------------
# FUNCTIONS - START
# ------------------
#
Function UninstallSmb1 ($FeatureNames)
{
    try
    {
        Remove-SMBComponent -Name $FeatureNames
    }
    catch {}
}

#
# ------------------
# FUNCTIONS - END
# ------------------
#

#
# ------------------------
# SCRIPT MAIN BODY - START
# ------------------------
#

$ScenarioData = @{
    "Client" = @{
        "FeatureName" = "SMB1Protocol-Client";
        "ServiceName" = "LanmanWorkstation"
    };
    "Server" = @{
        "FeatureName" = "SMB1Protocol-Server";
        "ServiceName" = "LanmanServer"
    }
}

$FeaturesToRemove = @()

foreach ($key in $ScenarioData.Keys)
{
    $FeatureName = $ScenarioData[$key].FeatureName
    $ServiceName = $ScenarioData[$key].ServiceName

    $ScenarioData[$key].FeatureState = (Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).State
    $ScenarioData[$key].ServiceParameters = Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\${ServiceName}\Parameters"
}

$FeaturesToRemove += $ScenarioData[$Scenario].FeatureName
$ScenarioData[$Scenario].FeatureState = "Disabled"

$RemoveDeprecationTasks = $true

foreach ($key in $ScenarioData.Keys)
{
    if($ScenarioData[$key].FeatureState -ne "Disabled" -and
       $ScenarioData[$key].ServiceParameters.AuditSmb1Access -ne 0) {

        $RemoveDeprecationTasks = $false
    }
}

if ($RemoveDeprecationTasks) {
    $FeaturesToRemove += "SMB1Protocol-Deprecation"

    $RemoveToplevelFeature = $true

    foreach ($key in $ScenarioData.Keys)
    {
        if($ScenarioData[$key].FeatureState -ne "Disabled") {
            $RemoveToplevelFeature = $false
        }
    }

    if ($RemoveToplevelFeature) {
        $FeaturesToRemove += "SMB1Protocol"
    }
}

UninstallSmb1 -FeatureName $FeaturesToRemove

$NewFeatureState = (Get-WindowsOptionalFeature -Online -FeatureName $ScenarioData[$Scenario].FeatureName).State

if ($NewFeatureState -ne "Enabled")
{
    $ServiceName = $ScenarioData[$Scenario].ServiceName
    $RegistryPath = "HKLM:\System\CurrentControlSet\Services\${ServiceName}\Parameters"
    New-ItemProperty -Path $RegistryPath -Name AuditSmb1Access -Value 0 -PropertyType DWORD -Force | Out-Null
}

To my amateur eyes, this seems neither suspicious nor related to the commands appearing in my Event Viewer? This, in addition to the facts that Task Scheduler claims these two tasks have never run, and disabling them from Autoruns doesn't help, makes me believe I might be dealing with something else?

Thanks for your time!


Hello @somethingtechn and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


@1PW

Will anyone, in theory, be able to access that attached file, or just trusted Malwarebytes advisors and staff? I know that the odds of anyone but me caring are astronomically low, but when I unzipped it, it seems to contain a lot of identifiable information. That makes me kind of nervous... Is it really a non-negotiable requirement?


Hello @somethingtechn:

It is not a theory. The facts are that only Malwarebytes' forum Trusted Advisors, Experts, and Malwarebytes Staff have access to the attachments in this subforum.

All of us admire your elevated sense of security. Yes. A thorough analysis of the system's logs is just the beginning for the path to a solution.

Thank you for the questions.


5 hours ago, somethingtechn said:

So, no-one besides verified people can download the attachment?

That's correct. Only those designated by Malwarebytes may access your posted attachments. You may test this by:

  1. Please 'Sign Out' of this forum and see if you can read the contents of another member's attachments in this subforum.
  2. Or, stay signed in and, again, see if you can read the contents of another member's attachments in this subforum.

When you are convinced, please consider following the procedure in my first post to you if you desire to continue.

Thank you, @somethingtechn


  • Root Admin
8 hours ago, somethingtechn said:

@1PW So, no-one besides verified people can download the attachment?

Log out of our forums then close the browser and come back as a guest and see if you can download the log file from someone else's post. @somethingtechn and you should not be able to.


Thank you for your patience! I've attached the requested file.

To make sure this wasn't just some 3rd party software I installed, I reset the laptop from Windows settings with clean the drive and cloud download enabled. Then, I uninstalled all of the same bloat I normally do. There should be nothing extra on this laptop now aside from some stuff that came through cloud download, Firefox, Autoruns, and, of course, Malwarebytes.

I also checked for updates through both Windows Update and Lenovo Vantage after the reset.

Unfortunately, this did not help. I checked Event Viewer immediately after the Windows setup screen changed to the desktop, and I could see the same old Powershell event sequences had already run.

Just to clarify, this was all done before gathering logs.

mbst-grab-results.zip


  • Root Admin

Please run the following fix @somethingtechn

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\J\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


  • Root Admin

The logs do not include anything indicating running of PowerShell directly. So, if it's being called it is from another command making the call. @somethingtechn

Let me have you run the following, please.

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items: Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

Thank you
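The point made in the post above, that PowerShell is not being launched directly and so some other command must be calling it, can be checked from Event Viewer data. The script below is an added example written for this thread; it is not code from the original poster, from 1PW, from AdvancedSetup, or from Microsoft. It pairs each "Windows PowerShell" engine-start event (ID 400, the same events quoted in the first post) with the Security log's process-creation event (ID 4688), which records the creator process name. It assumes that process-creation auditing has been enabled with auditpol and, if command lines are wanted too, that the "Include command line in process creation events" policy is on; the $Hours and $WindowSeconds parameters are my own choices.

```powershell
<#
  Added example (not from this thread): show which process created each
  powershell.exe whose engine start appears in the classic "Windows PowerShell"
  log, by correlating event 400 there with Security event 4688.

  Assumptions (mine, not stated in the thread):
    * Process-creation auditing is on:
        auditpol /set /subcategory:"Process Creation" /success:enable
    * For command lines in 4688, the policy value
        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled
      is 1 ("Include command line in process creation events").
    * Run from an elevated prompt; reading the Security log requires it.
#>
param(
    [int]$Hours = 24,          # how far back to search
    [int]$WindowSeconds = 10   # max gap between process creation and engine start
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Engine lifecycle: ID 400 = engine state None -> Available. The message body
#    carries the same "HostApplication=" line the original poster copied out.
$engineStarts = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev   = $_
        $line = ($ev.Message -split "`r?`n") | Where-Object { $_ -match '^\s*HostApplication=' } | Select-Object -First 1
        $app  = ''
        if ($line) { $app = ($line -replace '^\s*HostApplication=', '').Trim() }
        [pscustomobject]@{ Time = $ev.TimeCreated; HostApplication = $app }
    }
)

# 2. Process creation: ID 4688 records the new image, its creator
#    ("ParentProcessName", present on Windows 10 and later) and, with the
#    policy above, the command line.
$creations = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev   = $_
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['NewProcessName'] -like '*\powershell.exe') {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Parent      = $data['ParentProcessName']
                CommandLine = $data['CommandLine']      # empty unless the policy is set
                User        = $data['SubjectUserName']
            }
        }
    }
)

# 3. Pair each engine start with the nearest preceding powershell.exe creation.
$report = foreach ($e in $engineStarts) {
    $match = $creations |
        Where-Object { $_.Time -le $e.Time -and ($e.Time - $_.Time).TotalSeconds -le $WindowSeconds } |
        Sort-Object Time -Descending | Select-Object -First 1
    $createdBy = '(no 4688 within window; is process auditing enabled?)'
    $user      = ''
    if ($match) { $createdBy = $match.Parent; $user = $match.User }
    [pscustomobject]@{
        Time            = $e.Time
        HostApplication = $e.HostApplication
        CreatedBy       = $createdBy
        User            = $user
    }
}

$report | Sort-Object Time | Format-Table -AutoSize -Wrap

# 4. Which command lines recur. A command that appears once per boot with a
#    stable creator is usually a scheduled task or a service, not a user program.
$engineStarts | Group-Object HostApplication | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'HostApplication'; Expression = { $_.Name } } |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt. If auditing was not on at the time of the last boot, the CreatedBy column shows only the placeholder text; enable it, reboot, and run the script again so there are fresh 4688 events to pair with. A creator of svchost.exe points at the Task Scheduler or another service rather than a user-launched program, which is where the Scheduled Tasks and Services tabs in Autoruns are worth comparing against the timestamps. Script Block Logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) records the script text itself and complements this view.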

  • Root Admin

Please run the following

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

Select the Windows Key and R Key together; the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important; when the scan does eventually complete, the resultant report is normally encrypted, and with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found, select "Close".


Attach the report information as previously instructed...

Thank you

  • Root Admin

No problem, we can have other scanners also check.

Please run the following

Please run the following ESET Online Scanner and perform a Full Scan

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen choose whether you want to send anonymous data and whether you want to provide feedback, then click Continue.
  • When prompted for scan type, Click on the Full Scan button
  • Enable (select) the option "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click the blue "Save scan log" to save the log, and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Please attach the ESET scan log you saved at the end to your next reply

My apologies. I was mistaken. Two of the three Powershell events

  1. HostApplication=powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1';
  2. HostApplication=powershell.exe -ExecutionPolicy Restricted -Command $Res = 0; $Infs = Get-Item -Path ($env:WinDir + '\inf\*.inf'); foreach ($Inf in $Infs) { $Data = Get-Content $Inf.FullName; if ($Data -match '\[defaultinstall.nt(amd64|arm|arm64|x86)\]') { $Res = 1; break; } } Write-Host 'Final result:', $Res;

no longer show up in Event Viewer. I didn't notice immediately, because

  1. HostApplication=C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive get-computerinfo -Property OSName > C:\WINDOWS\TEMP\(A long string of numbers that changes at every restart. I looked in the TEMP folder, but couldn't find anything matching the latest number. Not even with Hidden Files shown.)

is still repeating.

  • Root Admin

This looks like it is probably a Microsoft scheduled task.

We can do a few things to try to track it down.

Please click on Start and type in PowerShell and then run with Admin rights. Then copy and paste the following and press the Enter key

Get-ExecutionPolicy

Then post back the results

  • Root Admin

Please save the attached FIXLIST.TXT file to the same folder as the Farbar program.

Then run the Farbar program with Admin rights and click the FIX button.

This will create a new zip file on your desktop with the date and time as the name. It will zip the contents of your Tasks folder.

Attach that file on your next reply and I will review them.

fixlist.txt

Thanks

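The two previous replies are working toward the same question: which scheduled task is starting powershell.exe at boot. The script below is an added example, not code from the thread, from Malwarebytes staff or from the Farbar fixlist, that does that tracking in one pass from an elevated PowerShell prompt: it lists every scheduled task whose action launches PowerShell, pulls the HostApplication line out of the "Windows PowerShell" log's engine-start events (ID 400, the events quoted earlier in the thread), matches each such event against Task Scheduler "task started" records from the seconds before it, and finally zips the on-disk task definitions the way the fixlist does. Assumptions: the search string in $Pattern is taken from the quoted get-computerinfo command line; the output folder C:\Temp\TaskReview is a name chosen for this example.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumptions: $Pattern is a substring of the command line quoted in the thread;
# $OutDir is an output folder chosen here.
$Pattern = 'get-computerinfo'
$OutDir  = 'C:\Temp\TaskReview'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Scheduled tasks whose action runs PowerShell. Note that
#    "-ExecutionPolicy Restricted" only blocks .ps1 script files; a -Command
#    string still runs, so Get-ExecutionPolicy alone cannot explain the events.
$PsTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell' -or $a.Arguments -match 'powershell') {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                RunAs     = $task.Principal.UserId
                Author    = $task.Author
                Execute   = $a.Execute
                Arguments = $a.Arguments
                Matches   = [bool]($a.Arguments -match $Pattern)
            }
        }
    }
}
$PsTasks | Sort-Object Matches -Descending | Format-Table -AutoSize -Wrap
$PsTasks | Export-Csv -Path (Join-Path $OutDir 'powershell-tasks.csv') -NoTypeInformation

# 2. Engine-start events from the classic "Windows PowerShell" log (ID 400),
#    keeping only those whose HostApplication line matches the pattern.
$PsEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = [regex]::Match($_.Message, 'HostApplication=([^\r\n]+)')
        if ($m.Success -and $m.Groups[1].Value -match $Pattern) {
            [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $m.Groups[1].Value }
        }
    }

# 3. For each such event, look for Task Scheduler "task started" (ID 100) and
#    "created task process" (ID 129) records in the 10 seconds before it; their
#    TaskName field names the task. This log is off by default on Windows 10;
#    if it is empty, enable it first with:
#      wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true
foreach ($e in $PsEvents) {
    $starts = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 100, 129
        StartTime = $e.Time.AddSeconds(-10)
        EndTime   = $e.Time.AddSeconds(1)
    } -ErrorAction SilentlyContinue
    foreach ($s in $starts) {
        $xml  = [xml]$s.ToXml()
        $name = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'TaskName' }).'#text'
        '{0:u}  PS400 {1}  <-  {2:u}  event {3}  {4}' -f $e.Time, $e.HostApplication, $s.TimeCreated, $s.Id, $name
    }
}

# 4. Same idea as the Farbar fixlist: archive the on-disk task definitions
#    (XML files under System32\Tasks) for offline review.
Compress-Archive -Path "$env:SystemRoot\System32\Tasks\*" -DestinationPath (Join-Path $OutDir 'Tasks.zip') -Force
```

Step 3 is the one that actually names the task, and it depends on Task Scheduler history having been enabled before the boot in question; if it was not, enable the log, reboot, and run the script again. The CSV from step 1 and the Tasks.zip from step 4 are what to attach when asking someone else to review the result.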