Windows Powershell has stopped working



#1 chirpchirp

Posted 03 January 2015 - 07:14 PM

Hello everyone,

Over the past two or three days my laptop has started to act up. (Just in time for my new semester... yay!)

I run Windows 8 x64 on an HP Pavilion g7. It was used when I bought it, and I've had it almost two years now with no problems at all. Recently I've been getting errors of "Windows PowerShell has stopped responding." Sometimes numerous errors will come up. I've run malware and virus scans, and I've tried installing updates. Nothing has seemed to work.

Along with that, the fans in my laptop begin to get loud and my battery life decreases. Now, this does not always happen when the error occurs, but I'm assuming it goes with it, considering it has happened around the same time. Usually I have a three-and-a-half-hour battery, but now it bounces between one and two hours.

I've searched the internet several days in a row now, and most seem to believe it's a virus, but seeing as I have run scans with three different antivirus/anti-malware programs, I do not think this is the case.

I apologize if this is a repeat post. Thank you in advance. If you need any other information, please let me know and I will get back ASAP.




#2 quietman7

Posted 04 January 2015 - 08:54 AM

:welcome: to Bleeping Computer.

You are most likely infected with Poweliks, which typically affects the ability to browse or download files using Internet Explorer and causes PowerShell error alerts. Task Manager typically shows numerous occurrences of (COM Surrogate) dllhost.exe or dllhst3g.exe. If using a 64-bit version of Windows, these entries will be listed as dllhost.exe *32 or dllhst3g.exe *32. These processes are known to spawn and consume a large amount of system resources, as described here.


If you are having trouble downloading files with Internet Explorer, follow these instructions to re-enable downloads/reset all Security zones to default.

Please download ESETPoweliksCleaner and save it to your Desktop.
  • Double-click on ESETPoweliksCleaner.exe to start the tool.
  • Read the terms of the End-user license agreement and click Agree if you agree to them.
  • The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.
  • If Poweliks was detected, "Win32/Poweliks was successfully removed from your system" will be displayed.
  • If Poweliks was not detected, "Win32/Poweliks not found" will be displayed.
  • Press any key to exit the tool and reboot your computer.
  • The tool will produce a log in the same directory the tool was run from.
  • Copy and paste the contents of that log in your next reply.
Note: If the log is too long, you may need to split it and use multiple replies in order to post all the information.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
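The reply above describes the Poweliks picture (a burst of dllhost.exe "COM Surrogate" processes, PowerShell error pop-ups, a per-user COM class registration that the cleaner later flags). The following read-only triage script is an added example, not code from this thread or from ESET, and the function names and heuristics are mine. It assumes an elevated PowerShell prompt on Windows 8 / PowerShell 3 or later, and it reports rather than removes anything.

```powershell
# Added triage script for the symptoms described above. Example code, not the
# thread's or ESET's. Read-only: it prints findings for a human to review.
# Run from an elevated PowerShell prompt (Windows 8 / PowerShell 3+).

function Get-ComSurrogateProcesses {
    # A legitimate dllhost.exe is launched by the DcomLaunch service (svchost.exe)
    # with a "/Processid:{CLSID}" argument. Many instances with an unexpected
    # parent, or with no /Processid argument, match the picture in the thread.
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    $all | Where-Object { $_.Name -in 'dllhost.exe', 'dllhst3g.exe' } | ForEach-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        [pscustomobject]@{
            Pid         = $_.ProcessId
            ParentPid   = $_.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            HasClsidArg = [bool]($_.CommandLine -match '/Processid:\{')
            CommandLine = $_.CommandLine
        }
    }
}

function Get-UserHiveComOverrides {
    # HKCR is merged from HKCU\Software\Classes and HKLM\Software\Classes, with the
    # user hive taking precedence. A class registered system-wide can therefore be
    # redirected for one user by adding an InprocServer32/LocalServer32 under HKCU;
    # that is the pattern the ESET log flags for {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}.
    # Per-user software installs do this legitimately too, so review, do not delete.
    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }
    foreach ($key in Get-ChildItem -Path $userRoot) {
        $clsid = $key.PSChildName
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $userKey = "$userRoot\$clsid\$server"
            if (-not (Test-Path $userKey)) { continue }
            $userTarget    = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
            $machineKey    = "HKLM:\Software\Classes\CLSID\$clsid\$server"
            $machineTarget = if (Test-Path $machineKey) { (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)' }
            # Only a bare, rooted path is checked for existence; values carrying
            # arguments or relying on the DLL search path show as $false here.
            $expanded = if ($userTarget) { [Environment]::ExpandEnvironmentVariables($userTarget).Trim('"') }
            [pscustomobject]@{
                Clsid          = $clsid
                ServerType     = $server
                UserTarget     = $userTarget
                MachineTarget  = $machineTarget
                ShadowsMachine = [bool]$machineTarget
                TargetExists   = [bool]($expanded -and [IO.Path]::IsPathRooted($expanded) -and (Test-Path -LiteralPath $expanded))
            }
        }
    }
}

function Get-SuspiciousRunValues {
    # The cleaner log shows the tool walking Run/RunOnce. Two cheap heuristics:
    # a value name that is empty or contains characters outside printable ASCII
    # (regedit cannot display such names cleanly), and a command that feeds an
    # inline script to rundll32/mshta/wscript/cscript/powershell. Expect some
    # false positives from legitimate launchers; this is a list to inspect.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-Item -Path $k
        foreach ($name in $item.GetValueNames()) {
            $data       = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $oddName    = ($name -eq '') -or ($name -match '[^\x20-\x7E]')
            $inlineCode = $data -match '(?i)\b(rundll32|mshta|wscript|cscript|powershell)\b.*(javascript:|vbscript:|-enc|FromBase64String)'
            if ($oddName -or $inlineCode) {
                [pscustomobject]@{ Key = $k; ValueName = $name; Data = $data; OddName = $oddName; InlineCode = $inlineCode }
            }
        }
    }
}

'== COM Surrogate processes =='
Get-ComSurrogateProcesses | Format-Table -AutoSize
'== Per-user COM registrations shadowing a system-wide class =='
Get-UserHiveComOverrides | Where-Object ShadowsMachine | Format-Table Clsid, ServerType, UserTarget, MachineTarget, TargetExists -AutoSize
'== Run/RunOnce values worth a look =='
Get-SuspiciousRunValues | Format-Table -AutoSize
```

Two caveats when reading the output: on 64-bit Windows the 32-bit class table lives under HKCU\Software\Classes\Wow6432Node\CLSID and is not walked here, and a shadowing entry is only evidence, not proof; the cleaner in the reply above is the thing to run when the user-hive entry points at nothing that should be there.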

#3 chirpchirp

Posted 04 January 2015 - 07:15 PM

Hello!!

It did indeed find the Poweliks.

Here is my log:

[2015.01.04 18:46:51.424] - Begin
[2015.01.04 18:46:51.426] - 
[2015.01.04 18:46:51.429] -     ....................................
[2015.01.04 18:46:51.431] -   ..::::::::::::::::::....................
[2015.01.04 18:46:51.435] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2015.01.04 18:46:51.442] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.1
[2015.01.04 18:46:51.447] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Oct 15 2014
[2015.01.04 18:46:51.452] -  .::EE:::::::::::::SS:.EE..........TT......
[2015.01.04 18:46:51.456] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2015.01.04 18:46:51.458] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2015.01.04 18:46:51.458] -     ....................................
[2015.01.04 18:46:51.459] - 
[2015.01.04 18:46:51.459] - --------------------------------------------------------------------------------
[2015.01.04 18:46:51.460] - 
[2015.01.04 18:46:51.462] - INFO: OS: 6.2.9200 SP0
[2015.01.04 18:46:51.462] - INFO: Product Type: Workstation
[2015.01.04 18:46:51.463] - INFO: WoW64: True
[2015.01.04 18:46:51.464] - INFO: Machine guid: 73C2DCF7-4451-4108-ADF8-921F94226196 
[2015.01.04 18:46:51.465] - 
[2015.01.04 18:46:54.759] - INFO: Scanning for system infection...
[2015.01.04 18:46:54.759] - --------------------------------------------------------------------------------
[2015.01.04 18:46:54.759] - 
[2015.01.04 18:46:54.759] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.04 18:46:54.759] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.04 18:46:54.759] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.04 18:46:54.759] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.04 18:46:54.759] - INFO: Processing classes...
[2015.01.04 18:46:54.759] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}]
[2015.01.04 18:46:54.759] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBA}]
[2015.01.04 18:46:54.759] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBB}]
[2015.01.04 18:46:54.759] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBC}]
[2015.01.04 18:46:54.759] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}]
[2015.01.04 18:46:54.759] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}]
[2015.01.04 18:46:54.759] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.04 18:46:54.759] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.04 18:46:54.759] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{D9AC5E73-BB10-467b-B884-AA1E475C51F5}]
[2015.01.04 18:46:54.759] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.04 18:46:54.775] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.04 18:46:54.790] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.04 18:46:54.790] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.04 18:46:54.790] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.04 18:46:54.790] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.04 18:46:54.790] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.04 18:46:54.790] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.04 18:46:54.790] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.04 18:46:54.790] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2015.01.04 18:46:54.790] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.04 18:46:54.806] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.04 18:46:54.806] - INFO: Win32/Poweliks found
[2015.01.04 18:47:02.158] - INFO: process: dllhost.exe, pid 4988, parent 1068
[2015.01.04 18:47:02.158] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.04 18:47:02.158] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.04 18:47:02.158] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.04 18:47:02.158] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2015.01.04 18:47:02.158] - INFO: Processing classes...
[2015.01.04 18:47:02.158] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}]
[2015.01.04 18:47:02.158] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBA}]
[2015.01.04 18:47:02.158] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBB}]
[2015.01.04 18:47:02.158] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBC}]
[2015.01.04 18:47:02.158] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-FFFF-ABCDEFFEDCBA}]
[2015.01.04 18:47:02.158] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}]
[2015.01.04 18:47:02.158] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.04 18:47:02.158] - INFO: Deleted classid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.04 18:47:02.158] - INFO: Processing clsid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{D9AC5E73-BB10-467b-B884-AA1E475C51F5}]
[2015.01.04 18:47:02.158] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.04 18:47:02.158] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.04 18:47:02.158] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.04 18:47:02.158] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.04 18:47:02.158] - INFO: Processing value [] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.04 18:47:02.158] - INFO: Processing value [ServerExecutable] = [%systemroot%\sysWOW64\wbem\wmiprvse.exe]
[2015.01.04 18:47:02.158] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.04 18:47:02.158] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2015.01.04 18:47:02.158] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2015.01.04 18:47:02.158] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2015.01.04 18:47:02.158] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.04 18:47:02.158] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2015.01.04 18:47:02.158] - INFO: Cleaning status: 0
[2015.01.04 18:47:12.199] - End


#4 quietman7
Posted 04 January 2015 - 07:21 PM

Your log shows Poweliks was found and removed.

[2015.01.04 18:46:54.806] - INFO: Win32/Poweliks found
[2015.01.04 18:47:02.158] - INFO: process: dllhost.exe, pid 4988, parent 1068
...
[2015.01.04 18:47:02.158] - INFO: Cleaning status: 0


Let's do another scan since this infection is known to download other malicious files.

Please download and scan with Emsisoft Anti-Malware 30-day trial version.
  • Double-click on the EmsisoftAntiMalwareSetup.exe icon to install.
  • If the setup program displays an alert about safe mode, please click on the Yes button to continue.
  • Agree to the license agreement and click on the Install button to continue with the installation.
  • You will get to a screen asking what type of license you wish to use with Emsisoft Anti-Malware. If you have an existing license key or want to buy a new license key, please select the appropriate option. Otherwise, select the Freeware or Test for 30 days, free option. If you receive an alert after clicking this button that your trial has expired, just click on the Yes button to enter freeware mode, which still allows the cleaning of infections.
  • Emsisoft Anti-Malware will now begin to update its virus detections.
  • When the updates are completed, select Enable PUPs Detection.
  • Select the Full Scan option to begin scanning your computer for infections.
  • When the scan has finished, the program will display the scan results that show what infections were found.
  • Click on the Quarantine Selected button, which will remove the infections and place them in the program's quarantine.
  • If Emsisoft prompts you to reboot your computer to finish the clean-up process, please allow it to do so.
Note: By default Emsisoft Anti-Malware installs as a free, fully functional 30-day trial version with real-time protection. After the trial period expires you can either choose to buy a full version license or continue to use it in limited freeware mode, which still allows you to scan and clean infections. The freeware mode no longer provides any real-time protection to guard against new infections. However, even if the trial is still enabled, you can easily turn off all real-time protection and just have it running as an on-demand scanner only. After the trial period expires nothing really changes except that the options to activate real-time protection are no longer available without purchasing the full version.
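The reply above reads the cleaner log by eye: "Win32/Poweliks found", the dllhost.exe process line, and "Cleaning status: 0". The following is an added example, not code from this thread or from ESET, that does the same reading mechanically so a log can be triaged before it is pasted into a reply. The line format is inferred from the log posted above; reading status 0 as success follows the reply, and treating any other value as an incomplete clean is my assumption. The function name and the abridged sample log are mine.

```powershell
# Added example: summarise an ESETPoweliksCleaner log. Not ESET's code; the
# line format is inferred from the log posted in this thread.

function Read-PoweliksCleanerLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    $found      = $false
    $suspicious = New-Object System.Collections.Generic.List[string]
    $deleted    = New-Object System.Collections.Generic.List[string]
    $processes  = New-Object System.Collections.Generic.List[object]
    $status     = $null

    foreach ($line in $Lines) {
        # "[2015.01.04 18:46:54.806] - INFO: message"; banner lines carry no level.
        if ($line -notmatch '^\s*\[[\d. :]+\] - (?:(INFO|WARNING|ERROR): )?(.*)$') { continue }
        $msg = $Matches[2]
        switch -Regex ($msg) {
            '^Win32/Poweliks found'                    { $found = $true }
            '^Found suspicous classid \[(.+)\]'        { $suspicious.Add($Matches[1]) }   # the tool's own spelling
            '^Deleted classid \[(.+)\]'                { $deleted.Add($Matches[1]) }
            '^process: (\S+), pid (\d+), parent (\d+)' { $processes.Add([pscustomobject]@{ Name = $Matches[1]; Pid = [int]$Matches[2]; ParentPid = [int]$Matches[3] }) }
            '^Cleaning status: (-?\d+)'                { $status = [int]$Matches[1] }
        }
    }

    # Status 0 is what the thread treats as a successful clean; anything else
    # (or a "found" with nothing deleted) is assumed to need another run.
    if (-not $found) {
        $verdict = 'Poweliks not found'
    } elseif ($status -eq 0 -and $deleted.Count -gt 0) {
        $verdict = 'Poweliks found and removed'
    } else {
        $verdict = 'Poweliks found but cleaning did not complete; run the tool again'
    }

    [pscustomobject]@{
        Found            = $found
        SuspiciousClsids = $suspicious.ToArray()
        DeletedClsids    = $deleted.ToArray()
        Processes        = $processes.ToArray()
        CleaningStatus   = $status
        Verdict          = $verdict
    }
}

# Constructed sample, abridged from the log posted in this thread.
$sample = @'
[2015.01.04 18:46:51.462] - INFO: OS: 6.2.9200 SP0
[2015.01.04 18:46:54.759] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2015.01.04 18:46:54.759] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.04 18:46:54.806] - INFO: Win32/Poweliks found
[2015.01.04 18:47:02.158] - INFO: process: dllhost.exe, pid 4988, parent 1068
[2015.01.04 18:47:02.158] - INFO: Deleted classid [\Registry\User\S-1-5-21-2261974188-3153171149-3812889726-1000\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2015.01.04 18:47:02.158] - INFO: Cleaning status: 0
[2015.01.04 18:47:12.199] - End
'@ -split "`r?`n"

$result = Read-PoweliksCleanerLog -Lines $sample
$result | Format-List
# For a real log written next to the tool:  Read-PoweliksCleanerLog -Lines (Get-Content <path to the log>)
```

On the sample the summary reports Found, one suspicious and one deleted class ID (the same {AB8902B4-...} entry), the dllhost.exe process with pid 4988 and parent 1068, status 0, and the verdict that Poweliks was found and removed, which is the reading the reply above gives. The WARNING line is kept separately from the Deleted line so that a log where something was flagged but never deleted stands out.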

#5 chirpchirp

Posted 06 January 2015 - 04:41 PM

I ran a scan through that software and through Malwarebytes, and it did catch several that were not detected prior to removing the Poweliks virus, and I have not had any other "PowerShell" errors come up. Thank you so much!



#6 quietman7

Posted 06 January 2015 - 04:43 PM

You're welcome. :thumbup2:
Best Practices for Safe Computing - Prevention of Malware Infection.

#7 datamirage

Posted 21 July 2016 - 02:04 AM

In my case I was glad that the system was not infected. The PowerShell problem was caused by Microsoft security update KB3163245. More details can be found here: Windows Powershell has stopped working.
