Multiple instances of powershell.exe in Task manager - all but one can be closed


6 replies to this topic

#1 mantosof

  • Members
  • 5 posts

Posted 07 February 2015 - 03:58 PM

Hi,

 

I noticed my Vista-64 PC slowing down. So I checked Task Manager and saw multiple instances of powershell.exe *32 running, sometimes just a few and sometimes up to 40 instances! (see attached screenshot).

 

When I right-click and END PROCESS, I can do it, except usually the last one gives me the message "access denied". But sometimes it lets me END all of them. However, it just reappears moments later.

Lastly - when i shut down the PC i get a message "Powershell application error: The application failed to initialize properly (0xc0000142). Click ok to terminate the application"

Then it shuts down successfully.

Malwarebytes and AVG scans found nothing.

 

I ran the ESET scanner and attached that text file.

Attached are the dds, and farbar files.

 

Thanks.

 

Mike.

Attached Files
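Added triage script for the symptom described in this post (it is not code from the thread, and neither the poster nor nasdaq ran it): it lists every powershell.exe instance with its parent process, start time and command line, then checks the Run keys for values that launch PowerShell. It assumes PowerShell 2.0 or later with WMI available (Vista ships 2.0) and an elevated prompt so the parent of every process can be read.

```powershell
# Added triage script (not from the thread). Lists each powershell.exe instance
# with its parent, start time and command line, then flags autostart (Run key)
# entries that reference PowerShell. Uses Win32_Process via Get-WmiObject so it
# runs on PowerShell 2.0 (Windows Vista).

# Index every running process by PID so parents can be looked up in one pass.
$byPid = @{}
Get-WmiObject Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

$instances = $byPid.Values | Where-Object { $_.Name -ieq 'powershell.exe' }

$report = foreach ($p in $instances) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = '<exited>'; $parentPath = ''
    if ($parent) { $parentName = $parent.Name; $parentPath = $parent.ExecutablePath }
    # Heuristic only: switches typical of hidden or encoded unattended launches.
    $flag = [bool]($p.CommandLine -match '(?i)-enc|-w(indowstyle)?\s+hidden|-nop')
    New-Object PSObject -Property @{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath          # a SysWOW64 path is the *32 host
        Started     = $p.ConvertToDateTime($p.CreationDate)
        ParentPID   = $p.ParentProcessId
        ParentName  = $parentName
        ParentPath  = $parentPath
        Suspicious  = $flag
        CommandLine = $p.CommandLine
    }
}

# A respawning process usually shares one parent, so group by it first.
$report | Group-Object ParentName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$report | Sort-Object Started |
    Format-List PID, Path, Started, ParentPID, ParentName, ParentPath, Suspicious, CommandLine

# Run keys (the same autostart locations the FRST fixlist later in this thread
# edits), checked for any value that references PowerShell.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(?i)powershell' } |
        ForEach-Object { '{0}\{1} = {2}' -f $key, $_.Name, $_.Value }
}
```

A parent that has already exited, or one that is a scheduled-task or service host, points at the launcher to investigate next rather than at the PowerShell instances themselves.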




#2 mantosof

  • Topic Starter
  • Members
  • 5 posts

Posted 07 February 2015 - 08:45 PM

I'm going to run combofix....let me know if anyone wants to see the text file.

#3 mantosof

  • Topic Starter
  • Members
  • 5 posts

Posted 09 February 2015 - 04:05 PM

It would seem Combofix took care of the problem...my PC is running faster and powershell isn't appearing in the processes list anymore.

 

If anyone wants to help me make sure I got it, and can look at the logs, I'd appreciate it.



#4 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 February 2015 - 09:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe
() C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe [2640408 2014-09-01] ()
HKU\S-1-5-21-1840366709-3044067625-2682742513-500\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1840366709-3044067625-2682742513-500\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1840366709-3044067625-2682742513-500 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={D0A4B8D2-E358-480F-9451-FDA8EE0F2B0F}&mid=efe0c62898f147d385b5d16dcababb55-ec5306e47777acfd303d2da134b168edc1215869&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-12-10 20:09:32&v=17.1.2.1&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
BHO-x32: AVG SafeGuard toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.9.799\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\18.1.9.799\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll (AVG Secure Search)
FF DefaultSearchEngine: AVG Secure Search
FF SelectedSearchEngine: AVG Secure Search
FF Homepage: hxxp://mysearch.avg.com?cid={D0A4B8D2-E358-480F-9451-FDA8EE0F2B0F}&mid=efe0c62898f147d385b5d16dcababb55-ec5306e47777acfd303d2da134b168edc1215869&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-12-10 20:09:32&v=17.1.2.1&pid=%CMPID%&sg=0&sap=hp
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.1.9\\npsitesafety.dll No File
FF Plugin-x32: @bittorrent.com/BitTorrentDNA -> C:\Program Files (x86)\DNA\plugins\npbtdna.dll No File
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
FF user.js: detected! => C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vwh8u60q.default\user.js
FF SearchPlugin: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vwh8u60q.default\searchplugins\safeguard-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\safeguard-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
FF Extension: QuickShare Widget - C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\vwh8u60q.default\Extensions\{d69786b2-f575-0588-13b0-eb65b05ea8e9} [2013-10-27]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-09-14]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2012-11-16]
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.1.9.799
FF Extension: AVG SafeGuard toolbar - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.1.9.799 [2014-09-01]
CHR Extension: (Google Wallet) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-10]
R2 vToolbarUpdater18.1.9; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [1820184 2014-08-11] (AVG Secure Search)
S2 WinDefend; %ProgramFiles(x86)%\Windows Defender\mpsvc.dll [X]
S2 aswFsBlk; No ImagePath
S1 aswRdr; No ImagePath
S1 aswSP; No ImagePath
S1 aswTdi; No ImagePath
AlternateDataStreams: C:\Users\Administrator\Desktop\00032.mp4:TOC.WMV
AlternateDataStreams: C:\Users\Administrator\Desktop\Peanut.JPG:com.dropbox.attributes
AlternateDataStreams: C:\Users\Administrator\Desktop\WILDLIFE IN 4K (ULTRA HD) 60fps.mp4:TOC.WMV
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater
C:\Program Files (x86)\AVG SafeGuard toolbar

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?

Edited by nasdaq, 11 February 2015 - 09:58 AM.


#5 mantosof

  • Topic Starter
  • Members
  • 5 posts

Posted 11 February 2015 - 10:24 AM

Hi, and thanks for replying.

After I ran the combofix, everything ran much better and the problem is totally resolved.

 

Do you still want me to follow the instructions you've listed above?

If so, I'm going on vacation for 10 days and will do them when I return.

 

Thanks.



#6 nasdaq

  • Malware Response Team
  • 38,942 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 February 2015 - 02:35 PM

Your call; it's just a cleanup of unwanted toolbars from AVG.
No rush; do it when you return.

#7 mantosof

  • Topic Starter
  • Members
  • 5 posts

Posted 11 February 2015 - 03:22 PM

When I return I will attempt it.

Thanks for your help.





