
Powershell has stopped working on windows 10

9 replies to this topic

#1 Arphahat

Posted 10 April 2017 - 09:58 AM

On startup, I recently have started seeing a single "powershell has stopped" message. When I searched online, I found references to a virus, poweliks, from a year or two ago. However, when I run spybot and my Antivirus, neither find anything. There was also a tool for specifically finding and removing poweliks that also didn't find anything.

What is the likely cause? What steps should I take to figure this out and correct it?


#2 dc3

Posted 10 April 2017 - 10:27 AM

What tool did you use to remove the poweliks?

 

If you didn't use the ESETPoweliksCleaner I would suggest using it to be sure that it is gone.  If you used the ESETPoweliksCleaner please post the log for this scan.

 


Please download Powelikscleaner (by ESET) and save it to your Desktop.

1.  Double-click on ESETPoweliksCleaner.exe to start the tool.

2.  Read the terms of the End-user license agreement and click Agree.

3.  The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it.


4.  If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed. Press any key to exit the tool and reboot your PC.


The tool will produce a log in the same directory the tool was run from.

Please copy and paste the log in your next reply.


Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

#3 Arphahat

Posted 10 April 2017 - 11:24 AM

Thanks for the reply. It was this tool, the ESETPoweliksCleaner.exe, that I had run. I ran it again and attached the log file (Attached File: ESETPoweliksCleaner.exe_20170410.120631.14936.log, 2.74MB, 0 downloads). When it ran, it did NOT find Poweliks, I want to emphasize that. Neither the first time nor this second time. I also ran Malwarebytes with rootkit detection enabled, kill.com, Adwcleaner, JRT, as well as scanning with Panda Antivirus. Some junk was found, but nothing sinister. I am only concerned because my search had indicated that this had been a big issue, but the last discussions about it were a year or two ago.



#4 bwv848

Posted 10 April 2017 - 11:30 AM

Perhaps it's not malware... let's check what's going on using Autoruns:
 
Step 1: Autoruns by Sysinternals

  • Download and save Autoruns from here.
  • Navigate to the directory in which you saved the file.
  • Right-click on Autoruns64.exe, select Run as administrator, and accept any User Account Control prompts.
  • Wait for a minute or so, then go to File, Save..., and save the file to your Desktop. Use the default name and ensure that the file extension while saving is .arn.
  • Zip and attach the .arn file in your next post.

Regards,
bwv848


Edited by bwv848, 10 April 2017 - 11:34 AM.

If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)
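The point of the Autoruns step above is to find whichever autostart entry launches the PowerShell process that crashes at logon. As an added example (not from bwv848's post and not Sysinternals code), the following read-only PowerShell script does a narrower version of that triage on the machine itself: it walks the Run/RunOnce keys, the Winlogon Shell/Userinit values and every scheduled task action, and reports any command line that invokes PowerShell or uses the window-hiding and encoded-command switches that script launchers tend to rely on. Everything in it is standard PowerShell and the registry paths are the documented autostart locations; the `$suspect` pattern is my own choice of what deserves a second look, not a malware signature. A hit is something to inspect, not proof of infection: plenty of legitimate tasks call powershell.exe. Autoruns covers far more locations (services, drivers, shell extensions, WMI subscriptions), so this complements the .arn capture rather than replacing it.

```powershell
# Added example, not part of the thread: read-only triage of common autostart
# locations for entries that launch PowerShell. Run from an elevated prompt so
# the HKLM hives and all scheduled tasks are readable. Nothing is modified.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Fragments worth a second look (my assumption, not a vendor signature): the
# PowerShell binaries themselves plus switches that hide the window, skip the
# profile or pass an encoded script. -match is case-insensitive by default.
$suspect = 'powershell|pwsh|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|mshta|wscript|cscript'

# Findings are collected here; the List is a reference type, so Add-Hit can
# append to it without any scope gymnastics.
$hits = New-Object 'System.Collections.Generic.List[object]'

function Add-Hit([string]$Source, [string]$Name, [string]$Command) {
    $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Run / RunOnce values. Get-ItemProperty adds PSPath/PSParentPath/etc. as
#    properties, so those provider-metadata names are skipped.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        $cmd = "$($prop.Value)"
        if ($cmd -match $suspect) { Add-Hit $key $prop.Name $cmd }
    }
}

# 2. Winlogon. Shell is normally explorer.exe and Userinit normally points at
#    userinit.exe; anything that pulls PowerShell in here runs at every logon.
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($name in 'Shell', 'Userinit') {
    $cmd = "$($winlogon.$name)"
    if ($cmd -match $suspect) { Add-Hit 'Winlogon' $name $cmd }
}

# 3. Scheduled tasks. Executable and arguments are checked together because a
#    task can run powershell.exe with the whole script in its argument string.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        if ($cmd -match $suspect) {
            Add-Hit "Task $($task.TaskPath)$($task.TaskName)" "$($task.State)" $cmd
        }
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No autostart entry in the checked locations invokes PowerShell.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

Paste it into an elevated PowerShell window, or save it as a .ps1 and run it with `powershell -ExecutionPolicy Bypass -File` from that window. For each hit, compare the Command column against what the Autoruns listing shows for the same entry; a Run value whose command is a long `-EncodedCommand` string, or a task whose script lives only in its arguments, is the kind of entry the thread's "PowerShell run entries" check is looking for.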


#5 dc3

Posted 10 April 2017 - 11:36 AM

A couple of years ago Poweliks was being found quite frequently, but I don't see it very often any more.  You ran the ESET program which was very effective in removing this from computers infected with this bug.  I made this suggestion because you had indicated that you believed this was the cause of your problem.

 

bwv848's suggestion is well worth running.



#6 bwv848

Posted 10 April 2017 - 11:48 AM

Good point, dc3. I just have a feeling that it could be Kovter though. :mellow:




#7 Arphahat

Posted 10 April 2017 - 11:53 AM

A couple of years ago Poweliks was being found quite frequently, but I don't see it very often any more.  You ran the ESET program which was very effective in removing this from computers infected with this bug.  I made this suggestion because you had indicated that you believed this was the cause of your problem.
 
bwv848's suggestion is well worth running.


I hope my reply didn't seem ungrateful. I really do appreciate your help, I just wanted to make sure you knew all that I knew about it already. Thanks again.

I will run the other scan when I return home a little later.

#8 Arphahat

Posted 10 April 2017 - 01:19 PM

Perhaps it's not malware... let's check what's going on using Autoruns:
 
Step 1: Autoruns by Sysinternals

  • Download and save Autoruns from here.
  • Navigate to the directory in which you saved the file.
  • Right-click on Autoruns64.exe, select Run as administrator, and accept any User Account Control prompts.
  • Wait for a minute or so, then go to File, Save..., and save the file to your Desktop. Use the default name and ensure that the file extension while saving is .arn.
  • Zip and attach the .arn file in your next post.

Regards,
bwv848

Thanks, file attached below.

 

Attached File: ANDY-PC.zip (324.03KB, 4 downloads)



#9 Arphahat

Posted 11 April 2017 - 03:18 PM

So, I had Windows update and have not seen the powershell failure since. I am wondering if it was really just something wrong with Windows that is now corrected. Was there anything suspicious in the file I provided?



#10 bwv848

Posted 11 April 2017 - 05:15 PM

I do apologize for the tardy response.

I didn't find any PowerShell run entries, or any other suspicious entries in the Autoruns file. Anyway, I'm glad that Windows Update has fixed the problem. If issues persist, we should probably capture a ProcMon boot trace.

Regards,
bwv848

