Team OS : Your Only Destination To Custom OS !!


Locked powershell opening from nowhere

Status
Not open for further replies.

neozbr

The problem occurred at 5:13 am and has already happened on other days. I tried to see if there is something scheduled but did not find anything.

Problem: two PowerShell windows open quickly and then close, out of nowhere, without me having done anything. This already happened the other day.

run powershell
then conhost.exe
then svchost.exe
then smartscreen.exe
then consent.exe

I tried to find it in the task scheduler and saw nothing.

the first thing to happen is this:

Time of action Description File name Full path More info File Extension Data Source
30/05/2023 05:13:02 Task Run powershell.exe powershell.exe TouchpadSyncDataAvailableVBElS, \Microsoft\Windows\InputTouchpadSyncDataAvailableVBElS exe

then this:

Time of action Description File name Full path More information File Extension Data Source
05/30/2023 05:13:02 Task Run powershell.exe powershell.exe SystemSoundsServicemxFgC, \Microsoft\Windows\MultimediaSystemSoundsServicemxFgC exe


then two powershell windows open quickly:

Time of action Description File name Full path More information File Extension Data Source
30/05/2023 05:13:02 .EXE file executed POWERSHELL.EXE C:\Windows\System32\WINDOWSPOWERSHELL\v1.0\POWERSHELL.EXE Microsoft Corporation, Microsoft® Windows® Operating System, Windows PowerShell, 10.0.18362.2394 (WinBuild.160101.0800) EXE C:\WINDOWS\Prefetch\POWERSHELL.EXE-920BBA2A.pf


and open this twice:
Action Time Description File Name Full Path More Information File Extension Data Source
05/30/2023 05:13:02 .EXE file executed CONHOST.EXE C:\WINDOWS\SYSTEM32\CONHOST.EXE Microsoft Corporation, Microsoft® Windows® Operating System, Console Window Host, 10.0.18362.2394 (WinBuild.160101.0800) EXE C:\WINDOWS\Prefetch\CONHOST.EXE-1F3E9D7E.pf


then this:

Time of action Description File name Full path More information File Extension Data Source
05/30/2023 05:13:02 .EXE file executed svchost.exe C:\Windows\System32\svchost.exe Microsoft Corporation, Microsoft® Windows® Operating System, Host Process for Windows Services, 10.0.18362.2394 (WinBuild.160101.0800) exe C:\WINDOWS\Prefetch\SVCHOST.EXE-98090C0A.pf

then this:

Time of action Description File name Full path More information File Extension Data Source
05/30/2023 05:13:24 .EXE file executed SMARTSCREEN.EXE C:\WINDOWS\SYSTEM32\SMARTSCREEN.EXE Microsoft Corporation, Microsoft® Windows® Operating System, Windows Defender SmartScreen, 10.0.19041.1 (WinBuild.160101.0800) EXE C:\WINDOWS\Prefetch\SMARTSCREEN.EXE-9B5E4173.pf


and finally this:

Action Time Description File Name Full Path More Information File Extension Data Source
05/30/2023 05:13:29 .EXE file executed CONSENT.EXE C:\WINDOWS\SYSTEM32\CONSENT.EXE Microsoft Corporation, Microsoft® Windows® Operating System, Administrative Application Consent UI, 10.0.18362.2394 (WinBuild.160101.0800) EXE C:\WINDOWS\Prefetch\CONSENT.EXE-531BD9EA.pf


I don't know if it's a virus or something like that, can anyone tell me what it is?

I was in the middle of a game and out of nowhere it went to Windows, and PowerShell blinked twice and closed. I checked in LastActivityView and found what happened, as I described.

How to deactivate it or stop it, does anyone know?!
 

Jerry_Xristos

Have you scanned your system for viruses?
Use Windows Defender or a free AV.
Also scan with Malwarebytes.
That's for a start.
 

vdogeek

I assume that this is Windows 10? And is it a Lite Windows? Something you downloaded here? I can't seem to find any of those things mentioned in your post. It might help people out to help you.
 

kVertix

Those pf files:
Since Windows XP, Windows creates a prefetch file every time you run an app for the first time. This file contains data the OS needs to speed up the app's load time whenever you run it. And this is a big help during the startup process since it helps Windows load faster.
Perhaps some bits of your applications and Windows got updated and new prefetch data was generated for them? Or did something, like a cleaning utility, delete that data so new data had to be generated?

Viruses are pretty sophisticated nowadays. It's very lucky to actually find one's autorun entry. But you could try anyway: get yourself the Autoruns tool, it's freeware by Microsoft. With it you can get an overview of less sophisticated autorunning entries. Try to see if there's something that's not part of your system or of your apps. Autoruns also allows you to perform "Check VirusTotal" on entries. You can put "powershell" into its Quick Filter box to search for only those entries.

I also recommend running Malwarebytes. It can find most things. But ofc not the latest sophisticated ones.
A well configured firewall is also a must. Make it ask on outbound connections for all apps, even "certified" ones, since many viruses use forged or stolen certificates nowadays. Viruses also use Microsoft Windows' own tools as a proxy to call home for instructions. With a properly set up firewall you can get an overview of what tries to call home and then you can analyze further. The only good firewall I know for this task is Comodo Firewall. But it requires the user to have a somewhat advanced understanding of Windows.

Those powershells may come from something you installed recently, but they aren't doing their work properly due to various reasons. Or maybe they are. But programmers couldn't care less of end-user satisfaction, e.g. malicious intent.
There's a neat article titled "9 Ways to Fix the Windows PowerShell When It Pops Up on Restart" at makeuseof.
Code:
makeuseof.com/windows-powershell-pops-up-on-restart-fix/

If the problem is too much to handle, then quick format the hard disk and install a fresh copy of Windows, with all the security tools.
 

Megaraider

Those .pf files are clean (if the SHA256 matches), see here:
Code:
https://www.hybrid-analysis.com/file-collection/5f5b11b091044d42d85843e5
You can even submit your files for analysis to that site.

IMHO the problem lies before those are called.
Therefore check who is launching or calling:
\Microsoft\Windows\InputTouchpadSyncDataAvailableVBElS.exe
\Microsoft\Windows\MultimediaSystemSoundsServicemxFgC.exe
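
One way to run the check suggested in the post above, as an added example that is not part of any thread post: a read-only PowerShell listing of every scheduled task whose action starts a script host, with the two task names from the first post's "Task Run" rows flagged. The function name `Get-ShellLaunchingTask`, the list of script hosts and the output location under `$env:TEMP` are assumptions made for this example.

```powershell
# Run elevated so that tasks readable only by administrators are included.
# Uses the built-in ScheduledTasks module; nothing is disabled or deleted.

# Task names as they appear in the "Task Run" rows of the first post.
$namesFromPost = 'TouchpadSyncDataAvailableVBElS', 'SystemSoundsServicemxFgC'

function Get-ShellLaunchingTask {
    param(
        # Executables treated as script hosts (an assumption; extend as needed).
        [string[]]$HostPattern = @('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta')
    )
    $regex = ($HostPattern | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry an Execute value; COM-handler actions do not.
            if ($action.Execute -and $action.Execute -match $regex) {
                $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    TaskPath    = $task.TaskPath
                    TaskName    = $task.TaskName
                    State       = $task.State
                    Author      = $task.Author
                    RunAs       = $task.Principal.UserId
                    Hidden      = $task.Settings.Hidden
                    Execute     = $action.Execute
                    Arguments   = $action.Arguments   # the command line is the part to read closely
                    LastRunTime = $info.LastRunTime
                    NamedInPost = $namesFromPost -contains $task.TaskName
                }
            }
        }
    }
}

$hits = Get-ShellLaunchingTask
$hits | Sort-Object NamedInPost -Descending | Format-List

# Save the full definition (triggers, actions, principal) of the flagged tasks
# for offline review before deciding what to do with them.
$hits | Where-Object NamedInPost | ForEach-Object {
    $xml = Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath
    $xml | Out-File -FilePath (Join-Path $env:TEMP "$($_.TaskName).xml") -Encoding unicode
}
```

A `LastRunTime` close to the 05:13:02 entries in the first post ties a listed task to the windows that flashed, and the exported XML shows the trigger that schedules it.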
 

pleiadians

Perhaps change your User Action Control settings to the opposite of what they are now and see what happens, as those files are related. You may get a prompt for User Action Control that could point you to what is going on.
 