SOLVED Unwanted "PowerShell"

[skytab]

When my homepage comes up, Google search, (and happening either before or after,) I am experiencing a blue screen that lasts for about 1-2 minutes with cmd on it. I can delete it although sometimes it takes a few tries.

Across the top it shows: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

I would like to get rid of this; actually, I do not know of any reason that I need PowerShell.

I have Windows 10, 64 bit, and use Google Chrome.

Help.

 

[Regedit32]

Hi skytab,

What you are describing is not normal behavior of PowerShell and Windows OS.

Two scenarios allow a PowerShell console to open during a web browser launch:

• Either an installation file for the browser that may be installing the browser itself, or add-ons, or an App update service etcetera is currently active and this would only be the case if you as a User chose to allow this in the first place, or a bundled Windows Service came with the original installation software for your browser or other third party program.
• Or, you have malware on your system attempting to clone the PowerShell Shell executable, to mask the fact its active, in which case you'd need to clear your browser history and do a full scan of your computer with an antivirus and/or anti Malware program.

I have the latest Chrome installed on a test machine and can assure you it does not come with anything by default designed to make use of PowerShell.exe [ but I cannot speak for every add-on that people might choose to install for their browser which may make use of PowerShell.exe ]

If there is a genuine task running, then you can check that and remove it from your Windows Task Scheduler, by typing task scheduler in your Windows Search box then pressing Enter key to open it where you can review all tasks currently set up to run on your computer. Any task you do not want there can be safely deleted to prevent it running in the future.

 

[skytab]

Hi skytab,

What you are describing is not normal behavior of PowerShell and Windows OS.

Two scenarios allow a PowerShell console to open during a web browser launch:

• Either an installation file for the browser that may be installing the browser itself, or add-ons, or an App update service etcetera is currently active and this would only be the case if you as a User chose to allow this in the first place, or a bundled Windows Service came with the original installation software for your browser or other third party program.
• Or, you have malware on your system attempting to clone the PowerShell Shell executable, to mask the fact its active, in which case you'd need to clear your browser history and do a full scan of your computer with an antivirus and/or anti Malware program.

I have the latest Chrome installed on a test machine and can assure you it does not come with anything by default designed to make use of PowerShell.exe [ but I cannot speak for every add-on that people might choose to install for their browser which may make use of PowerShell.exe ]

If there is a genuine task running, then you can check that and remove it from your Windows Task Scheduler, by typing task scheduler in your Windows Search box then pressing Enter key to open it where you can review all tasks currently set up to run on your computer. Any task you do not want there can be safely deleted to prevent it running in the future.

Hi Regedit32,

I used task scheduler to review the current running tasks.

It looked like about 75 were running . . . none of which appeared to be Windows PowerShell. I suspicion that it could be lurking in one of them, however.

I also ran Malwarebytes and unchecked the few Chrome Extensions that were running . . . no luck, it randomly pops up around the time of boot, most recently just before I see the desktop. Also, Windows Defender runs daily.

At this point, I simply want to uninstall Windows PowerShell v1.0 . . . what steps do I take to find this rogue file and uninstall it?

 

[davehc]

I have an idea, that turning off Powershell will not solve your problem. It is more likely, as REgedit suggests,,emanating from elsewhere.
But, if you want to, you can disable it:
Open programs and features (Type Appwiz.cpl)
Select, top left, Turn Windows Features on or off.

Scroll down and UNtick the Powershell option. (I think you may find it is already unticked.
Then "OK" out of the window.

 

[Regedit32]

Windows 10 makes use of multiple PowerShell modules for its own tasks, including Windows Update Service, Disk Cleanup, Windows Recovery Environment, Windows Restore Points, etcetera.

There is no easy way to remove PowerShell and doing so would likely have affects on your system far more annoying that a pop up console.

I'd still be looking at third party offenders, if nothing is sticking out in Task Scheduler window.

If you press windows key + S then type command in the search field and in the search results right-click on Command Prompt and select Run as administrator you could query your Run and RunOnce registry keys to see if anything has inserted itself into your Startup executables:

You'll have to click yes when prompted by the User Account Control before the Administrator: Command Prompt appears, then at the prompt type or copy & paste the following queries:

REG QUERY "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

Press enter key

REG QUERY "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

Press enter key

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Press enter key

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

Press enter key

Also if using a 64-bit computer:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

Press enter key

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

Press enter key

Let us know what applications you see appear under any of these Registry locations. One of those could well be the culprit.

 

[skytab]

I have an idea, that turning off Powershell will not solve your problem. It is more likely, as REgedit suggests,,emanating from elsewhere.
But, if you want to, you can disable it:
Open programs and features (Type Appwiz.cpl)
Select, top left, Turn Windows Features on or off.

Scroll down and UNtick the Powershell option. (I think you may find it is already unticked.
Then "OK" out of the window.

Hi davehc,

Thanks for responding.

Following your suggestion, I found "Windows PowerShell 2.0" (but no 1.0) and, hoping for a solution, unticked it.

No luck . . . upon restart, the rogue PS 1.0 again simultaneously overlaid the desktop, as it has been doing consistently yesterday and today. So, I reticked PS 2.0.

As an aside, when I tried to pull up several of my visible entries on the Bookmarks bar, they would not respond. However, a restart solved that (concerning) problem.

Now, on to Regedit32's multi-step suggestion to solving this vexing problem.

 

[skytab]

Hi Regedit32,

Here are the results:

Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>REG QUERY "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
7 Taskbar Tweaker REG_SZ "C:\Users\tGRAMPA\AppData\Roaming\7+ Taskbar Tweaker 14Jun17\7+ Taskbar Tweaker.exe" -hidewnd
WinPatrol REG_SZ C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe
CCleaner Monitoring REG_SZ "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR


C:\WINDOWS\system32>REG QUERY "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"


C:\WINDOWS\system32>REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SecurityHealth REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCuiL.exe


C:\WINDOWS\system32>REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


C:\WINDOWS\system32>REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


C:\WINDOWS\system32>REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
KeyScrambler REG_SZ C:\Program Files (x86)\KeyScrambler 24Ap17\keyscrambler.exe /a
StartCCC REG_SZ "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled

C:\WINDOWS\system32>REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


C:\WINDOWS\system32>

Ctrl+Alt+Delete > Task Manager\Startup where the following appeared and I disabled each one and restarted . . . same annoying result!

Disabled: Catalyst Control Center, Key Scrambler, CCleaner, Win Patrol Monitor, 7+Taskbar Tweaker, and Windows Defender notification icon.

Also, a few days ago I ran startup in Safe Mode and the rogue popup still appeared.

Any more suggestions for a solution?

 

[Regedit32]

Hi skytab,

Taking a look at your results the following items would be perfectly normal:

• StartCCC REG_SZ "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
  
  • This is an executable associated with ATI Technologies Catalyst Control Center
  • It does not need to run on Startup, but that is entirely up to you, as it is a known and safe executable
• SecurityHealth REG_EXPAND_SZ %ProgramFiles%\Windows Defender\MSASCuiL.exe
  
  • This is part of Windows Defender and again is perfectly fine to leave alone.
  • If you do not use Windows Defender at all, but rather another Malware / Antivirus program, then you could remove this entry from your Registry if you wanted to.
• CCleaner Monitoring REG_SZ "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
  
  • This is part of CCleaner, a third party tool a lot of Users trust and use to clean their computer and tidy their Windows Registry. I'm not a personal fan of this software, but again it would be fine to leave it alone, or if you do not want it monitoring as your computer starts you could safely remove it from the Registry key. I suspect though, if you did that, you'd find it'd rewrite itself to the Registry on its own.

These three I am not overly familiar with.

Autoruns if I recall is a Systernal product and as such will be safe to use.

The tweak tool and the KeyScrambler tool are clearly 3rd party tools and quite likely are in part if not completely responsible for your current issue. Github - a repository for PowerShell actually has modules built that were based on KeyScrambler ----- and unlike that software do the same thing for no annual fee

• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled
  
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  7 Taskbar Tweaker REG_SZ "C:\Users\tGRAMPA\AppData\Roaming\7+ Taskbar Tweaker 14Jun17\7+ Taskbar Tweaker.exe" -hidewnd
  WinPatrol REG_SZ C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe
  
• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  KeyScrambler REG_SZ C:\Program Files (x86)\KeyScrambler 24Ap17\keyscrambler.exe /a

 

[skytab]

Hi Regedit32,

Thank you for your comprehensive commentary on my prior post.

The apps that showed up from the queries that you provided have all been in place for a long time. However, they are updated from time-to-time and this could have started about the time of an update. I will see if I can discern any updates timeline.

I also had another thought . . . in my computer notebook, I made an August 10th entry noting information on this rogue file. (I do this when something is not readily cleared or is something that may be of value at a future time.)

However, in checking back further (August 4) I made an entry from a Google email (that had been buried in Junk) asking if I had logged in from a different IP address about a week prior - I had not and immediately changed my password as they recommended (I had never received that type of notice before.).

Here, about a month later, with the rogue file consistently, almost simultaneously, booting with my desktop, I am wondering if there is anything further that I can do related to that probable hack, (which could, I suppose, be the cause of this problem)?

Any suggestions?

 

[Regedit32]

Well as you have AutoRuns from Sysinternal installed you can use that to further examine all processes starting on Startup. That will help you find any other items be they legitimate or rogue that have entries in other locations of your Registry that allow it to start on Startup, and will also scan all Tasks in your Task Scheduler.

How to use it to do all this is explained here:

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

 

[skytab]

Hi Regedit32,

I was in a real estate course over the long holiday weekend and am now just catching up on several things.

I have not seen the annoying PowerShell popup in the last few days . . . I don't know why that has been the case.

However, I did notice that just prior to its disappearance, it was staying on the screen for a shorter and shorter time period as the desktop came up.

I hope that it has left for good; I will feel more comfortable if that remains the case at least until the end of September.

 

[Regedit32]

There has been a lot of activity from Microsoft preparing those with Windows 10 for the next significant update.

It's possible what you were seeing was background activity related to that, which has subsided now as no more new features are being created, just bug fixing.

Time will tell of course with the Fall Update due out very soon [ next few weeks ].

 

[skytab]

Yes, October 12th, I read . . . and I hope that was all it was.

 

[skytab]

As there have been no more instances of the unwanted PowerShell appearing at startup for almost 2 weeks now, I am going to conclude that it could well have been what Regedit32 suggested, namely Microsoft preparing for the forthcoming Fall Creators Update.

Accordingly, I have marked this question "solved".