What is this message in windows powershell and how to fix it ?

Question

What is this message in windows powershell and how to fix it ?

hesham elshipli 25

Windows 11 Powershell keeps opening at windows startup showing these strange language and messages! Could anybody help ? what are these messages and how to fix this problem ?

*Also Contacts folder opens at startup.

The Message "Overlgen Vitiates Gennemlysningerne foliose Trsteslsest Unattenuatedly Uigennemtrngelige Mesophyllum Freonen Succourless Broadlooms Basker227 Formol Rakkerier Nameboard221 Finoptllingen103 Kurssvingninger Antigens adiafora Overhoped Erstatningsforslag Mistimed Klubmde Unforfeited Overlgen Vitiates Gennemlysningerne foliose Trsteslsest Unattenuatedly Uigennemtrngelige Mesophyllum Freonen Succourless Broadlooms Basker227 Formol Rakkerier Nameboard221 Finoptllingen103 Kurssvingninger Antigens adiafora Overhoped Erstatningsforslag Mistimed Klubmde Unforfeited"

The rest of messages in the attached image.

I removed google chrome and reinstalled it.

I made virus scan with different softwares.

I made CHKDSK repair.

The problem still here!

Accepted answer

1 additional answer

Your answer

Answer 1

MotoX80 36,291

Download and run the Autoruns utility.

https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

Select the Logon and Scheduled Task tabs and look at the Image Path for something that references Powershell or your Contacts. When you select an entry, look at the lower pane and see what command line switches are passed. For Powershell it should include the name of the script. The folder name where the script is should give you an idea of what it relates to. If it doesn't, open the .ps1 script file with notepad and look at the code and comments to see what it does.

User's image

hesham elshipli 25 Reputation points

2024-10-12T16:09:44.0366667+00:00

Answer 2

hesham elshipli 25

Hi there,

This is what I found using Autoruns.

I donot understand what to do!

Autoruns

MotoX80 36,291 Reputation points

2024-10-11T20:28:31.6466667+00:00

For that entry, nothing. Notice that it says "File not found". That's because the program name is "powershell.exe.exe". That is incorrect. Whatever program made that entry made it in error. It should just be powershell.exe.

Do you see the blue check box next to the word "Slanderproof"? If you click on that, Autoruns will "hide" that entry, effectively disabling it. Do that.

Also check the command line and see what .ps1 file it is trying to execute. I had to use the mouse and select that text because the line is too long and I had to click and drag it to display everything in the image below. You should be able to right click that text and select "Copy" and then paste into notepad.

Try to find that file and open it in notepad. Do you recognize anything as being related to some software that you installed?

Keep looking for more Powershell entries.
hesham elshipli 25 Reputation points

2024-10-12T17:32:28.2566667+00:00

Thank you for your help. I have one question. The strange language in the message I got not a virus ? It is just an error ? This is the most important thing for me.
MotoX80 36,291 Reputation points

2024-10-12T19:31:13.5466667+00:00

I have no idea what it is. It could be malware. It could be something from some software that you had installed.

You have to identify the script or command line input that is being executed. Autoruns is the simplest tool that should be able to find that.

What does this mean in English? Does it mean anything to you?
hesham elshipli 25 Reputation points

2024-10-12T21:07:33.2166667+00:00

No, Google translate also cannot understand this language!
MotoX80 36,291 Reputation points

2024-10-13T12:12:13.9+00:00

Were you able to find any more powershell entries in autoruns?
Rich Matheisen 47,901 Reputation points

2024-10-13T15:53:43.7166667+00:00
That text is a combination of words from several languages. E.g.,

Overlgen [Danish] supervise

Vitiates [English] destroys/impairs the quality/effectiveness of

Gennemlysningerne [Danish] the transparancy

foliose [English] having a lobed leaf-like structure (regarding lichen)

Uigennemtrngelige [Danish] Impenetrable

Udgivelsesselskaber [Danish] Publishing companies

That sort of word salad is often used to avoid detection by spam/virus filters. Throw enough neutral/good words into a file and the overall "badness" score drops enough to pass, or at least to neutralize some other content that might arouse suspicion.

I'd be starting by looking for files that have the string "$platineering" or "realisticize" in them. They might not be PowerShell files (*.ps1, *.psm1, *.psd1, *.ps1xml, *.pssc, *,cdxml, *.psrc), start with those. They may also be executable files, or other script files that can interact with .Net to build PowerShell code or modules and then use that generated code from within the script. But even all of that may be futile if the code is encrypted, even with something as simple as ROT13 of Base64.

I've seen stuff that's also disguised as drivers. Check the devices (hidden ones, too) in Device Manager, and look for directories amongst the other drivers that might not match the expected names. E.g., if you have devices whose drivers are in directory "X", look for directories named "X<something else>".

You say you've use other AV. Was MalwareBytes one to those? It's pretty good (not infallible) at finding "stuff".
hesham elshipli 25 Reputation points

2024-10-13T16:33:52.45+00:00

No, This is the only one!
MotoX80 36,291 Reputation points

2024-10-13T23:03:32.58+00:00

Then download and run Process Monitor.

https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

In the options menu, select Enable Boot Logging.

You do not need to enable profiling.

Then reboot. When it comes back up, log on, and launch Process Monitor. It will prompt you about the boot log and let you save the .pml file.

In the filter menu, add an entry for "Process name contains powershell". Be sure to click add.

Then select an entry and click on the Process tab. What does it show for the Command Line?

Look at the PID column to see if you have multiple instances of Powershell.
hesham elshipli 25 Reputation points

2024-10-13T23:35:51.2733333+00:00

When I apply the filter all processes disappear! There is no one powershell process appears!
MotoX80 36,291 Reputation points

2024-10-14T00:09:46.0833333+00:00

In the filter menu, uncheck the entry for powershell, and add an entry for "path contains .ps1". Let's see if we can find the script file.

If that doesn't work then in the settings for the Terminals app, set the default to Console Host and try it again.
Rich Matheisen 47,901 Reputation points

2024-10-14T01:56:01.3433333+00:00

I don't recall if it's been asked: is PowerShell 7 installed on the machine? If so, then you also have to look for pwsh.exe, not just powershell.exe.
hesham elshipli 25 Reputation points

2024-10-14T02:01:35.7366667+00:00

This is the result
hesham elshipli 25 Reputation points

2024-10-14T02:02:50.0666667+00:00

@Rich Matheisen Yes, MalwareBytes was one of these AV.
hesham elshipli 25 Reputation points

2024-10-14T02:10:31.8433333+00:00

@Rich Matheisen @MotoX80 Yes, It is installed. I searched pwsh.exe and there are a lot of results!
MotoX80 36,291 Reputation points

2024-10-14T11:56:59.7333333+00:00

That's for PID 22596. Its just opening a PS7 prompt.

Look for other PID's and see what their command line is. You're looking for a .ps1 file name or a -Command string.
hesham elshipli 25 Reputation points

2024-10-14T19:14:27.65+00:00

When I use ps1 or powershell filter there are no results appear!
MotoX80 36,291 Reputation points

2024-10-14T22:46:27.1233333+00:00

About all I can offer is to look at the files for you. Autoruns can save a .arn file and Procmon can save a .pml file. If you can put them on the internet where I can download them I will take a look and see if I can find anything.

Other than that, my best suggestion is to "find a friend". That is, find someone who has more technical expertise with Windows than what you have. Show him this thread and let him run the tools and see if he can find anything. Troubleshooting a problem like this is just massively easier when someone has physical access to the pc.
hesham elshipli 25 Reputation points

2024-10-15T03:11:18.4033333+00:00

@MotoX80 Thank you very much. Really appreciate!

Share via

What is this message in windows powershell and how to fix it ?

1 additional answer

Your answer