PowerShell suspiciously high RAM usage

Anonymous
2023-02-07T18:17:15+00:00

Lately, PowerShell pops up for less than a second, and I see it hogging 2 GB of RAM in the Task Manager. It's obviously malware, but I can't seem to remove it.

In a similar post here, the moderator advised the user to download a recovery tool from the following link:

https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Then, the user had to scan the PC with it, upload 2 logs and proceed with the removal. Anyone here who can help me fix this thing? Obviously virus scanning with Windows Defender and BitDefender didn't work...

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

7 answers

  1. DaveM121 891.6K Reputation points Independent Advisor
    2023-02-07T18:51:27+00:00

    Hi J.Panda,

    I am Dave, I will help you with this.

    Click the link below to download a small free utility that does not require installation.

    https://download.sysinternals.com/files/Autorun...

    When the file downloads, unzip it.

    Run Autoruns64 as Administrator.

    1. In the filter box in Autoruns, type powershell and press Enter. If that finds any entries, please provide a screenshot of that.

    2. In the filter box in Autoruns, type ps1 and press Enter. If that finds any entries, please provide a screenshot of that.

    3. In the filter box in Autoruns, type rundll and press Enter. If that finds any entries, please provide a screenshot of that.

    5 people found this answer helpful.
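
The three filter searches in the answer above, expressed as a read-only PowerShell check (an added example, not part of the original answer and not a substitute for Autoruns, which inspects many more locations). The registry Run keys, scheduled tasks and Startup folders searched here are this example's own choice of locations:

```powershell
# Added example (not from the thread): read-only search of common autostart
# locations for the three Autoruns filter terms. The locations are this
# example's assumption about where such an entry lives; nothing is changed.
$pattern = 'powershell|ps1|rundll'   # -match is case-insensitive
$hits = @()

# 1) Registry Run/RunOnce values (machine, 32-bit view, current user)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$hits += @(foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ($data -match $pattern) {
                [pscustomobject]@{ Source = $key; Name = $name; Command = $data }
            }
        }
    }
})

# 2) Scheduled tasks whose action command line contains a filter term
$hits += @(foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Source = 'ScheduledTask'
                               Name = $task.TaskPath + $task.TaskName
                               Command = $cmd }
        }
    }
})

# 3) Startup-folder items; .lnk shortcuts are resolved to their target
$shell = New-Object -ComObject WScript.Shell
$startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
           "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
$hits += @(foreach ($file in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    $cmd = $file.FullName
    if ($file.Extension -eq '.lnk') {
        $lnk = $shell.CreateShortcut($file.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
    }
    if ($cmd -match $pattern) {
        [pscustomobject]@{ Source = 'StartupFolder'; Name = $file.Name; Command = $cmd }
    }
})
$hits | Format-List Source, Name, Command
```

Run it from an elevated PowerShell prompt so that all scheduled tasks are visible. Windows ships legitimate tasks that call rundll32, so each hit is a candidate to review, not a verdict.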
  2. DaveM121 891.6K Reputation points Independent Advisor
    2023-02-08T08:51:34+00:00

    Hi J.Panda,

    Sorry, I was offline. Rest assured, you can safely delete that PowerShell entry; that will ensure it does not come back. Or, if you prefer, you can leave that entry unticked; that will just leave the redundant entry in the registry.

    3 people found this answer helpful.
  3. DaveM121 891.6K Reputation points Independent Advisor
    2023-02-07T19:21:59+00:00

    Hi J.Panda,

    Those popups are usually remnants left in the registry of malware that has already been removed from your PC by Defender or your preferred 3rd party anti-virus. It is unlikely to come back if you have now removed that entry in Autoruns. Also, you can now delete the Autoruns folder.

    2 people found this answer helpful.
  4. Anonymous
    2023-02-07T18:56:32+00:00

    Here's the screenshot for Step 1:

    Besides this, it couldn't find either of Step 2's or 3's things.

    2 people found this answer helpful.
  5. DaveM121 891.6K Reputation points Independent Advisor
    2023-02-07T19:03:00+00:00

    Hi J.Panda,

    Thank you for the screenshot. Untick that entry, then restart your PC and wait to see if the PowerShell popup has stopped. If it has, open Autoruns again, right-click that entry in Autoruns and delete it.

    1 person found this answer helpful.