PowerShell sudden high RAM usage

Anonymous
2022-12-27T11:23:26+00:00

Hi there! I have a laptop with Windows 10. At first it was 7, but in August I changed to 10, and the first thing I noticed was that PowerShell was using just 10-20 MB of RAM, which I didn't care about. BUT after I turned off Windows Security due to its 300 MB RAM usage (I have 4 GB of RAM, so every MB is important for my work), I installed some VPNs to open Telegram links for homework (internet issues). Some of them worked and some didn't, but after that I noticed PowerShell RAM usage became almost 1 GB every time I boot! I freaked out about it because I heard hackers are using PowerShell. It's been almost a week of this situation, and I always end the PowerShell tasks on startup, but I was thinking of a solution if possible. Thanks for reading <3

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community.

Answer accepted by question author

_AW_ 67,926 Reputation points Volunteer Moderator
2022-12-27T11:31:33+00:00

Hi AliThe killer, the excessive RAM usage sounds like it could be malware or miner related. If you could scan with Farbar Recovery Scan Tool (FRST), and share the logs it creates, I'll help you remove it.

https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Run FRST as administrator, use default settings and press Scan. Two logs are created in the folder that FRST is run from, FRST.txt and Addition.txt. Zip the logs and share on OneDrive, Google Drive or any file sharing service, then post the share link.

* Note: If you are downloading FRST with Edge, SmartScreen will initially block it.

Click on the 3 dots next to the warning and select Keep -> Show more -> Keep anyway.

  1. Anonymous
    2022-12-28T19:23:01+00:00

    Sorry for my late reply! Just exams. Anyway, I did exactly what you said and here is the Fixlog file:

    https://drive.google.com/file/d/13VpfxN5fxRTdoxMGwASCj8offrOEizbx/view?usp=sharing

    I have no idea what happened; I hope you can tell me in a simple way.

  2. _AW_ 67,926 Reputation points Volunteer Moderator
    2022-12-28T22:55:34+00:00

    Hi, you had multiple infections including a Crypto Stealer and CoinMiners. I'd like you to remove another file. Select all the bold text, then press Ctrl + C to copy it. There's no need to paste it anywhere, just run FRST and press the Fix button.

    start::

    C:\Users\lenovo\AppData\Roaming\freshgames\Realtek HD\rthdcpl.exe

    end::

    Next, some threat exclusions need to be removed. Right-click the Start button and select Windows PowerShell (Admin).

    Paste in the following command and press enter:

    Get-MpPreference | Select-Object ThreatIDDefaultAction_Ids | % {if ($null -ne $_.ThreatIDDefaultAction_Ids) {Remove-MpPreference -ThreatIDDefaultAction_Ids $_.ThreatIDDefaultAction_Ids -EA Sil}};

    Then paste in the next command, press Enter and post a screenshot showing the result:

    Get-MpPreference | fl ThreatIDDefaultAction_Ids, ThreatIDDefaultAction_Actions

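A read-only way to see what the two commands in the answer above operate on, added here as an example and not part of the thread or of _AW_'s instructions. It pairs each `ThreatIDDefaultAction_Ids` entry with its action and, going beyond the thread, also lists scan exclusions and the real-time protection state; the function name `Get-DefenderOverrideReport` is hypothetical and the action-code table follows Microsoft's documentation for `Set-MpPreference`.

```powershell
# Added example: read-only audit of Microsoft Defender overrides; it changes nothing.
# Run in an elevated Windows PowerShell so the exclusion lists are readable.

# Action codes documented for ThreatIDDefaultAction_Actions.
$ActionNames = @{ 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Allow'
                  8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }

function Get-DefenderOverrideReport {   # hypothetical helper name
    $pref    = Get-MpPreference
    $ids     = @($pref.ThreatIDDefaultAction_Ids     | Where-Object { $null -ne $_ })
    $actions = @($pref.ThreatIDDefaultAction_Actions | Where-Object { $null -ne $_ })

    # Per-threat overrides: the setting the Remove-MpPreference command in the thread clears.
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code   = if ($i -lt $actions.Count) { [int]$actions[$i] } else { 0 }
        $threat = Get-MpThreatCatalog -ThreatID $ids[$i] -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Kind   = 'ThreatDefaultAction'
            Value  = '{0} {1}' -f $ids[$i], $threat.ThreatName
            Action = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "code $code" }
            Review = $code -in 6, 9      # Allow / NoAction: the detection is not remediated
        }
    }

    # Generalization beyond the thread: scan exclusions are another kind of override.
    foreach ($prop in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($pref.$prop | Where-Object { $_ })) {
            [pscustomobject]@{ Kind = $prop; Value = $value; Action = 'Excluded'; Review = $true }
        }
    }

    # Real-time protection state, since the question mentions Windows Security being turned off.
    [pscustomobject]@{
        Kind   = 'RealTimeProtection'
        Value  = if ($pref.DisableRealtimeMonitoring) { 'Disabled' } else { 'Enabled' }
        Action = ''
        Review = [bool]$pref.DisableRealtimeMonitoring
    }
}

Get-DefenderOverrideReport | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rows with `Review` set to `True` are the ones to look at. Once the removal command from the answer above has run, no `ThreatDefaultAction` rows are expected.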
  3. _AW_ 67,926 Reputation points Volunteer Moderator
    2022-12-27T22:25:41+00:00

    Download Fixlist.txt from the link below to the same directory that FRST is in, then run FRST and press the Fix button.

    FRST will restart the computer when it finishes processing the script.

    Please post the resulting Fixlog from your Downloads\Programs directory and let me know if any problems remain.

    https://1drv.ms/t/s!AqQnVFhmcB_wmDmmDPjK7aZsUadL?e=0sF7oa

  4. Anonymous
    2022-12-27T21:14:01+00:00

    Thanks for replying! I really appreciate it. I did the scan and it gave me these 2 files:

    First file: https://drive.google.com/file/d/1wtdcK9qFrhKC5YU5T-r0KnmV9EFGSvKZ/view?usp=sharing

    2nd file: https://drive.google.com/file/d/113PSVMqCrtOLUKoj5eaD8IVyjPP1r26G/view?usp=sharing

    Sorry for the late reply. I hope you have a good day, sir.
