1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Windows PowerShell(ISE) used by hackers

By rogerthat69
Oct 14, 2016
  1. I have learned that hackers use Powershell to manage remote computers by installing malware-code etc. Prior to Win 10 it was possible to uninstall PowerShell as a Windows component. That is not an option with Win 10. Anyone knows why? Does Microsoft use Powershell(ISE) for I.e OS-maintenance?

    My EventLog shows that someone is running PowerShell scripts(block) executing remote commands. Message in Eventlog is "Varning" ID 4104. The process starts with Console Startup(ID40962) then an IPC listening thread on process 4292 in DeafaultAppDomain. All scripts are readable code.

    "Providers" was started last time by PowerShell Host; Filesystem, Variable, Alias, Function, Registry, Environment.

    It seems(?) Windows Remote Manager are involved making Client API-calls (ID 145). An operation(enumeration) starts by using resource: http://schemas.microsoft.com/wbem/wsman/1/config/listener.

    I donĀ“t feel comfortable with these processes going on. If MS were involved using PowerShell scripts they should be explicit about it.
  2. Broni

    Broni Malware Annihilator Posts: 53,856   +370

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.


    All I can do here is to check if your computer is clean.
    If you wish to do so, you know the drill...

    Please, complete all steps listed here: https://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.
  3. rogerthat69

    rogerthat69 TS Enthusiast Topic Starter Posts: 57

    Hi, Broni. Will soon reply for a check, thank you!

  4. Broni

    Broni Malware Annihilator Posts: 53,856   +370

Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...