I've noticed several instances of PowerShell running on my computer, and I'm worried that one or more of them could be malicious. I read somewhere that if these were malware, they would stop functioning when disconnected from the internet, but that's not happening. I used to have Visual Studio installed, which some suggest might lead to this issue, but I uninstalled it. One of the PowerShell processes is using around 150 MB of memory, and things got worse after I saw a PowerShell window pop up and vanish quickly. An image of my Task Manager with the command line column enabled is linked. Can anyone help me figure out if the command lines are suspicious or not? I've also noticed they seem to be multiplying. I've installed Symantec Endpoint Protection, and it identified them as a heuristic virus, preventing them from running, but I really need to understand what's going on with these scripts.
5 Answers
Isn't it interesting that the OP's display name matches the username of the process? Makes you wonder, right?
If you want to dig deeper, you can right-click the process in Task Manager and create a memory dump to analyze it with tools like WinDbg. This could give you more clues about what's happening.
It sounds pretty likely that you’re dealing with malware. If you’re unsure when you got infected or what the processes do, your best bet is to restore your system from a backup if you have one that predates the infection. Otherwise, consider doing a complete wipe and reinstall of your OS. A lot of those so-called 'fix my windows' tools won't do much to help. Also, the idea that malware stops working when it's offline is misleading—malware behaves as programmed by its creator, so it might still run without internet access.
Thanks for the insight! Looks like a reinstall is my next move.
You might want to check the environment variables associated with those PowerShell processes—sharing them here could help. Given the obfuscation, it’s safe to assume you’re likely dealing with malware. If there’s any chance you can restore from a known clean backup, that would be ideal, but otherwise, a clean OS install is the way to go.
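As an added example (not code from any of the posters), the snippet below gathers the details the answers ask for about each PowerShell host process: command line, parent process, owner, start time, working set, and a decoded copy of any `-EncodedCommand` argument so an obfuscated script body can be read. It assumes an elevated PowerShell prompt on the affected machine; the environment block of another process is not exposed by `Win32_Process`, so that part still needs a tool such as Process Explorer or a memory dump as suggested above.

```powershell
# Added triage example: list PowerShell host processes with the context needed
# to judge whether they are legitimate. Run from an elevated prompt.
$hostNames = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe')

# Query all processes once so parents can be resolved without re-querying WMI.
$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

# If the command line carries -e / -ec / -enc / -EncodedCommand, decode the
# base64 (UTF-16LE) payload so the actual script text can be inspected.
function ConvertFrom-EncodedCommandArg {
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
        } catch { return '<base64 decode failed>' }
    }
    return $null
}

$report = foreach ($p in $all | Where-Object { $hostNames -contains $_.Name }) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID          = $p.ProcessId
        Started      = $p.CreationDate
        Owner        = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
        # A parent that has already exited (common for short-lived launchers) shows only its PID.
        Parent       = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" }
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        CommandLine  = $p.CommandLine
        Decoded      = ConvertFrom-EncodedCommandArg $p.CommandLine
    }
}

$report | Format-List
# Keep a copy to share with whoever helps with the investigation.
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\powershell-triage.csv"
```

Processes whose parent is not a known launcher (for example an Explorer shell, a scheduled task host, or a developer tool) or whose decoded script is unreadable are the ones to take to a clean machine for further analysis.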
To be on the safe side, disconnect your machine from the network, then either restore your system or reinstall Windows. If you haven’t already backed up your important data, make sure that’s done—preferably to an external device. Change your passwords from a secure machine once you’ve dealt with this.
Haha, my Reddit name is just my actual username at home! Nothing too suspicious about that!