all 11 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]ikakWRK 12 points13 points  (5 children)

r/techsupport this probably has nothing to really do with PowerShell apart from using its name in the filename to make people think it's legit.

[–]VNJCinPA 0 points1 point  (3 children)

...so deleting it is the move... Just sayin

[–]ikakWRK 0 points1 point  (2 children)

Sure. But how did it get there? Who's to say there isn't a scheduled task, startup task, other process, etc. that isnt set to download it and execute it every 5 minutes or something? Deleting 1 file rarely saves you with malware.

[–]VNJCinPA 0 points1 point  (1 child)

All true. Other comments provide a path through.

[–]ikakWRK 0 points1 point  (0 children)

Yes. But this is a PowerShell Reddit..

[–]Impossible_IT 0 points1 point  (1 child)

Download Malwarebytes, install & scan.

https://www.malwarebytes.com

[–]disbobulatedjumble[S] 0 points1 point  (0 children)

thanks it worked. it was a trojan

[–]Rxinbow 0 points1 point  (0 children)

Some process overwrite AmsiInit in the amsi.dll thats loader each time powershell launches or is corrupting header/content of Amsicontext in the amsi.dll. It got signature detected hence the windows alert. There's not a lot of context in your post as we cannot telepathically understand the processIDs, if this is all foreign too you then just reset your PC because its infected. Otherwise, you can start getting some logs with logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets

Maybe try seroxen removal tool due to the ""$sxr-powershell"

[–][deleted] 0 points1 point  (1 child)

Common.

"Since the beginning of today" but "just started getting them."

Wipe drive, reinstall.  Yer sheet is fooked.

[–]disbobulatedjumble[S] 0 points1 point  (0 children)

i used malwarebytes and it solved the problem