
PowerShell/PSW.CoinStealer.B – How to Remove it

If you ever come across this problem, you know by now that it is almost impossible to remove if you rely only on your antivirus. Most of them will block the connection attempts and the scripts, but from time to time a warning like the one below will pop up.

Initially, to solve this problem, I ran dozens of antivirus programs and several other malware tools. After each tool finished, following several hours of scanning, I said “Gotcha!” – far from the truth. This pesky one is a sneaky little bastard.

I also spent some hours looking for an answer in forums and the like, to no avail. So, let’s dive into it.

Looking at the details provided by the ESET antivirus alert and log information, it looks like Windows PowerShell is being blocked when trying to run a script, but no more information is given. So I thought: if PowerShell is being called, maybe there is a scheduled task calling it. That would explain why it pops up from time to time, and why the antivirus can’t find any threat and can’t remove it, because PowerShell is a valid Windows program.

But there is another problem: it is not easy to find anything just by looking at the Task Scheduler. There are hundreds and hundreds of entries. Finding the one that is calling PowerShell is a massive task.

So… how to solve this? Idea – let’s take a look at the Windows Event Viewer. For this one, I’ll save you the trouble: navigate to Applications and Services Logs / Microsoft / Windows / TaskScheduler.

Now you have a very long list of events from the Task Scheduler. Before you start looking, check the antivirus log for the time you received the alert. Then, in the Event Viewer, look for the same time in the category “Task Started”; the description window below now shows you the path to the task. Mine looked like this:

O Programador de Tarefas iniciou a instância “{487c430f-6d78-45e4-9171-68e17d53298b}” da tarefa “\Microsoft\Windows\Management\Provisioning\Gbfr2\6A342465-4880-4A0E-B95F-C2FFAB3E6DF4”.

Now you can go to the Task Scheduler and navigate to that specific task.

To test, just run the task and check that you have the right one: the antivirus alert should pop up again. And finally, to get rid of it, just delete that task.
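The same correlation can be done from an elevated PowerShell prompt instead of clicking through the Event Viewer and the Task Scheduler. The script below is an added example, not part of the original post: it lists the “Task Started” events (event ID 100 in the Microsoft-Windows-TaskScheduler/Operational log) around the time of the antivirus alert, and separately lists every registered task whose action launches PowerShell, so the hundreds of entries shrink to a handful of candidates. It assumes that the Operational log is enabled (it is off by default on some systems) and that the alert time is taken from your antivirus log.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.

function Get-TaskStartedAround {
    param(
        [Parameter(Mandatory)][datetime]$AlertTime,   # time of the antivirus alert
        [int]$WindowMinutes = 2                       # tolerance around that time
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-TaskScheduler/Operational'
        Id        = 100                               # "Task Started"
        StartTime = $AlertTime.AddMinutes(-$WindowMinutes)
        EndTime   = $AlertTime.AddMinutes($WindowMinutes)
    }
    # Event 100 carries the task path as its first data field and the
    # instance GUID (the one quoted in the event text) as its third.
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            TaskPath = $_.Properties[0].Value
            Instance = $_.Properties[2].Value
        }
    }
}

function Get-PowerShellTasks {
    # Every registered task whose action runs powershell.exe or pwsh.exe,
    # with its arguments, so the script it launches can be reviewed.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'powershell|pwsh') {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                }
            }
        }
    }
}

# Usage (alert time is a placeholder; take it from the antivirus log):
#   Get-TaskStartedAround -AlertTime (Get-Date '2024-01-01 10:15') | Format-Table
#   Get-PowerShellTasks | Format-List
# Once the task is confirmed, remove it as the post describes:
#   Unregister-ScheduledTask -TaskPath '<path>' -TaskName '<name>' -Confirm:$false
```

Cross-check the task path returned by the first function against the list from the second before removing anything; many legitimate Windows tasks also run PowerShell.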

Leave a comment if this has helped you.
