Author Topic: Powershell process seems to have tried uninstalling Avast?  (Read 2614 times)

0 Members and 1 Guest are viewing this topic.

Offline 6576

  • Newbie
  • *
  • Posts: 1
Powershell process seems to have tried uninstalling Avast?
« on: April 24, 2021, 05:59:16 PM »
Hello,

I received the following threat warning earlier:


1. Given that I did not perform a scan myself, and that the following threat popped up while I was not actively at my computer, I assume Avast must have detected an action occurring in the background. While the warning above mentions the source being Windows' PowerShell, I did not have one actively open myself, which means that some other program must have tried to run it.

2. The file in question, "UNINSTALLEXCHANGE.PS1", seems to have been located in the /SETUP folder of my Avast installation, although I currently cannot find it in there anymore. Perhaps Avast deleted it from there upon issuing the warning? Given the name of the file, it sounds like some program tried to uninstall Avast, although I might of course be wrong.

3. As mentioned earlier, the file was not downloaded or received, but rather in the /SETUP folder of my Avast installation. Whether it was originally there or put there by a virus, I don't know.

4. The exact filename seems to have been "UNINSTALLEXCHANGE.PS1", and has been attempted to run by powershell.exe in "C:\Windows\System32\WindowsPowerShell\v1.0\".

5. The Avast message, as seen in my screenshot above, was "We've blocked UNINSTALLEXCHANGE.PS1 because it was infected with IDP.ALEXA.53".

6. As the file currently does not exist within the directory anymore, I unfortunately cannot scan it again.

7. Given that, I also cannot upload the file to VirusTotal or other online scan services.

I have, of course, tried to already search on Google to find further information on my situation, but unfortunately have not found much. The only relevant link I found is the following: https://discuss.elastic.co/t/kv-filter-dont-split-on-field-split-pattern-once/165431, where someone (suspiciously?) seems to want to run a certain command using PowerShell on the aforementioned file. However, given the short excerpt of their code, I cannot come to a conclusion on what exactly it is they tried to do.

I would perhaps have put it aside as a false positive, but the fact that something happened in the location Avast itself was installed in, without my knowledge, seems somewhat worrying.

I would really appreciate any help regarding this, as I am worried that my PC might have gotten infected.
Thank you very much!
« Last Edit: April 24, 2021, 06:01:29 PM by 6576 »

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33754
  • malware fighter
Re: Powershell process seems to have tried uninstalling Avast?
« Reply #1 on: April 25, 2021, 11:46:30 PM »
This could be caused by a heuristically flagged extension inside your browser (Chrome, Firefox, Microsoft Edge etc).
Remove that particular extension and/or restore to the original settings of your browser.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Horst1

  • Newbie
  • *
  • Posts: 1
Re: Powershell process seems to have tried uninstalling Avast?
« Reply #2 on: April 28, 2021, 10:58:09 PM »
Hi,

I am facing the same issue. My browser is microsoft edge and i did not install any extensions. Is this a seríous thread or a false positive?