Hello,
I received the following threat warning earlier:
https://i.imgur.com/BNgNcb4.png
-
Given that I did not perform a scan myself, and that the following threat popped up while I was not actively at my computer, I assume Avast must have detected an action occurring in the background. While the warning above mentions the source being Windows’ PowerShell, I did not have one actively open myself, which means that some other program must have tried to run it.
-
The file in question, “UNINSTALLEXCHANGE.PS1”, seems to have been located in the /SETUP folder of my Avast installation, although I currently cannot find it in there anymore. Perhaps Avast deleted it from there upon issuing the warning? Given the name of the file, it sounds like some program tried to uninstall Avast, although I might of course be wrong.
-
As mentioned earlier, the file was not downloaded or received, but rather in the /SETUP folder of my Avast installation. Whether it was originally there or put there by a virus, I don’t know.
-
The exact filename seems to have been “UNINSTALLEXCHANGE.PS1”, and has been attempted to run by powershell.exe in "C:\Windows\System32\WindowsPowerShell\v1.0".
-
The Avast message, as seen in my screenshot above, was “We’ve blocked UNINSTALLEXCHANGE.PS1 because it was infected with IDP.ALEXA.53”.
-
As the file currently does not exist within the directory anymore, I unfortunately cannot scan it again.
-
Given that, I also cannot upload the file to VirusTotal or other online scan services.
I have, of course, tried to already search on Google to find further information on my situation, but unfortunately have not found much. The only relevant link I found is the following: https://discuss.elastic.co/t/kv-filter-dont-split-on-field-split-pattern-once/165431, where someone (suspiciously?) seems to want to run a certain command using PowerShell on the aforementioned file. However, given the short excerpt of their code, I cannot come to a conclusion on what exactly it is they tried to do.
I would perhaps have put it aside as a false positive, but the fact that something happened in the location Avast itself was installed in, without my knowledge, seems somewhat worrying.
I would really appreciate any help regarding this, as I am worried that my PC might have gotten infected.
Thank you very much!