Stopping harmless PS - ****** and only provides noncopyable text

naturpur1 · 2025-06-24T06:50:06+00:00

There was an error rendering this rich post.

Hello, now 2 times via extended threat detection a PS ****** was stopped. Dont now the real origin/executer, but virustotal said 0 found malicious, also their sandboxes, even Bitdefender…

Then I only could screencopy the finding, no text copy/rightklick, no button to a logfile. :/ so I used chatgpt for OCR. Later I found only under notification I can mark text and copy via rightclick. Seems like a hidden feature..

Finding (copy then has no line breaks :/ like in GUI):

Funktion:Erweiterte GefahrenabwehrDie Anwendung powershell.exe wurde als potenziell schädlich erkannt und blockiert.Anwendungspfad: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeBefehlszeilenparameter: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Restricted -Command $isBroken = 0 # Define the root registry path $ShellRegRoot = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell' $bagMRURoot = $ShellRegRoot + '\BagMRU' $bagRoot = $ShellRegRoot + '\Bags' # Define the target GUID tail for MSGraphHome $HomeFolderGuid = '14001F400E3174F8B7B6DC47BC84B9E6B38F59030000' $properties = Get-ItemProperty -Path $bagMRURoot foreach ($property in $properties.PSObject.Properties) { if ($property.TypeNameOfValue -eq 'System.Byte[]') { $hexString = ($property.Value | ForEach-Object { $_.ToString('X2') }) -join '' if ($hexString -eq $HomeFolderGuid) { $subkey = $property.Name $nodeSlot = Get-ItemPropertyValue -Path ($bagMRURoot + '\' + $subkey) -Name 'NodeSlot' $isBroken = if ((Get-ItemPropertyValue -Path ($bagRoot + '\' + $nodeSlot + '\Shell\*') -Name 'GroupView') -eq 0) { 1 } else { 0 } break } } } Write-Host 'Final result:',$isBrokenErkennungs-ID: SuspiciousBehavior.2304F2F54F048A90

suspicious_powershell_******.txt

suspicious_powershell_script.txt

Find more posts tagged with

Comments

naturpur1

also the timeline seems not possible to extract, so I here some screens:

Gjoksi

Hello.

On the same issue, this is a comment from @camarie on another topic:

https://community.bitdefender.com/en/discussion/comment/354576#Comment_354576

Maybe the issue has occurred again, can't be sure about that.

You should contact Bitdefender Consumer Support by chat, telephone or e-mail:

https://www.bitdefender.com/consumer/support/help/

Chat is the fastest way to get in touch with Bitdefender Consumer Support.

NOTE: Bitdefender telephone support is not toll-free!

Regards.

@camarie @Alexandru_BD

Flexx

To add to the main post reply, I just had a conversation with Bitdefender Support, and according to their response (as shown in the image below), the issue has been resolved. If the issue is still persisting for some users, they will need to contact Bitdefender Support directly and provide the necessary logs so that it can be investigated further.

Kindly contact Bitdefender support by visiting https://www.bitdefender.com/consumer/support/help/

Select, How to's & Troubleshooting Bitdefender products→Troubleshooting→I don't know→Contact Support→ You will get the option of chat, call or email.

To get an immediate update, kindly use the chat option. Also, ensure that no ad blockers or privacy extensions are enabled in your web browser, as they may prevent the chat window from appearing.

Generate and attach the following logs to the ticket:

Generate Bitdefender BDsysLog: https://www.bitdefender.com/consumer/support/answer/1922/
Generate Bitdefender Support Tool Log: https://www.bitdefender.com/consumer/support/answer/1733/

If the generated logs are larger than 25 MB (the attachment limit for most email vendors), you can upload the logs to https://upload.bitdefender.net/ and share the link with the support team.

This post is now closed to further comments.

Regards