something calling powershell for https://eleneven.site/knottiness

Dear raphael amorim,

Thank you for reaching out to the Microsoft Q&A.

The image you provided shows a classic sign of a malicious script trying to run on your computer. The command is attempting to use PowerShell to download and immediately execute a file from a website.

The good news is that the command failed because the server returned a (404) Not Found error. This means the malicious payload couldn't be downloaded. However, the script that tries to do this is still on your system and needs to be removed. It's likely hidden in a place that makes it run automatically when you start your computer.

You could try following these steps below to solve your issue:

1. Run a full security scan:
   • Go to Settings > Privacy & security > Windows Security.
   • Click on Virus & threat protection.
   • Click Scan options.
   • Select Microsoft Defender Offline scan and click Scan now.
   • Or you can use Malwarebytes Antivirus, Anti-Malware, Privacy & Scam Protection. Download the free version and run a full scan.
   Disclaimer: This is a non-Microsoft website. The page appears to be providing accurate and safe information. Watch out for ads on the site that may advertise products frequently classified as PUP (Potential Unwanted Products). Thoroughly research any product advertised on the site before you device to download and install it.
2. Use Autoruns for Windows:
   • Go to Autoruns - Sysinternals | Microsoft Learn and download it
   • Extract the ZIP file and right-click Autoruns64.exe (if you have 64-bit Windows) and select "Run as administrator".
   • Once it's loaded, you'll see a list of everything that starts with your PC. It can be overwhelming, so let's filter it:
   • In the "Filter" box at the top, type powershell and press Enter. Look for any suspicious entries that are launching PowerShell.
   • Clear that filter, then type eleneven (part of the malicious URL) and press Enter. See if anything shows up.
   • If you find a suspicious entry:
   • Yellow Highlight: An entry highlighted in yellow means the file it's trying to run is missing (which makes sense, since you got a 404 error). This is very likely your culprit.
   • Pink Highlight: An entry highlighted in pink means there is no verified publisher, which is also suspicious.
   • To disable it, simply uncheck the blue checkbox next to the entry. This is safer than deleting. Restart your PC to see if the problem is gone. If it is, you can re-open Autoruns, find the entry again, right-click it, and select Delete.
3. Check PowerShell Profiles:
   • Open PowerShell as an administrator.
   • Run this command:

          notepad $PROFILE
     

   • Look inside the text file for any suspicious lines, especially anything containing IEX, DownloadString, or eleneven.site.
   • Delete any malicious lines, save the file, and close Notepad.

If nothing works, you can also try to fix the issue by performing an In-place Upgrade. Please read this Reinstall Windows with the installation media - Microsoft Support Disclaimer: Let's try performing an in-place install or in-place upgrade which will refresh your Windows files and operating system without removing files or applications. That being said, we always recommend that if you have important data, you should back up it up before making large system changes. If you want to back up your data first, please do so. Once you are done backing up, you can follow the steps in the following guides: How to run In-place upgrade in Windows 11 - Microsoft Q&A

To assist others who might have similar questions and to help us improve our support system, we kindly encourage you to "Accept the answer" if it successfully addressed your concern. Accepting an answer lets other users know that this solution worked for you, and it also helps us track the effectiveness of our support efforts.

Best regards, 

Bryan Vu | Microsoft Q&A Support Specialist