I seem to be in the same boat all of a sudden and I cannot find the culprit to save my life...
Did a fresh W10 install, put all my stuff back the way it was and a few hours later, out of the blue, PowerShell opened and closed super fast and my machine started acting up and now PowerShell and/or Chrome constantly get detected by Malwarebytes as something (no idea what) repeatedly attempts to make an outbound connection to "activatorcounter.com" and 2 specific IPs, namely "188.114.96.3" and "188.114.97.3".
I've tried everything (that I know of, at least) from scanning my rig with Defender, Malwarebytes, HitmanPro, Norton Power Eraser, Adlice Diag, Kaspersky Virus Removal Tool and ESET Online Scanner, to blocking the website and both IPs via Windows Firewall, to completely uninstalling and manually deleting any remains that had anything to do with MediaHuman's YouTube Downloader and YouTube to MP3 Converter (the ONLY two things similar, if not the same, as the potential suspects already mentioned in the replies above), to personally checking every corner of Task Manager and so on, but so far everything appears to have been in vain.
Now VirusTotal and a few Google links are telling me that the "activatorcounter.com" website is safe but are flagging the aforementioned IPs as malicious and I really am at a loss here since #1 - I have no idea what is causing this and #2 - is this a serious threat? And if it potentially or surely is, just HOW serious are we talking here? Because I don't fall for scams or anything like that so if that were the worst thing that could happen, I'd be more than ok with it, HOWEVER I'd like to somehow maybe confirm that by allowing this outbound connection, I'm not allowing ANYONE to hack me and/or steal data one way or another.
But in any case and until further notice (specifically until I get some answers, preferably from you fine guys and gals), for now I have allowed the website (without the IPs) through Malwarebytes (I am fully aware that by doing so I am potentially putting myself at risk, but bare with me for just a few more seconds) BECAUSE when Malwarebytes constantly blocks PowerShell from sending anything outbound, this website (TheWindowsForum), along with a few other sites, do not work anymore and neither do some Chrome extensions but as soon as I allow it to do whatever it's doing, everything suddenly works again, so basically when that malware (for lack of a better term so far) is being blocked, I seem to be limited in certain aspects with regards to operating my rig to its full potential, whereas when it's left unchecked to do whatever it is that it's doing, everything works fine.
Lastly, this is literally the only website I found that even mentions "activatorcounter.com", hence why I came here, so if anyone has had any revelations or breakthroughs or any new ideas in the last few weeks since the final reply was made in this topic, I'd really love some input. Actually scratch that - ANY AND ALL input/suggestions/etc. are more than welcome!
Thank you in advance.
EDIT:
Actually, while I'm here, is anyone familiar with something called Adware.PhoenixInvicta? It's apparently tied to Chrome with regards to extensions or something along those lines (I have a few folders and files that point to" AppData/Local/Google/Chrome/User Data/Default/Local Extension Settings" and a registry value that leads to "CHROME/PREFERENCEMACS/Default") and no matter how many times I quarantine and/or delete the threats via Malwarebytes, they end up coming back the next day or upon the next PC restart or shut down/boot (and sometimes merely a few hours later).
And, for what it's worth, if it helps, upon visiting "Local Extension Settings", I'm met with roughly 13-ish items (sometimes the number is higher, sometimes lower) and each and every folder has a very strange name, i.e.:
"ammjkodgmmoknidbanneddgankgfejfh"
"hgeljhfekpckiiplhkigfehkdpldcggm"
"oombnmpbbhbakfpfgdflaajkhicgfaam"
You get the idea. What the heck is this? What exactly is it tied to and how can I pinpoint the specific extension/s that's causing this? (to ultimately get rid of it) Also, why is Malwarebytes the only software detecting Adware.PhoenixInvicta? Defender and ESET have not given a single notification about any danger related to it.
Again, thank you in advance.
R Don't download cracked program without a group's name on the release. I won't go into why, its just groups do that to gain cred. Nobody wants to be associated with infected code.
