Just got this message from Bitdefender Internet Security. | The Windows Forum
Just got this message from Bitdefender Internet Security.

Yobbo (VIP, joined Jan 3, 2018, 229 messages)
If you're interested, not long ago I renewed Bitdefender Internet Security for 3 years: AU $90.00, AU $2.50 per month. I don't know what this means. If someone here in the Windows Forum can describe this to me in simple English, it would be much appreciated. I was on the reddit website, and this never happened before.
The app C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe was passed a malicious command line and has been blocked. Your device is now safe.
Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "$fp='C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\5e810ba5502dd7d8\Razer Chroma.lnk';if(!(Test-Path $fp)){exit 1};$p=Split-Path $fp;$s=New-Object -ComObject 'Shell.Application';$fo=$s.Namespace($p);$it=$fo.Parsename((Split-Path $fp -Leaf));try{$t=[type]'CosmosKey.Util.MuiHelper'}catch{$d=[Text.StringBuilder]'';[void]$d.AppendLine('[DllImport(\"user32.dll\")]');[void]$d.AppendLine('public static extern int LoadString(IntPtr h,uint id,System.Text.StringBuilder sb,int maxBuffer);');[void]$d.AppendLine('[DllImport(\"kernel32.dll\")]');[void]$d.AppendLine('public static extern IntPtr LoadLibrary(string s);');Add-Type -MemberDefinition $d.ToString() -Name MuiHelper -Namespace CosmosKey.Util};$h=[CosmosKey.Util.MuiHelper]::LoadLibrary('shell32.dll');$vb=New-Object Text.StringBuilder '',255;[void][CosmosKey.Util.MuiHelper]::LoadString($h,5387,$vb,255);$vn=$vb.ToString().Replace('&','');$iv=$it.Verbs()|Where-Object{$_.Name.Replace('&','')-eq $vn};if($iv){$iv.DoIt()}else{exit 1}
 
Asked Leo AI about this and this is what it came up with:

This pattern is commonly used by software updaters, launchers, or system utilities to start an application via its pinned shortcut rather than calling the executable directly. This ensures the app starts with the correct working directory or context associated with the shortcut.

Potential for Abuse

While the code itself is functional, the technique of using -ExecutionPolicy Bypass and dynamic C# compilation (Add-Type) is frequently seen in malware to evade detection or launch payloads.
  • Red Flags: The use of Bypass and obfuscated API calls can mimic malicious behavior.
  • Context Matters: If you did not install Razer software or if this command appears unexpectedly in startup logs or task scheduler, it could indicate a malicious script masquerading as a legitimate launcher.

Conclusion

If you have Razer Synapse or Razer Chroma software installed, this is likely a benign command triggered by the Razer updater or launcher to start the application. If you do not use Razer products, or if this command runs without your initiation, you should investigate the parent process triggering it using tools like Process Explorer or Autoruns.

So it looks like it could be malicious, but it could be Razer doing normal Razer stuff. If you don't have any Razer software then it's definitely suspicious.

Asked Leo if this code is malicious and:

Based on the command line provided, yes, this code is malicious.

While the antivirus message states "Your device is now safe" (indicating the threat was blocked), the command itself exhibits classic behaviors of a fileless malware loader or a dropper attempting to execute a payload disguised as a legitimate application.

Conclusion

This is a blocked attack. The antivirus software (likely Bitdefender, based on the message format) identified the specific pattern of the command line—specifically the combination of ExecutionPolicy Bypass, dynamic type definition, and the manipulation of shell verbs to execute a hidden payload—and prevented it from running.

Recommended Actions:

  • No immediate action is required if the message says it was "blocked," as the code did not execute.
  • Scan your system with a full offline scan to ensure no precursor files (the .lnk file or the target executable) remain on the disk.
  • Check Startup Items: Verify if there are any suspicious entries in your Task Scheduler or Startup folder related to "Razer Chroma" or unknown scripts.
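Turning the recommended checks above into a script, as an added example that is not code from the thread, from Bitdefender or from Razer: it walks Task Scheduler, the Run/RunOnce keys and the Startup folders and reports any entry that combines two or more of the traits visible in the blocked command (-ExecutionPolicy Bypass, Add-Type, Shell.Application, LoadString, DoIt), then checks whether the .lnk the alert names is still on disk. The indicator list is my own choice; the .lnk path is the one from the alert.

```powershell
# Added example (not from the thread, Bitdefender or Razer): audit the persistence spots the reply
# above names (Task Scheduler, Run keys, Startup folders) for commands sharing the blocked one's traits.
$indicators = @('-ExecutionPolicy Bypass', 'Add-Type', 'Shell.Application', 'LoadString', '.DoIt()')
function Test-SuspiciousCommand {
    param([string]$CommandLine)
    # Any single indicator is common in benign admin scripts; flag only when two or more co-occur.
    $hits = @($indicators | Where-Object { $CommandLine -match [regex]::Escape($_) })
    return ($hits.Count -ge 2)
}
$findings = @()

# 1. Scheduled tasks: inspect every action's executable and arguments.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-SuspiciousCommand $cmd) {
            $findings += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Command = $cmd }
        }
    }
}

# 2. Run / RunOnce keys for the current user and the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in ($runKeys | Where-Object { Test-Path $_ })) {
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive properties
        if (Test-SuspiciousCommand ([string]$p.Value)) {
            $findings += [pscustomobject]@{ Source = "$k\$($p.Name)"; Command = $p.Value }
        }
    }
}

# 3. Startup folders: resolve each .lnk read-only (no Save call) and check its target plus arguments.
$wsh = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($lnk in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
    $sc = $wsh.CreateShortcut($lnk.FullName)
    $cmd = "$($sc.TargetPath) $($sc.Arguments)"
    if (Test-SuspiciousCommand $cmd) {
        $findings += [pscustomobject]@{ Source = "Startup $($lnk.FullName)"; Command = $cmd }
    }
}
# 4. Is the .lnk named in the blocked command line (path copied from the alert) still on disk?
$razerLnk = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\5e810ba5502dd7d8\Razer Chroma.lnk'
"Razer Chroma.lnk present: $(Test-Path $razerLnk)"
if ($findings) { $findings | Format-Table -AutoSize } else { 'No persistence entries match the blocked pattern.' }
```

Run it from an elevated PowerShell so HKLM keys and all scheduled tasks are readable; a hit only tells you where to look, so confirm the parent process with Process Explorer or Autoruns as the reply suggests.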
 
Thanks very much to all who replied.
I have a Razer wired mouse and have Synapse 4 installed, not Chroma.
This never happened before.
I also got some information from 2 reddit members.
One was from ESET and the other member obviously knew about code, which I know nothing about. It was very obvious they were very concerned about my situation, like you Windows Forum members are.
Thanks very much again.
 

Attachments: Bitdefender Full Scan.jpg (54.2 KB), Malicious virus blocked.jpg (125 KB)
Well I am glad you found help. There was a heck of a lot of code packed into that warning and I found some of it confusing. It did look like possibly a hijack but in a very unique way. Whew, tough one to reverse engineer.
 
As a user of the Razer Pro system, I've had no end of issues with Synapse / Chroma, usually in the legacy part of booting; it won't turn on the lights till boot is finished and it's spent an hour forming god knows how many Service hosts. In the end it all went back in its boxes and back to Razer for a full refund.

Bitdefender, after testing it a few years past, I decided it was a terrible thing to have on a machine due to the amount of over-generic searches it does on systems rather than the precise key actions that should be done. Had it on test for two weeks, 10 updates and it got no better. Uninstalled completely and went back to Comodo.

Bitdefender isn't that good; it also picks out a lot of well-known false positives and safe code, and for those who do programming it's a pain in the ass and a huge waste of time. Consider a new Virus/Malware pack.

No advert, everyone knows my priority package for defence.
 
Thanks very much.
 
I had a subscription with ESET Internet Security for many, many years here in Hong Kong. I bought it because it had the Firewall Function, which was very difficult to configure to block a program from accessing the web. There were options; you could block in or out or both.

Hong Kong support sent the directions to me in an email. Just over 3 years ago, when I went to renew my sub, they advised me ESET had just imposed regional restrictions, which meant I could only use it in Hong Kong.

I then did a thorough search for alternatives and found Bitdefender was rated as the best. I paid for Bitdefender Internet Security because it has the Firewall Function and also a VPN, which is limited on data if you don't pay for it. I just checked again today and Bitdefender is rated at the top on many non-sponsored AV review websites.
The Firewall function is very easy and much quicker to block or allow a program from accessing the net.

I have a Razer Basilisk V3 35K wired mouse and I have no problems with Synapse 4 at all. In fact it's the best mouse I've ever had and at a very reasonable price. I ordered online from the authorised Razer website in Hong Kong and it was delivered to my door the next day. Whenever a local or anybody delivers a package to our home I always give them an icy cold mini can of zero coke.
 

Attachments: Bitdefender Firewall.jpg (23.8 KB), Bitdefender Internet Security Firewall.jpg (95.4 KB)
I have been reading occasional posts with folks having difficulties with Bitdefender. I am not questioning the fact it provides good security; I found it a nagging royal pain in the ass. Maybe some users need that; I hate being disturbed for no valid immediate danger.
Some programs like Bitdefender are like that kid in your class, always making it important for everyone to know how smart they are. I find that disruptive.