Hi,

1) Isolate your PC (unplug the power).
2) Close wscript.exe, cscript.exe, and suspicious PowerShell processes from Task Manager.
3) Find and remove any VBS remnants: (a) user/system Startup folders; (b) Run/RunOnce keys in HKCU/HKLM; (c) scheduled tasks; (d) WMI subscriptions (root\subscription).
4) Temporarily disable Windows Script Host to block .vbs: create/adjust HKLM\Software\Microsoft\Windows Script Host\Settings → Enabled=0.
5) Delete the malicious file C:\Users\Public\PT2ZQ8.vbs (and clones in %Public%, %TEMP%).
6) Repair Windows: sfc /scannow then DISM /Online /Cleanup-Image /RestoreHealth.
7) Perform a Microsoft Defender Offline scan.
8) Harden: Enable ASR rules in Defender (block suspicious scripts, Office children, etc.), consider AppLocker/WDAC to prohibit scripts from user-writable locations, and set PowerShell to AllSigned.
9) If it returns, use Sysinternals Autoruns (Everything tab) to disable/remove residual startups; if it persists, consider an in-place repair or clean reinstall.

Note: PowerShell is almost certainly not "infected," but simply launched by the VBS; eliminating the persistence will stop the warnings.
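The four locations from step 3 and the Windows Script Host setting from step 4, checked in one read-only pass. This is an added example, not part of the original answer; the match pattern and the `Add-Finding` helper are assumptions made for illustration, and it should be run from an elevated PowerShell prompt so that `root\subscription` and all scheduled tasks are readable.

```powershell
# Added example (read-only audit): nothing is deleted or changed.
# Assumption: the pattern below is a reasonable filter for script-host launches.
$pattern  = 'wscript|cscript|powershell|\.vbs|\.vbe|\.js\b|\.wsf'
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Location, $Name, $Value) {
    if ("$Value" -match $pattern) {
        $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = "$Value" })
    }
}
# (a) User and system Startup folders: list every file, shortcuts can point at scripts.
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{ Location = $dir; Name = $_.Name; Value = $_.FullName })
    }
}
# (b) Run / RunOnce keys in HKCU and HKLM.
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($key in 'Run', 'RunOnce') {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\$key"
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($item) { foreach ($name in $item.GetValueNames()) { Add-Finding $path $name ($item.GetValue($name)) } }
    }
}
# (c) Scheduled tasks whose action launches a script host or script file.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        Add-Finding "Task $($_.TaskPath)$($_.TaskName)" 'Action' "$($a.Execute) $($a.Arguments)"
    }
}
# (d) WMI event consumers in root\subscription: list all, they are rare on a clean PC.
foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{ Location = "WMI $class"; Name = $_.Name
            Value = "$($_.CommandLineTemplate)$($_.ScriptFileName)$($_.ScriptText)" })
    }
}
# Step 4: report the current Windows Script Host setting (0 = disabled).
$wsh = (Get-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows Script Host\Settings' -ErrorAction SilentlyContinue).Enabled
"Windows Script Host Enabled value: $(if ($null -eq $wsh) { 'not set' } else { $wsh })"
$findings | Format-Table -AutoSize -Wrap
```

Review each row before removing anything: legitimate software also registers Run keys and scheduled tasks that call PowerShell.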