How do you remove PowerShell from my computer?

Anonymous
2018-03-09T21:26:29+00:00

I have a Windows 7 laptop, I have had it since 2012. I just started getting a notification from my security software stating that SONAR has blocked suspicious behavior. When I go in to view the details it says that it is with Powershell.exe. I have looked for help with how to remove this from my computer but I have only found how to uninstall the program. Powershell is not in my Programs, I found it actually in my system folder. I right clicked on it and there was no option to uninstall, only delete, and was concerned that this would not remove it completely. Can I remove this and if so, how?

This is the path to the location: Computer>Gateway (C:)>Windows>System32>WindowsPowerShell>v1.0

Also, here is the list of the other things located here that appear to be related to PowerShell. I want to get rid of all of it if I can as I don't want something that is not safe on my computer.

powershell

powershell_ise

PowerShellCore.format

PowerShellTrace.format

PSEvents.dll

pspluginwkr.dll

pwrshmsg.dll

pwrshsip.dll

Thank you!


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


3 answers

  1. LemP 74,855 Reputation points Volunteer Moderator
    2018-03-09T22:21:54+00:00

    Although you can uninstall PowerShell, PowerShell itself is highly unlikely to be your problem.

    It's much more likely that you have downloaded a malicious script file that is running using PowerShell.  Look more closely at the warning messages from your security software.

    Windows 7 comes with PowerShell 2.0 built in.  I've seen suggestions that you can uninstall PowerShell by going to Control Panel > Programs and Features and clicking "View Installed Updates" and then searching for PowerShell.  However, because I've upgraded my Windows 7 system to PowerShell 5.0, I can't confirm that using that as a search term will work.  If you don't find "PowerShell" in Installed Updates, look for "Windows Management Framework" and if you find that, do some Google research on the KB number associated with it.  You don't want to uninstall the baby along with the bath water.

    If I were you, however, rather than attempting to uninstall PowerShell, I would either scan my system with both of the following programs (one at a time) or seek guided malware removal help from ONE of the specialist forums listed below.

    ESET Online Scanner (free):  https://www.eset.com/us/home/online-scanner/

    Malwarebytes (free 14-day trial of full program; either uninstall or after 14 days reverts to a free on-demand only scanner):  https://www.malwarebytes.com/

    Specialist Malware Removal Forums:

    Pick ONE and read the "Before You Post" instructions.

       • Bleeping Computer: Am I infected? What do I do?

         http://www.bleepingcomputer.com/forums/forum103.html

       • MalwareBytes' Anti-Malware

         https://forums.malwarebytes.com/forum/7-malware-removal-for-windows/

       • SpywareHammer: Malware Removal

         http://spywarehammer.com/post-here-for-malware-removal/

       • Spyware Warrior: Help with spyware removal

         http://www.spywarewarrior.com/viewforum.php?f=5

    7 people found this answer helpful.
  2. Anonymous
    2018-03-12T17:24:52+00:00

    I have Norton Security so I see no reason to scan with those others that you mentioned. The notification from SONAR (Norton) specifically states, powershell.exe tried to do something suspicious. I am still getting the notifications. It happens about every hour or so, every day. It also says, On computer as of 8/20/2017 at 12:05:20 AM and then on each new notification that I get says, Last Used and gives date and time. This is the one that I just got as I was typing this reply, 3/12/2018 at 12:02:18. I have tried to find anything that was added, updated or changed on my computer on 8/20/2017 at 12:05:20 AM and also on 03/08/2018 and I can't find anything. I did a Windows 7 re-install sometime in 2017 but don't remember when, I suppose it's possible it could have been August, but the first of these notifications from Norton's SONAR was on 03/08/2018. So really not sure what to do. I have Googled PowerShell and there are a lot of things that come up that relate to hackers and PowerShell so this makes me very uneasy. The last Windows update was done 03/05/2018 and was KB4054852. I would like to get this resolved.

    2 people found this answer helpful.
  3. LemP 74,855 Reputation points Volunteer Moderator
    2018-03-12T20:23:36+00:00

    If you're so confident of Norton's efficacy, why are you concerned about suspicious behavior?

    I repeat, PowerShell itself is perfectly safe; script files that use PowerShell may be malicious.

    Based on your descriptions, I doubt very much that you'll find anything that was added, updated or changed on your computer at any of those specific dates and times.  It seems much more likely that there is a script file that is being triggered, either by time or by some event.  Whenever the script tries to run, your security software detects it and issues the alert.

    I'm a bit surprised that the Norton alert only mentions PowerShell without also giving you information about the script file.  If that is indeed the case, this is yet another substantial failure of Norton security software.

    Although you can't, in fact, remove PowerShell v.2 from Windows 7, you can do a few things to prevent it from running unauthorized scripts, although a determined attacker can probably circumvent these measures.

    Method 1

    PowerShell is supposed to default to a state in which running scripts is not permitted.  Check this as follows:

    Click Start, type powershell into the Search box, and press Enter

    Type the following in the blue PowerShell Window

         get-executionpolicy

    It should return the word "Restricted"

    If your system is something other than "Restricted" enter the following command

         set-executionpolicy Restricted

    You'll get a warning.  Respond by typing Y to make the change.

    Method 2

    If that isn't sufficient, or if your setting was already Restricted and you are getting the warnings anyway, you can do the following if you have Windows 7 Pro or better.

    Click Start, type gpedit.msc into the Search box, and press Enter.

    In the left pane, navigate to User Configuration > Administrative Templates > System

    In the right pane, double-click on "Don't run specified Windows applications"

    Click the "Enable" radio button, and then click "Show"

    Enter the following items in the list and then OK your way out

         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

         C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe

    If you have a 64-bit system, add these two as well before clicking OK

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

          C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe

    This is a per-user setting.  If you have more than one user account on your computer, you'll have to make the change for each account.  If you're making the changes in a "Standard User" account, in the first step you'll have to right-click on the shortcut for gpedit.msc and select "Run as administrator" rather than simply pressing Enter.

    If the problem recurs even after you make these changes, it means that the malicious script is running under some system account.  In order to find that, you can either search manually or follow the recommendations that I gave earlier.

    Method 3

    Navigate in Windows Explorer to the 2 (or 4 if you have a 64-bit system) *.exe files listed in Method 2 and rename them to have an extension such as exX or the like.  For example:

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exX

    This method is likely to cause a different error message to occur when whatever tries to run the potentially malicious script tries to execute PowerShell.  Again, you'll have to find the place where the script is being invoked.

    From your initial question, it looks as if when you're in Windows Explorer, you're not seeing the file extensions.  Do this in Windows Explorer:

    • Click Tools > Folder Options and then select the "View" tab
    • Scroll down and UNcheck the box to "Hide extensions for known file types"
    • Click OK
    26 people found this answer helpful.
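
The answer above says the alerts most likely come from a script that is triggered by time or by some event, and that the place where it is invoked has to be found. The following is an added example, not part of the thread or of LemP's answer: it lists the execution policy at every scope and then reports scheduled tasks, Run-key entries and WMI event consumers whose command line mentions PowerShell. The function names `New-Hit` and `Find-PowerShellLauncher` are hypothetical, and the scheduled-task check assumes an English-language Windows.

```powershell
# Added example; targets the PowerShell 2.0 built into Windows 7.
# Run interactively from an elevated PowerShell window.

# Execution policy at every scope, not just the effective value from Method 1.
Get-ExecutionPolicy -List | Format-Table -AutoSize

function New-Hit($Source, $Name, $Command) {
    New-Object PSObject -Property @{ Source = $Source; Name = $Name; Command = $Command }
}

function Find-PowerShellLauncher {
    # -match is case-insensitive: any command line that mentions PowerShell is reported.
    $pattern = 'powershell'
    #
    # Time-triggered: scheduled tasks. Get-ScheduledTask does not exist on
    # Windows 7, so parse schtasks.exe output instead.
    # Assumption: English column names ("TaskName", "Task To Run").
    foreach ($t in (schtasks.exe /query /fo csv /v | ConvertFrom-Csv)) {
        # schtasks can repeat the header row; skip those rows.
        if ($t.TaskName -ne 'TaskName' -and $t.'Task To Run' -match $pattern) {
            New-Hit 'ScheduledTask' $t.TaskName $t.'Task To Run'
        }
    }
    #
    # Logon-triggered: Run keys for the machine and for the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match $pattern) { New-Hit $key $name $value }
        }
    }
    #
    # Event-triggered: WMI permanent event consumers that run a command line.
    $consumers = Get-WmiObject -Namespace root\subscription `
        -Class CommandLineEventConsumer -ErrorAction SilentlyContinue
    foreach ($c in $consumers) {
        if ($c.CommandLineTemplate -match $pattern) {
            New-Hit 'WmiEventConsumer' $c.Name $c.CommandLineTemplate
        }
    }
}

# A task with several triggers appears once per trigger; -Unique collapses those rows.
Find-PowerShellLauncher | Sort-Object Source, Name -Unique | Format-List Source, Name, Command
```

The HKCU Run key belongs to the account running the check, so repeat it for each user account. Run it before applying Method 2 or Method 3, since both stop powershell.exe from starting.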