How do I remove a PowerShell virus from my computer?

Anonymous
2024-11-23T14:56:21+00:00

Hello.

I installed a program which AVG antivirus told me was infected with a trojan. I ignored this because I thought it was a false positive, since I was downloading from a trusted source.

However, after downloading this file, strange things started happening, such as PowerShell activating on startup, and a few days later my search engine in Brave and Chrome was changed to binq.co, which I could not change back because it said it was managed by my organization.

I have since uninstalled this program, but it was too late. I have run checks with Malwarebytes, Autoruns and AVG and nothing has helped so far, apart from Malwarebytes, which removed the search engine from Chrome for me; I removed the search engine manually for Brave in the registry.

But it seems that the virus changes permissions in the registry and adds this random website as my search engine. It keeps popping up on the list of users as Account Unknown (picture provided below).

I have removed this user from ALL permissions tabs in the registry, but it keeps popping up again whenever I restart or reboot my PC, because PowerShell seems to keep adding it. I do NOT have any issues with the search engine any more since I removed this user from the registry, but the user keeps adding himself through PowerShell and I am certain this will happen again. I have also installed Gridinsoft Anti-Malware, and it detected that something is happening in PowerShell (picture provided below); however, I cannot remove this virus using GridIn because GridIn requests a paid version to remove the virus, and I cannot activate the free trial because an error keeps popping up that their servers are too busy.

I would be grateful for any help regarding this and how to remove this virus.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community.


4 answers

  1. Anonymous
    2024-11-23T15:31:19+00:00

    PowerShell is not a virus. It's a Windows tool like Command Prompt. You can right-click on it in the Start menu and click Uninstall.

  2. Anonymous
    2024-11-23T16:45:25+00:00

    I am aware that PowerShell in and of itself is not a virus; however, as shown in the photos and my explanation, PowerShell seems to be running a script on startup (mind you, in the 2 years I have owned this PC, PowerShell never showed itself on startup), and keeps adding a sketchy user and giving him permissions to edit my registry, and GridIn identifies that there is a virus on the PC, as shown in the photos.

  3. Anonymous
    2024-11-23T16:51:13+00:00

    PowerShell might be in your start-up folder.

    Try these methods:

    Remove PowerShell from start-up:

    1. Open task manager
      1. Right Click on task bar
      2. Select Task Manager
    2. Navigate to the start up tab
    3. Find PowerShell, right click it
    4. Select Disable

    Remove PowerShell from the start-up folder:

    1. Hold down Win Key + R
    2. Type
      %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp
    3. Press OK
    4. If PowerShell shows in the folder, delete it.
  4. Manoel Barros 16,830 Reputation points Independent Advisor
    2024-11-23T18:32:55+00:00

    Hello! I'm Manoel Barros!

    The recommendation for these cases is to perform a Clean Install of Windows. Even if you scan and try to remove the virus with an antivirus, some viruses disguise themselves as system processes or have very high privileges.

    But you can try to eliminate the virus by performing the troubleshooting below:

    1. Download the Kaspersky Virus Removal Tool.

    https://www.kaspersky.com/downloads/free-virus-...

    NOTE: This is not a Microsoft site, but it appears to provide accurate and reliable information. Be aware of ads that may advertise products that are often classified as PUP (Potentially Unwanted Products). Research any product advertised on the site before deciding to download and install it.

    2. Before running the Kaspersky Virus Removal Tool, scan using Windows Defender. Type "Windows Security" in the Search Bar > Open the program > Click "Virus and threat protection".
    3. Under "Verification Options" (marked in blue), choose the option "Microsoft Defender Offline Verification" > Verify Now.
    4. When the scan is complete, enter Safe Mode.

    Safe mode.

    1. Press the shortcut CTRL + R > Type "msconfig" (without quotation marks) > Click on the tab System Boot > Check the option "Secure Boot" > Apply > OK.
    2. Restart the computer > When rebooting, scan your computer using the Kaspersky Virus Removal Tool.
    • Select all volumes to scan.
    3. To exit Safe Mode, press the shortcut CTRL + R again > Type "msconfig" > Click on the tab General > Select Normal Boot > Apply > OK > Restart your computer.

    Clean Install (Recommended)

    ATTENTION: Restore is not always able to "clean" Windows 100%. Some issues may still persist after Restoration.

    Therefore, we recommend performing a Format and Clean Installation of Windows, which ensures that the problem is resolved, and that Windows has 100% intact and original files.

    ATTENTION: You must manually back up your files to another location, as all files and programs will be deleted. If you do not have experience and knowledge, take your device to a specialized and trustworthy technical assistance!

    1. In the link below, Kapil Arya MVP explains how to do a Clean Format.

    https://answers.microsoft.com/en-us/windows/for...

    2. Update Windows and install drivers via Windows Update.

    ATTENTION: Do not use third-party programs to install drivers (only from the Manufacturer or Windows Update).

    Update Windows and Drivers

    1. Open System Configuration > Click "Update & Security" > "Windows Update" > "Check for Updates".
    2. Download all available updates. Click "Show optional updates" (marked in blue) > Select all drivers and updates > Click "Download and Install".
    3. When everything is finished, restart the computer > See if the problem appears while performing the steps above.

    I look forward to your feedback on the issue! If your problem is solved, please review the topic so I can help other users with this issue.

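Added example, not part of the thread and not written by any of the posters: a PowerShell triage script that does in one pass what answers 3 and 4 describe by hand, plus the registry checks the question itself raises. It lists the Run/RunOnce keys and both Startup folders from answer 3 (resolving .lnk shortcuts to the command they launch), then the two autostart locations Task Manager does not show, scheduled tasks and WMI permanent event consumers, filtering each for PowerShell-style command lines. It then dumps the Chrome and Brave policy keys, which are what produces the "managed by your organization" banner and the forced search provider, and prints any ACE on those keys whose principal no longer resolves to a name, which is what regedit displays as "Account Unknown". The Defender cmdlets behind answer 4's scan are at the end, commented out because the offline scan reboots the machine. Registry and policy paths are the documented Windows, Chrome and Brave locations; the `$pattern` keyword list is my own assumption and should be tuned. Run it from an elevated PowerShell window.

```powershell
# Added triage script; not from the thread. Run in an elevated PowerShell window.
# Assumption: $pattern is a hand-picked list of strings common in PowerShell-based
# autostart entries (interpreter names, encoded commands, download-and-run idioms).
$ErrorActionPreference = 'SilentlyContinue'
$pattern = 'powershell|pwsh|EncodedCommand|\s-e(nc)?\s|FromBase64String|Invoke-Expression|\bIEX\b|DownloadString|-w(indowstyle)?\s+hidden'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegValues($key) {
    # Name/value pairs of one registry key, minus the metadata PowerShell adds to every object.
    $p = Get-ItemProperty -Path $key
    if ($null -eq $p) { return }
    $p.PSObject.Properties | Where-Object { $_.Name -notin $metaProps }
}

Write-Host "== Run/RunOnce keys (these back most of Task Manager's Startup tab) =="
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' | ForEach-Object {
    $key = $_
    Get-RegValues $key | Where-Object { "$($_.Value)" -match $pattern } |
        ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
}

Write-Host "== Startup folders (all-users one from answer 3, plus the per-user one) =="
$shell = New-Object -ComObject WScript.Shell
"$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" | ForEach-Object {
    Get-ChildItem -Path $_ -Force -File | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {            # a shortcut hides the real command; resolve it
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        $flag = if ($target -match $pattern) { '[PS] ' } else { '' }
        "{0}{1} -> {2}" -f $flag, $_.Name, $target
    }
}

Write-Host "== Scheduled tasks whose action launches PowerShell =="
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) { "{0}{1}: {2}" -f $t.TaskPath, $t.TaskName, $cmd }
    }
}

Write-Host "== WMI permanent event consumers (run at boot, invisible to Task Manager) =="
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer |
    ForEach-Object { "{0}: {1} {2}" -f $_.Name, $_.ExecutablePath, $_.CommandLineTemplate }

Write-Host "== Chrome/Brave policy keys (source of 'managed by your organization') =="
'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome',
'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave', 'HKCU:\SOFTWARE\Policies\BraveSoftware\Brave' |
    Where-Object { Test-Path $_ } | ForEach-Object {
        $key = $_
        Get-RegValues $key | ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
        Get-ChildItem -Path $key -Recurse | ForEach-Object { "  subkey: " + $_.Name }
        # ACEs whose principal no longer resolves to a name: regedit shows these as "Account Unknown".
        (Get-Acl -Path $key).Access | Where-Object { "$($_.IdentityReference)" -match '^S-1-' } |
            ForEach-Object { "  unresolved SID on ACL: {0} ({1})" -f $_.IdentityReference, $_.RegistryRights }
    }

Write-Host "== Defender status; the cmdlets behind answer 4's scan are commented below =="
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
# Update-MpSignature; Start-MpScan -ScanType FullScan   # signature update + full scan inside the running OS
# Start-MpWDOScan                                        # Microsoft Defender Offline scan: reboots immediately
# bcdedit /set {current} safeboot minimal                # boot into Safe Mode on next restart (bcdedit, not msconfig)
# bcdedit /deletevalue {current} safeboot                # return to normal boot
```

Anything the script prints under the Run keys, Startup folders, scheduled tasks or WMI consumers is a concrete entry to remove; deleting the "Account Unknown" ACE alone, as the question describes, only treats the symptom, because whichever autostart entry launches PowerShell will re-create it on the next boot. A policy key on a home PC that nobody joined to a domain or MDM is itself the finding: remove the whole key, not just the `DefaultSearchProvider*` values, since forced-install extension lists live in its subkeys.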