How to delete PowerShell virus?

Anonymous
2023-10-21T15:33:09+00:00

I am having one virus in PowerShell, and sometimes PowerShell opens by itself, without ME opening it.

The virus is so sophisticated that Microsoft Defender, when I scan with PC Manager, is able to detect it, but Microsoft Defender is not able to delete it. The PowerShell virus is like this. Look at the screenshot of GridinSoft Anti-Malware that I attached for you, because GridinSoft Anti-Malware is also able to detect the virus but not able to delete it. GridinSoft Anti-Malware, which is supported by one antivirus and computer security in Israel, says you have to reboot your computer and then it will delete the virus, but after the reboot and one new scan with GridinSoft Anti-Malware the PowerShell virus is still there. Neither GridinSoft Anti-Malware nor Microsoft Defender is able to delete this PowerShell virus. They can only detect it and try to delete it, but they cannot delete it. The exact name of the virus and where it is are in the screenshot of GridinSoft Anti-Malware.

Windows for home | Windows 11 | Security and privacy

This question was migrated from the Microsoft Support Community.

7 answers

  1. _AW_ 64,136 Reputation points Volunteer Moderator
    2023-10-21T22:52:21+00:00

    Hi Arsim, that will be triggered by a scheduled task.

    Download Autoruns:

    https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

    • Unzip autorun64.exe, then right click and run as administrator.
    • In the Quick Filter enter: powershell
    • Click on each entry found, then look to the bottom of autoruns and you'll see the command line
    • If it matches the script file referenced in your picture, right click that entry and delete.

    Let me know if this resolves the issue.

    
    If you have any problems, press Ctrl + S and save the autoruns log.
    
    Share the log on your OneDrive or similar.
    
    Post the link with your reply.
    
    10 people found this answer helpful.
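
The Autoruns filter described in the answer above looks for startup entries whose command line mentions PowerShell; the same kind of listing can be produced from an elevated PowerShell prompt. This is an added example, not part of the original thread: it only reads scheduled tasks and Run keys and changes nothing, and the `$pattern` and `$suspicious` expressions are assumptions chosen for illustration.

```powershell
# Added example: read-only inventory of autostart entries that launch PowerShell.
# Run from an elevated PowerShell prompt. Nothing is deleted or changed.

$pattern = 'powershell|pwsh|\.ps1'   # same idea as the Autoruns quick filter

# 1. Scheduled tasks whose action runs PowerShell or a .ps1 script
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions carry Execute/Arguments; COM handler actions do not
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $pattern) {
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = $task.TaskPath + $task.TaskName
                Author  = $task.Author
                Command = $cmd
            }
        }
    }
}

# 2. Run / RunOnce registry values for the machine and the current user
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runs = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($valueName)
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Source = $key; Name = $valueName; Author = ''; Command = $cmd }
        }
    }
}

# Mark commands that hide the window, pass an encoded script, or bypass policy
$suspicious = '-w(in(dowstyle)?)?\s+h|-e(nc(odedcommand)?)?\s|-(ep|executionpolicy)\s+bypass'
@($tasks) + @($runs) | Where-Object { $_ } |
    Select-Object Source, Name, Author, Command,
        @{ n = 'Review'; e = { $_.Command -match $suspicious } } |
    Sort-Object Review -Descending |
    Format-List
```

Autoruns covers more startup locations than these two, so an empty result here does not rule out an entry elsewhere.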
  2. DYARI BARHAM 29,966 Reputation points Independent Advisor
    2023-10-21T16:08:14+00:00

    Hi Arsim,

    I'm Dyari. Thanks for reaching out. I will be happy to assist you in this regard.

    Kindly try the steps below:

    Uninstall all third-party security software and scan for viruses & malware with the free Malwarebytes:

    https://www.malwarebytes.com/mwb-download

    You can find more steps to disinfect your computer:

    https://answers.microsoft.com/en-us/windows/for...

    Please do not hesitate to ask if you need further assistance.

    Stay safe.

    ____________________________________________________________

    Standard Disclaimer: There are links to non-Microsoft websites. The pages appear to be providing accurate, safe information. Watch out for ads on the sites that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the sites before you decide to download and install it.

  3. Anonymous
    2023-10-21T16:31:50+00:00

    I have free Malwarebytes installed on my computer, but free Malwarebytes is not able to detect this kind of PowerShell virus.

    As I said, only GridinSoft Anti-Malware or Microsoft Defender (when I do the scan with the new Microsoft software PC Manager) is able to detect this kind of PowerShell virus, but none of this antivirus software is able to delete the virus, and PowerShell opens by itself on my computer.

    And I read that this kind of PowerShell virus is very dangerous because hackers can steal your banking information or all your other e-mail and password information.

    But I secured everything I have on the Internet with two-step verification, and hackers are not able to steal anything from ME for now.

    Is there any other way to delete this virus manually?

    I deleted many PowerShell virus files that were in C drive and Extinctions folder and also by the C, Users, Public folder, but this one is left and I cannot find it to delete it manually.

    By Spotify folder the virus file does not exist. I also searched my whole C drive with the name of the virus file, but my computer could not find it.

    On the other side, the antiviruses GridinSoft Anti-Malware and Microsoft Defender report that I have a PowerShell virus on my computer.

    We have to find one way to delete this kind of virus files once and forever and that after one Computer restart, the virus cannot come back again.

    1 person found this answer helpful.
  4. Anonymous
    2023-10-22T00:41:21+00:00

    Thank you _AW_, you have helped ME. Now GridinSoft Anti-Malware reports that there is no longer any PowerShell virus on my Windows 11 PC.

    As you advised ME, I extracted and opened Autoruns64 and searched for the entry or file SwfW5w4.ps1. It was not to be found anywhere, but there was one Linux subsystem and Android subsystem entry that was suspicious and did not have too much info, unlike all the other entries, and I deleted that. The PowerShell virus that was opening my Windows PowerShell by itself was deleted also, and now I am safe, because I read that this kind of PowerShell virus is very dangerous because hackers can steal your banking data and passwords on every web page that you log in to.

    Thank you very much for your help _AW_

    GOD bless You.

    Arsim Murtezi

    2 people found this answer helpful.
  5. DYARI BARHAM 29,966 Reputation points Independent Advisor
    2023-10-22T07:14:33+00:00

    Thanks for updating me Arsim,

    It seems there is a PowerShell script infected with malware. Since you want to be assured that your computer is safe and secure and since the other security software did not detect the malware, I would suggest performing a Windows reset or even going through a clean install. By this, no malware and viruses will remain on your computer.

    https://www.elevenforum.com/t/repair-install-wi...

    https://answers.microsoft.com/en-us/windows/for...

    By the way, you did a great job by enabling 2SV. Your accounts should be protected and safe.

    ____________________________________________________________

    Standard Disclaimer: There are links to non-Microsoft websites. The pages appear to be providing accurate, safe information. Watch out for ads on the sites that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the sites before you decide to download and install it.

    1 person found this answer helpful.