Could you upload and share the logs?
Erasing PowerShell Trojan Virus
I am not a techy so need some help. I have discovered the Powershell Trojan on my PC at C:\Windows\System32\WindowsPowerShell\v1.0\ and I am at a loss what to do. I am the only user and administrator on the PC. Can anyone help here? I have tried virus scans and malware scans (multiple ones including Defender) but it is not identified as a threat. Sometimes it sucks in all of my 16 GB RAM. When I try to delete it in Command it says I do not have the rights to delete it using Takeown /F C:\Windows\System32\WindowsPowerShell\v1.0. I am the only user and administrator.
I have tried going in through properties and this does not allow me to make any changes, and I don't know if it would work but I don't know how to get into Defender to quarantine the file.
Help!!!!
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
-
Anonymous
2023-08-16T06:50:02+00:00 Thanks for your help. I ran the software and this part of the log may give you an insight and I would welcome your thoughts on what to do!!
==================== Other Areas ===========================
(Currently there is no automatic fix for this section.)
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\Path -> C:\Program Files (x86)\Intel\iCLS Client;C:\Program Files\Intel\iCLS Client;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0;%SYSTEMROOT%\System32\OpenSSH;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Intel\Intel(R) Management Engine Components\IPT;C:\Program Files\Intel\WiFi\bin;C:\Program Files\Common Files\Intel\WirelessCommon\
HKU\S-1-5-21-3674254590-2644969954-436516507-1000\Control Panel\Desktop\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
HKU\S-1-5-21-3674254590-2644969954-436516507-1001\Control Panel\Desktop\Wallpaper -> C:\Users\Donal\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\167.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost => (EnableWebContentEvaluation: 1)
Windows Firewall is enabled.
-
Anonymous
2023-08-16T06:48:54+00:00 Thanks for your help but the software did not recognise the trojan
-
_AW_ 67,926 Reputation points Volunteer Moderator 2023-08-15T23:11:09+00:00 If the above advice doesn't work, please upload and share logs from Farbar Recovery Scan Tool (FRST).
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
- Run FRST and press Scan.
- Two logs are created in the folder that FRST is run from, FRST.txt and Addition.txt.
- Upload the logs to OneDrive, Google Drive or any file sharing service.
- Post the share link.
Note: If you are downloading FRST with Edge, SmartScreen will initially block it.
Click on the 3 dots next to the warning and select Keep -> Show more -> Keep anyway.
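Before sharing FRST logs, a quick triage from an elevated PowerShell prompt can tell you whether the files in the folder the question names are Windows' own signed PowerShell binaries, and what is actually launching the PowerShell process that consumes the RAM. The script below is an added example written for this thread, not code from the original posts or from FRST; it only reads information and changes nothing. The directory path is the one quoted in the question; everything else is standard Windows cmdlets.

```powershell
# Added example (not from the thread): read-only triage of the PowerShell
# directory and of the processes / scheduled tasks that launch PowerShell.
$psDir = 'C:\Windows\System32\WindowsPowerShell\v1.0'

# 1. Authenticode check: the genuine Windows PowerShell binaries in this
#    folder carry a valid Microsoft signature. A file here with Status other
#    than 'Valid', or a non-Microsoft signer, is what deserves attention.
Get-ChildItem -Path $psDir -Include *.exe, *.dll -Recurse |
    Get-AuthenticodeSignature |
    Select-Object @{ n = 'File';   e = { Split-Path $_.Path -Leaf } },
                  Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } } |
    Format-Table -AutoSize

# 2. Running instances: a legitimate powershell.exe that eats memory was
#    started by something. The parent process and command line show what,
#    and this is the detail an FRST reviewer will want to see.
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
    ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            PID         = $_.ProcessId
            ParentPID   = $_.ParentProcessId
            Parent      = $parent.Name
            WorkingSet  = '{0:N0} MB' -f ($_.WorkingSetSize / 1MB)
            CommandLine = $_.CommandLine
        }
    } | Format-List

# 3. Scheduled tasks whose action runs PowerShell are a common place for
#    a script to be re-launched at logon or on a timer; list them for review.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { $_.Execute -match 'powershell|pwsh' } |
        ForEach-Object {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
} | Format-Table -Wrap
```

Run it as administrator so every process's command line is visible. If step 1 shows only Microsoft-signed files with Status Valid, the folder itself is the built-in PowerShell and deleting it (which Takeown on a system directory will not let you do anyway) would not remove the problem; the parent process and task entries from steps 2 and 3 point at whatever is starting PowerShell, and those are the lines worth quoting alongside the FRST.txt and Addition.txt logs.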
-
Anonymous
2023-08-15T22:23:47+00:00 Hi, I'm Elise, a fellow user like yourself and I'd be happy to help with your issue.
You may wish to try a different app such as MalwareBytes and see if this can remove the issue.
Please let me know if you need any further assistance.
Kind Regards,
Elise
Note: This is a non-Microsoft website. The page appears to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.