Hello!
So basically a few days ago I was chilling. I had an update, so I restarted my computer, and as soon as I restarted (and signed in), Windows Defender alerted me that there's a PowerShell virus and some app or thing is using PowerShell to create malware.
I used Microsoft Live Chat but they took a lot of time. Responded at 1.42am.
Then today when I press "Take Action, Remove" it added more viruses.
Anyone please help. As I am writing this now, my PC is lagging.
Viruses
CmdLine: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA
CmdLine: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA
Trojan 1
amsi: \Device\HarddiskVolume2\Users\User\AppData\Roaming\Programs\winet.exe
Trojan 2
C:\Users\User\AppData\Roaming\Windows\services.exe
I need help with how to get rid of this.
PC info/specs
Device name MH-and-HMs-Desktop
Processor Intel(R) Core(TM) i7-5600U CPU @ 2.60GHz 2.59 GHz
Installed RAM 8.00 GB (7.70 GB usable)
Device ID 35965E25-DDD7-40DB-BFA9-C30EDB8A59DE
Product ID 00330-80000-00000-AA234
System type 64-bit operating system, x64-based processor
Pen and touch No pen or touch input is available for this display
Edition Windows 10 Pro
Version 21H2
Installed on 15-May-2021
OS build 19044.1620
Experience Windows Feature Experience Pack 120.2212.4170.0
Locked Question. This question was migrated from the Microsoft Support Community.
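The two CmdLine detections in the question carry the same -EncodedCommand value. The following is an added example, not part of the original thread, that decodes such a value for triage and reports whether the decoded script changes Microsoft Defender preferences; the function names and the watch-list pattern are assumptions of this example.

```python
import base64
import binascii
import re

# Detection line exactly as posted in the question (blob split for readability).
DETECTION = (
    r"CmdLine: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe "
    "-EncodedCommand "
    "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMA"
    "ZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQA"
    "aAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIA"
    "bwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQA"
    "ZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
)

# "-Name value" pairs whose value looks like base64.
ARG = re.compile(r"\s-(\w+)\s+([A-Za-z0-9+/=]{8,})")

# Defender preference changes worth flagging (assumed watch list for this example).
TAMPER = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-(Exclusion(?:Path|Extension|Process)|Disable\w+)"
)


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand (or a prefix of it), else None."""
    for name, blob in ARG.findall(cmdline):
        name = name.lower()
        # powershell.exe accepts -e, -en, -enc ... and the alias -ec.
        if name != "ec" and not "encodedcommand".startswith(name):
            continue
        try:
            # The argument is base64 over UTF-16LE text.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def triage(cmdline):
    """Decode the command and report which Defender setting it touches, if any."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return None
    hit = TAMPER.search(script)
    return {"script": script, "defender_setting": hit.group(1) if hit else None}


if __name__ == "__main__":
    print(triage(DETECTION))
```

For the line posted here, the decoded script is `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, which adds the user profile and the system drive to Defender's exclusion list.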
You're welcome Muhammad. All looks good in the log.
To remove FRST and its folders, rename FRST64.exe to uninstall.exe and run it.
Also, if any particular reply provided the solution, please mark it so by pressing Yes below that post.
Hi Muhammad,
Download Fixlist.txt from the link below, then run FRST and press the Fix button.
FRST will restart the computer when it finishes processing the script.
Could you please post the resulting Fixlog from your Downloads directory and let me know if any problems remain.
Thank you so much!
Windows Defender now has a verified green checkmark and no more viruses.
Here are the fixlogs anyway: Drive link
Hi Muhammad, if you could scan with Farbar Recovery Scan Tool (FRST), and share the logs it creates, I'll help you remove it.
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Run FRST as administrator, use default settings and press Scan. Two logs are created in the folder that FRST is run from, FRST.txt and Addition.txt. Zip the logs and share on OneDrive, Google Drive or any file sharing service, then post the share link.
Okay! Here is the sharing link for the logs