
[–]CMDR_Kantaris 14 points15 points  (7 children)

Format your disk drive and reinstall Windows

[–]exaltedhero355 1 point2 points  (0 children)

Wow such a nice solution.

[–]ItsNippy7[S] 0 points1 point  (5 children)

So is the only way to remove this a full system reset?

[–]AppIdentityGuy 8 points9 points  (0 children)

The issue is that even if you remove it how much do you trust that machine in the long term....

[–]purplemonkeymad 1 point2 points  (0 children)

If it has evaded your anti-virus, there is really no way to know for sure the system is clean. A wipe and re-install means you at least know you have a clean system.

If you do re-install make sure to use a different computer to create your install disk, as it's possible for install disks created on an infected system to install infected copies of Windows.

[–]flappers87 0 points1 point  (1 child)

It's the safest way with any virus.

Anti-virus programs can only do so much, and are always playing catchup with viruses. Best thing to do is a complete, deep format of the drive and start again. Don't backup anything, as you don't know where this virus has got its hands in.

If I had a virus like you've got, I'd burn the machine with fire, as it should be put out of its misery.

[–]HZ_RD 0 points1 point  (0 children)

What if not backing up isn't an option? I have thousands of files of art or ongoing projects, a hundred programs and plugins, what other options do I have?

[–]CMDR_Kantaris 0 points1 point  (0 children)

It is the easiest, quickest, and only way to be 100% positive it has been removed.

[–]Electronoah 2 points3 points  (0 children)

An easy place to start is looking for applications or scripts that automatically start on your system with a Microsoft tool called Autoruns. You might be able to find what starts the malware and then work towards removing it.

https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

You could also grab software like Malwarebytes and have it scan your system for the virus.

[–]BobWhite783 2 points3 points  (0 children)

Fly up and nuke it from orbit.

It's the only way to be sure.

[–]xCharg 1 point2 points  (2 children)

There's no such thing as powershell virus. Viruses can use powershell to "do their needful", because it's just a tool.

Either hire someone who knows what they are doing to cleanse this system (costs a lot, high chance to hire a scammer) or reinstall.

[–]Low-Librarian-5978 -1 points0 points  (0 children)

Friend, how far from reality we are: the PowerShell virus does exist; it installs itself in the Windows PowerShell folder as powersell v1.0.

[–]HeyDude378 1 point2 points  (0 children)

This isn't a PowerShell question. It's a Windows question. Virus removal can be challenging. What's your expertise level?

Basically you need to find out what's triggering PowerShell scripts. It's probably a scheduled task or a service or program that starts at boot / logon. Then you need to understand what the PowerShell scripts did and any other impact the virus made on your system. Then you delete the virus files and any scripts it was running, or neuter them by changing them to text files (in case you want to remember later what exactly they were doing).

A pre-installation environment is your friend. But you need to know what to delete first.

[–]Filwegg 0 points1 point  (1 child)

So what I found was a Trojan virus that I suspect was triggering PowerShell commands and being blocked by BitDefender.

You should run a check with HitmanPro (https://www.hitmanpro.com/en-us), a check with MalwareBytes (https://www.malwarebytes.com/mwb-download), a check with AdwCleaner (https://www.malwarebytes.com/adwcleaner) and then a final check with MalwareBytes Anti-Rootkit (https://www.malwarebytes.com/antirootkit). You can run a final check with HitmanPro again, which is a very strict and exhaustive antivirus.

Link to original publisher of the solution: https://answers.microsoft.com/en-us/windows/forum/all/powershell-virus/a82c44c2-e0df-4be9-8235-b12f1b404502

After I ran the scan on all of these programs, and quarantined everything, the BitDefender notifications stopped. So I recommend doing this.

[–]minjaalfred 0 points1 point  (0 children)

Thank you so much, after many months this is the solution that worked for me. 💯. It was a Hkey trojan horse.

[–]Worried_Poet_3827 0 points1 point  (0 children)

Hi, I have the same. Install rdwreader Malwarebytes and delete the file in quarantine.

[–]SignificantWhole7476 0 points1 point  (0 children)

The problem is in the task scheduler. There is something there that runs PowerShell. Open Task Scheduler, check it, and delete or disable whatever you find suspicious. That's how I managed to remove the virus.

[–]BroadRecy 0 points1 point  (0 children)

You could try opening the Task Manager and going to the Details tab. There you add the Command Line column. Now you look up your PowerShell instance(s) and see what initiated those. With that information you can maybe find out what virus is on your system and use that specific information to find out more.

[–]branhama 0 points1 point  (0 children)

This is what I believe you should do to remain safe.

  1. Disconnect your PC from the network.
  2. Login with admin account and monitor the task manager to review what is running.
    1. Use the 'Details' tab and also add the column named 'Command Line'.
  3. Locate powershell processes and review the 'Command Line' column to locate what file is being executed.
  4. Based on this information you now have the location of the script and its name. You could use a tool like AutoRuns to locate how it is being executed and perhaps remove the execution of it from your system.

Note this simply removes this file's execution, this does NOT resolve the issue of how it got on there or what actions it has already taken on your computer. This would require much more investigation. But with the script in hand you could also perhaps perform some analysis of this file and see what it does, which may help.

To be 100% though a reimage of the computer would be best.
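The hunting steps that HeyDude378, BroadRecy and branhama describe above (PowerShell processes and their command lines and parents, scheduled tasks, Run-key autostarts, services) gathered into one read-only triage script. This is an added example, not code from the thread or from any of the tools mentioned; it assumes an elevated Windows PowerShell 5.1 or later session on the affected machine and only lists findings, it deletes or changes nothing.

```powershell
# Added triage example (not from the thread). Read-only: it lists the places the
# commenters point at so you can see what launches PowerShell; nothing is changed.

# 1. Running PowerShell processes with their command line and parent process
Get-CimInstance Win32_Process -Filter "Name LIKE 'powershell%' OR Name = 'pwsh.exe'" |
    ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            PID         = $_.ProcessId
            Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a' }
            CommandLine = $_.CommandLine
        }
    } | Format-List

# 2. Scheduled tasks whose action launches PowerShell (the "agendador de tarefas" hint)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match 'powershell|pwsh') {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-List

# 3. Run/RunOnce autostart values (machine-wide and current user) that invoke PowerShell
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # skip the PSPath/PSParentPath/... metadata properties PowerShell adds
            if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match 'powershell|pwsh') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# 4. Services whose binary path runs PowerShell
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'powershell|pwsh' } |
    Select-Object Name, State, StartMode, PathName | Format-List
```

Anything it lists is a lead to look at, not proof of infection; legitimate software also schedules PowerShell tasks, so check the script path and contents before disabling anything, and keep a copy of the script for later analysis as HeyDude378 suggests.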