
Can't remove powershell.exe marked as Trojan, HEUR:Trojan-Downloader.BAT.Agent.gen



Posted

I'm not using English Kaspersky.
Issue: powershell.exe is repeatedly marked as a trojan and cannot be removed completely.
OS: Windows 11
Kaspersky Plus

Context: Seems to be a trojan I got from running a bad .exe


Full process:

First ran it yesterday (Windows Security detected and removed the supposed trojan right away), but it hadn't started until the first startup of today: PowerShell ran weird commands, and my Discord account was the first to get infected. I have already changed the password; so far no other account has been infected. PowerShell hasn't started up since, even if I were to try restarting my PC.

A ScreenImage.png was created in the temp folder and seems to be updated regularly; it was first generated at the same time I started up my PC. I haven't restarted the PC since I started doing a full scan with Kaspersky, so I'm not sure whether it stopped because of the scan or whether screenshots are only taken after startup.

It seems that a registry key related to PowerShell was removed? I did find a suspicious PowerShell registry key manually but wasn't sure whether it was genuine; I can no longer find it (Kaspersky may have removed that very same registry key).
[screenshot]

[screenshot]

I'm not sure how I should proceed next; any help would be appreciated. I can provide more information if needed.

Posted

More detail on the scans I did; I don't know whether it's helpful or not.

[screenshot]

 

harlan4096
Posted

Welcome to Kaspersky Community.

 

Please provide the exact version of KPlus 21.x.

 

Also, the captures attached have very low quality; it's almost impossible to distinguish anything there.

 

Could you also temporarily change into English (with the K. main interface window open, press the key combination SHIFT + F12; SHIFT + F5 to revert) and retake the captures with better quality, please?

  • Like 1
Posted (edited)

Exact version: 21.24.8.522(a)
Initially I gave up on changing the interface into English, as I couldn't find the option anywhere, but it worked, thanks.
I don't understand why, but my screenshots always seem to be quite low resolution; please see whether it's working properly or not.
[four screenshots]

I'll copy-paste the content of the other scans:


Disinfect scan:

Result description: Disinfected
Type: Trojan
Name: HEUR:Trojan.Multi.Powesta.d
Precision: Exactly
Threat level: High
Object type: File
Object name: Run:Windows PowerShell v1.0
Object path: reg:\HKU\S-1-5-21-1158635976-3454111911-2512903236-1001\Software\Microsoft\Windows\CurrentVersion

Background Scan:

Result description: Detected
Type: Trojan
Name: HEUR:Trojan.Multi.Powesta.d
Precision: Exactly
Threat level: High
Object type: File
Object name: Run:Windows PowerShell v1.0
Object path: reg:\HKU\S-1-5-21-1158635976-3454111911-2512903236-1001\Software\Microsoft\Windows\CurrentVersion
Reason: Expert analysis
Databases release date: Today, 3/14/2026 8:00:00 AM

Result description: Not processed
Type: Trojan
Name: HEUR:Trojan.Multi.Powesta.d
Precision: Exactly
Threat level: High
Object type: File
Object name: System Memory
Reason: Skipped

Edited by QQxR
  • Like 1
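The Disinfect entry above names an autostart value ("Run:Windows PowerShell v1.0") under the user's HKU\<SID>\Software\Microsoft\Windows\CurrentVersion key, i.e. a Run-key persistence entry that relaunches a script at every logon. The following is an added example, not code from the thread or from Kaspersky: a read-only PowerShell audit of the Run/RunOnce keys and the Startup folders that lists every entry and flags the ones whose command line launches PowerShell or another script host. The keyword list is an assumption about what typically marks a script-based autostart and is meant to steer manual review, not automatic deletion. Run it from an elevated PowerShell 5.1 prompt so the HKLM keys are readable too.

```powershell
# Added example (not from the thread): read-only audit of Run/RunOnce keys and
# Startup folders for entries that launch PowerShell or another script host.
# Nothing is modified; review the rows marked REVIEW by hand.

# Assumption: these substrings commonly mark script-based autostart entries.
$script:SuspiciousPattern = 'powershell|pwsh|encodedcommand|\s-e[nc]*\s|-w(indowstyle)?\s+hidden|bypass|\.ps1|\.bat|\.cmd|\.vbs|\.js\b|wscript|cscript|mshta'

# Properties Get-ItemProperty adds for its own bookkeeping; they are not registry values
$script:ProviderMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($script:ProviderMeta -contains $prop.Name) { continue }
            $command = [string]$prop.Value
            [PSCustomObject]@{
                Location = $key
                Name     = $prop.Name
                Command  = $command
                Flag     = if ($command -match $script:SuspiciousPattern) { 'REVIEW' } else { '' }
            }
        }
    }
}

function Get-StartupFolderEntries {
    $dirs = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [PSCustomObject]@{
                Location = $dir
                Name     = $_.Name
                Command  = $_.FullName
                Flag     = if ($_.Name -match $script:SuspiciousPattern) { 'REVIEW' } else { '' }
            }
        }
    }
}

Get-RunKeyEntries        | Format-Table -AutoSize -Wrap
Get-StartupFolderEntries | Format-Table -AutoSize -Wrap
```

A value whose command contains `powershell` together with `-w hidden`, `-enc` or a `.ps1` path, and that you did not create yourself, is the kind of entry the scan result above refers to; compare its name against the one Kaspersky reported before touching it.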
Posted

FULL SCAN COMPLETED, 1 OBJECT NOT PROCESSED

I've finished running the full scan. I still don't understand why PowerShell was marked as malicious but can't be removed. I'm currently way too anxious and paranoid to do anything on my PC at all. Why would PowerShell be marked as malicious? Is this common? Are there any possible ways to check for damage? How should I proceed next, or am I fine for now? Are there any extra steps for checking for remnants, some leftovers? What is this type of attack? How long would it last? Do I have to monitor my PC for a while for any unusual activity, or is that not needed? Is an OS reinstall even needed? (I have a lot of files I'm too afraid to lose.) I'm not even sure if I can trust Kaspersky. I'm clearly clueless on how to read these results Kaspersky is sending out, so any help at all would be appreciated.

Currently identified damage: Steam account, EA account, Discord account. I minimized the damage by suspending the accounts or changing passwords. Other accounts seem to be fine for now.

I'm horrible with pressure, and stuff like this puts a heavy toll on me mentally.

Full copy-paste of the Detected and Not processed powershell.exe events:

Event: Malicious object detected
User: DESKTOP-NPN53GS\Admin
User type: Initiator
Application name: powershell.exe
Application path: C:\Windows\System32\WindowsPowerShell\v1.0
Component: AMSI Protection
Result description: Detected
Type: Trojan
Name: HEUR:Trojan-Downloader.BAT.Agent.gen
Precision: Heuristic analysis
Threat level: High
Object type: File
Object name: amsi_stream_952
Object path: uid://
MD5 of an object: B3127F27D52B5A4B709C5ABD09B52141
Reason: Expert analysis
Databases release date: Today, 3/14/2026 2:30:00 PM

Name: HEUR:Trojan-Downloader.BAT.Agent.gen
Precision: Heuristic analysis
Threat level: High
Object type: File
Object name: amsi_stream_952
Object path: uid://
MD5 of an object: B3127F27D52B5A4B709C5ABD09B52141
Reason: Logged



[four screenshots]
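The AMSI events above name the object as `amsi_stream_952` with path `uid://`: AMSI hands Kaspersky the script text PowerShell is about to execute, so what was detected is an in-memory buffer rather than a file on disk, which is why powershell.exe is listed as the application and why there is nothing for the scanner to delete. The text itself is usually also recorded by PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log): Windows writes that event automatically, at Warning level, for script blocks PowerShell considers suspicious, and for every block once the policy "Turn on PowerShell Script Block Logging" is enabled. The following added example (not from the thread or from Kaspersky) reads those events, hashes each block's text with MD5 in both common encodings to try to match the hash Kaspersky reported, and separately lists the Warning-level blocks. The hash match is best-effort only, because AMSI may be given a differently encoded or trimmed buffer; reading the Warning-level blocks is the reliable part.

```powershell
# Added example (not from the thread): find the script text behind an AMSI detection
# via PowerShell script block logging (event 4104). Read-only; run from an elevated prompt.

function Get-TextMd5 {
    param([string]$Text, [System.Text.Encoding]$Encoding)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $bytes = $md5.ComputeHash($Encoding.GetBytes($Text))
        ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    } finally { $md5.Dispose() }
}

function Get-RecentScriptBlocks {
    param([int]$Hours = 48)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text    = [string]$_.Properties[2].Value
        $preview = $text -replace '\s+', ' '
        [PSCustomObject]@{
            Time     = $_.TimeCreated
            Level    = $_.LevelDisplayName      # 'Warning' = PowerShell itself judged the block suspicious
            Path     = $_.Properties[4].Value   # empty for blocks that never existed as a file
            Md5Utf8  = Get-TextMd5 -Text $text -Encoding ([System.Text.Encoding]::UTF8)
            Md5Utf16 = Get-TextMd5 -Text $text -Encoding ([System.Text.Encoding]::Unicode)
            Preview  = $preview.Substring(0, [Math]::Min(120, $preview.Length))
        }
    }
}

# MD5 reported in the Kaspersky AMSI event quoted above
$reportedMd5 = 'B3127F27D52B5A4B709C5ABD09B52141'

$blocks = @(Get-RecentScriptBlocks -Hours 48)
"Script blocks logged in the last 48 h: $($blocks.Count)"

# Best-effort hash match: AMSI may hash a differently encoded or trimmed buffer,
# so an empty result here does not mean the text is absent from the log.
$blocks | Where-Object { $_.Md5Utf8 -eq $reportedMd5 -or $_.Md5Utf16 -eq $reportedMd5 } |
    Format-List Time, Path, Preview

# Regardless of the hash, the Warning-level blocks are the ones to read first
$blocks | Where-Object Level -eq 'Warning' | Format-Table Time, Path, Preview -Wrap
```

If the log holds no 4104 events at all, script block logging is not enabled and only the suspicious-block auto-logging applies; the Path column, when populated, points at the .ps1 file the block was loaded from, which is what the later replies in this thread ask about.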

Posted

Thank you for your reply.
I'm sorry, I don't quite get what you are trying to have me do.
So if I understand correctly,

https://opentip.kaspersky.com/B3127F27D52B5A4B709C5ABD09B52141/results?tab=lookup
is the type of malware I'm infected by, though I can't read or understand anything on that site.

From this site: https://support.kaspersky.com/kis/2018/en-US/96493.htm
I have to download: https://rufus.ie/en/
Get a USB? Or perhaps installing on a separate external disk is fine?
I can't find the ISO file anywhere at all.
Following this guide: https://support.kaspersky.com/kis/2018/en-US/43538.htm
It seems that it's some sort of software, and I can just set it up like most other software?
Then follow the rest of the tutorial?



I dread my own lack of knowledge...

 

harlan4096
Posted

That tool of Kaspersky (Kaspersky Rescue Disk) allows scanning from a separate Windows system; actually it's in a Linux environment...

 

KRD is used to scan and disinfect systems.

  • Like 2
harlan4096
Posted

Yes, that warning is common, just click ok.

  • Thanks 1
Posted

I've finished setting up KRD, following this tutorial: https://www.youtube.com/watch?v=r9Wezti9TUU
I see this warning; do I have to be careful with this?

 

Kaspersky Rescue Disk modifies system files of the operating system. This may make your operating system inoperable. We recommend creating a backup copy of your operating system before using Kaspersky Rescue Disk.

There seems to be a typo of some sort in: https://support.kaspersky.com/krd/24/272963
"Open the system menu icon and select Administration → Cleanup KRD artefacts." (Considering the difference from the text in the image, I'll just assume it's a typo.)

Reading this: https://support.kaspersky.com/krd/24/269992
I'm seeing that there's only 1 infected object on the C drive; should I do a full scan or just the C drive specifically?

The thing I'm most afraid of right now is probably a restart, since PowerShell was starting on startup. I haven't done a restart aside from installing Kaspersky; am I safe doing a restart or shutdown?

 

  • Like 1
harlan4096
Posted

Can you post a capture of the infected file?

 

Scan especially these folders:

 

C:\ProgramData\

C:\Users\

C:\Windows\

Posted

I followed the path to the infected file:
C:\Windows\System32\WindowsPowerShell\v1.0
 

[screenshot]

Thanks, so this is what I should be doing:
Shut down my PC, then boot it up using the KRD and scan specifically these folders:
C:\ProgramData\

C:\Users\

C:\Windows\

There should generally be no issues with shutting down or restarting after doing this?

  • Like 1
Schulte
Posted

Hi @QQxR,

One more thing:
“powershell.exe” itself probably isn't the problem.
It looks more like the infected object is a script that requires an active PowerShell session to run.
There are many ways the script could be launched. I would start by checking the Task Scheduler for any unknown entries. Maybe that's where the script (“anyName.ps1”) is being launched?

  • Like 1
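As an added example of the check @Schulte describes (not code from the thread or from Kaspersky), this read-only PowerShell script walks every scheduled task and prints the ones whose "Start a program" action launches PowerShell or another script host, together with the task's author and last run time. The substring list is an assumption about what a script-launching task usually looks like; tasks you created yourself (such as the UpdateHostsFile task discussed below) will also appear if they run a script, so each row still needs a look at its Actions tab.

```powershell
# Added example (not from the thread): list scheduled tasks whose exec action launches
# PowerShell or another script host. Read-only; nothing is changed.

# Assumption: a reasonable first filter for script-launching tasks.
$pattern = 'powershell|pwsh|\.ps1|cmd\.exe|\.bat|\.cmd|wscript|cscript|mshta|encodedcommand|\s-e[nc]*\s|hidden|bypass'

function Get-ScriptLaunchingTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Start a program" actions carry Execute/Arguments; other action types are skipped
            if (-not $action.Execute) { continue }
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -notmatch $pattern) { continue }
            $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Task        = $task.TaskPath + $task.TaskName
                State       = $task.State
                Author      = $task.Author
                LastRunTime = $info.LastRunTime
                Command     = $cmd
            }
        }
    }
}

Get-ScriptLaunchingTasks | Sort-Object LastRunTime -Descending | Format-Table -AutoSize -Wrap
```

Entries whose Author is empty or a bare user name, whose Task path is the root `\` rather than a vendor folder, and whose Command points at a script in a user-writable location (Temp, AppData, ProgramData) are the ones worth reading first; the ones Microsoft ships live under `\Microsoft\Windows\`.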
harlan4096
Posted

It's weird that the VirusTotal system does not yet know the ps1 file detected (B3127F27D52B5A4B709C5ABD09B52141).

Posted

Hi, @Schulte
[screenshot]

This is my Task Scheduler so far (only the Task Scheduler Library). I don't see any strange tasks I don't recognize; I may be missing something. Is there anything suspicious, or any locations that require further checking?

  • Like 1
Posted

Actually, am I good to go with a KRD scan now?...

 

Schulte
Posted

Just a quick check:
Could you please take a look at the ‘UpdateHostsFile’ task? Does a script run here?
Unfortunately, I don't have Windows 11 available right now to verify this.
I'm sure @harlan4096 can help with this...

... and then continue with the KRD.

  • Like 2
Posted

You mean the one that starts at 12:00 AM every day? As far as I can remember, it's one I created myself.

Action: Start a program; it starts the right program I directed it to. I don't see PowerShell here; conditions, settings and history don't show anything strange...
[screenshot]
Thanks, I'll go for a KRD scan now

  • Like 1
Schulte
Posted

The interesting part can be found on the ‘Actions’ tab.
Note: Kaspersky doesn't really like it when the ‘Hosts’ file is modified. It is protected by default.

  • Like 3
Posted

[screenshot]
After doing an 80% KRD scan (yes, for some reason I misclicked and stopped the scan) and restarting the PC, I don't see PowerShell open up on startup anymore. Both the quarantined objects and Reports didn't show anything in particular.
There's still a questionable ScreenImage.png (is this legit, or even common at all to be in temp?).

[screenshot]

AMSI Protection is still reporting powershell.exe, though; this is strange... I'm not even sure what is going on anymore...

[screenshot]

It's very late right now, and I'm really getting very exhausted from having to deal with this... I may redo the scan tomorrow if needed...
 

  • Like 1
Posted (edited)

Should I wait for tomorrow, or am I generally good to go for now? I'm extremely paranoid about AMSI Protection continuing to flag powershell.exe. Do I just have to keep monitoring this, or anything?
My full timeline:
[two screenshots]

Edited by QQxR
add images
harlan4096
Posted

Check Windows StartUp Apps:

Quote

Tips for Seeing Startup Programs in Windows 11

  • Use Task Manager: You can also use Task Manager by pressing Ctrl + Shift + Esc, then clicking the Startup tab to manage startup programs.
  • Research Programs: Before disabling, research unknown programs to ensure they’re not crucial to system operations.
  • Consider Impact: Focus on programs with high impact ratings, as these affect startup time the most.
  • Regularly Review: Make it a habit to review startup programs every few months to adapt to new installations or updates.
  • Backup Settings: Create a system restore point before making changes, so you can revert if necessary.
Posted

I actually don't like it when I start up my PC with tons of software, so I disabled most of them.
This is my start up list: 
[screenshot]
I think I recognize all of them; is there anything that catches your attention?

Posted

Random trojan getting downloaded!

I was browsing the Kaspersky forum for some related issues and had this thing pop up.
[screenshot]
This is... questionable; so my PC is still infected after all? I'm getting more and more clueless...

 

These are the most recent logs:
Event: Malicious object detected
User: DESKTOP-NPN53GS\Admin
User type: Initiator
Application name: powershell.exe
Application path: C:\Windows\System32\WindowsPowerShell\v1.0
Component: AMSI Protection
Result description: Detected
Type: Trojan
Name: HEUR:Trojan-Downloader.BAT.Agent.gen
Precision: Heuristic analysis
Threat level: High
Object type: File
Object name: amsi_stream_193
Object path: uid://
MD5 of an object: B3127F27D52B5A4B709C5ABD09B52141
Reason: Expert analysis
Databases release date: Yesterday, 3/14/2026 9:42:00 PM

Event: The object scan result has been sent to a third-party application
User: DESKTOP-NPN53GS\Admin
User type: Initiator
Application name: powershell.exe
Application path: C:\Windows\System32\WindowsPowerShell\v1.0
Component: AMSI Protection
Result description: Not processed
Type: Trojan
Name: HEUR:Trojan-Downloader.BAT.Agent.gen
Precision: Heuristic analysis
Threat level: High
Object type: File
Object name: amsi_stream_193
Object path: uid://
MD5 of an object: B3127F27D52B5A4B709C5ABD09B52141
Reason: Logged

  • Like 1
