Windows 10: Trojan:MSIL/Redline.CBYZ!MTB in windows powershell.

Discuss and support Trojan:MSIL/Redline.CBYZ!MTB in windows powershell. in Windows 10 Software and Apps to solve the problem; Hello, Windows defender keeps detecting Trojan:MSIL/Redline.CBYZ!MTB found in amsi:... Discussion in 'Windows 10 Software and Apps' started by Sivrem 147, Dec 28, 2023.

  1. Trojan:MSIL/Redline.CBYZ!MTB in windows powershell.


    Hello, Windows Defender keeps detecting Trojan:MSIL/Redline.CBYZ!MTB found in amsi: \Device\HarddiskVolume2\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. I know other people have had this problem and Malwarebytes, Defender, Microsoft Safety Scan, etc. won't fix it. I have already downloaded and run Farbar Recovery Scan Tool and have the logs saved to Google Drive for sharing. Any help would be appreciated.

    :)
     
    Sivrem 147, Dec 28, 2023
    #1
  2. Nepped Win User

    How to remove Trojan:MSIL/Redline.CBYZ!MTB ?

    Hello, community people

    On every Windows startup, PowerShell is briefly opened then automatically closed. (I didn't see any script typed in.) Then Windows Security detects Trojan:MSIL/Redline.CBYZ!MTB and I select to remove it. After that, I have not found any other side effect yet.



    Is there any way to remove or stop this Redline trojan from running PowerShell on startup?
    Here is what I have tried in order to remove this trojan. (Redline trojan wasn't found.)

    • Microsoft Defender quick scan and offline scan
    • Full scan from Malwarebytes
    • Quick scan from HitmanPro, BitDefender, Emsisoft Emergency Kit
    • iExplore (RKill) does not detect any running malware

    Thanks in advance
     
    Nepped, Dec 28, 2023
    #2
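
    An added example, not posted by anyone in this thread: when PowerShell flashes at every logon and the on-disk scanners find nothing, a read-only listing of autostart entries that launch PowerShell shows what is re-triggering the AMSI detection. It uses only built-in cmdlets; the `$pattern` value and the output field names are choices made for this sketch.

```powershell
# Read-only triage: list autostart entries whose command line references PowerShell.
# Run from an elevated PowerShell prompt; nothing is modified or deleted.
$pattern = 'powershell|pwsh'

# 1. Scheduled tasks whose action launches PowerShell
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute/Arguments and yield an empty string
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = $task.TaskPath + $task.TaskName
                Command = $cmd.Trim()
            }
        }
    }
}

# 2. Run / RunOnce registry values (machine, 32-bit view, and current user)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runs = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }   # key absent on this machine
    foreach ($valueName in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($valueName)
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Source = $key; Name = $valueName; Command = $cmd }
        }
    }
}

# 3. Startup-folder items and other entries Windows reports as startup commands
$startup = Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
    }

# Combined report: review each Command before deciding what to disable
@($tasks) + @($runs) + @($startup) | Format-List
```

    The listing covers scheduled tasks, Run keys and startup entries only; an empty result does not rule out other autostart locations.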
  3. TSKYBing Win User
    Trojan and Malware

    2/21/2022 5:28:49 AM
    Files scanned: 1217349
    Detected files: 43
    Cleaned files: 43
    Total scan time 06:50:37
    Scan status: Finished

    C:\$SysReset\AppxLogs\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\$SysReset\CloudImage\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\$SysReset\Logs\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\$SysReset\MDM\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\$SysReset\Scratch\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\$SysReset\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Aomei\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Boot\sm_da\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Boot\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\FRST\Quarantine\C\WINDOWS\system32\Tasks\Microsoft\Windows\PI\PI.xBAD PowerShell/Kryptik.D trojan cleaned by deleting
    C:\LDPlayer\LDPlayer4.0\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\LDPlayer\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\MobiMoverBackup\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\NVIDIA\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\OneDriveTemp\S-1-5-21-2131174034-2530422207-1368632259-1001\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\OneDriveTemp\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Program Files\Wondershare\Wondershare Filmora\WsAP-Filmora.dll a variant of Win64/HackTool.Crack.W potentially unsafe application cleaned by deleting
    C:\Program Files\Wondershare\Wondershare Filmora - Copy\WsAP-Filmora.dll a variant of Win64/HackTool.Crack.W potentially unsafe application cleaned by deleting
    C:\Program Files (x86)\****-GoldBerg\****\OnlineFix64.dll a variant of Win64/HackTool.Crack.AA potentially unsafe application cleaned by deleting
    C:\Riot Games\League of Legends\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Riot Games\Riot Client\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Riot Games\VALORANT\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Riot Games\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\SWSetup\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\temp\TxGameDownload\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\temp\{AA7C2609-F5C3-4F2D-85D0-97C700C016B3}\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\temp\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\text\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Users\TSKY\AppData\Local\VirtualStore\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Users\TSKY\Desktop\Ready.Or.Not.v17900.Early.Access\Ready Or Not\ReadyOrNot\Binaries\Win64\Custom.dll a variant of Win64/HackTool.Crack.AD potentially unsafe application cleaned by deleting
    C:\Users\TSKY\Desktop\Ready.Or.Not.v17900.Early.Access\Ready Or Not\ReadyOrNot\Binaries\Win64\OnlineFix64.dll a variant of Win64/HackTool.Crack.AA potentially unsafe application cleaned by deleting
    C:\Users\TSKY\Downloads\Ready_or_Not_Fix_Repair_Steam_V3_Generic\ReadyOrNot\Binaries\Win64\Custom.dll a variant of Win64/HackTool.Crack.AD potentially unsafe application cleaned by deleting
    C:\Users\TSKY\Downloads\Ready_or_Not_Fix_Repair_Steam_V3_Generic\ReadyOrNot\Binaries\Win64\OnlineFix64.dll a variant of Win64/HackTool.Crack.AA potentially unsafe application cleaned by deleting
    C:\Users\TSKY\Downloads\Windows 10_Digital_License\BIN\slc.dll Win32/HackTool.WinActivator.AL potentially unsafe application cleaned by deleting
    C:\Users\TSKY\Downloads\Windows 10_Digital_License\Windows 10 Digital License Activation Script.cmd Win32/HackTool.WinActivator.AI potentially unsafe application cleaned by deleting
    C:\Users\TSKY\Downloads\BrowserSetup_b0zz0i5.exe a variant of Win32/CryptoTab.A potentially unwanted application cleaned by deleting
    C:\Users\TSKY\Downloads\counter-strike-1-6.exe a variant of Win32/GameHack.ANF potentially unsafe application cleaned by deleting
    C:\Users\TSKY\Downloads\windows.cmd BAT/RiskWare.HackTool.WinActivator.A application cleaned by deleting
    C:\Users\TSKY\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Windows \System32\_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Windows \_readme.txt MSIL/Filecoder.ANG trojan deleted
    C:\Xamp Premium\_readme.txt MSIL/Filecoder.ANG trojan deleted
    D:\_readme.txt MSIL/Filecoder.ANG trojan deleted
     
    TSKYBing, Dec 28, 2023
    #3
  4. Trojan:MSIL/Redline.CBYZ!MTB in windows powershell.

    Windows Defender detects but can't remove Trojan msil cryptinject C!MIL.....

    C:\Users\Admin\Downloads\krnl\krnlss.exe

    Trojan msil cryptinject C!MIL

    I can't get Windows Defender to remove/quarantine this virus, any help would be appreciated.
     
    Camille Maloloy-on, Dec 28, 2023
    #4