Trojan:PowerShell/AgentTesla.SHD!MTB Removal

Brendan Smith - Cybersecurity Analyst
AgentTesla PowerShell alert evidence capsule with credential key

Trojan:PowerShell/AgentTesla.SHD!MTB is a Microsoft Defender Antivirus detection for a PowerShell script that Defender associates with the AgentTesla infostealer. Treat it as serious if it appeared after you ran a ROM installer, crack, fake game, email attachment, script, or a command copied from a web page. AgentTesla exists to steal credentials and collect data, so cleanup has to cover both malware removal and account protection.

First checks after this Defender alert

  • Keep the detection quarantined or removed. Do not restore the file to test it.
  • Delete the original download. Check archives, scripts, and installers that arrived with it.
  • Run a full system scan. A PowerShell detection is often one stage of a downloader or stealer chain, so other components may still be on disk.
  • Change important passwords from a clean device if the file or script ran.
  • Check persistence: Startup Apps, Task Scheduler, browser extensions, PowerShell history, and unknown processes.
Detection name: Trojan:PowerShell/AgentTesla.SHD!MTB
Detected by: Microsoft Defender Antivirus
Likely category: Trojan / PowerShell script / AgentTesla-related activity
Common sources: Fake installers, ROM packs, cracked software, email attachments, scripts, malicious archives
Best action: Remove it, scan fully, check persistence, and protect accounts if anything executed.

What is Trojan:PowerShell/AgentTesla.SHD!MTB?

Microsoft lists Trojan:PowerShell/AgentTesla.SHD!MTB in its Security Intelligence encyclopedia as a Defender detection [1]. The name is structured: Trojan is the threat type, PowerShell is the platform (a script rather than a compiled binary), AgentTesla is the family label, and !MTB is a suffix Microsoft attaches to many generic and heuristic detections rather than to one specific sample.

AgentTesla is widely documented as an information-stealing malware family; MITRE ATT&CK tracks Agent Tesla as spyware [2]. In practice, the exact suffix matters less than three questions: what file or command triggered the alert, whether it actually ran, and whether any account sessions changed afterward.

Is it a false positive?

It can be a false positive in rare cases, but do not start from that assumption. A PowerShell Trojan detection right after an unknown installer, ROM download, crack, mod, email attachment, or fake update is high risk. PowerShell is a normal Windows tool, which is exactly why attackers abuse it: it can download payloads, run commands in memory, hide behind legitimate system processes, and create persistence.

Lower-risk context: a script your own IT team deployed, in a managed environment, with no suspicious download history.
High-risk context: an unknown installer, a file from Discord, a ROM pack, a crack, a fake CAPTCHA command, an email attachment, or a password-protected archive (the password exists to defeat mail and download scanning).
Decision: on a personal PC, keep it removed unless you can prove the script came from a trusted source.

Symptoms that make the alert more serious

  • Defender repeatedly detects the same PowerShell threat after reboot.
  • Discord, Steam, Microsoft, Google, or email accounts show new sign-ins.
  • Browser sessions are logged out, a recovery email was changed, or MFA prompts appear that you did not initiate.
  • New scheduled tasks or startup entries appeared around the time of the download.
  • PowerShell, wscript.exe, cmd.exe, or unknown processes run unexpectedly.

How to remove Trojan:PowerShell/AgentTesla.SHD!MTB

  1. Open Windows Security and keep the Defender action as Remove or Quarantine.
  2. Delete the original file, zip, script, ROM installer, crack, or email attachment that caused the alert.
  3. Run a full system scan with Gridinsoft Anti-Malware to check dropped files, startup entries, and hidden components.
  4. Open Task Scheduler and remove unknown tasks created around the infection time.
  5. Check Startup Apps and recently installed programs.
  6. Review browser extensions, notification permissions, and saved sessions.
  7. From a clean device, change passwords for email, Microsoft, Google, Discord, Steam, banking, and crypto accounts if the file ran.
  8. Revoke active sessions and remove unknown OAuth/connected apps; for Microsoft account abuse, follow account-recovery guidance from a clean device [3].
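The persistence checks in steps 4 through 6 can be pulled into one pass. The script below is an added example for this article, not code from the original page or from Gridinsoft: it enumerates scheduled tasks, Run/RunOnce keys, startup folders, recently written scripts in common drop paths, and running script engines, narrowed to items created or changed since the alert. Run it in an elevated Windows PowerShell 5.1 or PowerShell 7 console on the affected PC. The value of $Since and the list of script engines are assumptions; set $Since to the time shown in Defender's protection history.

```powershell
# Added example for this article, not code from the original page or from
# Gridinsoft. Enumerates the persistence locations named in the removal steps,
# limited to items created or written since the Defender alert.
# Assumption: $Since approximates the alert time; adjust it.
$Since = (Get-Date).AddDays(-3)

# Script engines a PowerShell dropper typically chains into persistence (assumed list).
$scriptEngines = 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                 'cmd.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

# 1. Scheduled tasks outside the built-in \Microsoft\ tree. The Date field is
#    the creation time from the task XML and can be empty, so also flag any
#    task whose action launches a script engine, whatever its date.
#    Drop the TaskPath filter if nothing turns up; malware can hide there too.
"== Scheduled tasks (new, or launching a script engine) =="
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    $created = if ($task.Date) { [datetime]$task.Date } else { $null }
    foreach ($action in $task.Actions) {
        $exe = [IO.Path]::GetFileName("$($action.Execute)").ToLower()
        if (($created -and $created -ge $Since) -or ($scriptEngines -contains $exe)) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                Created   = $created
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-Table -AutoSize -Wrap

# 2. Run and RunOnce keys for the current user and the machine.
"== Run / RunOnce registry entries =="
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}

# 3. Startup folders (this user and all users), items written since $Since.
"== Startup folder items =="
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-Object LastWriteTime, FullName

# 4. Recently written scripts, shortcuts and binaries in the drop paths that
#    consumer infections favour (Temp, AppData, Downloads, ProgramData).
"== Recent scripts/binaries in common drop paths =="
$dropDirs = $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads", $env:ProgramData
Get-ChildItem -Path $dropDirs -Recurse -Force -File -ErrorAction SilentlyContinue `
    -Include *.ps1, *.vbs, *.js, *.bat, *.cmd, *.hta, *.lnk, *.exe, *.dll |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName

# 5. Script engines running right now, with parent PID and full command line.
"== Running script engines =="
Get-CimInstance Win32_Process |
    Where-Object { $scriptEngines -contains $_.Name.ToLower() } |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Format-List
```

Read the output for anything that matches the download time or launches a script engine with a long, encoded, or hidden-window command line. Remove a task or Run entry only after noting its command, because the path it points at is the next thing to delete.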

Safe file check

If you need to investigate the source, do not restore the quarantined file on the same PC. Record the path and detection name from Defender's protection history, then check the source:

  • File path: Downloads, Temp, AppData, and game/mod folders are common in consumer infections.
  • Command history: check whether PowerShell or Run was used around the same time.
  • Signature: an unsigned installer, or one signed by a publisher you do not recognize, is suspicious; a valid signature alone does not prove the file is safe.
  • Hash: record the SHA-256 of the original download so you can compare rescan results or share it with support without sending the file itself.
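The evidence capture above can be done from the same console, without restoring or running anything. This is an added example for this article, not code from the original page or from Gridinsoft: it reads Defender's own detection records (including whether the threat executed), hashes and signature-checks the original download, greps PowerShell console history for download-and-run patterns, and decodes an -EncodedCommand argument for reading. The path in $Download, the history search pattern, and the sample encoded string are assumptions; point $Download at the installer or archive you actually suspect.

```powershell
# Added example for this article, not code from the original page or from
# Gridinsoft. Captures the evidence the safe file check asks for without
# restoring or executing the detected script.
# Assumption: $Download is the installer/archive you suspect; adjust the path.
$Download = "$env:USERPROFILE\Downloads\suspect-installer.exe"

# 1. Defender's own record. Get-MpThreat and Get-MpThreatDetection share
#    ThreatID; DidThreatExecute answers the key question "did it run?".
"== Defender detection records (Trojan:PowerShell/*) =="
$threats = @{}
Get-MpThreat | ForEach-Object { $threats[$_.ThreatID] = $_ }
Get-MpThreatDetection |
    Where-Object { $threats[$_.ThreatID].ThreatName -like 'Trojan:PowerShell/*' } |
    Select-Object @{ n = 'Threat';    e = { $threats[$_.ThreatID].ThreatName } },
                  @{ n = 'Executed';  e = { $threats[$_.ThreatID].DidThreatExecute } },
                  InitialDetectionTime, ProcessName,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-List

# 2. SHA-256 and Authenticode status of the original download. Reading the file
#    does not run it; keep the hash for support tickets or later rescans.
"== Original download =="
if (Test-Path -LiteralPath $Download) {
    $hash = Get-FileHash -LiteralPath $Download -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -LiteralPath $Download
    [pscustomobject]@{
        File   = $Download
        SHA256 = $hash.Hash
        Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject
    } | Format-List
} else {
    "Not found: $Download (already deleted or quarantined)"
}

# 3. PSReadLine console history. Download-and-run one-liners, encoded commands,
#    hidden windows and execution-policy bypasses are what a pasted 'fake
#    CAPTCHA' command looks like. Only this user's console input is recorded.
"== Suspicious PowerShell history lines =="
$history = (Get-PSReadLineOption).HistorySavePath
$pattern = 'Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Invoke-Expression|\biex\b|' +
           'DownloadString|DownloadFile|FromBase64String|-enc\w*|-ep\b|-ExecutionPolicy|-w\s+hidden'
if (Test-Path -LiteralPath $history) {
    Select-String -LiteralPath $history -Pattern $pattern | Select-Object LineNumber, Line
}

# 4. Read an -EncodedCommand argument (Base64 of UTF-16LE text) without running
#    it. Never pipe the output to Invoke-Expression.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}
# Constructed sample for demonstration, not a captured payload:
$sample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "decoded for inspection"'))
ConvertFrom-EncodedCommand -Base64 $sample
```

If DidThreatExecute is True, or the history shows a download-and-run line from around the alert time, treat the account-protection steps as mandatory rather than precautionary. Decoded payloads usually reveal the download URL and the next-stage path, both of which belong in your notes before you delete anything.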

For broader context, see our Microsoft Defender detection names guide and game/mod infostealer recovery checklist.

Why account cleanup matters

A Trojan or stealer incident is not finished just because Defender removed a script. If the payload ran, cookies, tokens, saved passwords, or wallet-related data may already be exposed. Change passwords from a clean device and revoke sessions [3]. Do not do password resets on the same PC until scans are clean.

FAQ

Is Trojan:PowerShell/AgentTesla.SHD!MTB a virus?

It is a Defender Trojan detection involving PowerShell and the AgentTesla family label. Treat it as malware unless you can prove the script is from a trusted source.

Can I allow the file in Defender?

No on a normal home PC. Do not allow or restore it if it came from a ROM pack, crack, email attachment, fake installer, or unknown script.

Why does Defender mention PowerShell?

PowerShell is a legitimate Windows tool, but attackers use it to run scripts, download payloads, and create persistence. The tool name does not make the activity safe.

What if detections return after cleanup?

Run Gridinsoft Anti-Malware again after reboot, then review startup entries, scheduled tasks, services, browser extensions, and recent files in AppData or Temp. If account abuse continues, rotate passwords from a clean device after the PC is clean.

References

  1. Microsoft Security Intelligence: Trojan:PowerShell/AgentTesla.SHD!MTB
  2. MITRE ATT&CK: Agent Tesla
  3. Microsoft Support: Recover a hacked or compromised Microsoft account