Windows 7 Forums



Windows 7: PowerShell starts with Windows, can't disable it from msconfig.exe

30 Sep 2015   #1
YUNoCake

Windows 7 Ultimate 64bit
 
 
PowerShell starts with Windows, can't disable it from msconfig.exe

I have just figured out there's a startup item in msconfig under the name of "Microsoft® Windows® Operating System". Apparently it launches PowerShell with some weird arguments and I can't disable it. Here's a screenshot:


I can see it's something to do with a character string, and I'm afraid it's a keylogger.
What do you think? Is it a virus? If yes, how do I remove it?

P.S.: I've tried deleting the WindowsPowerShell folder under system32 but it requires permission from TrustedInstaller to remove, and it will just not let me take ownership of the folder. Oh, and I've searched for it in "Add or remove programs", it's not there.


30 Sep 2015   #2
YUNoCake

Windows 7 Ultimate 64bit
 
 

Here's a screenshot of the registry key mentioned in the arguments
01 Oct 2015   #3
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

Looks nasty to me. The fact that the PowerShell line is using the Invoke-Expression (alias: iex) cmdlet already sets off alarms. This cmdlet allows for dynamic code to be run, which is rarely something your typical script needs to do.

If you cannot disable or remove this startup item from msconfig, I'd delete the registry key the PowerShell line mentions... But before you do that, run the below Command Prompt command and post here the data of this 'GAZADSLU' value in your registry, so we can figure out what exactly the PowerShell startup line is doing.
Code:
reg query "HKCU\Software\Classes\FYTNHRWPQH" /v "GAZADSLU"
P.S.: Please do not delete the WindowsPowerShell folder. Windows likes it there.

02 Oct 2015   #4
YUNoCake

Windows 7 Ultimate 64bit
 
 

Quote: Originally Posted by Pyprohly
Looks nasty to me. The fact that the PowerShell line is using the Invoke-Expression (alias: iex) cmdlet already sets off alarms. This cmdlet allows for dynamic code to be run, which is rarely something your typical script needs to do.

If you cannot disable or remove this startup item from msconfig, I'd delete the registry key the PowerShell line mentions... But before you do that, run the below Command Prompt command and post here the data of this 'GAZADSLU' value in your registry, so we can figure out what exactly the PowerShell startup line is doing.
Code:
reg query "HKCU\Software\Classes\FYTNHRWPQH" /v "GAZADSLU"
P.S.: Please do not delete the WindowsPowerShell folder. Windows likes it there.
I have just tried your command but it gave me this error


Anyways, I have exported the registry key to a txt file using this command


The export.txt file is too large to upload on this site, so I'll upload it here: export.txt (File Dropper).
02 Oct 2015   #5
YUNoCake

Windows 7 Ultimate 64bit
 
 

Quote:
I'd delete the registry key the PowerShell line mentions
Oh, by the way, that was the first thing that came into my mind, but when I try it says "Unable to delete all specified values". Any other way to get rid of it?
02 Oct 2015   #6
Urthboundmisfit

Win 10 Pro x64, Win 7 Pro x64
 
 

Looks like a remnant of Poweliks or ZeroAccess Rootkit... have you seen signs of infection recently?

Quote:
Poweliks is malware with rootkit-like features and no file on disk (it passes directly from the registry to memory at boot time). The payload (malware file) is stored in an encrypted registry value, and loaded at boot time by a RUN key calling the rundll32 process on an encrypted javascript payload.

Once the payload is loaded in rundll32, it tries to execute an embedded PowerShell script in interactive mode (no UI). That PowerShell script contains a base64-encoded payload (another one) which will be injected into a dllhost process (the persistent item), which will be zombified and act as a trojan downloader for other infections.

The injected dllhost thread is also responsible for protecting the registry value (persistence item) by recreating it when removed. This is why it's necessary to shut down the process first...

...Value name and subkey name are injected with unicode characters, so that the high-level API cannot read them, and remove them.
Poweliks removal:
RogueKiller: Poweliks removal with RogueKiller
ESET Poweliks Cleaner: ESET :: Download :: Utilities :: Detail :: Poweliks Cleaner
Google search: Poweliks removal

You should probably have a security expert scan your system... I am NOT an expert, I just play one on TV

HTH
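The two things asked for above, reading the value the startup line points at without running it (post #3) and checking for the Run-key / dllhost persistence pattern described in the Poweliks write-up (post #6), can be done from PowerShell itself. The script below is an added triage example, not code from this thread or from either poster. It assumes an elevated Windows PowerShell console on the affected user's account (PowerShell 2.0 syntax, so it runs on a stock Windows 7), it reuses the key and value names FYTNHRWPQH and GAZADSLU from the thread as its sample arguments, the indicator regex and the "dllhost not started by svchost" check are heuristics I chose, and nothing it reads from the registry is ever executed.

```powershell
# Added triage script (not from the thread). Assumptions: elevated PS 2.0+ on
# Windows 7, run as the affected user; key/value names come from the thread;
# the indicator regex and the dllhost parent rule are heuristics.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Command-line fragments typical of fileless loaders: PowerShell with iex or
# -EncodedCommand, base64 decoding, rundll32 driving a javascript: URL, script hosts.
$Suspicious = 'powershell|\biex\b|invoke-expression|-e(nc|ncodedcommand)?\s|frombase64string|rundll32.*javascript:|mshta|wscript|cscript'

function Show-NonPrintable([string]$s) {
    # Escape every character outside printable ASCII as \uXXXX, so a value name
    # padded with control or other unicode characters becomes visible.
    $parts = $s.ToCharArray() | ForEach-Object {
        if ([int]$_ -ge 32 -and [int]$_ -le 126) { [string]$_ } else { '\u{0:x4}' -f [int]$_ }
    }
    return (@($parts) -join '')
}

function Decode-EncodedCommand([string]$CommandLine) {
    # -EncodedCommand carries base64 of UTF-16LE text; decode it for reading only.
    if ($CommandLine -match '-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return "<base64 decode failed: $($_.Exception.Message)>" }
    }
    return $null
}

function Get-SuspiciousRunEntries {
    # Enumerate Run/RunOnce values through the RegistryKey object (GetValueNames
    # returns the raw names, hidden characters included) and flag anything whose
    # name is not plain ASCII or whose data matches the indicator regex.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item $key
        foreach ($name in $reg.GetValueNames()) {
            $data  = [string]$reg.GetValue($name)
            $shown = Show-NonPrintable $name
            if ($shown -ne $name -or $data -match $Suspicious) {
                New-Object PSObject -Property @{
                    Key     = $key
                    Name    = $shown
                    Kind    = $reg.GetValueKind($name)
                    Command = $data
                    Decoded = Decode-EncodedCommand $data
                }
            }
        }
    }
}

function Read-ReferencedValue([string]$SubKey, [string]$Name) {
    # Read the value the startup line references via the .NET registry API.
    # (reg.exe wants 'HKCU\...'; the PowerShell drive form 'HKCU:\...' is rejected by reg.exe.)
    $k = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey)
    if ($k -eq $null) { Write-Warning "HKCU\$SubKey not found; the real name may carry hidden characters"; return $null }
    try {
        $raw = $k.GetValue($Name)
        if ($raw -eq $null) { Write-Warning "Value '$Name' not found under HKCU\$SubKey"; return $null }
        $text    = [string]$raw
        $decoded = $null
        # Heuristic: if the data is a bare base64 blob, show it decoded (UTF-16LE, then ASCII) for reading only.
        if ($text -match '^[A-Za-z0-9+/]+={0,2}$' -and ($text.Length % 4) -eq 0) {
            try {
                $bytes   = [Convert]::FromBase64String($text)
                $decoded = [Text.Encoding]::Unicode.GetString($bytes)
                if ($decoded -match '[^\x20-\x7e\r\n\t]') { $decoded = [Text.Encoding]::ASCII.GetString($bytes) }
            } catch { $decoded = '<not valid base64>' }
        }
        New-Object PSObject -Property @{
            Kind    = $k.GetValueKind($Name)
            Length  = $text.Length
            Preview = $text.Substring(0, [Math]::Min(200, $text.Length))
            Decoded = $decoded
        }
    } finally { $k.Close() }
}

function Get-DllhostParents {
    # The quoted write-up says an injected dllhost.exe re-creates the Run value when it is
    # deleted. A legitimate dllhost.exe (COM Surrogate) is usually started by svchost.exe;
    # an instance with any other parent is the one to stop before cleaning the registry.
    foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name='dllhost.exe'")) {
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        New-Object PSObject -Property @{
            Pid         = $p.ProcessId
            ParentPid   = $p.ParentProcessId
            Parent      = $(if ($parent) { $parent.Name } else { '<exited>' })
            CommandLine = $p.CommandLine
        }
    }
}

Get-SuspiciousRunEntries | Format-List Key, Name, Kind, Command, Decoded
Read-ReferencedValue -SubKey 'Software\Classes\FYTNHRWPQH' -Name 'GAZADSLU' | Format-List
Get-DllhostParents | Format-Table Pid, ParentPid, Parent, CommandLine -AutoSize
```

If Read-ReferencedValue warns that the key is missing while regedit clearly shows it, the name almost certainly contains the hidden characters the write-up describes; in that case take the escaped Name column from Get-SuspiciousRunEntries (or walk GetSubKeyNames() on HKCU\Software\Classes the same way) rather than typing the name by hand. Stop any dllhost.exe with an unexpected parent before deleting the value, otherwise it is simply re-created.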
02 Oct 2015   #7
YUNoCake

Windows 7 Ultimate 64bit
 
 

Quote:
have you seen signs of infection recently?
Well, a few days ago one of my USB thumb drives got infected with that common shortcut virus (from a library computer). I think it's because of that.
02 Oct 2015   #8
YUNoCake

Windows 7 Ultimate 64bit
 
 


Looks like it's something else, but not Poweliks
02 Oct 2015   #9
Urthboundmisfit

Win 10 Pro x64, Win 7 Pro x64
 
 
These monsters are constantly evolving and adapting...

Which is why I suggested:

Quote:
You should probably have a security expert scan your system... I am NOT an expert, I just play one on TV
02 Oct 2015   #10
YUNoCake

Windows 7 Ultimate 64bit
 
 

Quote: Originally Posted by Urthboundmisfit
Which is why I suggested:

Quote:
You should probably have a security expert scan your system... I am NOT an expert, I just play one on TV
Nah, I'll just make a little startup program to close PowerShell.
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd