Windows 7 Forums


Windows 7: Powershell programs keeps enabling itself after disabling it

22 Dec 2015   #1
jhefreyzz

Windows 7 Ultimate x86
 
 

Hello, I'm so frustrated about how to get this thing to vanish from my computer system. It stays checked even though I disabled or unchecked it in msconfig.
Here's what I am referring to.

Microsoft Operating System Microsoft Corporation C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\FeiSholEpOohbCv').sSqBn))); HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I tried to delete the registry key but I can't delete it.
I went through the Run registry and found it, but it keeps coming back.

What should I do?
I scanned my computer already with MBAM, Rogue Killer and Microsoft Windows Defender, yet I get no possible virus infection.

Moreover, I tried to reg query it like this:
reg query "HKCU\Software\Classes\FeiSholEpOohbCv" /v "sSqBn"
and the result is in the attachment.


Maybe someone can help me get rid of this virus, or whatever this thing is called.




Attached Files
File Type: txt reg query.txt (15.7 KB, 6 views)
22 Dec 2015   #2
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

We've seen something like this before: PowerShell starts with Windows, can't disable it from msconfig.exe. The OP claimed that he was able to remove the start item after deleting PowerShell altogether! Not a great solution.

Btw, the data in the text file you've provided isn't complete; I wasn't able to decode it very well.

Try redirecting the registry value's contents directly to a file,
Code:
reg query "HKCU\Software\Classes\FeiSholEpOohbCv" /v "sSqBn" > "C:\Users\%USERNAME%\Desktop\FeiSholEpOohbCv.txt"
22 Dec 2015   #3
jhefreyzz

Windows 7 Ultimate x86
 
 

Thank you for the response, sir.
I already did what you said and I've attached the result file.

Hoping you could address my problem.


Attached Files
File Type: txt FeiSholEpOohbCv.txt (35.0 KB, 4 views)

24 Dec 2015   #4
Pyprohly

Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
 
 

Hi,

I cannot help you combat viruses. I can only confirm to you that you're experiencing the exact same issue YUNoCake had in the thread I mentioned.

The data in that "sSqBn" registry value of yours, Jhefreyzz, decodes into the exact same script as YUNoCake's, but all the obfuscated variable names are different.

I'll see if I can get someone more experienced to help you remove that registry key and that startup entry.
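Added example, not part of any post in this thread: one way to do the decoding step discussed in posts #2 and #4 without running the payload. It lists HKCU Run values that match the flags quoted in post #1, then Base64-decodes the registry value each one references into a text file; `$outDir`, the two regular expressions and the output file name are assumptions.

```powershell
# Added example: inspect only, nothing here executes the stored payload.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$outDir = Join-Path $env:USERPROFILE 'Desktop'   # assumption: where to save

# Flags seen in the Run entry from post #1: hidden window, execution-policy
# bypass, Base64 decoding at startup.
$suspicious = '(?i)powershell.*(-windowstyle\s+hidden|-executionpolicy\s+bypass|FromBase64String)'
# Captures the registry path and value name from: (gp '<path>').<value>
$refPattern = "(?i)(?:gp|Get-ItemProperty)\s+'([^']+)'\s*\)\.(\w+)"

# 1. List Run values whose command line matches the pattern.
$key  = Get-Item -Path $runKey
$hits = @(foreach ($name in $key.GetValueNames()) {
    $cmd = [string]$key.GetValue($name)
    if ($cmd -match $suspicious) {
        New-Object PSObject -Property @{ Name = $name; Command = $cmd }
    }
})
$hits | Format-List Name, Command

# 2. Decode the value each hit points at and save it as text for review.
foreach ($hit in $hits) {
    if ($hit.Command -match $refPattern) {
        $regPath   = $Matches[1]
        $valueName = $Matches[2]
        $b64 = (Get-ItemProperty -LiteralPath $regPath).$valueName
        if (-not $b64) { Write-Warning "No data in $regPath\$valueName"; continue }
        try {
            $bytes = [Convert]::FromBase64String($b64)
        } catch {
            Write-Warning "Value $valueName is not valid Base64"; continue
        }
        # Same decoding the Run entry performs, minus the iex call.
        $text    = [Text.Encoding]::ASCII.GetString($bytes)
        $outFile = Join-Path $outDir "$valueName.decoded.txt"
        Set-Content -LiteralPath $outFile -Value $text -Encoding ASCII
        '{0} bytes decoded from {1} ({2}) -> {3}' -f $bytes.Length, $regPath, $valueName, $outFile
    }
}
```

The decoded script is saved with a .txt extension so that double-clicking it opens an editor instead of running it.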
24 Dec 2015   #5
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

Hi,
Review Jacee’s instructions to run Adwcleaner here post #7,
Ignore the title of the thread,
Instant Savings App
On the BleepingComputer site use the button that looks like this,

You can use these free tools to see if they find anything,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
See this tutorial on how to download and run Malwarebytes,
Malwarebytes Anti-Malware Free

Also use the Custom scan option not the Threat scan select the drives to scan,
Malwarebytes | Free Anti-Malware Detection & Removal Software
SAS is safe to remove anything it finds
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

I also would use TFC,
This must be downloaded to your desktop
Then right click the desktop icon and run it as administrator
TFC - Temp File Cleaner by OldTimer Download - Geeks to Go Forum
24 Dec 2015   #6
jhefreyzz

Windows 7 Ultimate x86
 
 

Thank you for the suggestions

[x] Malwarebytes custom scan detects nothing
[✓] logfile attached
[✓] software updated before full scan
[x] SAS same result as Malwarebytes
[✓] no logfile was attached, as it detects almost 1000 threats, yet they were browser cookies and some false virus detections
[✓] TFC run and cleaned the system
[✓] I ran Autoruns and found out that the persistent startup item is hidden
Screenshot attached:


I wondered: after I ran Autoruns and tried to delete the persistent item, it disappeared from the startup items, but then I tried to trace whether the virus was still there and, without surprise, I found that the registry key is still present while CurrentVersion\Run has empty entries.
Pictures are shown below.

When I try to delete the key it says "Cannot delete FeiSholEpOohbCv: Error while deleting the key".


Attached Thumbnails
Powershell programs keeps enabling itself after disabling it-capture.png   Powershell programs keeps enabling itself after disabling it-capture2.png  
Attached Files
File Type: txt logfile.txt (1.0 KB, 0 views)
25 Dec 2015   #7
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

26 Dec 2015   #8
Jacee
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Please stay with your topic at Bleeping Computers and follow all instructions given there!
Startup item keeps coming back after disabling it - Am I infected? What do I do?

You will only confuse yourself opening the same topic on different forums.
27 Dec 2015   #9
jhefreyzz

Windows 7 Ultimate x86
 
 

Hello, thank you for the concern.

Somehow the helpful responses here helped me get rid of the virus.

It was like, after many scans from different scanners, it just became terminable. I used Autoruns and deleted the startup entry. I was expecting it to come back after it was deleted, but happily it didn't.

I traced the registry entry for that virus and deleted it.

I searched for a possible reappearance of the virus in the registry entry but it wasn't there.

I used Malwarebytes again one last time to look for any remains of the virus, and it detected nothing.

I think my system is already clean.

Thank you for the responses, guys.
27 Dec 2015   #10
Layback Bear

Windows 7 Pro. 64/SP-1
 
 

If your system is fixed, please inform the good folks at Bleeping Computer who are helping you.