PowerShell starts with Windows, can't disable it from msconfig.exe

Page 1 of 2

  1. Posts : 8
    Windows 7 Ultimate 64bit
       #1

    PowerShell starts with Windows, can't disable it from msconfig.exe


    I have just figured out there's a startup item in msconfig under the name of "Microsoft® Windows® Operating System". Apparently it launches PowerShell with some weird arguments and I can't disable it. Here's a screenshot:


    I can see it's something to do with a character string, and I'm afraid it's a keylogger.
    What do you think? Is it a virus? If yes, how do I remove it?

    P.S.: I've tried deleting the WindowsPowerShell folder under system32 but it requires permission from TrustedInstaller to remove, and it will just not let me take ownership of the folder. Oh, and I've searched for it in "Add or remove programs", it's not there.


  2. Posts : 8
    Windows 7 Ultimate 64bit
    Thread Starter
       #2

    Here's a screenshot of the registry key mentioned in the arguments


  3. Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       #3

    Looks nasty to me. The fact that the PowerShell line is using the Invoke-Expression (alias: iex) cmdlet already sets off alarms. This cmdlet allows dynamic code to be run, which is rarely something your typical script needs to do.

    If you cannot disable or remove this startup item from msconfig, I'd delete the registry key the PowerShell line mentions... But before you do that, run the below Command Prompt command and post here the data of this 'GAZADSLU' value in your registry, so we can figure out what exactly the PowerShell startup line is doing.
    Code:
    reg query "HKCU\Software\Classes\FYTNHRWPQH" /v "GAZADSLU"
    P.S.: Please do not delete the WindowsPowerShell folder. Windows likes it there.


  4. Posts : 8
    Windows 7 Ultimate 64bit
    Thread Starter
       #4

    Pyprohly said:
    Looks nasty to me. The fact that the PowerShell line is using the Invoke-Expression (alias: iex) cmdlet already sets off alarms. This cmdlet allows dynamic code to be run, which is rarely something your typical script needs to do.

    If you cannot disable or remove this startup item from msconfig, I'd delete the registry key the PowerShell line mentions... But before you do that, run the below Command Prompt command and post here the data of this 'GAZADSLU' value in your registry, so we can figure out what exactly the PowerShell startup line is doing.
    Code:
    reg query "HKCU\Software\Classes\FYTNHRWPQH" /v "GAZADSLU"
    P.S.: Please do not delete the WindowsPowerShell folder. Windows likes it there.
    I have just tried your command but it gave me this error


    Anyways, I have exported the registry key to a txt file using this command


    The export.txt file is too large to upload on this site, so I'll upload it here: export.txt :: Free File Hosting - File Dropper: File Host for Mp3, Videos, Music, Documents.


  5. Posts : 8
    Windows 7 Ultimate 64bit
    Thread Starter
       #5

    I'd delete the registry key the PowerShell line mentions
    Oh, by the way, that was the first thing that came into my mind, but when I try it says "Unable to delete all specified values". Any other way to get rid of it?


  6. Posts : 461
    Win 10 Pro x64, Win 7 Pro x64
       #6

    Looks like a remnant of Poweliks or ZeroAccess Rootkit... have you seen signs of infection recently?

    Poweliks is malware with rootkit-like features and no file on disk (it passes directly from the registry to memory at boot time). The payload (the malware file) is stored in an encrypted registry value and loaded at boot time by a Run key that calls the rundll32 process on an encrypted JavaScript payload.

    Once the payload is loaded in rundll32, it tries to execute an embedded PowerShell script in interactive mode (no UI). That PowerShell script contains a base64-encoded payload (another one) which will be injected into a dllhost process (the persistent item), which will be zombified and act as a trojan downloader for other infections.

    The dllhost injected thread is also responsible for protecting the registry value (persistence item) by recreating it when removed. This is why it’s necessary to shutdown the process first...

    ...Value name and Subkey name are injected with unicode characters, so that the high level API cannot read them, and remove them.
    Poweliks removal:
    - RogueKiller: Poweliks removal with RogueKiller
    - ESET Poweliks Cleaner: ESET :: Download :: Utilities :: Detail :: Poweliks Cleaner
    - Google search: Poweliks removal

    You should probably have a Security expert scan your system... I am NOT an expert I just play one on TV

    HTH :)
    Last edited by Urthboundmisfit; 02 Oct 2015 at 09:37. Reason: added links
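An added example, not code from this thread: a read-only PowerShell audit that covers both Pyprohly's advice (look at what the startup line actually references before deleting anything) and Urthboundmisfit's description of registry-resident launchers that hide behind odd value names. It assumes the standard Run/RunOnce keys; the list of suspicious tokens is constructed for illustration, and the thread's own key name appears only in a comment.

```powershell
# Added example (not from the thread): audit Run/RunOnce autostart entries for
# PowerShell/rundll32 launchers of the kind described above. Read-only; it
# changes nothing. Run from an elevated prompt so HKLM entries are readable.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed list of tokens that rarely belong in a legitimate autostart line.
$suspicious = 'powershell', 'iex', 'invoke-expression', '-enc', '-encodedcommand',
              'frombase64string', 'rundll32', 'javascript:', 'mshta', 'wscript', 'hidden'

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $cmd  = [string]$regKey.GetValue($name)
        $hits = @($suspicious | Where-Object { $cmd -match [regex]::Escape($_) })
        # Control characters in a value name are a red flag on their own: as the post
        # says, such names defeat regedit and other high-level tools, so this check is
        # best-effort and a truncated or empty name here is itself worth noting.
        $oddName = ($name -match '[\x00-\x1F\x7F]') -or ($name -eq '')
        if ($hits.Count -gt 0 -or $oddName) {
            Write-Output "[!] $key\$name"
            Write-Output "    command   : $cmd"
            if ($hits.Count -gt 0) { Write-Output "    matched   : $($hits -join ', ')" }
            if ($oddName) { Write-Output "    value name is empty or contains control characters" }
            # Decode a -EncodedCommand payload (base64 of UTF-16LE text) for inspection.
            if ($cmd -match '-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
                try {
                    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
                    Write-Output "    decoded   : $decoded"
                } catch { Write-Output "    decoded   : (not valid base64)" }
            }
            # The launcher in this thread pulls its real script from another registry
            # value (HKCU:\Software\Classes\...); surface any such reference so the
            # referenced value's data can be inspected next, as Pyprohly suggested.
            if ($cmd -match 'HK(CU|LM)[:\\][^\s''"]+') {
                Write-Output "    references: $($Matches[0])"
            }
        }
    }
}
```

Review the flagged entries by hand; a legitimate vendor updater can trip the token list, so the decoded command and the referenced registry data, not the match alone, decide whether an entry is hostile.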


  7. Posts : 8
    Windows 7 Ultimate 64bit
    Thread Starter
       #7

    have you seen signs of infection recently?
    Well, a few days ago one of my USB thumb drives got infected with that common shortcut virus (from a library computer). I think it's because of that.


  8. Posts : 8
    Windows 7 Ultimate 64bit
    Thread Starter
       #8


    Looks like it's something else, but not Powerliks


  9. Posts : 461
    Win 10 Pro x64, Win 7 Pro x64
       #9

    These monsters are constantly evolving and adapting...


    Which is why I suggested:

    You should probably have a Security expert scan your system... I am NOT an expert I just play one on TV


  10. Posts : 8
    Windows 7 Ultimate 64bit
    Thread Starter
       #10

    Urthboundmisfit said:
    Which is why I suggested:

    You should probably have a Security expert scan your system... I am NOT an expert I just play one on TV
    Nah, I'll just make a little startup program to close PowerShell.

