Powershell programs keeps enabling itself after disabling it

Hello I'm so frustrated on how this thing would vanished on my computer system. It keeps checked even though I disabled or uncheck it in the msconfig
here's what I am referring to.

Microsoft Operating System Microsoft Corporation C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\FeiSholEpOohbCv').sSqBn))); HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I try to delete the registry key but I can't delete it.
Going through the Run registry and found it but it keeps coming back.

What should I do.
I scanned my computer already with MBAM, Rogue Killer, Microsoft Windows Defender yet I get no possible virus infection.

Moreover I try to reg query it like this one
reg query "HKCU\Software\Classes\FeiSholEpOohbCv" /v "sSqBn"
and the result is in the attachment


Maybe someone can help me get rid of this virus or what this thing called

We've seen something like this before: PowerShell starts with Windows, can't disable it from msconfig.exe. The OP claimed that he was able to remove the start item after deleting PowerShell altogether! Not a great solution.

Btw, the data in the text file you've provided isn't complete; I wasn't able to decode it very well.

Try redirecting the registry value's contents directly to a file,

Code:

reg query "HKCU\Software\Classes\FeiSholEpOohbCv" /v "sSqBn" > "C:\Users\%USERNAME%\Desktop\FeiSholEpOohbCv.txt"

Thank you for the response sir.
I already did what you've said and I've attach the result file.

Hoping you could address my problem.

Hi,

I cannot help you combat viruses. I can only confirm to you that you're experiencing the exact same issue YUNoCake had in the thread I mentioned.

The data in that "sSqBn" registry value of yours, Jhefreyzz, decodes into the exact same script as YUNoCake's, but all the obfuscated variable names are different.

I'll see if I can get someone more experienced to help you remove that registry key and that startup entry.

Thank you for the suggestions

[x]Malwarebytes custom scan detects nothing
[✓] logfile attached
[✓] software updated before full scan
[x]SAS sames result with Malwarebytes
[✓] no logfile was attached as it detects almost 1000 threats yet it was browser cookies, some virus false detection
[✓] TFC run and clean the system
[✓] I run autoruns and found out that the persistent startup item is hidden
Screenshot attached:


I wondered after I run autoruns and try to delete the persistent item is disappears from startup item but then again I try to trace if there's still the virus and without a surprise I found out that the registry key is still present while on the CurrentVersion\Run has empty entries
pictures show below

Try to delete the key it says "Cannot delete FeiSholEpOohbCv: Error while deleting the key

hello thank you for the concern.

Somehow helpful response here help me get rid of the virus.

It was like after many scan from different scanners it was just become terminable. I used Autoruns and delete the startup entry. I was expect it to come back after it was deleted but happily it wasn't

I traced the registry entry for that virus and delete it.

I searched for possible reappearance of the virus on the registry entry but it wasn't there.

I used malwarebytes again for the last time for the remains of the virus if it was there and detect nothing.

I think my system is already clean.

Thank you for the response guys