Solved Help with PowerShell?


REDDWARF
Hello everyone,

I'm assuming this is some kind of malware. No idea how it got on my system. Bright VPN had no entry under Add/Remove Programs. I had to manually search for and kill its executables. The Bright VPN background processes are no longer running in the background, but I'm assuming its trigger is still present on my system. MS Defender or Malwarebytes didn't catch this, unfortunately. Every time I restart my system, an Administrator window of PowerShell appears for a split second. A quick look in Autoruns shows it's related to BrightVPN (see pic), but I cannot delete it. I am 100% clueless when it comes to using PowerShell. Can somebody please tell me how to delete this autostart script?

Windows 11 22H2 Build 22621.1413

BrightVPN.jpg
 

My Computer

System One

  • OS
    11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    13700K
    Motherboard
    ASUS ROG STRIX Z690-E Gaming Wifi
    Memory
    32GB G.Skill DDR5 5600
    Graphics Card(s)
    ASUS Tuff RTX 3080TI
    PSU
    Corsair 850w
Since there's no Bright VPN entry in Programs and Features, it may be malware masquerading as Bright VPN. If I get a chance, I'll install Bright VPN in a VM and see if it creates a similar registry entry. Whatever put it there is a concern, especially as that is an HKLM entry. I wouldn't be satisfied until the source is identified.

But removal is not a PowerShell issue. It may, however, be a permission issue. That entry is located in a key named "Shell". Normally there is a "Shell" value set to "explorer.exe", but there isn't typically a Shell key.

Go into RegEdit and see if you can whack that Shell key. If not, reset that key's owner to "Administrators" and give "Administrators" Full access. Export the contents, so you can refer to it for further research, and then try to delete that key (and I'm assuming there is nothing else within that Shell key).
 

My Computer

System One

  • OS
    Windows 10/11
    Computer type
    Laptop
    Manufacturer/Model
    Acer
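The checks the reply above describes (the Winlogon "Shell" should be a value set to "explorer.exe", and a "Shell" subkey is abnormal; export before deleting) can be scripted so the state is recorded before anything is touched. The following is an added example written for this thread, not code from the forum or from Bright VPN; it also lists the HKLM/HKCU Run entries mentioned later in the thread. The export path on the Desktop and the `-Remove` switch are my own choices. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit the Winlogon Shell value/key and Run entries,
# export anything suspicious, and only delete the rogue key on request.
param([switch]$Remove)   # -Remove actually deletes the Shell subkey (assumed option)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. The Shell *value* under Winlogon is normally exactly "explorer.exe".
$shellValue = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shellValue -ne 'explorer.exe') {
    Write-Warning "Unexpected Winlogon Shell value: '$shellValue'"
} else {
    Write-Host "Winlogon Shell value is normal: $shellValue"
}

# 2. A Shell *subkey* under Winlogon is not normal. Report its values and
#    export the key (path is an assumption) before any removal.
$shellKey = Join-Path $winlogon 'Shell'
if (Test-Path $shellKey) {
    Write-Warning "Unexpected subkey found: $shellKey"
    Get-ItemProperty -Path $shellKey | Format-List

    $export = Join-Path $env:USERPROFILE 'Desktop\Winlogon-Shell-key.reg'
    reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' $export /y
    Write-Host "Exported the key to $export for later research."

    if ($Remove) {
        # Fails with "access denied" if the key's ACL/owner was changed;
        # reset the owner to Administrators in Regedit first, as the reply suggests.
        Remove-Item -Path $shellKey -Recurse -Force
        Write-Host "Deleted $shellKey"
    }
} else {
    Write-Host "No Shell subkey under Winlogon (expected)."
}

# 3. List Run entries and flag any that launch PowerShell or mention Bright VPN.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive properties
        $flag = if ("$($p.Value)" -match 'powershell|Bright VPN') { '  <-- review' } else { '' }
        '{0}\{1} = {2}{3}' -f $k, $p.Name, $p.Value, $flag
    }
}
```

Run it once without `-Remove` to see and save what is there; the exported .reg file keeps the exact command line the rogue entry used, which is the evidence worth holding on to when trying to identify what installed it.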
Do you actually have a C:\Program Files (x86)\Bright VPN folder? If so, it may contain an uninstaller.

Whatever it contains, save the contents to a different folder or flash drive! That will be vital to learn more!
 
I installed Bright VPN on a test machine. It did NOT create that registry entry. Its "run at startup" option just creates a typical HKCU Run key entry.

BTW, with Bright VPN running, I tried to download Autoruns. Google search showed the Sysinternals link right away. Clicking on that link just hung. Disabled Bright VPN and got right there. Re-enabled Bright VPN and then it was fine. Hmmm.
 

My Computer

System One

  • OS
    Windows 10/11
    Computer type
    Laptop
    Manufacturer/Model
    Acer
Have exactly the same issue on Windows 10 after installing something from an untrustworthy source.

"Bright VPN" and a "Web Indexing Service" suddenly appeared in my task bar. A PowerShell window pops up for a short amount of time at startup.
A folder at C:\Program Files (x86)\Bright VPN is present. It doesn't contain an uninstaller.

I have deleted the folder. This has led to an error in the PowerShell script on startup because it can't find the file that it wants to access.
shell.PNG

I have also found the registry key that is mentioned in @REDDWARF's Autoruns results:

registry.PNG

I will now delete the powershell ... part of that entry and restart to see what happens.
 

My Computer

System One

  • OS
    Windows 10
Deleting that part of the entry got rid of the PowerShell window on startup.
Autoruns also showed the service that was trying to start:
service.PNG
It couldn't start because the path was already deleted. I still deleted the entry.

System seems back to normal now.
 

My Computer

System One

  • OS
    Windows 10

Latest Support Threads

Back
Top Bottom