
A while back I got infected with a bunch of viruses and malware. I've gotten rid of most of them with Malwarebytes, Windows Defender, and manually checking for unknown processes, for which I would open the file location and delete the file. I'm stuck with one last one which is especially annoying:

At random times (frequency from days in between to weeks in between), Google Chrome will crash and be removed from the taskbar. A fake Chrome and a fake Firefox will then be installed (they look and function the same, but aren't at the correct file path).

A few new folders are created as well. I delete them every time, but they are still created the next time the virus runs. It's slightly different each time, but the consistent ones are:

  1. A folder in %appdata% called "WinSapSvc" with a single file "WinSAP.dll". This file then shows up running in Task Manager.
  2. In Program Files (x86), multiple folders with long gibberish names (example: {61A49C04-9843-4B67-8890-1862F29D01AD}). These folders contain a second folder called "ALLOWDEL(more gibberish)", which contains a bunch of .exe and .dll files, and a .msi called Snarer.msi. Also a few files with no extension that look like JavaScript pertaining to Google Hangouts.

Edit #3: It turns off Windows Defender and makes it think definitions are 1 year out of date. It also seems to re-install Windows Defender.

Edit #2: One of the main things it does is launch a service called "kitty". It runs under svchost.exe with the command "C:\windows\system32\svchost.exe -k Kitty -s". I can't figure out how to get rid of this (though after stopping it, it started again, so maybe it's not the root problem).


This time I opened Task Manager right away when Google Chrome crashed and there were 10-20 PowerShell commands running that were quickly closing themselves. I assume that if I can figure out where these are being triggered from, I can finally kill the virus. Where might PowerShell commands be triggered from? Task Scheduler says no tasks ran in the last 24 hours.

  • Sounds like time to nuke and reinstall.
    – DavidPostill
    Commented Apr 29, 2017 at 9:12
  • I'd REALLY like to avoid that option if at all possible. I've customized this computer so much that there's no way to remember all the little tweaks I'd need to re-do.
    – Blaine
    Commented Apr 29, 2017 at 9:45
  • Couple of things for quick ideas... Do an offline scan with Defender Offline perhaps. Consider downloading and installing the Trojan remover software at simplysup.com; it's thorough and you get a free 30 day trial, and I've had success with this in the past when other AV or anti-malware failed. You may need to repair the OS afterward, when the bugs are removed, with advanced boot options and/or SFC /scannow. Lastly, start backing up your system and critical data to ensure you have a way to recover in the event it's needed. Sometimes blowing away the HD is the best approach in these cases. Commented Apr 29, 2017 at 14:48
  • @Spittin'IT are you saying that simplysup will potentially corrupt my bootloader and/or system files? ...why would it do that?
    – Blaine
    Commented Apr 30, 2017 at 2:27
  • No, that's what malware and malicious software can and will do, so once these are cleaned and off the machine, you'd then run the repair options after the bugs that cause the corruption are removed. Commented Apr 30, 2017 at 3:09

1 Answer


Well, I think I found the answer, for me at least. I had a service called BIT that was always running in the background and was running svchost with some extra parameters I didn't recognize. I deleted it with the commands below and haven't had an incident since. (I also ran Malwarebytes and the simplysup trojan scanner afterwards, which all came up positive, but since then haven't detected anything new.)

sc stop BIT

sc delete BIT

Update: The services re-install themselves after some time. I think the Spotify updater was infected, as each time Spotify updated, it would run the commands, install the services, and a bunch of other malware. After re-installing Spotify, I've not had any more problems.
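As an added example (not from the original question or answer), a PowerShell triage script that checks the places this thread touches: svchost-hosted services whose "-k" group is not registered under the Svchost registry key or whose ServiceDll sits outside %SystemRoot% (the "Kitty"/"BIT" service and the %APPDATA%\WinSapSvc\WinSAP.dll pattern described above), plus scheduled tasks, Run keys and permanent WMI event subscriptions that can launch short-lived PowerShell processes without showing up in Task Scheduler's "last run" view. It assumes Windows PowerShell 5.1 in an elevated session and only reports; it stops and deletes nothing.

```powershell
# Added triage script, not from the original post. Assumes Windows PowerShell 5.1
# in an elevated session. It only reports; nothing is stopped or deleted.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$knownGroups = (Get-Item $svchostKey).GetValueNames()      # legitimate "-k" group names
$systemRoot  = $env:SystemRoot.ToLower()

# 1. svchost-hosted services with an unregistered -k group, no ServiceDll, or a
#    ServiceDll outside %SystemRoot% (e.g. a DLL dropped under %APPDATA%).
$suspect = Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    if ($svc.PathName -notmatch 'svchost\.exe') { return }
    $group = if ($svc.PathName -match '-k\s+"?([^\s"]+)') { $Matches[1] } else { '' }
    $base  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    $dll   = foreach ($k in "$base\Parameters", $base) {     # ServiceDll may sit in either key
        if (Test-Path $k) { (Get-ItemProperty $k -ErrorAction SilentlyContinue).ServiceDll }
    }
    $dll   = @($dll | Where-Object { $_ })[0]
    $why   = @()
    if ($group -and $knownGroups -notcontains $group) { $why += "unregistered svchost group '$group'" }
    if (-not $dll) { $why += 'no ServiceDll registered' }
    elseif (-not [Environment]::ExpandEnvironmentVariables($dll).ToLower().StartsWith($systemRoot)) {
        $why += "ServiceDll outside SystemRoot: $dll"
    }
    if ($why) { [pscustomobject]@{ Service=$svc.Name; State=$svc.State; Path=$svc.PathName; Why=($why -join '; ') } }
}
$suspect | Format-Table -AutoSize -Wrap

# 2. Launch points that can spawn the short-lived powershell.exe processes.
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'powershell|cmd\.exe|wscript|mshta' }
} | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) { Get-ItemProperty $k | Select-Object * -ExcludeProperty PS* | Format-List }
}

# Permanent WMI subscriptions survive reboots and never appear in Task Scheduler history.
Get-WmiObject -Namespace root\subscription -Class __EventConsumer |
    Select-Object Name, __CLASS, CommandLineTemplate, ScriptText | Format-List
```

Any service it lists should be compared against a clean machine before acting on it, and a flagged ServiceDll path is worth checking with a scanner before the service is stopped and removed with `sc` as in the answer.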
