A while back I got infected with a bunch of viruses and malware. I've gotten rid of most of them with Malwarebytes, Windows Defender, and manually checking for unknown processes, which I would open their file location and delete. I'm stuck with one last one which is especially annoying:
At random times (frequency from days in between to weeks in between), google chrome will crash and be removed from the taskbar. Another fake chrome and fake firefox will then be installed (look and function the same, but aren't the correct filepath).
A few new folders are created as well. I delete them every time, but they are still created the next time the virus runs. It's slightly different each time, but the consistent ones are:
- a folder in %appdata% called "WinSapSvc" with a single file "WinSAP.dll". This file then runs in Task Manager
- In Program Files (x86) multiple folders of long gibberish (example: {61A49C04-9843-4B67-8890-1862F29D01AD}). These folders contain a 2nd folder called "ALLOWDEL(more gibberish)", which contain a bunch of .exe and .dll files, and a .msi called Snarer.msi. Also a few files w/ no extension that look like javascript that pertains to google hangouts.
Edit #3: It turns off Windows Defender and makes it think definitions are 1 year out of date. It also seems to re-install Windows Defender.
Edit #2: One of the main things it does is launch a service called "kitty". It runs under svchost.exe with the command "C:\windows\system32\svchost.exe -k Kitty -s". I can't figure out how to get rid of this (though after stopping it, it started again, so maybe it's not the root problem).
This time I opened Task Manager right away when Google Chrome crashed and there were 10-20 PowerShell commands running that were quickly closing themselves. I assume if I can figure out where these are being triggered from, I can finally kill the virus. Where might PowerShell commands be triggered from? Task Scheduler says no tasks ran in the last 24 hours.
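The question above is essentially "where can a Windows process be launched from that Task Scheduler's recent-history view would not show me?" The script below is an added example written for this thread, not something the poster or any answer supplied: it walks the usual persistence locations (svchost service groups, service ImagePath/ServiceDll values, scheduled tasks regardless of last run time, Run/RunOnce keys, WMI event subscriptions), then registers a watcher that records the parent process of every new powershell.exe so the next outbreak reveals its launcher. The group name "Kitty" and the file name "WinSAP.dll" are taken from the post; the log path and the watcher name are assumptions. Run it from an elevated PowerShell 5.1 prompt and leave it open until Chrome crashes again.

```powershell
# Added example (not from the original post): defensive enumeration of the
# persistence locations that can launch PowerShell, plus a parent-process
# watcher. Names "Kitty" and "WinSAP.dll" come from the post; $logFile and the
# watcher source identifier are assumptions chosen for this example.
$ErrorActionPreference = 'SilentlyContinue'
$logFile = 'C:\Temp\powershell-launches.log'   # assumed location

# 1. svchost service groups are defined here. "-k Kitty" means a service was
#    registered under a group the OS did not create; list its members.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$groups = Get-ItemProperty -Path $svchostKey
foreach ($prop in $groups.PSObject.Properties) {
    if ($prop.Name -eq 'Kitty') {
        "svchost group '$($prop.Name)' hosts services: $($prop.Value -join ', ')"
    }
}

# 2. Any service whose ImagePath uses that group, or whose ServiceDll is the
#    WinSAP.dll dropped in %APPDATA%, is the thing to disable and remove.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath
    $dll = (Get-ItemProperty "$($_.PSPath)\Parameters").ServiceDll
    if ($svc.ImagePath -match '-k\s+Kitty' -or $dll -match 'WinSAP\.dll') {
        [pscustomobject]@{
            Service    = $_.PSChildName
            ImagePath  = $svc.ImagePath
            ServiceDll = $dll
        }
    }
}

# 3. Scheduled tasks whose action runs powershell.exe, whether or not they ran
#    recently. The "last 24 hours" view in Task Scheduler hides dormant tasks.
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object {
        $_.Execute -match 'powershell' -or $_.Arguments -match 'powershell'
    }
} | Select-Object TaskName, TaskPath, State

# 4. Classic autostart keys for both the machine and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key | ForEach-Object {
        $_.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$key\$($_.Name) = $($_.Value)" }
    }
}

# 5. Permanent WMI event subscriptions launch commands with no task or service
#    at all; a clean machine normally has none of these bindings.
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter |
    Select-Object Name, Query
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer

# 6. Watcher: log the parent of every new powershell.exe. Win32_ProcessStartTrace
#    fires at process start, so the parent is looked up before the child exits.
New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null
Register-CimIndicationEvent `
    -Query "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'powershell.exe'" `
    -SourceIdentifier 'PsLaunchWatcher' `
    -MessageData $logFile `
    -Action {
        $e      = $Event.SourceEventArgs.NewEvent
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"
        $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)"
        $line   = '{0} child PID {1} cmd=[{2}] parent PID {3} name={4} cmd=[{5}]' -f `
            (Get-Date -Format o), $e.ProcessID, $child.CommandLine,
            $e.ParentProcessID, $parent.Name, $parent.CommandLine
        Add-Content -Path $Event.MessageData -Value $line
    } | Out-Null
"Watching for powershell.exe launches; entries go to $logFile. Unregister with: Unregister-Event -SourceIdentifier PsLaunchWatcher"
```

Sections 1 and 2 answer the "kitty" question directly: stopping the service restarts it because the registry entry is still there, so the service key (and the DLL it points to) has to be removed before the process stays dead. Section 6 answers the PowerShell question: the log line names the parent process and its command line, which is usually a scheduled task (svchost.exe running the Schedule group), a service, or a WMI consumer, and that tells you which of the earlier sections to go back to. Sysinternals Autoruns covers the same locations interactively if you prefer a GUI.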
SFC /scannow. Lastly, start backing up your system and critical data to ensure you have a way to recover in the event it's needed. Sometimes blowing away the HD is the best approach in these cases.