Have you installed the Play Store on Windows 11? Read this now


In March 2022, we published instructions for installing the Google Play Store on Windows 11. The method involved an open source project from GitHub. Unfortunately, it contained malware. Here’s how to fix it.

Let’s start with the important part:

At this time, we have no reason to believe that any of your sensitive information has been compromised.

Here’s what happened

Windows 11 introduced the ability to install Android apps, but not via the Google Play Store. Naturally, people started looking for ways to get around this. The tutorial we posted contained instructions for downloading a script from a third-party website. Over the weekend, a group working on the script discovered that it contained malware.

Note: Some other sites have also recommended this script. Even if you followed another website’s tutorial, you may have downloaded the script that contains the malware.

What did the script do?

The script downloaded a tool – Windows Toolbox – which includes a feature to install the Google Play Store on your Windows 11 device. Unfortunately, the script that downloaded Windows Toolbox did more than what was advertised. It also contained obfuscated code that set up a series of scheduled tasks and created a browser extension targeting Chromium-based browsers – Google Chrome, Microsoft Edge, and Brave. Only Windows PCs with their language set to English were targeted.

The browser extension then ran in a “headless” browser window in the background, effectively hiding it from the user. At this time, the group that discovered the malware believes that the primary purpose of the extension is ad fraud, and not anything more serious.

The scheduled tasks also ran a few other scripts that serve different purposes. For example, one monitors the active processes on the computer and kills the browser and extension used for ad fraud any time Task Manager is opened. So even if you notice that your system is acting a bit slow and go looking for the problem, you won’t find one. A separate scheduled task, set to run every 9 minutes, restarts the browser and the extension.

More worrisome, a pair of the generated tasks use curl to download files from the original website that delivered the malicious script, and then execute whatever was downloaded. The tasks are set to run every 9 minutes after the user logs into their account. In theory, this could have been used to deliver updates to the malicious code to add functionality to the existing malware, to drop completely separate malware, or whatever else the author wanted.

Fortunately, whoever was behind the attack never got that far – as far as we know, the curl task was never used for anything more than downloading a test file named “asd”, which did nothing. The domain from which the curl task downloaded files has since been taken down thanks to Cloudflare’s quick action. This means that even if the malware is still running on your device, it cannot download anything else. You just need to remove it, and you are good to go.
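As an added example (not code from the original article or from the group that analyzed the malware), the following PowerShell hunts Task Scheduler for the behaviours described above rather than for specific task names: an action that runs curl, a browser launched with --headless, or a trigger repeating every 9 minutes. It assumes an elevated PowerShell on Windows 10/11; the matching logic is a constructed heuristic, so review any hit before acting on it.

```powershell
# Added example (not from the original article): hunt Task Scheduler for the
# behaviours described above instead of relying on the specific task names.
# Assumptions: run from an elevated PowerShell on Windows 10/11. The signals
# (curl in a task action, a --headless browser, a 9-minute repetition) come
# from the article; the matching itself is a constructed heuristic and a
# legitimate task could match, so review each hit before removing anything.
function Find-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask) {
        $reasons = @()
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry Execute/Arguments; COM-handler actions give empty strings
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match '(^|\\|\s)curl(\.exe)?(\s|$)') { $reasons += "runs curl: $cmd" }
            if ($cmd -match '--headless')                  { $reasons += "headless browser: $cmd" }
        }
        foreach ($trigger in $task.Triggers) {
            # Repetition.Interval is an ISO 8601 duration; PT9M means every 9 minutes
            if ($trigger.Repetition.Interval -eq 'PT9M') { $reasons += 'repeats every 9 minutes' }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

# Print every task that matched at least one signal, with the reasons
Find-SuspiciousTasks | Format-Table -AutoSize
```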

Note: To reiterate, because Cloudflare has removed the domain, the malware cannot download any additional software or receive any commands.

If you’re interested in reading a detailed breakdown of how the malware is delivered, and what each task does, it’s available on GitHub.

How to fix it

There are two options available to fix it. The first is to manually delete all of the affected files and scheduled tasks yourself. The second is to use a script written by the people who discovered the malware in the first place.

Note: Currently, no antivirus software will detect or remove this malware if it is running on your device.

Manual cleaning

We’ll start by deleting all of the malicious tasks, then we’ll delete all of the files and folders the malware created.

Remove malicious tasks

All of the tasks created by the malware are buried in Task Scheduler under Microsoft > Windows. Here’s how to find and remove them.

Click Start, type “task scheduler” in the search bar and press Enter or click Open.

Click the Start button, type "Task Scheduler" in the search bar, then click "Open."

You need to get to Microsoft > Windows. To do so, double-click “Task Scheduler Library”, then “Microsoft”, then “Windows”, in that order. The same applies to expanding any of the task folders listed below.

Example of the Task Scheduler hierarchy.

Once you’re there, you’re ready to start deleting tasks. The malware creates up to 8 tasks.

Note: Because of how the malware works, you may not have all of the tasks listed.

Delete any of the following that exist:

  • Application ID > VerifiedCert
  • Application Experience > Maintenance
  • Services > CertPathCheck
  • Services > CertPathw
  • Service > ComponentCleanup
  • Services > Cleaning Service
  • Shell > ObjectTask
  • Clip > Cleaning Service

Once you have identified a malicious task in Task Scheduler, right-click on it and click Delete.

Warning: Do not delete any tasks other than the specific tasks mentioned above. Most of the tasks here are created by Windows itself or by legitimate third-party apps.

Right-click on the task, then click "Delete."

Delete all of the tasks from the list above that you can find, and then you are ready to move on to the next step.

Remove malicious files and folders

The malware creates only a few files, and fortunately, they are contained in only three folders:

  • C:\systemfile
  • C:\Windows\Security\pywinvera
  • C:\Windows\Security\pywinveraa

First, open File Explorer. At the top of File Explorer, click View, go to Show, and then make sure Hidden Items is checked.

Click "View," then hover over "Show," then check "Hidden items."

Look for a slightly transparent folder called “systemfile”. If it is there, right-click on it and click Delete.

Update: There have been some reports that the systemfile folder remains invisible even when Show Hidden Items is enabled. We can’t replicate this behavior, but you should still check for yourself out of an abundance of caution. Enter the path “C:\systemfile” in the address bar of File Explorer and press Enter. If you can open the folder by entering the path manually but cannot see it in File Explorer, use the removal script described below to ensure that the folder and all of its contents are deleted.

Warning: Make sure you have selected the correct folders before deleting them. Accidentally deleting real Windows folders can cause problems. If you do, restore them from the Recycle Bin as soon as possible.

Right-click "systemfile" if it is present, then click "Delete."

Once the systemfile folder has been deleted, double-click the Windows folder, then scroll until you find the Security folder. You are looking for two folders: one called “pywinvera” and one called “pywinveraa”. Right-click on each of them, then click Delete.

Delete pywinvera and pywinveraa

Note: Deleting files and folders within the Windows folder will likely trigger a prompt about needing administrative privileges. If prompted, go ahead and allow it. (Be sure to delete only the files and folders mentioned here.)

You’re done – while this malware was annoying, it didn’t do much to protect itself.
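The manual steps above, collected into one script as an added example (this is not the article’s Removal.ps1 or the analysis group’s code): it checks for each listed scheduled task and folder and removes only the ones that exist. It assumes an elevated PowerShell, and the task folders and names are copied from the list above, so adjust them if Task Scheduler shows them differently.

```powershell
# Added example (not the article's Removal.ps1): check for the scheduled tasks
# and folders listed in the manual steps and remove the ones that exist.
# Assumptions: elevated PowerShell; the task folders and names are copied from
# the article's list, so verify $tasks against Task Scheduler before running.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$tasks = @(
    @{ Path = '\Microsoft\Windows\Application ID\';         Name = 'VerifiedCert'     }
    @{ Path = '\Microsoft\Windows\Application Experience\'; Name = 'Maintenance'      }
    @{ Path = '\Microsoft\Windows\Services\';               Name = 'CertPathCheck'    }
    @{ Path = '\Microsoft\Windows\Services\';               Name = 'CertPathw'        }
    @{ Path = '\Microsoft\Windows\Service\';                Name = 'ComponentCleanup' }
    @{ Path = '\Microsoft\Windows\Services\';               Name = 'Cleaning Service' }
    @{ Path = '\Microsoft\Windows\Shell\';                  Name = 'ObjectTask'       }
    @{ Path = '\Microsoft\Windows\Clip\';                   Name = 'Cleaning Service' }
)
$folders = @(
    'C:\systemfile'
    'C:\Windows\Security\pywinvera'
    'C:\Windows\Security\pywinveraa'
)

foreach ($t in $tasks) {
    # Get-ScheduledTask errors on a missing task, so silence that and test for $null
    $found = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
    if (-not $found) { continue }
    Write-Host "Found task: $($t.Path)$($t.Name)"
    if ($PSCmdlet.ShouldProcess("$($t.Path)$($t.Name)", 'Unregister scheduled task')) {
        Unregister-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -Confirm:$false
    }
}

foreach ($f in $folders) {
    # Test-Path sees hidden folders, and -Force lets Remove-Item delete hidden contents
    if (-not (Test-Path -LiteralPath $f)) { continue }
    Write-Host "Found folder: $f"
    if ($PSCmdlet.ShouldProcess($f, 'Remove folder')) {
        Remove-Item -LiteralPath $f -Recurse -Force
    }
}
```

Save it as a .ps1 file and run it with -WhatIf first to see what it would remove without deleting anything.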

Cleaning with a script

The same people who discovered the malware in the first place also spent the weekend dissecting the malicious code, determining how it works, and eventually writing a script to remove it. We would like to give a shout out to the team for their efforts.

You are right to be wary of trusting another script from GitHub given how we got here. However, the circumstances are somewhat different. Unlike the script involved in delivering the malicious code, the removal script is short, and we checked it manually – every line. We also host the file ourselves to ensure that it cannot be updated without giving us the opportunity to manually check that it is safe. We tested this script on multiple devices to make sure it is effective.

First, download the zipped script from our website, then extract the script anywhere you want.

Then you need to enable scripts. Click the Start button, type “PowerShell” in the search bar, and then click Run as administrator.

click "Run as administrator."

Then type or paste set-executionpolicy remotesigned into the PowerShell window, press Enter, and then press Y to confirm. You can then close the PowerShell window.

Enter the command into PowerShell, then press Enter.

Go to the folder where you extracted the script, right-click on Removal.ps1, and click Run with PowerShell. The script will scan your system for the malicious tasks, folders, and files.

click "Run with PowerShell."

If they exist, you will be given the option to delete them. Type “Y” or “y” into the PowerShell window, then press Enter.

The script confirmed the presence of malware.

The script will then delete all the unwanted files created by the malware.

The script removed the malware.

Once the removal script has run, return the script execution policy to the default setting. Open PowerShell as administrator, enter set-executionpolicy default, press Enter, and then press Y. Then close the PowerShell window.

What were they up to?

The situation is developing, and we are watching things as they happen. There are still some unanswered questions – like why some people reported installing an unexplained OpenSSH server. If any important new information comes out, we’ll make sure to keep you updated.

Editor’s note: Over the past 15 years, we’ve seen many Windows apps and browser extensions turn to the dark side. We strive to be incredibly careful and only recommend trustworthy solutions to our readers. Because of the increasing risks that malicious actors pose to open source projects, we will be more careful with future recommendations.

In addition, we would like to emphasize once again that there is no evidence that your sensitive information has been compromised. The domain on which the malware relies has now been removed, and its creators can no longer control it.

Once again, we would like to give special thanks to the people who worked out how the malware works and wrote a script to remove it automatically. In no particular order:

  • Papomaki
  • BlockyTheDev
  • blubbablasen
  • Kai
  • Yemen 0
  • LinuxUserGD
  • Mikasa
  • my choice
  • Sonnenläufer
  • Zergo 0
  • Zuescho
  • cerno
  • Haruman
  • Jan mm 14
  • Luzidev
  • XplLiciT
  • zarether
