In March 2022, we published instructions for installing the Google Play Store on Windows 11. The method relied on an open source project hosted on GitHub. Unfortunately, the script it used contained malware. Here's how to remove it.
Let’s start with the important part:
At this time, we have no reason to believe that any of your sensitive information has been compromised.
Here’s what happened
Windows 11 introduced the ability to install Android apps, but not through the Google Play Store, so naturally people started looking for ways around that restriction. The tutorial we posted included instructions for downloading a script from a third-party website. Over the weekend, a group working on the script discovered that it contained malware.
Note: Other sites have also recommended this script. Even if you followed another website's tutorial, you may have downloaded the script that contains the malware.
What did the script do?
The script downloaded a tool, Windows Toolbox, which includes a feature to install the Google Play Store on a Windows 11 device. Unfortunately, the script that downloaded Windows Toolbox did more than it advertised. It also contained obfuscated code that set up a series of scheduled tasks and created a browser extension targeting Chromium-based browsers: Google Chrome, Microsoft Edge, and Brave. Only Windows PCs with their language set to English were targeted.
The browser extension then ran in a "headless" browser window in the background, effectively hiding it from the user. At this time, the group that discovered the malware believes the primary purpose of the extension is ad fraud, not anything more serious.
The scheduled tasks also ran a few other scripts that serve different purposes. One, for example, monitors the running processes and kills the browser and extension used for ad fraud whenever Task Manager is opened, so even if you notice your system running a bit slow and go looking for the cause, you won't find it. A separate scheduled task, set to run every 9 minutes, restarts the browser and the extension.
More worrying, a pair of tasks used curl to download files from the same website that delivered the malicious script, then executed whatever was downloaded. These tasks run every 9 minutes after the user logs in. In theory, this could have been used to push updates that add functionality to the existing malware, to deliver entirely separate malware, or whatever else the author wanted.
Fortunately, whoever was behind the attack never got that far: as far as we know, the curl task was only ever used to download a test file named "asd", which did nothing. The domain the curl task downloaded from has since been taken down thanks to Cloudflare's quick action. This means that even if the malware is still running on your device, it cannot download anything else. You just need to remove it and you're good to go.
Note: To reiterate: because Cloudflare has removed the domain, the malware cannot download any additional software or receive any commands. It does keep running until you remove it, though.
If you're interested in a detailed breakdown of how the malware is delivered and what each task does, it's available on GitHub.
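The behaviour described above (a curl download-and-execute stage, a headless Chromium browser with a side-loaded extension, a watcher for Task Manager, and tasks that repeat every 9 minutes after logon) can be hunted for directly instead of relying on task names. The PowerShell below is an added example written for this article; it is not the article's own procedure and not the analysis team's tooling. The regular expressions, the Chromium command-line flags it looks for (`--headless`, `--load-extension=`) and the `PT9M` interval check are assumptions about how such tasks are built, not confirmed signatures for this specific malware, so treat every hit as something to inspect by hand in Task Scheduler.

```powershell
# Added example: hunt for scheduled tasks under \Microsoft\Windows\ whose actions,
# triggers or settings match the behaviour the article describes. The patterns are
# assumptions about how such tasks look; they are not known-good signatures.
# Runs from a normal (non-elevated) PowerShell window.

$suspicious = @{
    'curl download-and-execute'  = '(^|\\|\s)curl(\.exe)?(\s|$)'   # curl.exe ships with Windows, so confirm the URL
    'headless browser'           = '--headless'                   # hidden browser window
    'side-loaded extension'      = '--load-extension='            # unpacked extension passed on the command line
    'folder named in the article' = 'pywinvera|systemfile'
    'watches Task Manager'       = 'taskmgr'
}

function Get-SuspiciousTask {
    # Only the Microsoft\Windows subtree, which is where the malware hid its tasks.
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\*' }

    foreach ($task in $tasks) {
        $reasons = New-Object System.Collections.Generic.List[string]

        foreach ($action in $task.Actions) {
            # Exec actions carry Execute/Arguments; COM-handler actions leave both empty.
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if (-not $cmd) { continue }
            foreach ($label in $suspicious.Keys) {
                if ($cmd -match $suspicious[$label]) { $reasons.Add("$label [$cmd]") }
            }
        }

        foreach ($trigger in $task.Triggers) {
            # The article: the tasks re-run every 9 minutes once the user has logged on.
            if ($trigger.Repetition.Interval -eq 'PT9M') {
                $reasons.Add("repeats every 9 minutes ($($trigger.CimClass.CimClassName))")
            }
        }

        # A task flagged Hidden does not show in the Task Scheduler UI by default.
        if ($task.Settings.Hidden) { $reasons.Add('hidden from the Task Scheduler UI') }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousTask | Format-List
```

A hit on the curl pattern alone is weak evidence on its own, because Windows 10 and 11 ship `curl.exe` in System32 and legitimate tasks may use it; the combination of a curl action with a 9-minute repetition trigger, or a browser launched with both `--headless` and `--load-extension=`, is what matches the behaviour in this article.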
How to fix it
There are two ways to fix it. The first is to manually delete all the affected files and scheduled tasks yourself. The second is to use a script written by the people who discovered the malware in the first place.
Note: At the time of writing, no antivirus software detects or removes this malware if it is running on your device.
We'll start by deleting all the malicious tasks, then delete all the files and folders the malware created.
Remove malicious tasks
All of the malicious tasks are buried in Task Scheduler under Microsoft > Windows. Here's how to find and remove them.
Click Start, type "task scheduler" in the search bar, and press Enter or click Open.
You need to get to Microsoft > Windows. Double-click "Task Scheduler Library", then "Microsoft", then click "Windows", in that order. The locations of the tasks listed below are all relative to that folder.
Once you're there, you're ready to start deleting tasks. The malware creates up to 8 tasks.
Note: Because of how the malware works, you may not have every task listed.
Delete any of the following that exist:
- Application ID > VerifiedCert
- Application Experience > Maintenance
- Services > CertPathCheck
- Services > CertPathw
- Service > ComponentCleanup
- Services > Cleaning Service
- Shell > ObjectTask
- Clip > Cleaning Service
Once you have identified a malicious task in Task Scheduler, right-click it and choose Delete.
Warning: Do not delete any tasks other than the specific ones listed above. Most of the tasks in this part of the tree are created by Windows itself or by legitimate third-party apps.
Delete every task from the list above that you can find, then move on to the next step.
Remove malicious files and folders
The malware creates only a few files, and fortunately they are contained in just three folders:
- C:\systemfile
- C:\Windows\security\pywinvera
- C:\Windows\security\pywinveraa
First, open File Explorer. At the top of File Explorer, click View, go to Show, and make sure Hidden Items is checked.
Open the C:\ drive and look for a somewhat transparent (hidden) folder called "systemfile". If it's there, right-click it and choose Delete.
Update: There have been some reports that the systemfile folder remains invisible even with hidden items shown. We can't reproduce this behavior, but you should check for yourself out of an abundance of caution: type "C:\systemfile" into the File Explorer address bar and press Enter. If you can open the folder by entering the path manually but cannot see it in File Explorer, use the removal script described below to make sure the folder and all of its contents are deleted.
Warning: Make sure you have selected the right folders before deleting. Accidentally deleting real Windows folders can cause problems; if you do, restore them from the Recycle Bin as soon as possible.
Once the systemfile folder is gone, go back to C:\, double-click the Windows folder, then scroll until you find the Security folder and open it. You're looking for two folders: one called "pywinvera" and one called "pywinveraa". Right-click each of them and click Delete.
Note: Deleting files and folders inside the Windows folder will likely trigger a prompt for administrative privileges. If asked, go ahead and allow it. (Be sure to delete only the files and folders mentioned here.)
You're done. While this malware was annoying, it didn't do much to protect itself.
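The manual steps above (delete the listed tasks, then the three folders) can be scripted so that the check and the deletion are repeatable, including the case where Explorer refuses to show the systemfile folder. The PowerShell below is an added example written for this article; it is not the removal script produced by the team that analysed the malware, and it only automates the steps already described. The task and folder names are transcribed exactly as the article lists them, so if a task on your machine is spelled slightly differently the script will report it as absent; for that reason it also prints every task in those folders so you can compare by hand. The step that stops a running headless browser launched with `--load-extension=` is an assumption about how the "restart every 9 minutes" task keeps the extension alive. Run it from a PowerShell window opened with Run as administrator, since the folders under C:\Windows need administrative rights.

```powershell
# Added example: automate the article's manual removal steps. Not the analysis
# team's removal script. Names below are copied from the article's lists.
#Requires -RunAsAdministrator

# Scheduled tasks, relative to the \Microsoft\Windows\ folder, as the article lists them.
$taskPaths = @(
    '\Microsoft\Windows\Application ID\VerifiedCert'
    '\Microsoft\Windows\Application Experience\Maintenance'
    '\Microsoft\Windows\Services\CertPathCheck'
    '\Microsoft\Windows\Services\CertPathw'
    '\Microsoft\Windows\Service\ComponentCleanup'
    '\Microsoft\Windows\Services\Cleaning Service'
    '\Microsoft\Windows\Shell\ObjectTask'
    '\Microsoft\Windows\Clip\Cleaning Service'
)

# Folders the article says the malware creates.
$folders = @(
    'C:\systemfile'
    'C:\Windows\security\pywinvera'
    'C:\Windows\security\pywinveraa'
)

function Remove-ToolboxMalware {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Stop any browser the restart task may have relaunched (assumption: a Chromium
    #    binary started with --headless and an unpacked extension), so the extension
    #    is not running while its files are deleted.
    Get-CimInstance Win32_Process |
        Where-Object { $_.CommandLine -match '--headless' -and $_.CommandLine -match '--load-extension=' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("PID $($_.ProcessId) ($($_.Name))", 'Stop headless browser')) {
                Stop-Process -Id $_.ProcessId -Force
            }
        }

    # 2. Scheduled tasks. Get-ScheduledTask wants the folder (with trailing '\') and the name separately.
    foreach ($path in $taskPaths) {
        $taskFolder = (Split-Path $path -Parent) + '\'
        $taskName   = Split-Path $path -Leaf
        $task = Get-ScheduledTask -TaskPath $taskFolder -TaskName $taskName -ErrorAction SilentlyContinue
        if (-not $task) { Write-Host "absent : $path"; continue }
        if ($PSCmdlet.ShouldProcess($path, 'Unregister scheduled task')) {
            $task | Unregister-ScheduledTask -Confirm:$false
            Write-Host "removed: $path"
        }
    }

    # Show what else lives in those folders, so a task whose spelling differs from the
    # article's list can be spotted by hand (check its action in Task Scheduler first).
    $taskPaths | ForEach-Object { (Split-Path $_ -Parent) + '\' } | Sort-Object -Unique |
        ForEach-Object {
            Get-ScheduledTask -TaskPath $_ -ErrorAction SilentlyContinue |
                Select-Object TaskPath, TaskName, @{ n = 'Command'; e = { $_.Actions.Execute -join ' ' } }
        } | Format-Table -AutoSize | Out-Host

    # 3. Folders. -Force is what makes Get-Item return a folder carrying the hidden or
    #    system attribute, which is the case the article reports where Explorer still
    #    does not show it even with hidden items enabled.
    foreach ($dir in $folders) {
        $item = Get-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
        if (-not $item) { Write-Host "absent : $dir"; continue }
        Write-Host ("found  : {0} (attributes: {1})" -f $dir, $item.Attributes)
        if ($PSCmdlet.ShouldProcess($dir, 'Remove folder and all contents')) {
            Remove-Item -LiteralPath $dir -Recurse -Force
            Write-Host "removed: $dir"
        }
    }
}

# Preview first; run again without -WhatIf to actually delete.
Remove-ToolboxMalware -WhatIf
```

Because the function declares `SupportsShouldProcess`, `-WhatIf` prints what would be stopped or deleted without touching anything, and `-Confirm` asks before each change. If your execution policy blocks the script, `Set-ExecutionPolicy -Scope Process RemoteSigned` limits the change to that one window instead of the machine-wide setting.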
Cleaning up with the script
The same people who found the malware in the first place also spent the weekend dissecting the malicious code, working out how it operates, and eventually writing a script to remove it. We'd like to give a shout-out to the team for their efforts.
You're right to be wary of trusting another script from GitHub, given how we got here. However, the circumstances are somewhat different. Unlike the script involved in delivering the malicious code, the removal script is short, and we checked it manually, every line. We also host the file ourselves, so it cannot be updated without giving us the opportunity to check again that it is safe. We tested this script on multiple devices to make sure it was effective.
First, download the zipped script from our website, then extract it anywhere you like.
Next you need to allow scripts to run. Click the Start button, type "PowerShell" in the search bar, then click Run as administrator.
Then type or paste set-executionpolicy remotesigned into the PowerShell window, press Enter, and answer Y when prompted. You can then close the PowerShell window.
Go to the folder where you extracted the script, right-click Removal.ps1, and click Run with PowerShell. The script will scan your system for the malicious tasks, folders, and files.
If any exist, you'll be given the option to delete them. Type "Y" or "y" into the PowerShell window and press Enter.
The script will then delete all the unwanted tasks and files created by the malware. Run with PowerShell does not elevate the script, so if it reports that it cannot delete the folders under C:\Windows, open PowerShell with Run as administrator, change to the folder where you extracted the script, and run it from there.
Once the removal script has run, set the script execution policy back to the default. Open PowerShell as administrator again, enter set-executionpolicy default, press Enter, and answer Y. Then close the PowerShell window.
What happens now
The situation is still developing, and we're keeping an eye on it. There are still some unanswered questions, such as why some people reported finding an unexplained OpenSSH server installed. If any important new information comes out, we'll be sure to keep you updated.
Once again, we'd like to emphasize that there is no evidence that your sensitive information has been compromised. The domain the malware relies on has been taken down, and its creators can no longer control it.
Once again, special thanks to the people who worked out how the malware works and wrote a script to remove it automatically. In no particular order:
- Yemen 0
- my choice
- Zergo 0
- Jan mm 14