A curious malware has been raging in Windows since the beginning of the year: spreading via software cracks, it installs a virulent extension in Chrome and displays a PowerShell window at regular intervals. Manual cleaning is required.

Our forum bears witness to it: a strange piece of malware has been raging in the Windows world since the beginning of January 2022, and for some users even since the end of December 2021. Many PC users have reported curious behaviour on their computers, in particular the sudden and repeated appearance of PowerShell windows (Microsoft's newer command interpreter) and hijacked web pages in Chrome, to the point of making browsing the Internet difficult or impossible. These symptoms point to malicious and rather pernicious software. All the victims have one thing in common: they recently installed at least one pirated program using a "crack", a small program that bypasses the software's built-in protections by generating a serial number and rewriting lines of code. Most often these are games downloaded via torrents, but it is reasonable to assume that the problem has also found its way into other cracked commercial applications.

Admittedly, this "PowerShell virus", as it might be called, does not cause visible serious damage: rather than stealing confidential data or encrypting files as the most dangerous malware does, it seems content to display PowerShell windows at regular intervals, with a return to the Windows desktop that interrupts whatever software is active, and to disrupt web browsing in Chrome, which so far remains the only browser affected. But that is no reason to let it act!

PowerShell virus: still undetected by antivirus

Unfortunately, for now the malware slips through the net of conventional antivirus products undetected. Specialised utilities such as the excellent AdwCleaner and Malwarebytes Anti-Malware also seem currently unable to identify and remove it. Locating it is all the harder because the infected extension goes by different names, such as ChromeTask, Chromeloader or ChromeChecker. Curiously, and fortunately, it is the unexpected appearance of the PowerShell windows, a sign of rather clumsy development, that betrays its presence.

But all is not lost. While waiting for the publishers of these security tools to update them, it is possible to locate the intruder and eradicate the infected extension manually, with the help of a free and very effective diagnostic utility, FRST (Farbar Recovery Scan Tool). This powerful tool, to be used with care, makes it possible to locate a scheduled task in System32\Tasks that launches at regular intervals, causing the symptoms mentioned together with the infected extension. The treatment is then relatively simple: delete the scheduled task with a custom FRST script, then reset Chrome with a specialised utility such as the excellent ResetBrowser, which is free and in French. If you are affected by the problem, do not hesitate to consult the pages that deal with it on our forum.
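As an added example, not part of this article, of FRST or of the forum guidance, the following PowerShell script lists the two artefacts the article describes so they can be reviewed by hand: scheduled tasks whose action launches powershell.exe (with their repetition interval and the backing file under System32\Tasks) and Chrome extensions whose manifest name resembles ChromeTask, Chromeloader or ChromeChecker. It assumes the default Chrome profile location and that the task's action points directly at powershell.exe; it deletes nothing.

```powershell
# Added example: locate the artefacts described in the article. Run in an elevated PowerShell.
$suspectNames = @('ChromeTask', 'Chromeloader', 'ChromeChecker')   # names quoted in the article

function Find-PowerShellTasks {
    # Any scheduled task whose action executes powershell.exe, with its repetition trigger.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match 'powershell(\.exe)?$' -or $action.Arguments -match 'powershell') {
                $repeat = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                # Task definitions live as XML files under System32\Tasks, mirroring TaskPath\TaskName
                $xml = Join-Path "$env:SystemRoot\System32\Tasks" ($task.TaskPath.TrimStart('\') + $task.TaskName)
                [PSCustomObject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $action.Execute
                    Arguments = $action.Arguments
                    Repeat    = $repeat
                    XmlFile   = $xml
                }
            }
        }
    }
}

function Find-SuspectChromeExtensions {
    # Assumption: extensions are installed in the default Chrome user-data folder.
    $extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    Get-ChildItem -Path $extRoot -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\Extensions\*' } |
        ForEach-Object {
            $manifest = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
            $name = [string]$manifest.name
            if ($suspectNames | Where-Object { $name -like "*$_*" }) {
                [PSCustomObject]@{ Name = $name; Version = $manifest.version; Path = $_.DirectoryName }
            }
        }
}

"== Scheduled tasks launching PowerShell =="
Find-PowerShellTasks | Format-Table -AutoSize
"== Chrome extensions with suspect names =="
Find-SuspectChromeExtensions | Format-Table -AutoSize
```

Legitimate software also schedules PowerShell tasks, so treat a hit as something to inspect (task XML, arguments, repetition interval) rather than proof of infection.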

A huge thank you to bazfile who reported the problem to us and who is actively helping victims of the “PowerShell virus” on the CCM forum.
