Analyzing and Cleaning the “Your computer is infected with dangerous viruses” Adware

This blog post is about an annoying Adware that infected my browser and how I cleaned it. If you are interested just in how to clean it, scroll to the bottom of this post.

One day, while browsing through a particular website, it succeeded in infecting me with Adware. Adware is unwanted software designed to throw advertisements up on your screen, most often within a web browser. How I was aware of it, only when the Windows notification system pop-up this message:

It is in Hebrew, so I found a picture that shows it in English:

Taken from malwaretips website

It is compelling that it’s legitimate to press it and clean the “viruses”, but you will run the actual virus while doing so.

I am lazy, so the first thing that I did is check if someone else encountered this and found an article on how to remove it. But it didn’t investigate it. It only suggested you with actions, like running malware scanners and removing unwanted programs, but I had several open questions: How the Adware infected the computer? From where are these messages coming from? and lastly, how can I remove this Adware.

If you understand how it works, you don’t need to run scan for you whole computer from different AVs, and it’s more fun :)

It is also worth mention that Windows Defender, Malwarebytes and Chrome scan for unwanted programs, didn’t find it.

Finding the source of the pop-up notification

The message is annoying because it doesn’t seem to come in constant intervals, so it’s hard to tell when will be the next time it will pop up. Later you will how I found the time intervals.

Luckily, I opened Procmon and started recording in the beginning, and I was able to catch it while it happened. I could open the Windows notification and see it, but I wanted to see its execution.

With Procmon I used the “Include Process” icon on the notification to see what process is executing it:

“Include Process” icon

The process is C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe. This is Windows process that is responsible for the notifications. One interesting thing that it did is to access a file c:\Users\eviatar\AppData\Local\Microsoft\Windows\ActionCenterCache\chrome_6544_1.tmp.

I went to this folder, several files end with .tmp but they are PNG files (pictures). In our case, we can see that this is only a picture that shows you the message:

“Virus Detected (5)” and then “You computer is detected with a dangerous virus, press ‘clean the computer’ to remove all the viruses”

And a red button that says “clean the computer”:

There were more pictures of this and also a picture of Tahina (which is very tasty)!

We know the source of the pictures, but we still don’t know what causes them to be created there.

I checked the folder and noticed that all the Adware pictures were created every 30 minutes:

I assumed that Chrome is probably created them, but what is causing it to create them? If it happens every 30 minutes, maybe the task scheduler?

I didn’t think it can be the task scheduler, but I checked for safety and didn’t find anything related to this activity.

Chrome notification

I decided to check the Chrome notification system because these notifications are related to it. When I checked it, I found the smoking gun:

This herdcowhas.icu URL appeared also in the notifications, here is a reminder:

We can see that it has the permissions for the notifications and pictures:

It was also using two cookies. These cookies were being stored in the file C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cookies, but can be seen through Chrome by accessing: chrome://settings/siteData?search=cookies.

Through the web view I searched for the name “herd” which found me the cookies:

Here is the full details of the cookies:

Cleaning

Clear data and reset permissions

Go to the notifications chrome://settings/content?search=notification in Chrome, find the suspicious notification, in my case it is herdcowhas.icu, and clear the data:

It should remove this notification.

To be on the safe side, I also preferred to clean cookies from the time this Adware was access my browser, in my case it was in the last 24 hours. Go to chrome://settings/clearBrowserData?search=clear, set Last 24 hours, choose “Cookies and other site data” and clean:

Summary

This was a short analysis of this Adware. I wrote about it because I saw that other people encountered it, and the suggested solutions by several articles are to run some scans by some AVs, hoping to catch. There is no need to work so hard to remove it. It pretty simple when you understand how it works.

The only thing that I didn’t check is what happens when you press it and how it entered into my browser, but maybe when I have enough time to reproduce it on my VMware, I will update it.

Security researcher interested in reversing, solving CTFs, malware analysis, penetration testing and DevOps security (docker and Kubernetes)