{"id":430864,"date":"2022-04-12T18:50:48","date_gmt":"2022-04-12T15:50:48","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/did-you-install-the-play-store-on-windows-11-read-this-now\/"},"modified":"2022-04-12T18:50:48","modified_gmt":"2022-04-12T15:50:48","slug":"did-you-install-the-play-store-on-windows-11-read-this-now","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/did-you-install-the-play-store-on-windows-11-read-this-now\/","title":{"rendered":"Did You Install the Play Store on Windows 11? Read This Now"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CDid_You_Install_the_Play_Store_on_Windows_11_Read_This_Now%E2%80%9D\"><\/span>&#8220;Did You Install the Play Store on Windows 11? Read This Now&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<figure style=\"width: 1200px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-788519\" data-pagespeed-lazy-srcset=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/02\/malware-skull.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/02\/malware-skull.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/02\/malware-skull.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Skull over code\" width=\"1200\" height=\"675\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/computer-code-on-screen-skull-representing-1050436496\">solarseven\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>In March 2022, we
published instructions for installing the Google Play store on Windows 11. The method involved an open-source project from GitHub. Unfortunately, it contained malware. Here\u2019s how to fix it.<\/p>\n<p>Let\u2019s lead with the important part:<\/p>\n<p><em><strong>At this point in time, we don\u2019t have reason to believe that any of your sensitive information was compromised.<br \/><\/strong><\/em><\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"Heres_What_Happened\"><\/span>Here\u2019s What Happened<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Windows 11 introduced the ability to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/764014\/how-to-install-android-apps-on-windows-11\/\">install Android apps<\/a>, but not via the Google Play Store. Naturally, people began looking for ways around this. The tutorial we published contained instructions to download a script from a third-party website. Over the weekend, a group working with the script discovered it contained malware.<\/p>\n<blockquote class=\"admonishment_note\"><p><strong>Note:<\/strong> Some other websites also recommended this script. Even if you followed another website\u2019s tutorial, you might have downloaded the script that contained the malware.<\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"What_the_Script_Did\"><\/span>What the Script Did<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The script downloaded a tool \u2014 Windows Toolbox \u2014 that includes a feature to install the Google Play store to your Windows 11 device. Unfortunately, the script that downloaded the Windows Toolbox did more than it advertised.
It also contained obfuscated code that would set up a series of scheduled tasks and create a browser extension targeting Chromium-based browsers \u2014 Google Chrome, Microsoft Edge, and Brave. Only Windows PCs with their language set to English were targeted.<\/p>\n<p>The browser extension was then run in a \u201cheadless\u201d\u00a0browser window in the background, effectively hiding it from the user. At this time, the group that discovered the malware thinks the primary purpose of the extension was ad fraud, rather than anything more sinister.<\/p>\n<p>The scheduled tasks also ran a handful of other scripts that served a few different purposes. For example, one would monitor the active tasks on a PC and kill the browser and extension being used for ad fraud any time Task Manager was opened. Even if you noticed your system acting a bit laggy and went to check for a problem, you wouldn\u2019t find one. A separate scheduled task, set to run every 9 minutes, would then restart the browser and extension.<\/p>\n<p>The most concerning pair of tasks created would use <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/447033\/how-to-use-curl-to-download-files-from-the-linux-command-line\/\">curl<\/a> to download files from the original website that delivered the malicious script, and then execute whatever it downloaded. The tasks were set to run every 9 minutes after a user logged into their account.
In theory, this could have been used to deliver updates to the malicious code to add functionality to the current malware, deliver totally separate malware, or anything else the author wanted.<\/p>\n<p>Luckily, whoever was behind the attack didn\u2019t get there \u2014 so far as we know, the curl task was never used for anything more than to download a test file named \u201casd\u201d that did nothing. The domain that the curl task downloaded files from has since been removed thanks to speedy action from Cloudflare. That means that even if the malware is still running on your machine, it cannot download anything else. You just need to remove it, and you\u2019re good to go.<\/p>\n<blockquote class=\"admonishment_note\"><p><strong>Note:<\/strong> To reiterate: As Cloudflare has removed the domain, the malware cannot download any additional software or receive any commands.<\/p><\/blockquote>\n<p>If you\u2019re interested in reading <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/pabumake\/windowToolboxMalware-Removal#31-deobfuscated\">a detailed breakdown<\/a> of how the malware delivery was staged, and what each task does, <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/pabumake\/windowToolboxMalware-Removal#31-deobfuscated\">it is available on GitHub<\/a>.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"How_to_Fix_It\"><\/span><a rel=\"nofollow noopener\" target=\"_blank\" name=\"autotoc_anchor_2\"><\/a>How to Fix It<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There are two options available right now to fix it. The first is to manually delete all of the impacted files and scheduled tasks yourself.
The second is to use a script written by the people who discovered the malware in the first place.<\/p>\n<blockquote class=\"admonishment_note\"><p><strong>Note:<\/strong> At the moment, no antivirus software will detect or remove this malware if it is running on your machine.<\/p><\/blockquote>\n<h3><span class=\"ez-toc-section\" id=\"Cleaning_Up_Manually\"><\/span><a rel=\"nofollow noopener\" target=\"_blank\" name=\"autotoc_anchor_3\"><\/a>Cleaning Up Manually<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>We\u2019ll start by deleting all of the malicious tasks, and then we\u2019ll delete all of the files and folders it created.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Removing_Malicious_Tasks\"><\/span>Removing Malicious Tasks<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>The tasks created are all buried under the Microsoft &gt; Windows tasks in Task Scheduler. Here\u2019s how to find and remove them.<\/p>\n<p>Click Start, then type \u201cTask Scheduler\u201d into the search bar and hit Enter or click \u201cOpen.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797378\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/task-scheduler.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Click the Start button, type &quot;Task Scheduler&quot; into the search bar, then click &quot;Open.&quot;\" width=\"421\" height=\"326\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You need to navigate into the Microsoft &gt; Windows tasks. All you need to do is double-click \u201cTask Scheduler Library,\u201d \u201cMicrosoft,\u201d and then \u201cWindows,\u201d in that order.
That holds true for opening up any of the tasks listed below, too.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797379\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/task-scheduler-hierarchy.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Example of Task Scheduler Hierarchy.\" width=\"413\" height=\"284\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Once you\u2019re there, you\u2019re ready to begin deleting tasks. The malware creates as many as 8 tasks.<\/p>\n<blockquote class=\"admonishment_note\"><p><strong>Note:<\/strong> Because of how the malware works, you might not have all of the listed services.<\/p><\/blockquote>\n<p>You need to delete any of these that are present:<\/p>\n<ul>\n<li>AppID &gt; VerifiedCert<\/li>\n<li>Application Experience &gt; Maintenance<\/li>\n<li>Services &gt; CertPathCheck<\/li>\n<li>Services &gt; CertPathw<\/li>\n<li>Servicing &gt; ComponentCleanup<\/li>\n<li>Servicing &gt; ServiceCleanup<\/li>\n<li>Shell &gt; ObjectTask<\/li>\n<li>Clip &gt; ServiceCleanup<\/li>\n<\/ul>\n<p>Once you identify a malicious service in the Task Scheduler, right-click it, then hit \u201cDelete.\u201d<\/p>\n<blockquote class=\"admonishment_warning\"><p><strong>Warning:<\/strong> Do not delete any other tasks aside from the precise ones we mentioned above. 
Most tasks here are created by Windows itself or by legitimate third-party applications.<\/p><\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-797354 size-full\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/click-delete-e1649772407522.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Right-click the task, then click &quot;Delete.&quot;\" width=\"650\" height=\"260\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Delete all of the tasks from the above list that you can find, and then you\u2019re ready to move on to the next step.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Removing_Malicious_Files_and_Folders\"><\/span>Removing Malicious Files and Folders<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>The malware creates only a handful of files, and luckily, they\u2019re contained within only three folders:<\/p>\n<ul>\n<li>C:\\systemfiles<\/li>\n<li>C:\\Windows\\security\\pywinvera<\/li>\n<li>C:\\Windows\\security\\pywinveraa<\/li>\n<\/ul>\n<p>First, open File Explorer. 
At the top of File Explorer, click \u201cView,\u201d go to \u201cShow,\u201d and then make sure \u201cHidden Items\u201d is ticked.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797372\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/click-view-then-click-show-then-click-hidden-items.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Click &quot;View,&quot; then mouse over &quot;Show,&quot; then tick &quot;Hidden Items.&quot;\" width=\"382\" height=\"500\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Look for a slightly transparent folder named \u201csystemfile.\u201d If it is there, right-click it and hit \u201cDelete.\u201d<\/p>\n<blockquote class=\"admonishment_warning\"><p><strong>Warning:<\/strong> Be sure you correctly identify the folders we\u2019re about to delete. Accidentally deleting real Windows folders can cause problems. If you do that, restore them from the Recycle Bin as soon as possible.<\/p><\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797376\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/right-click-systemfile-then-click-delete-button.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Right-click &quot;systemfile&quot; if present, then click the delete button.\" width=\"650\" height=\"337\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Once you delete the \u201csystemfiles\u201d folder, double-click the Windows folder, and then scroll until you find the \u201cSecurity\u201d folder. 
You\u2019re looking for two folders: one is named \u201cpywinvera\u201d and the other is named \u201cpywinveraa\u201d. Right-click each of them, and then click \u201cDelete.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797377\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/delete-pywinvera-and-pywinveraa.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Delete pywinvera and pywinveraa\" width=\"613\" height=\"454\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<blockquote class=\"admonishment_note\"><p><strong>Note:<\/strong> Deleting files and folders within the Windows folder will probably trigger a warning about needing administrative privileges. If prompted, go ahead and allow it. (Be sure you\u2019re deleting only the exact files and folders we mention here, however.)<\/p><\/blockquote>\n<p>You\u2019re done \u2014 while annoying, this particular piece of malware didn\u2019t do too much to protect itself.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Cleaning_Up_With_a_Script\"><\/span><a rel=\"nofollow noopener\" target=\"_blank\" name=\"autotoc_anchor_4\"><\/a>Cleaning Up With a Script<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The same eagle-eyed folks that identified the malware in the first place also spent the weekend dissecting the malicious code, determining how it functioned, and ultimately, writing a script to remove it. We\u2019d like to give a shout-out to the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/pabumake\/windowToolboxMalware-Removal#4-thanks-to\">team<\/a> for their efforts.<\/p>\n<p>You\u2019re right to be leery of trusting <em>another<\/em> utility from GitHub considering how we got here. However, the circumstances are a bit different.
Unlike the script involved in delivering the malicious code, the removal script is short, and we\u2019ve manually audited it \u2014 every single line. We\u2019re also hosting the file ourselves to ensure that it cannot be updated without giving us the opportunity to manually confirm it is safe. We tested this script on multiple machines to make sure it was effective.<\/p>\n<p>First, download the zipped script from our website, and then extract the script anywhere you want.<\/p>\n<p>Then you need to enable scripts. Click the Start button, type \u201cPowerShell\u201d into the search bar, and click \u201cRun as Administrator.\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797367\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/click-run-as-admin.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Click &quot;Run as Administrator.&quot;\" width=\"650\" height=\"387\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Then type or paste <code>set-executionpolicy remotesigned<\/code> into the PowerShell window, and hit Y. 
You can then close the PowerShell window.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797361\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/set-execution-policy.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Enter the command into PowerShell, then hit Enter.\" width=\"650\" height=\"329\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Navigate to your downloads folder, right-click Removal.ps1, and click \u201cRun with PowerShell.\u201d The script will check for the malicious tasks, folders, and files on your system.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797369\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/click-run-with-powershell.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Click &quot;Run with PowerShell.&quot;\" width=\"634\" height=\"301\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>If they\u2019re present, you\u2019ll be given the option to delete them.
Type \u201cY\u201d or \u201cy\u201d into the PowerShell window, and then hit Enter.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797357\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/malware-found.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"The script confirmed malware.\" width=\"650\" height=\"269\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The script will then delete all of the junk created by the malware.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-797359\" data-pagespeed-lazy-src=\"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/04\/malware-removed.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"The script removed Malware.\" width=\"650\" height=\"269\" src=\"\/pagespeed_static\/1.JiBnMqyl6S.gif\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Once you\u2019ve run the removal script, return your script execution policy to the default setting. Open PowerShell as administrator, enter <code>set-executionpolicy default<\/code>, and hit Y. Then close the PowerShell window.<\/p>\n<h2 role=\"heading\" aria-level=\"2\"><span class=\"ez-toc-section\" id=\"What_Were_Doing\"><\/span><a rel=\"nofollow noopener\" target=\"_blank\" name=\"autotoc_anchor_5\"><\/a>What We\u2019re Doing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The situation is evolving, and we\u2019re keeping an eye on things as it does. There are still some unanswered questions \u2014 like why some people report an unexplained OpenSSH Server being installed.
If any important new information comes to light, we\u2019ll be sure to keep you updated.<\/p>\n<div class=\"greybox_callout\"><strong>Editor\u2019s Note: <\/strong>Over the past 15+ years, we\u2019ve seen many Windows applications and browser extensions turn to the dark side. We strive to be incredibly careful and only recommend trustworthy solutions to our readers. Because of the increasing risk that malicious actors pose to open-source projects, we will be even more diligent with future recommendations.<br \/>\nAdditionally, we\u2019d like to stress once again that there is no evidence your sensitive information was compromised.\u00a0The domain the malware depends on has now been removed, and its creators can no longer control it.<\/p>\n<\/div>\n<p>Again, we\u2019d like to offer a special thanks to the people that worked out how the malware functioned and built a script to automatically remove it. In no particular order:<\/p>\n<ul>\n<li>Pabumake<\/li>\n<li>BlockyTheDev<\/li>\n<li>blubbablasen<\/li>\n<li>Kay<\/li>\n<li>Limn0<\/li>\n<li>LinuxUserGD<\/li>\n<li>Mikasa<\/li>\n<li>OptionalM<\/li>\n<li>Sonnenl\u00e4ufer<\/li>\n<li>Zergo0<\/li>\n<li>Zuescho<\/li>\n<li>Cirno<\/li>\n<li>Harromann<\/li>\n<li>Janmm14<\/li>\n<li>luzeadev<\/li>\n<li>XplLiciT<\/li>\n<li>Zeryther<\/li>\n<\/ul>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.howtogeek.com\/797298\/warning-did-you-install-the-play-store-on-windows-11-read-this-now\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Did You Install the Play Store on Windows 11? Read This Now&#8221; solarseven\/Shutterstock.com In March 2022, we published instructions for installing the Google Play store on Windows 11. The method involved an open-source project from GitHub. Unfortunately, it contained malware. Here\u2019s how to fix it.
Let\u2019s lead with the important part: At this point in&#8230;<\/p>\n","protected":false},"author":1,"featured_media":430865,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.howtogeek.com\/wp-content\/uploads\/2022\/02\/malware-skull.jpg?height=200p&trim=2,2,2,2","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-430864","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/430864","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=430864"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/430864\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/430865"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=430864"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=430864"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=430864"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}