Sun king threat? Detected by avast while surfing on Youtube.

Hello everyone.

First I would like to apologise for my English, since it isn’t my native language. I also wanted to say that I’m creating this topic in order to get help about “what to do next” and also to check if someone else has experienced such a threat. This thread could also act as a warning about a potential threat.

I have also gone through the recommended questions and answers. And I have a screenshot which I will post after I explain the situation.

I was normally watching videos on YouTube and the alert popped up. It was located in C:\Program Files\globalUpdate\Update\Install{9838645C-DCDC-4540-B413-1885C9B0E514} and it was called setup.exe. It was moved to the quarantine, as the alert said. The folder Sun king, located in C:\Program files\, was created a second after the alert popped up. It got me worried, because there wasn’t any “ask for permission” or installer thingy. The folder just created itself without my knowledge and permission. I panicked and deleted the folder immediately… the folder also contained a file named “sun_king_updating_service.exe”.

Here are the recommended questions and answers:

  1. It was detected by the program itself. I didn’t do anything. So I’m guessing it was the background scanner. The alert happened while I was just normally surfing on YouTube watching videos.
  2. I don’t know where it came from. The folder was created just a moment after the alert popped up.
  3. Received.
  4. The file was called setup.exe and it was located in C:\Program Files\globalUpdate\Update\Install{9838645C-DCDC-4540-B413-1885C9B0E514}. The Sun king folder was created the moment after Avast alerted me about it. That’s what got me worried.
  5. I have a screenshot which I will upload underneath this.
  6. I actually deleted the entire folder immediately, because I panicked. Can’t scan it.
  7. Don’t know if it’s possible to get it back after I also deleted it from the desktop bin.
  8. I have checked Google and there’s no info about this file. That’s why I am here.
  9. -||-
  10. -||-

The screenshot of the alert:

http://screenshu.com/static/uploads/temporary/9l/8y/5e/c4r1ra.jpg

I just wanted to ask for help with what to do. Should I scan my computer, or can I feel safe? Did it happen to someone else? The folder which created itself without any permission? And this “sun king”. What even is it?

Thanks in advance

Cheers.

@edit
The setup.exe was located in globalUpdate, not in the Sun king folder. Sorry for the confusion.

https://forum.avast.com/index.php?topic=53253.0

What do you want to say by that? I just would like to know if I should be worried by the Avast alert, which detected a suspicious file in the globalUpdate folder. And then a moment later it created a folder called “Sun king” in Program Files. Both the file and the folder are gone. What does this thread have to do with my problem?

The thread itself suggests creating my own thread in this subforum when asking for help, so I did. How is your thread supposed to help me?

Global update is an adware programme and it should be removed. I am not sure how much of it Avast has blocked.

To be on the safe side, a quick check using the logs will ensure it is all gone.

I just scanned this folder with Avast and nothing was found. It also contains “GoogleUpdate.exe” files and such. Is it really a threat? And if yes, then should I delete it or move it to quarantine?

Cheers.

Witam spietres,

Do as essexboy suggests and provide him with these log files see: https://forum.avast.com/index.php?topic=53253.0
The larger part of it is now secure inside Avast’s virus chest, from where it cannot harm any longer. Did you post this on the MBAM forums also: https://forums.malwarebytes.org/index.php?/topic/166907-sun-king-virus-detected-by-avast/

pozdrawiam,

polonus

Yes it was me. I have been told that I will receive more help on the Avast forum about this issue. So here I am.

And I’m sorry, but I don’t know what kind of logs you speak of. I’m kind of a newbie when it comes to anti-virus things. And I don’t know how to get this file from this “Avast virus chest”.

Hi spietres,

Look in the link I provided (it is the second sticky in the virus and worms section of the forums where we are now posting) and there the tools and logfiles essexboy needs to evaluate are provided. Give him your log file results and attach these results as txt files to your next posting and he will give it a look. That may be to-morrow because it is already late here in Western Europe and he might already be gone off “to the Swan mountains” as some say in Polish.

polonus

see instructions here https://forum.avast.com/index.php?topic=53253.0
attach Malwarebytes and Farbar Recovery Scan Tool logs … 3 logs total

when done, essexboy will check and fix if anything is found, if nothing he will confirm clean :wink:

obs … and Polonus, you posted same link twice :wink:

Okay, will do tomorrow when I have time.
Thanks for the help!

Cheers.

Just wanted to update you guys that I think it’s getting worse. Today, Avast found another virus while I wasn’t doing anything. I was sitting on the forum and immediately the alert popped up. This time I couldn’t get a screenshot of the alert, because Avast recommended that I restart my computer and do a pre-start scan. It didn’t let me show the last alert. So I did restart my computer - it scanned before launching Windows and it found lots of threats. They were called Gen-something etc., mostly located in C:\Windows and C:\User.

Also I will be posting logs from Malwarebytes and this other program in one second.

Cheers.

I did as you said. I deleted the globalUpdate folder, just after I read on Google that people were complaining about it. So it’s gone I think.

Thanks.

Cheers.

There’s one problem. The thread you linked says that I should move the files to quarantine in Malwarebytes, but there’s only one option to choose: “Remove selected”.

What should I do then? There’s no option to move to quarantine.

http://screenshu.com/static/uploads/temporary/r5/bp/fh/99hn9k.jpg

Maybe I am missing something? I don’t know.

Cheers.

That is what happens when clicking that button :wink:

Oh okay.

xD

Thought it would be marked as “move to quarantine” or something.

I agree, it is a bit confusing :slight_smile:

Btw. leave the files in quarantine, and don’t delete them from there (yet)!

Greetz, Red.

All right : )

The logs from Malwarebytes are waiting to get attached. I’m doing this Farbar scan now. Will post when I’m done.
Thanks for the help everyone!

Cheers,

Okay so I have the logs. But I just wanted to warn you that I have never posted such things, so I might do something wrong. I apologise for that if it happens!

But I think everything is ok.

Cheers.

looks good

Essexboy will be back online tomorrow and will create a fix for you if he finds something in those diagnostic logs