
Un-Quarantinable Files and Ghost Malware?

Çağlar Arlı


I've run into a series of odd behaviours from my computer (Windows 10) and Avast Antivirus and believe I might be infected with an impersonator malware (or I'm being paranoid). I don't know what to do to identify the real source of the issue and was hoping someone can shed some light on how to proceed.

So, I use Avast Premium and have internet connections and several other configs set to 'ask me first' because I'm a bit of a control freak. 2 days ago, Microsoft Installer (msiexec.exe in the System32 folder) asked to access the network and I thought that was odd and blocked it. Seconds later I noticed a small grey window flash on the upper left part of my monitor, and I went to Task Manager and saw several processes of Microsoft Installer open, without me installing anything, and 2 'MDES SDK 4V 3rd Party Host' processes open, which I've never seen before (I later found it belongs to OPSWAT Inc. and it's located in one of the Avast folders, and they have been recently updated, but this is the first time they appeared in Task Manager).

Now here comes the weird part: right after this some shortcuts started appearing on my desktop, from software I already have, as if they were just updated. So I unplugged my internet cable from the computer, but still 2 more shortcuts showed up, so I killed the msiexec processes. I scanned my computer but it found nothing, so just as a precaution I manually sent the msiexec file to quarantine... but nothing happened. Avast says the file is quarantined, but the file never moves out of the Windows32 folder. Same thing with the software whose shortcuts appeared in the background: I sent them to quarantine, but they don't move. I can send any file to quarantine but these, which I'm guessing is either because my Avast is compromised or the malware is antivirus-proof.

After this, I got Malwarebytes and did a scan as well. Same thing, it found nothing, but if the virus is in msiexec then I think whatever I install on the computer would be automatically compromised.

Another thing that caught my attention was the software that was updated/modified: Codec Tweak Tool, Media Classic Player, Calibre E-Book Management and Adobe Digital Editions. Now the last one is part of the Adobe subscription; every time you update a software that belongs to Adobe, the Creative Cloud Manager processes open in the background, but this time none of the usual Adobe processes showed up in Task Manager when Adobe Digital Editions was "updated", which to me indicates that Adobe was not the one updating the file, something else did.

Today, the same thing happened. I started my computer, Avast asked if I want to allow msiexec.exe (now in the SysWoW64 folder) and I blocked it, another grey screen flashed on the upper side of the screen and now a shortcut for VLC Media Player shows up. Can't send files from VLC to quarantine either. This time several processes for Firefox appeared as well, and Firefox wasn't being used. The same weird MDES SDK processes show up with Windows Installer as well. Process Explorer had an endless list of svchost processes running, some were linked to msiexec.

I would also like to point out that I don't have any auto-update configuration going on. Windows doesn't auto-update any software, and I don't have auto-update options for software on the antivirus either. I do it all manually. Even Windows can't auto-update because I blocked it in the Registry.

As of now, my computer is booted in Safe Mode without an internet connection. And I noticed some of the folders on the C drive (Windows, Users, Program Files) have "State: Shared" (and an emoji in the middle) when you open them. I don't have any other user on this computer and never had any folder shared on the network, not even cloud service folders like Google Drive and Dropbox (I don't use the cloud service from Adobe either). I didn't check who it is being shared with yet (I used fsmgmt.msc, but the Server service is disabled in Safe Mode so it doesn't work). Avast doesn't seem to work in Safe Mode for some reason either, so I couldn't try putting files in quarantine while in Safe Mode.

So, is this a ghost malware? How do I get rid of this? I thought about deleting both msiexec.exe files with Avast File Shredder and later running sfc /scannow to restore them, but I'm not sure if I can trust Avast at the moment, or if the supposed malware is in fact in the msiexec file or somewhere else.
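The checks below are an added example, not part of the original post or an answer given to it: read-only PowerShell that verifies the signature and hash of the two msiexec.exe binaries the poster names, shows what launched the running msiexec processes, reads the Windows Installer event log for recent installs or repairs, and enumerates SMB shares and who can access them. It assumes Windows 10 with PowerShell 5.1 run from an elevated prompt; the share listing needs the Server service (LanmanServer), which is off in Safe Mode.

```powershell
# Added example (not from the original post): read-only triage for the symptoms
# described above. Run from an elevated PowerShell on Windows 10.

$targets = @(
    "$env:SystemRoot\System32\msiexec.exe",
    "$env:SystemRoot\SysWOW64\msiexec.exe"
)

# 1. Is each msiexec.exe the Microsoft-signed binary? Windows system files are
#    normally catalog-signed, so SignatureType 'Catalog' with Status 'Valid' and a
#    Microsoft signer is the expected result; anything else deserves a closer look.
foreach ($path in $targets) {
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path          = $path
        SigStatus     = $sig.Status
        SignatureType = $sig.SignatureType
        Signer        = $sig.SignerCertificate.Subject
        SHA256        = $hash
    }
}

# 2. Which processes are running msiexec.exe right now, with what command line,
#    and which parent process started them?
Get-CimInstance Win32_Process -Filter "Name='msiexec.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine

# 3. What has Windows Installer actually done recently? The MsiInstaller provider
#    writes every install, repair and removal to the Application log, naming the
#    product, which explains where new shortcuts come from.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    StartTime    = (Get-Date).AddDays(-3)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. What is shared, and with whom? This is what the "State: Shared" label in
#    Explorer refers to; it requires the Server service, so it is skipped in Safe Mode.
if ((Get-Service LanmanServer).Status -eq 'Running') {
    Get-SmbShare | Select-Object Name, Path, Description
    Get-SmbShare | Get-SmbShareAccess | Select-Object Name, AccountName, AccessRight
} else {
    Write-Warning "Server service is not running (e.g. Safe Mode); share listing skipped."
}
```

Compare the SHA256 values against a known-good copy of the same Windows build rather than against each other, since the System32 and SysWOW64 binaries are different (64-bit and 32-bit) files.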