So basically, I got infected with the worst virus/trojan/malware I’ve ever seen in 20+ years of working on PCs. At this point, I’m really just looking for some insight and information as to what happened!
On 6/15, I was playing a game and decided to pause and minimize the window to take a shower. Roughly 15 minutes later, I came back into the room to see my mouse moving across the screen. At first, I thought some sort of popup had appeared (like those old ones you used to see back in the day with a fake dialogue box). Upon looking closer, I realized that this was actually my cursor moving towards the “Save” button on Chrome trying to download a file. I immediately grabbed my mouse and moved the cursor, and for a brief moment there was a “struggle” of sorts. It felt like whoever was controlling my mouse tried to fight me for control for a second.
I don’t really know what info is relevant and what isn’t, so I’m just going to describe everything. The window that was open was for “KO Player” - this is the file that was trying to be downloaded. From what I looked up, it appears to be an Android emulator. I decided to go through my download history, and I found a piece of software called “AnyDesk.” From what I understand, this is remote desktop access software, so I’m not entirely sure why they would need this if access had already been gained to my machine. I ended up finding traces of this in my AppData “Roaming” folder...more on that later.
I really should have pulled the plug immediately, but I wasn’t thinking at the time. I decided to check my history, and I saw that the hacker had been searching my emails for anything to do with cryptocurrency or bitcoin:
Because I had 2FA enabled on all my accounts, none of the hacker's attempts to change my passwords were successful.
I ended up going to the task manager to see if there were any strange processes that shouldn’t be running. At this point, I found a process called “Windows Fing H” - it had also been set as a startup item with high impact. I killed the process, which I hope stopped the remote connection.
I cannot find anything about this process. I was, however, able to trace the task manager process to the file’s location. The startup process was located here:
It led to a .scr file called “Windows12.scr” - in addition, there’s a strange 4.0.3.t.dat file in there, and I’m not really sure where it came from. Perhaps it has to do with the .NET Framework? More info on the file:
Okay, so this is when it gets weird – I decided to just do a full reformat. So I did – completely wiped the SSD twice, including the recovery partitions, until it was just “unallocated space.” I should mention that I also had an internal HDD that I didn’t do anything to, and it was plugged in during the process. This is dumb of me, and I should’ve removed it first.
Regardless, I wiped the machine, reinstalled Windows, so far so good. A few hours into it, my paranoia gets the better of me and I decide to start snooping. I check the Event Viewer and things are going crazy:
Alright, so at this point I don’t have more screenshots because they’re on the infected machine. Not sure how to grab them off without infecting another machine without snapping a photo of the monitor itself. But here’s what happened next:
Using the event viewer, I find an application that was installed shortly after the reformat. Somehow, 7Zip was put into the Temp folder (I had not installed 7Zip yet), and it extracted something called “PACKAGE.7z.” This contained a file called “Chrmoe Sevrice.exe” or something along those lines – clearly fishy.
So I keep searching, and I then find files in the Roaming folder containing extractions from Chrome. They were text documents, each with a username and password for every domain that had been saved. Luckily, I’ve used a third-party password manager for the last several years, so the old passwords in Chrome were long gone – but still, a tool had been used to extract saved images and forms from Chrome. If I had used Chrome to save passwords, these people could’ve done some serious damage. This same process was repeated for my other profile in Chrome, which I primarily use for work. I’m not exactly sure if they were able to monitor the tool in real time, or if the goal is to go back to the machine later when unoccupied (using a remote connection) to retrieve the files containing passwords and logins. I’m not a virus expert, so I’m not really sure what’s possible these days.
I should mention that this time I unplugged the internet right away. When restarting, Windows would error because it could not connect to a file called winup.js – I also remember seeing something like winit.js, and there was a .vbs file that was constantly trying to launch. This would only happen with the internet disconnected, so I’m guessing it has something to do with a remote connection. I also recall seeing galcod.scr at one point in this process, but I can’t recall if that was pre-format or post-format.
So, what am I dealing with here? Is it most likely that the virus was dormant on my secondary HDD? Some of my tech buddies have also said my hardware may be compromised – I’ve heard everything from my network card’s MAC address being compromised to peripherals with upgradeable firmware being hacked (gaming monitor, mouse, etc).
Regardless, the machine is now sitting unplugged in a closet. I reformatted (using DBAN) the other PC in my house to be sure nothing got transferred over the network, and the machine I’m on now is brand new. I also threw my old modem and router in the trash and bought a new unit just to be safe. Made sure to change every password, including the router login.
I should also mention that during this time, none of Malwarebytes, HitmanPro, or AdwCleaner detected anything – even when scanning the files I knew to be malicious. However, Windows Defender did pop up warning that the .js file was detected as “Trojan:JS/Foretype.A!ml”.
All my machines now have Malwarebytes Premium as well as Bitdefender (paid) – so I’m definitely going to be cautious moving forward. As to how I got the infection, I’m guessing it’s because I stupidly downloaded a software torrent I shouldn’t have. I always buy my software, but sometimes I would download something first (like a game) to see if it would run on my machine before purchasing it on Steam. Regardless, I’ve learned my lesson, and I won’t be torrenting anything anymore.
I have taken all the necessary precautions (changed every password, removed all authorized devices from my accounts, etc.). I even printed new 2FA backup codes (voiding the old ones) in the rare case that the hacker was able to print out my old codes when they had access to my Google account.
Any advice or feedback would be appreciated. Thanks!
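The checks the poster did by hand (startup items pointing into AppData\Roaming, fresh drops in Temp, Event Viewer entries) can be collected in one pass. This is an added triage script, not code from the original post; it assumes an elevated PowerShell on the affected machine with the network disconnected, and the file extensions and paths it flags are taken from what the post describes.

```powershell
# Added triage script (not from the original post). Run elevated, network unplugged.
# Flags persistence entries and recent drops matching the post's indicators.
$lookback   = (Get-Date).AddDays(-7)                     # assumed window; widen if needed
$extensions = '.scr', '.js', '.vbs', '.exe', '.dat', '.7z'
$roots      = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData)
$suspicious = 'AppData|Temp|\.scr|\.js|\.vbs|wscript|cscript'

# 1. Persistence: Run/RunOnce keys, startup folders and scheduled tasks.
#    (The post's "Windows Fing H" startup entry pointed at a .scr under Roaming.)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
    }
}
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    $task.Actions | ForEach-Object {
        [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath
                           Execute = $_.Execute; Args = $_.Arguments }
    }
} | Where-Object { "$($_.Execute) $($_.Args)" -match $suspicious }

# 2. Recently created executables/scripts/archives in user-writable locations
#    (7-Zip in Temp, PACKAGE.7z, Windows12.scr, credential dumps in Roaming).
Get-ChildItem -Path $roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $lookback -and $extensions -contains $_.Extension } |
    Sort-Object CreationTime |
    Select-Object CreationTime, Length, FullName

# 3. Event log: new service installs (System 7045) and process creations
#    (Security 4688; only present if process-creation auditing is enabled).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $lookback } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'AppData|Temp' } |
    Select-Object TimeCreated, Message
```

Redirect the output to a text file on removable media rather than copying the flagged files themselves, so the findings can be reviewed from a clean machine.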