
Breached by 4 trojans. What now? Not sure

Solved by Maurice Naggar


I read other cases and most of all the introduction on how to file a support request.

This is the first time in a long time, if not the first time ever, that I get something like this, and it seems not to be a false positive.

The threats were these:
  • Trojan:Win64/CryptInject
  • Trojan:Win32/Casdet!rfn
  • Trojan:VBS/Tnega!MSR
  • Trojan:Win32/CoinMiner!MSR

Other stuff seems to have been detected after I did some things I read on this site, like an MSERT scan (following instructions given to other people),
like: VirTool:Win32/DefenderTamperingRestore (and two others whose names I don't know)

A few hours after the discovery by the OS defender, and the removal which worked (apparently!), I proceeded with Avira or Avast, I don't remember now which, which found stuff, and also Malwarebytes, which found stuff too.

How did it happen? As I came back from the full screen of a game I noticed there was this alert that had been issued around 40 minutes before I got out of the game, and I did not notice it as the notifications do not pop up in front of the screen nor play a sound, because these are my choices...
I still don't know how to make visual notifications pop up in front of the screen, which I am sure can be done. As far as the sound goes, I avoid having stuff like this, as I hate ads and anything that fills our lives with notifications, as if we were machines.

So,
I was playing a videogame which has been known since its release to have major issues, Age of Empires III Definitive Edition, which in the first months caused people (who bought it and beta tested it, despite it being the practice today to release unfinished stuff) severe memory leaks and forced them to format and lose all the data from their PC due to the forced format... (the game is a Microsoft effort outsourced to indie companies, which led to a bad, unpolished game, so much so that I sought to get some improvements, and in the enthusiasm to improve and test some more mods than I really needed I fear I clicked a bad apple... it was one that added taunts to the game, but it happened right when I was also testing these mods)...

However, it could be a totally different thing (I put someone else's USB in my PC to do work for this friend, and this guy is not expert at all on how to be safe), considering what I have done in the last days\months, or another case, a sleeper thing that activated now after maybe a long time of no activity... and I am worried this is still here, spreading... (and I don't want to infect others nor get ransom requests or other crazy stuff), and I did other things too that could be bad... but I have TONS OF protections on the browser and an attitude \ modus operandi that is a very safe\hard posture...

The real cause of all this, I believe, is the lowering of my defenses, in episodes which I believe I can count on the fingers of one hand (and the good thing is that I remember what I did).

I believe it's connected to a mod of the AOE III DE game, because it happened while I was in it, or maybe from another application: I also tried to check Event Viewer, and it could be that or another app that "maybe" wasn't original.

In this case what I suspect is that the IN GAME MODS browser has infected stuff, as it feels like all this stuff is uncontrolled, not like Nexus Mods, which surely is a hub that controls stuff and immediately removes bad apples; in this case instead it really feels very "indie", and thus people can tamper with stuff and infect entire communities. Or... it has been something else.

However all this stuff popping on my PC was quite alarming.


Thanks for your time and patience, and shared experience.

So could you answer me this: before uploading the 3 files you request, like FRST Addition and also the MB report log, shouldn't I remove all the private information that is inside them?


1 minute ago, Taurus1 said:

So could you answer me this: before uploading the 3 files you request, like FRST Addition and also the MB report log, shouldn't I remove all the private information that is inside them?

No, it affects the FRST scripts that will be made for you to fix your issue.


No, please do not make changes to the diagnostic reports from FRST.

Hello. My name is Maurice. I will guide you.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
    1. Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    2. Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

3. I would like a report set for review. This is a report only. This is the first beginning step so I can see what is what on this particular machine.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.


Hi, since I am not from the US\not a US citizen, here we have a different concept of privacy and rights, and in general of community and society (I won't go into detail), so I am a bit concerned about offering the various data of my PC, including the name of the PC user and so on, stuff that must stay private, including other choices.
I really appreciate your help and time, but offering these data without being able to "hide" some info, and showing this to the entire world wide web, is a bit crazy. I am not hiding anything, I just am conscious and literate about privacy, which some stupid people answer with "I have nothing to hide, publish anything about me if I have done nothing", which is just nonsense, typical of what introduces cyberpunk dystopian futures. This is not a critique of you! 100% it's just an explanation of my concern, even though I know someone will take it personally, and that is their problem.

Thanks for your help, maybe I can still have some suggestions on what to do.

After running MSERT and other things before it, like the Malwarebytes scan and also I think Avira or Avast (with these last two some stuff appeared and was removed), and then with MSERT, which lasted around 2 hours considering the high computational power despite the around 2 TB of space, I got that it found 3 things, but 2 were not disclosed, only one was shown in the final results: which is "VirTool:Win32/DefenderTamperingRestore" (partial remove\ requesting reboot).

I have done all the things following what was written in other reports, not just blindly, but my question is: am I being watched now, and will I be hit when the best time comes?
I have made the effort to remove anything that was suspicious, and haven't made modifications (nor played, also because of what is happening in Gaza, I really cannot play games or do much knowing what's going on...) to the computer.

I have to say that since July 2023 I started having the mouse strangely "lagging", like freezing for 1 second, or .5 second too, which I had a hard time figuring out. Now after this "attack" I fear that it might have been connected to some spyware and someone getting into the PC.

I even disconnected the internet during some malware scans of some programs (inspired by the optional Microsoft Defender offline scan) and also disconnect the PC at night, as I fear there are ways to actually use the internet once a trojan is inside, even if the PC is off (I know it can feel like sci-fi, but you experts surely know a lot about this and can explain, and also could confirm "we don't know everything", so there could be stuff that can work on the PC even if it is switched off but cable connected).

I hope the trojans haven't infected the router or other things... other people connected to the internet where I am. I am also scared of infecting others, who knows.

I would have also liked to understand whether these trojans can (could have, in my case) be detected as soon as they are downloaded and "played" as files (images, audio, whatever), or whether they could have been in my PC for some time and just turned on that 27th of October, but still have been in the PC for a long time and not just 1-2 minutes or a few seconds before they started to work (?)

What I am trying to ask, as explained above, is: if NOW nothing is showing up anymore, and several things were removed in the various analyses described above, DOES IT MEAN that the PC is not infected anymore, or is it not certain? Considering I also have removed old applications or possible non-original applications (I had I think 1 or max two), which indeed I was silly to get since they are not priced at much money, and anyway I haven't done these things FOR QUITE SOME TIME, basically 20 years...

Right now I am running a mod that is considered a PUP, and another PUADI, but I mean these are of course systems that are required to allow a longer time cycle in the single player gameplay, and of course they do fiddle with the code of the game, so it's normal they are considered suspicious, as far as I know.

I will remove that as soon as I am done with the game that requires that thing, as I have a hard time finding co-op players for it, and without the complexity of microphone and movement interaction it's very dull to play a game single player without some motivating, immersive, realistic stuff...
I hope that the PUP and PUADI things aren't dangerous stuff, as they have been allowed to work.

Anyway, as soon as I am done with that game I might be closer to a format of the main drive.

What I think anyway is that the malware could still be in the PC after the formats, as if I don't format 101% of every physical drive they could still be there, including in the drives...

So it's like a very difficult hunt that requires a ton of work and precision, in general also in keeping stuff in order, but since I have carried stuff with me for a long time, and I still need a lot of time (which is lacking) to fix some old storage drive files that I don't want to lose and so on (I won't explain now the recovery work I am trying to do), it's going to be hard to be completely sure these trojans haven't replicated here or there elsewhere.


@Taurus1 I have some suggestions.

I would learn (if you do not already know how) to format and reinstall Windows, or take your computer and pay for someone to work on your system.

Do not use your actual name when creating your user account on the computer so that concern is addressed.

After the computer is fresh and clean, do not download any hacked or cracked software or game mods/cheats. Buy all games from legitimate companies. Do not be lured in by all of the "free" games out there.

Do not download any free music or videos that normally should be purchased.


I am no longer watching this thread. We cannot help if there are no provided diagnostic reports.

I would urge you highly to stay far away from hacked / cracked software of any sort, whether a so-called free program or free game, or whatever.

Hidden risks in pirated software
https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/

Why You Shouldn't Use Pirated Software
https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

Torrenting & filesharing. Try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss.
https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/
