
I fell for the classic discord "try my game" virus


A couple of days ago @alonexrd contacted me on Discord, and after a day or so he sent me his "game" named arenawars for me to playtest. The file is located on the website playsgamesarenawars.github.io and is downloaded as a WinRAR file that requires a password to open, which I later learned is so that the virus checks I ran on the file before installing it would be rendered useless. The person also has made a YouTube account: https://www.youtube.com/@ArenaWarsGame, which I reported but YouTube has not taken down yet. After starting the installation process of the file located in the WinRAR file my Chrome closed and soon after my Discord as well; that was when I knew it was a virus and turned my PC off. The virus stole all my tokens and saved usernames/emails and passwords, but luckily it was only able to lock me out of my Discord account. After restarting the PC, which was also maybe not the smartest idea, I tried to open Windows Defender as that is the only antivirus I use, and I noticed the virus was preventing me from doing so; that was when I got scared and turned my PC off again. After a day I first started to locate the virus using a bootable USB antivirus as I was scared of what the virus could do. I tried Avira Rescue System and the Kaspersky Rescue Disk. Neither of them was able to locate the virus. After that I ran the .exe file that ran the virus through the Triage virtual machine sandbox (wish I knew about this sooner) and saw that during the process most of the files the virus creates it then marks for deletion. Nevertheless, I was able to locate some of the files described in the Triage analysis and deleted them; some of them were located in the temp folder so I just deleted it as a whole. After booting up my PC normally I noticed that the sign-in screen just logs me in automatically. I don't have a password, but I am pretty sure it didn't do that before and I couldn't find any documentation about it.
The next thing I noticed was that my Windows Defender was working, and I immediately did an offline scan. That scan didn't find anything and I proceeded with a full scan. In the meantime I also uninstalled my Discord, Steam and all of my browsers (when uninstalling the browsers they asked me if they should delete their user data or something like that and I clicked no, as I did not want to lose my open tabs and extensions; my question is whether that was another mistake). While that was happening I did a full scan using ZoneAlarm, HitmanPro and Sophos (all of which I downloaded after the virus had infected my PC; I don't know if that matters). None of these found anything. I cannot find any traces of the virus (however my desktop briefly flashes after booting up my PC and I again don't remember it doing that before), but I am unsure whether it is gone or not, as I do not know how to access the registry and basically anything that isn't the file explorer (I have hidden files shown). I have changed the passwords for most of my accounts but would love it if I could get a password manager recommended. I don't know if I have provided too much information, but I wanted to be thorough. I wasn't able to find the exact virus I was infected with, but maybe someone here knows it and how to remove it.


1 minute ago, PapoPlayz said:

playsgamesarenawars.github.io and is downloaded as a winrar file that requires a password to open

What is the password? Give us that and then do the following.

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes: Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point  <<<<< Important.
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup   Windows 8 and newer only <<<<< Important.
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a  Scan with AdwCleaner
  2. Click the following link and run a  Scan with Malwarebytes
       RESTART the computer <<<<< Important.
  3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 

Example image of where to click to attach files when posting your reply


Then be patient for the next expert to take your case. <<<<< Important.

 

Thank you


I ran the adwcleaner, it didn't find anything and so I did the basic repair. However after doing that and clicking to open the log I couldn't, I also couldn't open the windows search menu and none of my tabs in the edge browser were loading. I restarted the pc and it is now stuck in a "Your pc did not start correctly" loop. I don't know what to do. It seems I have a restore point from yesterday named "Microsoft Visual C++ 2013 Redistributable (x64)..." and the type is system


Thank you @PapoPlayz

This is another example of the "Try My Beta Game" ploy affecting so many we see here, and it is not a virus; it is a complex trojan.

The fake game beta is spam'd via email, SMS and Discord Direct Message. It is not a game but an Electron based password and data stealer. Many variants are an Ageo Stealer.


RE:   Fake Game password and data stealer and sites


So my pc fixed itself somehow and I completed the scans, providing the logs below.

Is a complex trojan worse, should I be worried, are we going to be able to remove it?

Also would you please answer the questions from my first post.

"After booting up my pc normally I noticed that the sign in screen just logs me in automatically, I don't have a password but I am pretty sure it didn't do that before and I couldn't find any documentation about it."

"when uninstalling the browsers they asked me if they should delete their user data or something like that and I clicked no, as I did not want to lose my open tabs and extensions, my question is was that another mistake"

"While that was happening I did a full scan using Zonealarm, hitman pro and sophos (all of which I downloaded after the virus had infected my pc, I don't know if that matters)"

"however my desktop briefly flashes after booting up my PC and I again don't remember it doing that before"

Thanks

 

Addition.txt FRST.txt AdwCleaner[C00].txt Malwarebytes Scan Report 2024-09-29 140130.txt


Trojans and viruses are both sub-types of malware.

Viruses self-replicate. In other words, viruses spread autonomously from file to file or PC to PC.

Trojans need assistance to spread. In this case it is the action of a spam'd message using the social engineering ploy of a beta version of a game, exploiting the gaming community's gaming desires.

It is not a simple trojan. It is written in Electron and has multiple layers of obfuscation that make static analysis more than difficult.

The recommended password manager is 1Password.

Edited by David H. Lipman

Welcome
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.

Let's begin... 

The following Fix will empty these folders:

  • Windows Temp
  • Users' Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns, please ask before running this fix.

The system will be rebooted after the fix has run.

FRST64 was saved as D:\downloads\FRSTEnglish.exe

  • Download the enclosed file  Fixlist.txt
  • Save it in the same location FRST64 is saved. (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

After the FRST scan my pc rebooted as instructed but when the screen turned on it was asking me if I wanted to skip drive scan. I didn't click anything and it scanned both my drives and said repairing drive c: and only then did the pc fully boot up. I don't know if I maybe did something wrong.

On the Doctor Web scan I turned all apps off as instructed, but during the scan my Razer opened up and I didn't know if that would affect anything, so I restarted the scan to be safe. The 1st scan found 1 threat so I am attaching both logs here. The one from the full scan is named cureit(21772)(2nd).log

cureit(21772)(2nd).log Fixlog.txt cureit(21772).log


The script ran well. Windows Resource Protection found corrupted files and successfully repaired them. We should reset your hosts as it contains a SUSPICIOUS.URL

FRST64 was saved as D:\downloads\FRSTEnglish.exe

  • Download the enclosed file  
  • Save it in the same location FRST64 is saved. (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply.

Fixlist.txt

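The hosts file check the helper is alluding to above (FRST reporting a SUSPICIOUS.URL), written as an added Python example that is not FRST's logic and not part of this thread: it parses a hosts file, ignores comments, and flags every active mapping that is not a stock localhost entry, separating names pinned to loopback or 0.0.0.0 (made unreachable, the pattern used against security-vendor update servers) from names redirected to some other address. The sample hosts content, its hostnames and the DEFAULT_NAMES allowlist are all constructed assumptions.

```python
import ipaddress
import re

# Names a stock Windows hosts file may legitimately map (assumed allowlist, not from FRST).
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a stock-style header plus three injected lines of the kind
# a stealer or adware adds. None of these hostnames are real.
SAMPLE_HOSTS = """\
# Sample hosts file header (constructed, mimics the stock Windows comments)
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1    localhost
::1          localhost
0.0.0.0      updates.example-av.test    # constructed: blocks an update server
203.0.113.5  www.example-bank.test      # constructed: redirects a site elsewhere
garbage      whatever.test              # constructed: malformed address field
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) per active line; blanks and '#' comments are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue
        yield line_no, fields[0], [n.lower() for n in fields[1:]]


def audit_hosts(text, allowed=DEFAULT_NAMES):
    """Return findings for every mapping that is not a default loopback entry.

    kind is 'blocked'    when the name points at loopback/0.0.0.0 (made unreachable),
            'redirected' when it points at any other address (hijacked resolution),
            'malformed'  when the address field does not parse at all.
    """
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        except ValueError:
            ip, kind = None, "malformed"
        for name in names:
            if kind != "malformed" and name in allowed and ip.is_loopback:
                continue  # stock entry such as "127.0.0.1 localhost"
            findings.append({"line": line_no, "address": address, "name": name, "kind": kind})
    return findings


def summarize(findings):
    """One human-readable line per finding, suitable for a removal log."""
    return [f"line {f['line']}: {f['name']} -> {f['address']} ({f['kind']})" for f in findings]


if __name__ == "__main__":
    for entry in summarize(audit_hosts(SAMPLE_HOSTS)):
        print(entry)
```

On a real machine, read C:\Windows\System32\drivers\etc\hosts into `text` instead of SAMPLE_HOSTS; anything the audit lists is what the "reset your hosts" fix removes.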

Well, my desktop still flashes on bootup. I have turned off all startup apps and the only apps starting are NVIDIA, Malwarebytes and 1 Microsoft app; I don't know if it might be one of them (I am also unsure if it did that before).

Also my sign-in screen still logs me in automatically (I don't remember it doing that before, even though I don't have a password).

Otherwise I haven't seen any traces of the trojan, but I also didn't see any before.

Also, if we know exactly what the trojan does, can't we just remove it completely manually instead of relying on antiviruses and scanners?

 


2 minutes ago, PapoPlayz said:

Well my desktop still flashes on bootup

Also, it doesn't really flash; it looks like a windowed application opens up and minimizes/closes. The only thing I can see is a completely wide rectangle on the left side of the screen.


Here are some programs to update:
 
Unchecky v1.2 v.1.2 Warning! This software is no longer supported. Please uninstall it and use another software.
TeamViewer v.15.43.6 Warning! Download Update
NVIDIA GeForce Experience 3.27.0.120 v.3.27.0.120 Warning! Download Update
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
7-Zip 22.01 (x64) v.22.01 Warning! Download Update
Uninstall old version and install new one.
WinRAR 6.21 (64-bit) v.6.21.0 Warning! Download Update
Zoom v.5.16.10 (26186) Warning! Download Update
Viber v.21.0.0.0 Warning! Download Update
Java 8 Update 371 (64-bit) v.8.0.3710.11 Warning! Download Update
Uninstall old version and install new one (jre-8u421-windows-x64.exe).
 
Razer Cortex v.10.15.5.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it.
 
As far as malware, there is no sign of it.
 
Update the software above and let me know if that would improve the performance:
 
Open an Administrator Command Prompt. At the prompt type the following and press Enter:
 
CHKDSK /R
 
Schedule CHKDSK to run at the next Startup. Restart the computer.
 
Upon restart, CHKDSK will run. Allow it to do so unhindered.
 
After the next restart run this fix:
 
FRST64 was saved as D:\downloads\FRSTEnglish.exe
  • Download the enclosed file  Fixlist.txt
  • Save it in the same location FRST64 is saved. (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges
  • This time around Press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply. Another file will be created on your desktop, DiskCheckLog.txt. Please also attach this file to your next reply.


The CHKDSK is taking very long so I don't think I will be able to send the logs today. Will send them as soon as possible though. 

23 hours ago, PapoPlayz said:

Also if we know exactly what the trojan does can't we just remove it completely manually instead of relying on antiviruses and scanners

If you don't mind can you answer this


2 hours ago, PapoPlayz said:

The CHKDSK is taking very long so I don't think I will be able to send the logs today. Will send them as soon as possible though. 

If you don't mind can you answer this

If included in the logs, and we can see it, manually will be the action. There is no protection against new variants that have not been identified.

Let's perform a full scan with Malwarebytes Antimalware:

  • Open Malwarebytes and check for updates
  • Click on the Silhouette -> About Malwarebytes -> check for updates
  • Go back to the main screen Dashboard
  • Click on the left side of the Scanner panel
  • Click the Advanced scans link
  • Under Custom Scan click the Configure the scan button
  • Then select ALL options including the Scan for rootkits and your C: drive as shown
  • Then click the Start Custom Scan button

Once the scan has completed, please export it to text and save the log and attach it to your next reply

Thank you


18 hours ago, PapoPlayz said:

Should I also run it for my other drive?

So no need to do it for D: drive?

17 hours ago, JSntgRvr said:

If included in the logs, and we can see it, manually will be the action.

Yeah, but I already provided the exact trojan I got infected with and someone ran it through VirusTotal, so I thought we knew exactly what it does.

 

On 9/29/2024 at 5:51 PM, David H. Lipman said:

Thank you @PapoPlayz

This is another example of the "Try My Beta Game" ploy affecting so many we see here, and it is not a virus; it is a complex trojan.

The fake game beta is spam'd via email, SMS and Discord Direct Message. It is not a game but an Electron based password and data stealer. Many variants are an Ageo Stealer.


RE:   Fake Game password and data stealer and sites

This is what I am talking about.

 

Attaching the report below.

Malwarebytes Scan Report 2024-10-02 104224.txt
