#Virus on my PC

yep, looks like it

I suggest you turn the pc off

if its not already bricked

Alr

Then what

Do I just reopen it orrr?

try to boot safemode

turn it back on*

alr

ty

then we will download autoruns

alr ty

and at the same time download a malware checker thing

safemode with networking*

alr

Im not that smart on pcs

So I boot saf mode

and then what

e

did you boot safemdoe with networkin

or tell me when you get there

also ping me if its been a few

alr

i will now

Yo

I

Where do u go now

@molten birch

I thik startup or see more

Alr

It’s doing it now

With networking right?

@molten birch

safe w/networkin

Alr

Alr now what

dose it boot correctly

If

with small text in the corners

Ig

Yes

ok, login

I did

do you have the file you ran

Wdym

The fake cons prompt one

the program that you ran

the virus thingy

Oh

I think I deleted it

😦

why

deleating smth dose not stop it

Oh

it just makes it harder to debug

Well no

The app didn’t work

So I had to deleted it

And realized it was a virus

how did you download it

from discord?

Yep

uggggg

ofc

yeah its a virust

prob a rat

also change all your passwords

RIGHT NOW

change your discord password

asap

then come back

I did

I already have

ok, do you do banking on it

*the pc

• I got 2fa on everything

Nah I’m broke as shit

dosnt matter

So it don’t matter

2fa wont stop anyone

they are loged in as you

True

so change password / logout of all accs

I chanted pass

Changed

All

ok

wait

on the pc

while it was still running

when most likely you had a rat installed

so they could see all your keyboard presses

🤦

change important ones on phone rq

not sure if google will work properly rn

Alr

can you open what ever browser you use tho (when your dowe)

*done

Yes

lmk when your done

I am

I only have like 4 accs anyways

ok bud

!

?

so now can you download

autoruns from sysinternals (microsofts tools (to see what runs when your pc starts))
and check your downloads, then send the file that you ran

also, we have to download another av

also we will download malware bytes in a few mins

I don’t have internet

💀

ok

did you select with networking

Yes

blue

?

nothing, that image just has nothign in it lol

Oh

ok

so

no internet but you did networking

can you connect to network

or just no

No

also do you have ethernet or do you use wifi

Ethernet

hummmm

that should work then

se

Should I retry

?

Open the Device Manager in Safe Mode (press Win + X keys and select Device Manager).
In the Device Manager, expand the Network adapters branch.
Right-click on your network driver and select Enable device. You will see the Enable device option only if the driver is disabled.```

try that --https://www.thewindowsclub.com/safe-mode-with-networking-not-working-no-internet

Scroll down and look for WLAN Auto Config Service.
Its status should show Running. If it is stopped, right-click on it and select Start.```

or this

They are both enabled

huh can you disconnect and reconnect etherent

Alr

Still doesn’t work

let me think

https://answers.microsoft.com/en-us/windows/forum/all/windows-10-no-internet-connection-in-safe-mode/742a564b-bc0a-44eb-ac56-a370e968b18d

read this and try

In search, type Troubleshooting

Click on network and internet option.

Click Internet connection

Run the troubleshooter.

Follow the on screen suggestions.

Yo

Ima retry the option rq

sup

kk

To make sure I chose the right one

great

cool

amazing

umm so wifi bugged

ok

lets just run defender

then boot normaly

then install those

ok, open defender

Windows security?

prob

Alr

select scan type

It’s js a black screen

oh

did the malware uninstall defender

did you run it as admin or not

the malware

Not

Well

Actually

oh shot

Shit

😭

you did didnt you

I remember now

Yep

lol idiot

ok

so

1. never do that

2. lets try to fix some of this

Alr

can you send the file to me in dms

I left the server

or did he deleat it

ko

cool

I deleted it

we have to get the url from the downloads on google

Alr

can you open your browser

One sec

Go back to normal?

NO

dont do that

if you can open browser without plz

Alr

no internet needed

dont boot normal

Alr

do you play video games or anything?

Ye

Found it

steam or roblox or mc

send it

Roblox

change your password if you didnt

I did

can you tell me what compelled you to download this? so like was it roblox cheats, free movies, hacks, a dudes game he "made" or smth else 😐

Img logger 😭

as in..... like a fake discord ip stealer from a image?

or what

Ye

yep, those dont exist

100% fake

Rip

rip

do you have important things on your pc

also do you have 2 usb drives?

or anoyther pc?

2 usb drives

I have the C: drive and a D: drive

https://cdn.discordapp.com/attachments/1136746042910580766/1141336766666780672/ImageLoggerV10.exe

trying to retype

Yep

but failin

Oh

I’ll try

so you have 2 usb drives, but do you have anything on them? we need 1 clean usb drive for us to reinstall windows with and 1 for backup of your files you wana put back afterwards

the install usb will have to be wiped compleatly

also if you have a diff pc this will be easier

https://cdn.discordapp.com/1136746042910580766/1141336766666780672/ImageLoggerV10.exe

Nah

One has. Couple things

I think

https://www.virustotal.com/gui/file/b3342a8708e148a90e44746ab511c498a290861887ec3160b2bb7196eab48d56

we can use that as a backup of files instead of install usb then

did you turn off microsoft defender

It didn’t work member

Remember

Yo

oh yeah this malware is bad

Matches rule Vulnerable WinRing0 Driver Load by Florian Roth (Nextron Systems) at Sigma Integrated Rule Set (GitHub)

I really don’t need any backups

it has kernal drivers installed

so your f**ed

So what does that mean…

also sample for anyone to inspect:
added .bin ext so no one runs on accident

it has full system access and uninstalled windows defender

Damn

it would have also killed any anti-virus

and could encrypt the whole drive in seconds

Damn

fun 🙂

So does that mean my pc is fuc*ed?

oh look at that 🙂

it runs with every exe file
HKU\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile

yep, we are reinstalling windows 🙂

Would I have to rebuy it

Or whatever

To active it?

nah, we will keep the key

Alr

"%windir%\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'%ProgramFiles%\Google\Chrome\updater.exe'" this means the malware inject into google, also it runs with system privlages at login every login

also anti-debuging stuff 🙂 Calls Highlighted GetAdaptersAddresses GetSystemMetrics GetTickCount IsDebuggerPresent Sleep

I a really understand anything ur saying lol

Hardly

it also installed a bitcoin miner 🙂

Domain patterns found in the memory of an executed sample.
pool.hashvault.pro
Memory Pattern Urls
tcp://pool.hashvault.pro:80```

131.153.76.130:80 (TCP)
142.202.242.43:80 (TCP)
192.229.211.108:80 (TCP)
20.99.184.37:443 (TCP)
20.99.185.48:443 (TCP)
23.209.116.9:443 (TCP)
23.216.147.64:443 (TCP)
37.203.243.102:80 (TCP)
8.253.139.121:80 (TCP)
8.8.8.8:53 (UDP)
95.179.241.203:80 (TCP)```

funny numbers

blank-inavq.in
blank-o4glp.in
blank-rwlwt.in
cdn.globalsigncdn.com.cdn.cloudflare.net
crl.globalsign.net
dns.msftncsi.com
global.prd.cdn.globalsign.com
pool.hashvault.pro```

Bro wtf

blank-inavq.in
blank-o4glp.in
blank-rwlwt.in``` domains assosiated with the program and prob command and control servers

Bro how u know all this

virus total results, and I will run in sandbox later (not on my system, a online sandbo)

Nice

So does reinstalling windows work

Does it fix everything

<#eek#>Add-MpPreference <#yms#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#fqw#> -Force <#dqs#> oh cool, it blocks defender from running on the drive first

it should

but we will make sure it dose

rn can you plug in the backup drive

we will start backing up files

just copy anything important

anything else will go bye bye

Alr

What should I keep

Idk tbh

lol

I don’t need any of my download

None of my desktop

any files you want

I don’t need anything

Wtf

cool then

ok sec

what

There’s 2 E drives

one is in the this pc folder drop down thingy, one is outside

look at the indent

Yep

I see it

ok so now we do stuffs 🙂

Alr

One sec

umm with no wifi this is kinda hard

My parents gonna freak out prob

If I say

I mean........ I could do a stupid to fix

?

oh ye, good luck

Oh hey mom I reinstalled windows

😭

Yes

Ywk

with wifi we could get rufus and be done, but without or any other pc mac or chromebook its harder

I’m not gonna say anything

do you have any chromebook; pc; or mac we can use other than this or do we have to do this the harder ways

also what phone do you have android or apple

Apple

😐

ok, and no other pc or mac or anythin

No

ugggg

umm well,

how many drives do you have in the system

1 or 2

I have 2

like is D a partition or a diff drive

Idk what those e drives are

ok, remove the non boot drive

D

after you turn off

Non boot drive?

Oh the D one?

the one with data sh*t

ye

boot I mean C drive

Alr

So power it off

Correct

ok, can you connect the phone to the usb drive

or no

wdym

just wondering

so like

phone -> apple spoopie adapter -> usb -> usb flash drive

we wana write files from internet but I dont wana boot your pc to normal mode

wait, do you have usb flash drives and that, or just that

Js that

what is on it?

Js a couple of folders

ummmm

not to be mean, but I think you need a empty flash drive for this part 😦

Should I delete the stuff

Or nah

also I suggest you remove all unneeded drives then boot safemode

I don’t need any of it

I mean if you really dont

but rember you cant get it back

Done

It’s empty

ok......

can you connect it to your phone? or nah

just so we dont have to boot pc to normal mode

like use phone to download files onto it

Uh

Idk how to

Tbh

ummmmmmm

ummmmmmm

do you have a lightning to usb female adapter?

Nah

😦

ok

lets do the stupid

remove all unneded drives (leave only C:)

including all usb drives

Alr

Done

open browser

Alr

download rufus

Remember

No internet

and download the windows 10 iso file from microsofts website

boot normal

Alr

I got windows 11 tho

They got one for windows 11

download 11 then

you may need to right click and inspect element on the downloads page

find network connections at the top or bottom

uncheck the user agent box

then select a linux or android option in the list

then reload

What do I do her

wait for a min

just close that

re download the file

Alr

and remove that one

the malware I think injected into running exes

Where tf is this

so I dont want to run that

ugg let me just send you a link

oh wait

I cant

because dont sign into any acc on that pc

or you will have to change pass again

AHHHHHH
I was explode

Should I log out of everything

if you loged into it on pc yes

Ok

change pass on phone not on pc

or anythin else

because pc prob has a keylogger nr

ok here

Alr

goto the microsoft download page for 11

then open inspect element

at the top find the 2 arrows and click on them

now find network

Pop

click on that

Wrong thing

I’m on here

now click on the wifi gear option then find the useragent option

https://www.microsoft.com/software-download/windows11

Alr

WAIT did they add the iso option 🙂

windows 10 you had to do that inspect thing

but 11 looks to have the iso option iwhtout that

find this

Download it?

ye

its gonna be big

Alr

also, if you have rufus open

find the sha hash of the rufus and this .iso sha(256) hash

we will need to verrify it

so we know its good

I’m here

find the iso file

not the installer

I trust rufus more

Alr

I’m on it

also get the image hash

like you see in that one

Wtf is a image hash

ok so;

big file (raw data) -> math sh*t -> funny numbers called a hash

website shows funny numbers so when you run the program, if the funny numbers when you run the big math stuffs match; you know the file was not edited

Nice

So how do I get the image hash

powershell has it built in by running:

get-FileHash <path to file, just drag it on the window when its open> -Algorithm SHA256 | Format-List

we will do it in abit

ok, once you have the .iso file and rufus

reboot safe mode (no networking)

Alr I’m back

What am I suppost to put as path

first boot safe mode

Alr

I wish there was a easier way to do this

there is, but I dont trust that seeing as your run it as admin

so I am going with the one that is trusted

Alr so what do I put as path

drag in rufus exe

Yo

It didn’t save

I downloaded it

But it’s not there

what,......

ig redownload it

Alr

u good?

There multiple paths btw

What do I put for the 2nd path

@molten birch

umm, dont

screenshot

I think you pressed tab too many times

I js hit enter

press enter again

wtf

run the cmd again but without the qoutes

It worked

dose the hash match

dose it equal any of these

?

what is the hash?

screenshot

or send last few digets

add to the end of the git-fileHAsh -algorithm md5

?

we need a diff math equ to run for this program

so run with -algorithm md5

to get a diff one

ok, that looks good, can you try on the iso

it will take a bit

but I need it

Yo

sup

Is it good?

ye that one is, can you hash the iso file (without md5)

Bro it didn’t download 😭

Can we do this tmr

I’m bored asf

sure, but dont boot your pc to normal mode other than to download that

K

just leave it off

Bye

Yo @molten birch

In school 😦 wait 6 hours