
Incredibly Sketchy File


  • This topic is locked
7 replies to this topic

#1 Meshiest

Meshiest

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 07 January 2015 - 06:48 PM

I was on Omegle last night and happened to stumble upon someone who was "developing a game"; they offered to let me test their game.

 

I was a little skeptical about the file he sent me over mediafire

 

"Games.rar" containing a folder called "Games" and inside that, a file called "GameCore.exe" consisting of 778019 bytes. 

 

I put this file into my virus scanner and got nothing...

 

I put this file into a sandboxed desktop and ran it: "GameCore.exe wants access outside of sandbox".

 

Guy on omegle has already left the chat

 

This is where it gets bad.. In the process of removing the file (selecting and deleting), I accidentally opened it...

 

It created a process I could not remove. I removed the original executable and shut down my computer for the night.

 

Just 20 minutes ago, I booted my computer up. Windows gave me a warning about how "GameCore.exe" wants to run a service.

 

I clicked no/cancel and it still didn't remove the process. I opened CCleaner and removed GameCore.exe from the registry startup

 

I restarted my computer and removed the files, only to find the same thing, but with "scsisvc.exe".

 

I repeated the process and restarted in safe mode. I opened CCleaner and appdata and removed all startup stuff.

 

I got it to stop running a process and I'm currently running a virus scan. I /really/ hope it didn't steal any passwords or personal data...

 

Here is a download, it was too big to attach here: https://www.dropbox.com/s/pjvo6nwcic8xboz/possible%20virus.zip

FF2DE.. was in %appdata%/roaming

scsisvc.exe was the registry executable

Games.rar is the file I was sent

 

Please help!




#2 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  • Gender:Male
  • Location:Thailand
  • Local time:03:54 PM

Posted 09 January 2015 - 01:26 AM

Hello Meshiest and welcome to BleepingComputer! :)

 

My name is Sirawit and I'm here to help you.

 

Please note that I'm currently in training and my fixes need to be approved first, that may delay our fix a bit, but I will normally reply back in 24 hours.

 

If I don't reply after 2 days, feel free to PM me. :)

==========================================================================

Some points for you to keep in mind:

  • Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================


Farbar Recovery Scan Tool (FRST)

  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop.
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should.
  • Double click the icon.
  • Click Yes to the disclaimer.
  • Make sure the Addition.txt box is checked.
  • Click Scan and allow the program to run.
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen.
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply.

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#3 Meshiest

Meshiest
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 10 January 2015 - 09:39 AM

Thanks, but I have already solved my problem. I was just looking into the executable that started it all



#4 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  • Gender:Male
  • Location:Thailand
  • Local time:03:54 PM

Posted 10 January 2015 - 11:03 AM

So, you want us to analyze the executable file?

 

Thank you.




#5 Meshiest

Meshiest
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 10 January 2015 - 11:04 AM

So, you want us to analyze the executable file?

 

Thank you.

Yes, please



#6 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • OFFLINE
  • Gender:Male
  • Location:Thailand
  • Local time:03:54 PM

Posted 10 January 2015 - 12:07 PM

Hi Meshiest.

 

According to virustotal, this is the latest analysis of the malware file: https://www.virustotal.com/th/file/14a245973dc1b35dc9451f26e718f042779281c4722e6ee8a9f407f807db6170/analysis/1420906185/

 

I can help you check your machine for any other problem or malware leftover. Do you want that?

 

Thank you.


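The first post describes cleaning this up by hand: a Run entry for GameCore.exe, a second entry for scsisvc.exe that replaced it, a folder under %appdata%\Roaming, and a Windows prompt about the file wanting to run a service; the reply above identifies the file by its SHA-256 on VirusTotal. The script below is an added example, not code from this thread, from BleepingComputer or from FRST, and it covers far less than FRST does (Run/RunOnce keys and installed services only). It reads those autostart locations, hashes each target and flags the patterns the thread describes; it does not modify anything. Assumptions: the SHA-256 in the known-bad list is the one from the VirusTotal link in the post above, and the "user-writable location" heuristic is this example's own.

```powershell
# Added example (not from the thread, BleepingComputer or FRST): read-only triage of
# Run/RunOnce keys and services. Run in an elevated PowerShell 5.1 or later.

# Assumption: the only known-bad hash is the SHA-256 from the VirusTotal link in the thread.
$KnownBadSha256 = @(
    '14A245973DC1B35DC9451F26E718F042779281C4722E6EE8A9F407F807DB6170'
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# User-writable roots from which legitimate autostarts are uncommon; the poster's
# %appdata%\Roaming\FF2DE.. folder is exactly this pattern. Heuristic is this example's own.
$SuspiciousRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-ExecutablePath {
    # Extract the executable from a command line such as
    #   "C:\x\a.exe" /s      C:\x\a.exe /s      %APPDATA%\x\a.exe
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($expanded, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($expanded -split '\s+')[0]
}

function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe    = Get-ExecutablePath -Command $Command
    $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $hash   = $null
    $flags  = @()
    if ($exists) {
        $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        if ($hash -in $KnownBadSha256) { $flags += 'SHA-256 on known-bad list' }
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
    } else {
        # The poster saw entries outlive the file they pointed at; a dangling entry is a clue.
        $flags += 'target file missing'
    }
    foreach ($root in $SuspiciousRoots) {
        if ($root -and ($exe -like (Join-Path $root '*'))) { $flags += "under user-writable $root" }
    }
    [pscustomobject]@{
        Source = $Source
        Name   = $Name
        Path   = $exe
        SHA256 = $hash
        Flags  = ($flags -join '; ')
    }
}

function Get-AutostartTriage {
    $providerFields = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $providerFields) { continue }
            Test-AutostartEntry -Source $key -Name $p.Name -Command ([string]$p.Value)
        }
    }
    # Services as well: the second boot in the thread warned about the file wanting to run a service.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName) {
            Test-AutostartEntry -Source 'Service' -Name $svc.Name -Command $svc.PathName
        }
    }
}

# Flagged entries first. An empty Flags column means none of these heuristics fired,
# which is not the same thing as clean.
Get-AutostartTriage |
    Sort-Object @{ Expression = { $_.Flags -eq '' } }, Source, Name |
    Format-Table -AutoSize -Wrap
```

The output is meant to be read alongside an FRST log, not instead of one: scheduled tasks, Winlogon values, browser helpers and the other locations FRST reports are outside this script, and a file can have a valid signature and still be unwanted. The hash comparison is the cheap, certain part; the location and signature flags only say where to look first.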


#7 Meshiest

Meshiest
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:03:54 AM

Posted 10 January 2015 - 03:01 PM

Thank you for the analysis. The extra check is not necessary, thanks for offering.



#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:09:54 AM

Posted 11 January 2015 - 01:52 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.



