
Uncertain if infected.


11 replies to this topic

#1 BigYikes

Posted 05 February 2018 - 03:35 PM

Hi there. I downloaded a standalone mod on ModDB based on the STALKER franchise, titled Last Day (http://www.moddb.com/mods/stalker-last-day/downloads/last-day-english-translation), sometime in late December or early January. As of about a week and a half ago, my computer burned out. I'm not sure what specifically the issue was; the processor and motherboard were in pretty poor condition after a lot of use. But my friend also had the same issue, with his computer dying in nearly the exact same way.


Being unbelievably paranoid, I decided to dig deeper, and learned that the mod manager provided in the addon pack for the mod (http://www.moddb.com/mods/stalker-last-day/downloads/last-day-13-addon-pack, specifically the JSGME executable) may or may not contain a bitcoin miner. I'm very conscious about the security of my computer, and I feel like I never really noticed any of the telltale signs of a miner on my computer, nor did my anti-virus have an issue when I decided to use the addon pack, which was around late January. That, and I know a few other people who also used the mod and they don't seem to be having any issues.


So, basically, I'm trying to determine if this was all mere coincidence, or if there was something more sinister at work, but despite my usual caution, I'm miserable with actually knowing anything of use other than badware prevention, so I'm not sure if I actually am infected. Hence, I'm asking the experts.


I ran the file in question through VirusTotal (https://www.virustotal.com/#/file/eaeaf23efd206d93e6eb3693df51d0dfdd30e47c17d3763d36d79d96c2fdef2f), and while it says that it's fine, my suspicion falls on one of the behaviors the executable exhibits, specifically this bit:

"Process and service actions

Processes terminated
  • C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe"

Googling '996E.exe' gives a few results, all of which reference malware or ransomware, and it even turns up on a forum about cryptocurrency. At this point, I really need to know if I'm just working myself up or if I need to scrub my hard drive when my new computer arrives.


Thanks for reading my wall of text, and I appreciate any help in advance.


Edited by BigYikes, 05 February 2018 - 04:16 PM.
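Before trusting the VirusTotal verdict on the JSGME executable, a practitioner would first confirm that the file on disk is the one the report describes, and then do a quick offline triage of it. The Python script below is an added example written for this page; it is not code from BleepingComputer, ModDB or the mod's authors. The SHA-256 constant comes from the VirusTotal link in the post above. The miner indicator patterns and packer section names are assumptions drawn from common practice, and the sample PE images it triages when run without an argument are constructed for the demo.

```python
"""Offline static triage for a suspect installer such as the JSGME executable
from the mod's addon pack.

Added example for this page; not code from BleepingComputer, ModDB or the
mod's authors. It performs three checks a practitioner runs before trusting
a VirusTotal verdict:
  1. SHA-256 of the local file, compared with the hash in the VirusTotal
     report URL, so the report describes the file actually on disk.
  2. Packer hints from PE section names. A packed installer explains why a
     sandbox sees a helper dropped into %TEMP% and terminated; that is not
     by itself evidence of a miner.
  3. Strings typical of coin miners (stratum pool URLs, miner binary names,
     common switches). The indicator and packer lists are assumptions
     drawn from common practice, not something the page supplies.
"""
import hashlib
import re
import struct
import sys

# SHA-256 from the VirusTotal link in the original post.
VT_REPORT_SHA256 = "eaeaf23efd206d93e6eb3693df51d0dfdd30e47c17d3763d36d79d96c2fdef2f"

# Assumed indicator lists; extend from your own threat intel.
MINER_PATTERNS = [
    r"stratum\+(tcp|ssl)://", r"xmrig", r"minerd", r"cpuminer",
    r"cryptonight", r"--donate-level", r"-o\s+pool\.", r"nicehash",
]
PACKER_SECTIONS = {b"UPX0", b"UPX1", b".aspack", b".petite", b".themida", b".vmp0"}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_vt_report(data: bytes, report_hash: str = VT_REPORT_SHA256) -> bool:
    """True only if the local file is the one the VT report was generated for."""
    return sha256_of(data) == report_hash.lower()


def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table, or [] if not a parsable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                       # COFF header follows "PE\0\0"
    if data[e_lfanew:coff] != b"PE\0\0" or coff + 20 > len(data):
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table after optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def packer_hints(data: bytes) -> list:
    return [n.decode("latin-1") for n in pe_section_names(data) if n in PACKER_SECTIONS]


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII and UTF-16LE runs, like `strings -a` plus `strings -el`."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([r.decode("ascii") for r in ascii_runs]
            + [r.decode("utf-16le") for r in wide_runs])


def miner_indicators(data: bytes) -> list:
    return [s for s in extract_strings(data)
            if any(re.search(p, s, re.IGNORECASE) for p in MINER_PATTERNS)]


def triage(data: bytes, report_hash: str = VT_REPORT_SHA256) -> dict:
    return {
        "sha256": sha256_of(data),
        "matches_vt_report": matches_vt_report(data, report_hash),
        "packer_hints": packer_hints(data),
        "miner_indicators": miner_indicators(data),
    }


def build_sample_pe(section_names: list, payload: bytes) -> bytes:
    """Constructed toy PE image (headers only, no real code) for the demo."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + table + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:  # constructed sample: UPX-packed image carrying miner strings
        blob = build_sample_pe(
            [b"UPX0", b"UPX1"],
            b"\0stratum+tcp://pool.example:3333 --donate-level=1\0\0"
            + "xmrig.exe --cpu-priority 0".encode("utf-16le") + b"\0\0")
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py path\to\JSGME.exe`; with no argument it triages the constructed sample. A hash mismatch means the VirusTotal report is for a different build than the one you have, and nothing in that report applies to your file. Packer section names alone are not evidence of a miner: many legitimate installers are packed, which is also why a sandbox report shows a helper executable dropped into a Temp directory and then terminated. Miner strings in an unpacked image are a much stronger signal; in a packed one they are usually only visible after unpacking or at runtime.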



#2 buddy215

Posted 05 February 2018 - 05:03 PM

Welcome to BC...


You say... "my computer burned out"... not sure if the computer is no longer usable or not, because you say you are awaiting a new computer.

If you are planning to use the old hdd then I would think you are going to retrieve data from it but not attempt to copy programs or attempt to boot from it in the new computer. Once you have retrieved the data then it would be best to reformat it if you plan to use it.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 BigYikes

Posted 05 February 2018 - 05:19 PM

Quoting buddy215: "Welcome to BC... You say... "my computer burned out"... not sure if the computer is no longer usable or not, because you say you are awaiting a new computer. If you are planning to use the old hdd then I would think you are going to retrieve data from it but not attempt to copy programs or attempt to boot from it in the new computer. Once you have retrieved the data then it would be best to reformat it if you plan to use it..."


Well, the motherboard burned out, is what I meant. It could have also been some issues with my graphics card or my processor; obviously they couldn't look into it without the motherboard functioning, but given that they said a whole lot of my computer was in pretty bad shape, I figured I was better off just getting a replacement as opposed to systematically replacing all the parts and installing them. I'm really hoping to dodge reformatting since it's such a hassle, and I think my HDD's in decent shape. My only immediate concern with any malicious files is the one detailed in my first post, which, if I can confirm I dodged that successfully, then I'm willing to at least pop it in and use it for a while, if nothing else.



#4 buddy215

Posted 05 February 2018 - 05:27 PM

Use it as what? An external or internal storage drive? Or did you buy a computer without an OS installed? You can't boot the new computer off of the existing hdd using whatever OS is installed on it.



#5 BigYikes

Posted 05 February 2018 - 05:33 PM

I had it shipped with no OS, mostly because I didn't want Windows 10 and it was kind of the only option.



#6 buddy215

Posted 05 February 2018 - 07:27 PM

So...again...what are your plans for the old hdd?


Do you plan on purchasing a Windows OS other than Windows 10?



#7 BigYikes

Posted 05 February 2018 - 07:42 PM

I'll get Win7. Ideally I want to just... keep using that hard drive. I'll reformat if I have to, but I wasn't planning on it unless I had to, or that file in my original post is malicious.

#8 buddy215

Posted 05 February 2018 - 08:12 PM

So, your new computer won't have a new hdd? Again... you cannot use the Windows OS on the old hdd on the new computer.

If the new computer is not a used computer... then I seriously doubt you saved any money by buying this custom (no hdd and no OS) machine.



#9 BigYikes

Posted 05 February 2018 - 08:54 PM

No, no, it has a 1 TB HDD with it. I was just trying to avoid having to reformat if at all possible. And I should have a spare license key around here somewhere.

#10 buddy215

Posted 06 February 2018 - 06:34 AM

When you get the new computer and you are having problems getting Windows installed on the new hdd, start a new topic in the appropriate Windows forum (Windows 7) if you would like assistance.



#11 BigYikes

Posted 06 February 2018 - 10:06 AM

I mean, the main issue I was having wasn't really related to my hardware. I was hoping someone was able to determine if the mod manager file (in the Last Day addon pack, which I uploaded to VirusTotal) was doing anything malicious, since I've been hearing rumors of it having a bitcoin miner hidden in it somewhere, and the behavior portion of the VirusTotal report does mention a process that, when googled, gives me results for ransomware and even a cryptocurrency website.



#12 Instinct_Authority

Posted 09 June 2018 - 03:38 PM

I also got an EXE that looked suspicious and included "996E.exe", and I did some research about it.

First things first, googling "996E" will yield fake Google results from websites that claim that ANY exe is malware, then tell you to download their "advanced" malware remover (don't; these programs are malware themselves).

I haven't found anything about "996E" in Google, but VirusTotal is useful and you can use it to find other files that have the same behavior. Many detected files seem to use this file in their behavior; it seems to be packer/setup-file related (a packer is software that can compress multiple data into one file to make smaller file sizes). But you can also find this executable in legit software like ExpressVPN, with 0 detections and a good community score. I also found it in software from 2009 (when Bitcoin was just released) and 1999 (when cryptocurrency wasn't even a thing), so it does seem like a generic executable that packer software needs to complete installation. Although I'm not a security expert and I don't know anything about the mod in your post or its creator, it has a community score of (6/7), which is indeed suspicious. You may have a bitcoin miner caused by other software.


Edited by Instinct_Authority, 09 June 2018 - 05:17 PM.
