
Virus within a film?

11 minutes ago, Kisai said:

AV products do not protect you from PEBKAC. For all you know, the script reported you to the FBI. Figure out exactly what you did even if you have to get the link to the file again and paste it into virustotal.

I have the link, the problem is that it was deleted, and I don't think you can use virustotal on that.

 

15 minutes ago, Kisai said:

As for system restore, if it succeeded in launching powershell, then it likely succeeded in downloading something. You may want to check the event log to see what it did first, but I'd probably just run system restore so that any files changed are changed back.

I have a restore point from a few days back, so I'll give it a try. How can I see the event log?


2 minutes ago, tlustymen said:

I have the link, the problem is that it was deleted, and I don't think you can use virustotal on that.

 

I have a restore point from a few days back, so I'll give it a try. How can I see the event log?

Fastest way?

 

%windir%\system32\eventvwr.msc /s

 

Then look under Application and System around the timestamps. If a script was run, it should say what it ran.

 

Like it could have added a new user to your system and then added it to remote desktop. Stuff like that is why you want to rollback.


6 minutes ago, Kisai said:

Then look under Application and System around the timestamps. If a script was run, it should say what it ran.

Not sure if I'm doing it right, but I'm looking at system and application inside the logs window and it says it was modified today.


5 minutes ago, tlustymen said:

Not sure if I'm doing it right, but I'm looking at system and application inside the logs window and it says it was modified today.

Look for something like "shell host" or "powershell" in the application log or system log to see what it did.

 

It won't have something like Linux's messages log, but it should tell you what it launched, if anything.


Wait, you mean this summary, right? Because I don't see any option to view stuff further.


5 minutes ago, tlustymen said:

Wait, you mean this summary, right? Because I don't see any option to view stuff further.


No, drill down on "Windows Logs" -- "Application" or "System" to see the logs.

 

There's also a separate powershell log


5 minutes ago, Kisai said:

No, drill down on "Windows Logs" -- "Application" or "System" to see the logs.

Got it. There's no Shell host or Powershell, but there are some warnings from "Security SPP".


1 minute ago, tlustymen said:

Got it. There's no Shell host or Powershell, but there are some warnings from "Security SPP".


Look in those to see if it's anything to worry about. SPP is Software Protection Platform. So it could have turned off the Task Scheduler (and hence Windows Update).

 

Check the powershell log if you have it (see the edit to my previous post) and see if anything was run around the same time that might have done that.


1 minute ago, Kisai said:

Look in those to see if it's anything to worry about. SPP is Software Protection Platform. So it could have turned off the Task Scheduler (and hence Windows Update).

 

Check the powershell log if you have it (see the edit to my previous post) and see if anything was run around the same time that might have done that.

It says "The rules engine reported a failed VL activation attempt.", not sure what it means.

 

And in the Powershell log, there's some perhaps shady stuff, but by the timestamps it doesn't look connected? I mean the warnings are all "xx:52" and all the Powershell from yesterday was at "22:28".


1 minute ago, tlustymen said:

It says "The rules engine reported a failed VL activation attempt.", not sure what it means.

 

And in the Powershell log, there's some perhaps shady stuff, but by the timestamps it doesn't look connected? I mean the warnings are all "xx:52" and all the Powershell from yesterday was at "22:28".

 

Hmm, I'll not tell you what that VL activation means, google it.

 

Scroll through everything in the powershell log from around the time you ran the bad file that launched powershell. If you see something that looks like it has changed the permissions of something, particularly if something was stopped and then disabled from starting up, or something was installed that was then set to auto-start.

 

But again, to be safe, I'd just roll back using system restore to before the event that happened.
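The two posts above (the eventvwr.msc pointer and the advice to scroll the PowerShell log for service, start-up and permission changes) can be done in one query instead of by hand. The following is an added example, not code from the thread or from any poster: it pulls, for one time window, the events a defender would want to see after an unexpected PowerShell launch. It assumes an elevated PowerShell prompt on the affected machine (the Security log needs admin rights) and that Script Block Logging may be off, in which case event 4104 contains only the blocks Windows flags as suspicious on its own; the time window below is built from the 22:28 timestamp the OP mentioned and is an assumption.

```powershell
# Added example (not from the thread): gather the events Kisai tells the OP to look for,
# from the PowerShell, System and Security logs, inside one time window.
# Assumes: elevated prompt; Script Block Logging may be disabled (4104 then only holds
# blocks Windows itself flags as suspicious); 4698 needs task-creation auditing enabled.
function Get-ScriptRunEvidence {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End
    )

    # Each entry: log name, event ID, and a label explaining why it matters.
    $queries = @(
        @{ Log = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; What = 'PowerShell script block executed' },
        @{ Log = 'Windows PowerShell';                       Id = 400;  What = 'PowerShell engine started' },
        @{ Log = 'System';   Id = 7045; What = 'New service installed' },
        @{ Log = 'System';   Id = 7040; What = 'Service start type changed (e.g. auto start -> disabled)' },
        @{ Log = 'Security'; Id = 4720; What = 'Local user account created' },
        @{ Log = 'Security'; Id = 4732; What = 'Member added to a local group (e.g. Remote Desktop Users)' },
        @{ Log = 'Security'; Id = 4698; What = 'Scheduled task created' }
    )

    foreach ($q in $queries) {
        $filter = @{ LogName = $q.Log; Id = $q.Id; StartTime = $Start; EndTime = $End }
        # Get-WinEvent throws when nothing matches, so silence that and move on.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Log    = $q.Log
                    Id     = $_.Id
                    What   = $q.What
                    # First few lines of the message; for 4104 this is the start of the script text.
                    Detail = (($_.Message -split "`r?`n" | Select-Object -First 4) -join ' | ')
                }
            }
    }
}

# Usage (assumed window): the OP saw PowerShell entries at 22:28 the previous day,
# so bracket that hour and sort everything by time to see what else happened around it.
$start = (Get-Date).Date.AddDays(-1).AddHours(22)
$end   = $start.AddHours(1)
Get-ScriptRunEvidence -Start $start -End $end | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Anything in the output from the System or Security logs that lands within minutes of a 4104 or 400 entry is what the "stopped and then disabled" or "installed and set to auto-start" advice refers to; the 4104 message text shows what the script block actually contained, which the Event Viewer summary pane does not.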

 


2 minutes ago, Kisai said:

Hmm, I'll not tell you what that VL activation means, google it.

By the looks of it, it's usual, as it wrote that many times before.

 

3 minutes ago, Kisai said:

Scroll through everything in the powershell log from around the time you ran the bad file that launched powershell. If you see something that looks like it has changed the permissions of something, particularly if something was stopped and then disabled from starting up, or something was installed that was then set to auto-start.

This is all of them (photo). Dunno what to make of it.

 

9 minutes ago, Kisai said:

But again, to be safe, I'd just roll back using system restore to before the event that happened.

Gonna do that tomorrow morning.


1 hour ago, tlustymen said:

What does that mean?

 

Interesting, haven't thought of that. Do you really think it has purpose? I already did ton of scans from even paid AVs.

 

How?

 

Thanks

At some point in your life as a student in IT and later professional, you'll need to learn to look for information by yourself and not wait for others to provide it to you constantly.
That's also HOW you learn.

You have all the key words needed, look for it and eventually ask here for validation, but don't ask others to provide it to you:


 

?


3 minutes ago, Cora_Lie said:

At some point in your life as a student in IT and later professional, you'll need to learn to look for information by yourself and not wait for others to provide it to you constantly.
That's also HOW you learn.

You have all the key words needed, look for it and eventually ask here for validation, but don't ask others to provide it to you:


 

?

Right, I normally do that, but my orientation in this field is close to zero, so I'm currently trying to get to know this a little better with straight communication :)


2 minutes ago, tlustymen said:

Right, I normally do that, but my orientation in this field is close to zero, so I'm currently trying to get to know this a little better with straight communication :)

Don't worry about that ^o^ I was just making a remark, not attacking you in any way ?

 


1 minute ago, Cora_Lie said:

Don't worry about that ^o^ I was just making a remark, not attacking you in any way ?

 

No hard feelings :D


Downloading is still a thing with the advent of streaming?

Desktop: 7800x3d @ stock, 64gb ddr4 @ 6000, 3080Ti, x670 Asus Strix

 

Laptop: Dell G3 15 - i7-8750h @ stock, 16gb ddr4 @ 2666, 1050Ti 


Something I haven't seen mentioned here is the premise of a 'size test'. The simple, no AV tests should include this one: If the file size is exceptionally smaller or even sometimes larger than the usual file for a comparable item, the thing you've downloaded may be fake, or at least a damaged file. A complete file of a feature film length video is not going to be a few kilobytes or megabytes, it should be in the gigabytes in size. If you're supposed to be downloading a one page document, it shouldn't be 10s or 100s of megabytes in size.

 

Already mentioned is having file extensions showing, which really ought to be how everyone does things, but if you forget to unhide them at some point, stacking extensions is a common tactic to make a file look like the one you want. Another thing I've not seen exploited yet, but I wonder if it might be tried, is managing to hide a file by getting the OS to see it as a 'system file', which most users leave hidden, even some of the more savvy ones. So, a file might appear as coolmovie.mk4.exe properly displayed, or the file you get may seem to just disappear.

 

As for the discussions of piracy vs torrenting, let's not be naive - yes, torrenting is not the same thing as piracy, but a lot of piracy is done via torrents. In this particular case, though, other things point to the potential of piracy. A film that is legally, freely shared and distributed via torrent is not likely to be targeted as a vehicle for malware distribution. It won't be something people have had a hard time getting, and the excitement of getting something costly for 'free' won't be there to cloud the judgement of the downloader. Popular films have long been a prime item to masquerade as to get malware distributed. And, even if this is what OP was doing, so what - the malware is the issue being resolved, and the damage and worries and time lost are their own punishment. That's already happened. The answers here apply to plenty of good faith, sincere, and legal attempts to get software and data.
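The size test, the stacked-extension check and the hidden/system-attribute point from the post above can be applied to a downloaded file before it is ever opened. The following is an added example, not code from the thread or any poster: a PowerShell function that inspects a file's name, size and attributes and lists the reasons it looks wrong. The executable and video extension lists and the 500 MB minimum for a feature-length video are assumptions; the function name is made up for this example.

```powershell
# Added example (not from the thread): the "no AV" sanity checks Euchre describes,
# run against one downloaded file. Thresholds and extension lists are assumptions.
function Test-DownloadLooksWrong {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed minimum plausible size for a full-length video file.
        [long] $MinVideoBytes = 500MB
    )

    # -Force so a file carrying the Hidden or System attribute is still returned.
    $item    = Get-Item -LiteralPath $Path -Force
    $reasons = New-Object 'System.Collections.Generic.List[string]'

    # Types Windows will execute on double-click (assumed list, not exhaustive).
    $executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.ps1',
                    '.vbs', '.js', '.jse', '.wsf', '.hta', '.msi', '.lnk')
    $video      = @('.mkv', '.mp4', '.avi', '.mov', '.wmv', '.m4v')

    # Stacked extension: Explorer shows "coolmovie.mkv" for "coolmovie.mkv.exe"
    # when known extensions are hidden, so look at the extension *before* the last one.
    $ext      = $item.Extension.ToLowerInvariant()
    $stem     = [System.IO.Path]::GetFileNameWithoutExtension($item.Name)
    $innerExt = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()
    if ($executable -contains $ext) {
        if ($innerExt) {
            $reasons.Add("stacked extension '$innerExt$ext': runs as $ext but displays as $innerExt when extensions are hidden")
        } else {
            $reasons.Add("executable type $ext where a media file was expected")
        }
    }

    # Size test: a feature film is gigabytes, not kilobytes or a few megabytes.
    if (($video -contains $ext -or $video -contains $innerExt) -and $item.Length -lt $MinVideoBytes) {
        $reasons.Add("size of $($item.Length) bytes is far too small for a full-length video")
    }

    # Attribute test: a fresh download should not arrive marked Hidden or System,
    # which would make it vanish from a default Explorer view.
    foreach ($attr in @([System.IO.FileAttributes]::Hidden, [System.IO.FileAttributes]::System)) {
        if ($item.Attributes -band $attr) { $reasons.Add("file carries the $attr attribute") }
    }

    [pscustomobject]@{
        Path       = $item.FullName
        Bytes      = $item.Length
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons.ToArray()
    }
}

# Usage (hypothetical path): check what the torrent client produced before opening it.
# Test-DownloadLooksWrong -Path 'C:\Downloads\coolmovie.mkv.exe' | Format-List
```

For the OP's case (about 1.5 GB, so the size test passes) the stacked-extension branch is the one that would have fired; that is exactly the check a narrow uTorrent window hid.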


5 hours ago, Euchre said:

Something I haven't seen mentioned here is the premise of a 'size test'. The simple, no AV tests should include this one: If the file size is exceptionally smaller or even sometimes larger than the usual file for a comparable item, the thing you've downloaded may be fake, or at least a damaged file. A complete file of a feature film length video is not going to be a few kilobytes or megabytes, it should be in the gigabytes in size. If you're supposed to be downloading a one page document, it shouldn't be 10s or 100s of megabytes in size.

 

Already mentioned is having file extensions showing, which really ought to be how everyone does things, but if you forget to unhide them at some point, stacking extensions is a common tactic to make a file look like the one you want. Another thing I've not seen exploited yet, but I wonder if it might be tried, is managing to hide a file by getting the OS to see it as a 'system file', which most users leave hidden, even some of the more savvy ones. So, a file might appear as coolmovie.mk4.exe properly displayed, or the file you get may seem to just disappear.

 

The file was about 1.5GB, so I didn’t suspect it from that point of view. I do have it set to show system files, so I can say there were none for sure.

 

I most likely just missed the two extensions, my guess is because I had uTorrent window narrow enough to not show all the text. :/


You could always open a virtual machine and install torrenting software and run the torrent on that. Disable any AV and Windows Defender to let it do its magic.
For the most part, your PC is safe when infecting a virtual machine. 

My rig:

CPU: Ryzen 5 3600 3.6Ghz, OC'ed to 4.2Ghz all core @ 1.25v + Corsair H60 120mm AIO

MB: Gigabyte B450 I Aorus Pro WiFi

RAM: Kingston Fury Beast RGB 32GB (2x16GB) 3600mhz CL16 (1-to-1 Infinity Fabric enabled)

GPU: Gigabyte RTX 2080 Super

*bought for $200 CAD off a friend who needed an RTX 3080, price was my reward.

CASE: InWinn A1 Plus in White with included 600w gold sfx PSU and included custom length cables

DISPLAY: 3x 20" AOC 1080p 60hz 4ms ,  32" RCA 1080p/60hz TV mounted above, all on a single arm.

 

Storage: C : 1TB WD Blue NVMe      D : 2TB Barracuda      E: 240GB Kingston V300 (scratch drive)

NAS: 240GB Kingston A400 + 6x 10+ year old 700GB Barracuda drives in my old FX8350+8GB DDR3 system

 

Logitech G15 1st Gen + Logitech G602 Wireless

Steam Controller +  Elite Series 2 controller + Logitech G29 Racing Wheel + Wingman Extreme Digital 3D Flight Stick

Sennheiser HD 4.40 Headphones + Pixel Buds 2 + Logitech Z213 2.1 Speakers

 

My Girlfriends Weeb-Ass Rig:

Razer Blade Pro 17 2020

10th Gen i7 10875H 8c/16t @5.1ghz 

17.3" 1080p 300Hz 100% sRGB, factory calibrated, 6mm bezel

RTX 2070 Max-Q 8GB

512GB generic NVMe

16GB (2x8GB) DDR4 3200Mhz

Wireless-AX201 (802.11a/b/g/n/ac/ax), Bluetooth® 5.1, 2.5Gbit Ethernet

70.5 Whr Battery

Razer Huntsman Quartz, Razer Balistic Quartz, Razer Kraken Quartz Kitty Heaphones

*deep breath*

Razer Raptor 27" monitor, IT'S BEAUTIFUL.


20 minutes ago, Chronified said:

You could always open a virtual machine and install torrenting software and run the torrent on that. Disable any AV and Windows Defender to let it do its magic.
For the most part, your PC is safe when infecting a virtual machine. 

Not a bad idea, but I most likely wouldn’t use it. Like I mentioned, I never download .exe files and this was the first and last time I downloaded something with 0s/0p.


17 hours ago, Kisai said:

 

Hmm, I'll not tell you what that VL activation means, google it.

 

Scroll through everything in the powershell log from around the time you ran the bad file that launched powershell. If you see something that looks like it has changed the permissions of something, particularly if something was stopped and then disabled from starting up, or something was installed that was then set to auto-start.

 

But again, to be safe, I'd just roll back using system restore to before the event that happened.

 

System restored to previous version :)


On 8/30/2019 at 5:22 AM, tlustymen said:
Yesterday I torrented a film. When I wanted to play it, it opened some system folder where it opened a command line (can't remember what program it was exactly, it was blue and wasn't cmd). Thankfully it was stopped by antivirus, but I just can’t stop wondering what it wanted to do. The torrent was deleted since then, so I can't try it again for more info. And how did it go through uTorrent pro’s antivirus protection? Any ideas? Thanks
 
edit: It opened Powershell and yes, it wasn't a movie
I also deep scanned the pc yesterday, everything should be alright, but I'm gonna scan it with few more scanners recommended to me, just to be sure.

This is what happens when you pirate. Arg!!!! I used to use Kodi to pirate movies. My AV saved my ass a few times. This is why you're better off paying for shit. Netflix and Hulu are cheap enough. Eventually what you want to watch will be on a streaming service.

 

If you're concerned then reformat the drive and reinstall Windows. If you're confident in your AV software then you should be fine the way it is.

I just want to sit back and watch the world burn. 


On 8/30/2019 at 5:56 PM, Kisai said:

I'd just roll back using system restore to before the event that happened.

Unless Microsoft fixed it. System restore was known for viruses hiding in it. People would get a virus and clean the system up, just to restore to a previous restore point and reinfect themselves.

I just want to sit back and watch the world burn. 


21 hours ago, Andreas Lilja said:

Downloading is still a thing with the advent of streaming?

Even excluding the (imo fair) argument of "that's expensive, especially for those who watch less than one thing a month (like me)", there are also many great movies or series or whatever that just aren't available on those sites. This means that you could either not watch them at all, or enjoy them through other means.

PC SPECS: CPU: Intel Core i7 3770k @4.4GHz - Mobo: Asrock Extreme 4 (Z77) - GPU: MSI GeForce GTX 680 Twin Frozr 2GB - RAM: Crucial Ballistix 2x4GB (8GB) 1600MHz CL8 + 1x8GB - Storage: SSD: Sandisk Extreme II 120GB. HDD: Seagate Barracuda 1TB - PSU: be quiet! Pure Power L8 630W semi modular  - Case: Corsair Obsidian 450D  - OS: Windows 7


50 minutes ago, Donut417 said:

This is what happens when you pirate. Arg!!!! I used to use Kodi to pirate movies. My AV saved my ass a few times. This is why you're better off paying for shit. Netflix and Hulu are cheap enough. Eventually what you want to watch will be on a streaming service.

I actually pay for Netflix, but not everything is in there. Plus as already mentioned here many times, torrenting =/= piracy :)

 

47 minutes ago, Donut417 said:

Unless Microsoft fixed it. System restore was known for viruses hiding in it. People would get a virus and clean the system up, just to restore to a previous restore point and reinfect themselves.

Did another deep scan after restore, I think I'm ok (knock on wood) :D 
