MSIL/Injector.WGJ


Hello

A few months ago I downloaded a file containing malware. At the time I didn't have any antivirus software other than Windows. The virus wasn't detected but I noticed it straight away because my GPU started to blow a lot.

Another thing that happened a little later, or at the same time, was that I could no longer read pictures on certain sites, like Discord for example. And when I tried to send an image or video on WhatsApp for example, it would appear blurry (see picture 2).

Somehow I managed to block internet access to something at the time because the fan didn't blow much afterwards.

At the same time, I tried several antivirus programs, all of which failed.

I was advised to try ESET, so I did, and after a full scan, some malware was found and killed. I thought it was over because when I tried to go on Discord, I could see the pictures again.

The problem is that every time I start up, I get this "MSIL/Injector.WGJ" Dotnet message. And when I send pictures or videos to certain sites, the pictures look like those in picture 2.

Does anyone have any ideas? Looked like a token miner at first.

image.png

image.png

Thanks for your reply,

ESET Log Collector seems to freeze when trying to collect Windows updates data. Do you need it, or do I uncheck it from the menu? Or maybe it just takes a long time.

  • Administrators

It may take several minutes to gather certain logs. In this case information about Windows updates is not important so you may deselect it in ELC prior to collecting logs.

  • Administrators

If the detection occurs shortly after the system starts, please create a Procmon boot log and stop logging only after the detection has occurred after a reboot. Then save the log unfiltered in the PML format. Collect fresh logs with ESET Log Collector, add the PML log to the archive and supply it to me.

First of all, thank you for your help.
I can't send you the PML log and the ESET Log Collector report because it's 500 MB after compression (5 GB before). How can I address it to you?
Note that the threat has not been detected. I forgot to mention a computer behaviour.

Almost every time I start it up, I get an empty desktop. No icons, no shortcuts, no processes launched.

Either I have to wait 2/3 minutes for everything to launch (including ESET), or I restart the computer and one out of two times the icons and processes launch as soon as I start up.

The log I'm sending you is in the case where I waited a few minutes before the processes were launched and the icons appeared.

_UPDATE_

As I'm writing this message, I've just received the MSIL/Injector detection, but the logs don't include this event.

I'm sending you this first version regardless and will do a second one later today.
Thanks again for your help.

Older posting for a like malware variant here: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/

In this case, malware was resident in:

Quote

Please provide me with the content of the c:\users\admin\appdata\roaming\microsoft\hashcalc\md5 folder (do not delete anything yet, only rename file extensions if you want to see if the detection stops). Don't post the download link here but send it in a personal message.

https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/?do=findComment&comment=134240

18 hours ago, itman said:

Thanks itman! I've already seen this post and unfortunately it doesn't seem to be the same thing.

The problem here is that, by your previously posted admission, you have been infected for months with this malware. The longer the malware remains resident, the more system damage that can be done; e.g. downloading of additional malware, etc.

I recommend you ask for malware removal assistance at one of the like sites previously posted. These sites specialize in removing entrenched multiple malware.
