BLM 0 Posted February 21 Share Posted February 21 Hello a few months ago I downloaded a file containing malware, at the time I didn't have any antivirus software other than windows. The virus wasn't detected but I noticed it straight away because my GPU started to blow a lot. Another thing that happened a little later, or at the same time, was that I could no longer read pictures on certain sites, like discord for example. And when I tried to send an image or video on whatsapp for example, it would appear blurry (see picture 2). Somehow I managed to block internet access to something at the time because the fan didn't blow much afterwards. At the same time, I tried several antivirus programs, all of which failed. I was advised to try ESET, so I did, and after a full scan, some malware was found and killed. I thought it was over because when I tried to go on discord, I could see the pictures again. The problem is that every time I start up, I get this "MSIL/Injector.WGJ" Dotnet message. And when I send pictures or videos to certain sites, the pictures look like those in picture 2. Does anyone have any ideas? Looked like a token miner at first. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,142 Posted February 21 Administrators Share Posted February 21 Please provide logs collected with ESET Log Collector. Link to comment Share on other sites More sharing options...
BLM 0 Posted February 21 Author Share Posted February 21 Thanks for your reply, ESET Log Collector seems to freeze when trying to collect windows updates data, do you need it or do I uncheck it from the menu ? Or maybe it just takes a long time. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,142 Posted February 21 Administrators Share Posted February 21 It may take several minutes to gather certain logs. In this case information about Windows updates is not important so you may deselect it in ELC prior to collecting logs. Link to comment Share on other sites More sharing options...
Administrators Marcos 5,142 Posted February 21 Administrators Share Posted February 21 If the detection occurs shortly after the system starts, please create a Procmon boot log and stop logging only after the detection has occurred after a reboot. Then save the log unfiltered in the PML format. Collect fresh logs with ESET Log Collector, add the PML log to the archive and supply it to me. Link to comment Share on other sites More sharing options...
BLM 0 Posted February 21 Author Share Posted February 21 First of all, thank you for your help. I can't send you the PML log and the ESET log collector report because it's 500mb after compression (5gb before), how can I adress it to you? Note that the threat has not been detected. I forgot to mention a computer behaviour. Almost every time I start it up, I get an empty desktop. No icons, no shortcuts, no processes launched. Either I have to wait 2/3 minutes for everything to launch (including eset), or I restart the computer and one out of two times the icons and processes launch as soon as I start up. The log I'm sending you is in the case where I waited a few minutes before the processes were launched and the icons appeared. _UPDATE_ As I'm writing this message, I've just received the MSIL/injector detection, but the logs don't include this event. I'm sending you this first version regardless and will do a second one later today. Thanks again for your help. Link to comment Share on other sites More sharing options...
sesk 23 Posted February 21 Share Posted February 21 ... u may try https://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-help/ or https://malwaretips.com/forums/windows-malware-removal-help-support.10/ in your quest to solve some of your issues. good luck. Link to comment Share on other sites More sharing options...
itman 1,707 Posted February 21 Share Posted February 21 Older posting for like malware variant here: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/ . In this case, malware was resident in; Quote Please provide me with the content of the c:\users\admin\appdata\roaming\microsoft\hashcalc\md5 folder (do not delete anything yet, only rename file extensions if you want to see if the detection stops). Don't post the download link here but send it in a personal message. https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/?do=findComment&comment=134240 BLM 1 Link to comment Share on other sites More sharing options...
BLM 0 Posted February 22 Author Share Posted February 22 18 hours ago, itman said: Older posting for like malware variant here: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/ . In this case, malware was resident in; https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/?do=findComment&comment=134240 Thanks itman! I've already seen this post and unfortunately it doesn't seem to be the same thing. Link to comment Share on other sites More sharing options...
itman 1,707 Posted February 22 Share Posted February 22 The problem here is by your previously posted admission, you have been infected for months with this malware. The longer the malware remains resident, the more system damage that can be done; e.g. downloading of additional malware, etc.. I recommend you ask for malware removal assistance at one of the like sites previously posted. These sites specialize in removing entrenched multiple malware. BLM 1 Link to comment Share on other sites More sharing options...
Recommended Posts