Seylox | 792 points
I've researched this now and apparently either most or all of the game uploads by /u/pcgamer21 contain a Trojan, including his highly upvoted Cuphead Post.
His posts: https://www.reddit.com/user/pcgamer21/posts/
To quote /u/Moestopholies:
Dude WTF OP..upon clicking setup it launches svchost.exe from the user/temp and my firewall caught it trying to get to 42.114.224.149 over port 1911, Ha Noi, VietNam FPT Telecom Company.
Why would this installer do that?? Over all my years using scene/warez I've never had an installer hit my firewall. Not accusing you OP but your source is suspect..DL from g drive btw.
EDIT: Dude YOU ARE FUCKING SUSPECT, You have people in your past DELETED posts calling you out about the Viruses in your posts Also a redditor for a whole 18 days you can't be trusted here.
EDIT 2: All you little bitches who DV me man up and disprove me why don't you, you are gonna take the word of a user that's less than a month old also ha you deserve to have all your base had
Link: https://www.reddit.com/r/megalinks/comments/7jrpr4/game_cuphead_113_gog_google_drive_mirror/dr9vc1e/
I scanned the File and it also reported a Virus:
Windows Defender reports this as "Backdoor:MSIL/Bladabindi", are you sure it's free of Malware?
virustotal.com also reports threats: https://www.virustotal.com/#/file/710221c959ef8747b4dfa7474768c174a31f5b2ebd84e2d40a1f6f88806a7064/detection
Any more info on this, /u/pcgamer21 ?
EDIT: Apparently pcgamer21's uploads all contain trojans. Better do a virus scan. He might be using bots to downvote critical comments.
Link: https://www.reddit.com/r/megalinks/comments/7jrpr4/game_cuphead_113_gog_google_drive_mirror/dr9afqv/
Oh and I almost forgot: he seems to be using bots to downvote critical comments.
EDIT: Thanks to /u/iPhunwa2, I highly recommend upvoting his post https://www.reddit.com/r/megalinks/comments/7k3xkj/announcement_requirements_to_post_games_or/ or generally just checking it out if you need help removing malware.
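The firewall alert quoted above (svchost.exe launched from the user's temp directory and connecting out to 42.114.224.149 on port 1911) is exactly the pattern a defender can look for in TCPView or netstat output. As an added example that is not part of the original post, the Python below triages constructed process/connection records for the two signals in that quote: a binary named svchost.exe running from anywhere other than System32/SysWOW64, and anything in a temp directory holding an outbound connection. The record layout, the user path, the connection state names and the other addresses are assumptions for the demonstration; only the suspicious process name, its temp location and the remote endpoint come from the thread.

```python
"""Triage process/connection records for the two signals in the quoted
firewall alert: svchost.exe running outside the Windows system directories,
and a binary in a temp directory making an outbound connection.

Added example, not from the thread. The records are constructed to mimic
TCPView / `netstat -b` output; only the process name, its temp-directory
location and the 42.114.224.149:1911 endpoint come from the quote.
"""
from dataclasses import dataclass
import ntpath

# Directories a genuine svchost.exe is expected to run from
# (assumption: default %SystemRoot% of C:\Windows).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Path fragments that mark writable staging locations.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\tmp\\")
OUTBOUND_STATES = ("SYN_SENT", "ESTABLISHED")


@dataclass(frozen=True)
class Connection:
    process: str       # image name as the tool shows it
    image_path: str    # full path of the executable
    remote_addr: str
    remote_port: int
    state: str         # e.g. LISTENING, SYN_SENT, ESTABLISHED


def is_outbound(conn: Connection) -> bool:
    """True for a connection to a non-loopback peer that is being set up
    or is already open."""
    return conn.state in OUTBOUND_STATES and not conn.remote_addr.startswith("127.")


def findings(conn: Connection) -> list:
    """Return the reasons this record is suspicious (empty if none)."""
    path = ntpath.normpath(conn.image_path).lower()
    reasons = []
    if conn.process.lower() == "svchost.exe" and ntpath.dirname(path) not in SYSTEM_DIRS:
        reasons.append("svchost.exe running outside System32/SysWOW64")
    if any(marker in path for marker in TEMP_MARKERS) and is_outbound(conn):
        reasons.append(f"binary in a temp directory connecting to {conn.remote_addr}:{conn.remote_port}")
    return reasons


def triage(conns):
    """Pair every suspicious record with its reasons."""
    return [(c, r) for c in conns if (r := findings(c))]


# Constructed sample: a genuine svchost, the one from the quoted alert
# (user path assumed), a browser, and a loopback-only listener. The
# 52.96.10.1 and 151.101.1.140 addresses are placeholders, not observations.
SAMPLE_CONNECTIONS = [
    Connection("svchost.exe", r"C:\Windows\System32\svchost.exe", "52.96.10.1", 443, "ESTABLISHED"),
    Connection("svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "42.114.224.149", 1911, "SYN_SENT"),
    Connection("firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe", "151.101.1.140", 443, "ESTABLISHED"),
    Connection("setup.exe", r"C:\Users\alice\Downloads\setup.exe", "127.0.0.1", 8080, "LISTENING"),
]

if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE_CONNECTIONS):
        print(f"{conn.process} ({conn.image_path})")
        for reason in reasons:
            print("  -", reason)
```

Only the temp-directory svchost is reported, with both reasons; the genuine System32 copy, the browser and the loopback listener pass. On a live box the records would come from TCPView or `netstat -b`, and the path check is what separates a real svchost.exe from one that merely borrowed the name.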
[-] TheGoodSheep | 91 points
Piece of advice: Only trust people that are constant uploaders or at least have a trustworthy account older than a few months.
- Captain Hindsight
[-] throwawayadalkesfkl | 46 points
Yeah, called it out on last post https://www.reddit.com/r/megalinks/comments/7j286t/game_cuphead_113/dr4pi73/?context=3 (archive since he deleted his ~~comment~~ account.) and got downvoted, and I also reported that post via report button, but mods didn't remove it....
Also just in general I think rule for sharing exe files needs to be more strict than for sharing regular stuff that is posted here.
[-] [deleted] | 31 points
[deleted]
[-] R3a1ityCheque | 21 points
Yep it seems the most sensible choice. If you want .exe files get them from trustworthy places.
I usually use FitGirl for games, never had a problem.
[-] Glu7enFree | 6 points
One of the installers for her games (I think it was AC: Syndicate) locked my computer up hard and wouldn't recognize any peripheral mice or keyboards until I did a clean reinstall of Windows.
I've never had any other problems from her, so make sure you get her games from a decent source to save any hassles.
Sometimes people release software using her name for recognition. Not saying you did but you may have accidentally downloaded one of those
[-] Glu7enFree | 2 points
I'd say that was likely to be what happened.
[-] [deleted] | 29 points
From personal experience: definitely has a virus. Computer suddenly ran like shit. Woke up with new system files in System32 (which have now been deleted) and new installed apps (which have now been reset if they were Windows programs, and uninstalled if they were not). Best of luck to you all.
[-] howsyeronions | 37 points
Probably still have shit on your computer associated with it.
malwarebytes.org to feel a little safer
[-] [deleted] | 19 points
15 threats (pup.reimage) found, thank you for the advice ;_;
Personally I would just do a clean install of Windows. Wouldn't want to risk missing something.
[-] [deleted] | 16 points
This really fucks me up. I feel so dumb. I knew it was suspicious but I trusted it anyway because it came from megalinks. I'm so disappointed in myself.
[-] Demiglitch | 28 points
Trusting software
I'd rather rob a gamestop
[-] 8_Some_Chicken_Shit | 15 points
Usually cracked games are detected by AVs as viruses (.dll and .exe files), but what's quoted above is not normal for when installing cracked games. It's better to download from sources like the Fitgirlrepacks site who are trusted and do not embed software with malware.
Good post.
I work in Cyber Incident Response. I follow this sub, but not for software. I'm too paranoid for cracked EXEs and the like these days. Honestly you should be too. But if you're gonna do it...
Normally AV software will flag a heuristic detection for dubious software (esp cracking stuff) or a "file is relatively unknown" type error. Something like "Trojan.Gen" (Symantec) or Artemis! (McAfee). These are awfully hit and miss. A lot of false positives. It means it tripped the AV for suspicious behavior, but the AV company doesn't know for sure what it is yet.
When it flashes something more specific, like MALWARE FAMILY NAME:BACKDOOR you're in trouble. It means it thinks it knows exactly what it is...a much stronger detection.
Get a file hashing tool like winMD5sum and you can drag/drop to get the file hash. And then check the hash on Virustotal. This won't necessarily catch NEW hashes of malware, but at least you can verify the file status (is it properly signed, how new is the file, etc) and if the file is months old, it is probably relatively safe. Vs. a new / unknown file or an unsigned one.
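The hashing step described here (hash the installer, then look the hash up) needs no GUI tool. As an added example that is not part of the commenter's post, the Python below computes MD5, SHA-1 and SHA-256 of a file in chunks and checks the SHA-256 against a local indicator list, seeded with the one hash this thread provides (the SHA-256 in the VirusTotal link). It also compares the MD5 to a checksum the uploader stated, since a mismatch is another signal raised further down the thread. The sample file, its contents and the expected MD5 are constructed for the demonstration; a miss on the list yields only "unknown", which is the same caveat the commenter gives about new hashes.

```python
"""Compute file digests and check them against a local indicator list and
an uploader-stated checksum.

Added example, not from the thread. hashlib does the hashing (the same job
as the winMD5sum drag-and-drop mentioned above); the indicator list holds
the SHA-256 shown in the thread's VirusTotal link; the file written for the
demonstration and its expected MD5 are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 taken from the VirusTotal URL in the thread (its only file hash).
KNOWN_BAD_SHA256 = {
    "710221c959ef8747b4dfa7474768c174a31f5b2ebd84e2d40a1f6f88806a7064",
}


def file_digests(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests, reading in chunks so a
    multi-gigabyte installer never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def classify(digests, expected_md5=None):
    """'known-bad' if the SHA-256 is on the indicator list,
    'checksum-mismatch' if the uploader's stated MD5 disagrees,
    otherwise 'unknown' (absence from a list is not a clean bill)."""
    if digests["sha256"] in KNOWN_BAD_SHA256:
        return "known-bad"
    if expected_md5 is not None and digests["md5"].lower() != expected_md5.lower():
        return "checksum-mismatch"
    return "unknown"


def assess(path, expected_md5=None):
    """Hash the file on disk and return (verdict, digests)."""
    digests = file_digests(path)
    return classify(digests, expected_md5), digests


def demo(expected_md5="5d41402abc4b2a76b9719d911017c592"):
    """Write a constructed stand-in for an installer and assess it.
    The default expected_md5 is the MD5 of the constructed contents."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "setup.exe"
        sample.write_bytes(b"hello")  # constructed contents, not a real installer
        return assess(sample, expected_md5)


if __name__ == "__main__":
    verdict, digests = demo()
    print(verdict)
    for name, value in digests.items():
        print(f"  {name}: {value}")
```

The same `file_digests` output is what you would paste into the VirusTotal search box; keeping a local list of hashes you have already confirmed as bad lets you catch a re-upload of the identical file without a network round trip, while anything not on the list still has to be treated as unknown rather than safe.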
[-] CrapWeasel- | 1 points
Good stuff. Thank you
[-] [deleted] | 15 points
so the gog installer was actually a backdoor trojan?
[-] RentalSuperhero | 3 points
Appears to be
[-] KidAstronaut | 10 points
He hit TPB a few days ago with nearly 100 uploads of some of the most popular software. All super sus files.
[-] Mysterymender | 8 points
Thanks OP but his post threw up a big ol red flag as soon as I saw them. Look folks if you want to get your games like this then just use trusted sites found in the FAQ of the sub. Don't trust some rando saying hey guys check out these games.
[-] Silverbackus | 10 points
I actually feel guilty for not commenting on what I thought was an obvious virus.
[-] master_coyote | 7 points
[-] IgnoreMyName | 7 points
Just get your games from here yo. https://pcgames-download.com/
Check my comment history and you can see I've been a part of this sub for quite a while now and have mentioned that site before. They upload games to Mega as well as a bunch of other sites so you download from where you prefer. There are other sites like it but so far, they haven't let me down.
[-] Mrfrodough | 6 points
Confirmed I got the Bladabindi backdoor. Also Fuerboos.A!cl Trojan. Doing additional scans with Malwarebytes (this time added rootkit scan) and another with Windows Defender. I'm wondering if that'll be safe enough if they come up empty or if I should back up and wipe.
[-] MyAssDoesHeeHawww | 5 points
Once your system has been compromised, there's no way of telling what's been done to make it more vulnerable. Even if you remove all suspect files, there may have been changes that aren't corrected.
[-] Mrfrodough | 2 points
Ya, I'm gonna format after work today. There's stuff I'm gonna lose, but oh well.
[-] MyAssDoesHeeHawww | 1 points
Yeah, they're a pain but it's still better than the doubt.
Don't forget to write down/save settings you like.
[-] Mrfrodough | 3 points
Good idea. One possible problem (and from what I understand it's long odds) is I plugged in my external after I probably had it but before I knew. I'll have to scan that with my laptop (not much on it, so if I gotta format that, no biggie). But from what I've heard USB transfer of the virus is possible, just rare.
[-] MyAssDoesHeeHawww | 2 points
Viruses like to spread themselves so a scan can't hurt.
[-] Mrfrodough | 2 points
Indeed. If it's clean, I just wasted a bit of time is all.
LINK TO HIS POSTS: pcgamer21
Since his user is deleted and you may want to check his posts to see if you downloaded one of them.
[-] R3a1ityCheque | 4 points
Thanks for the heads up.
[-] xXsTeffOovErkILLXx | 3 points
So am I still good if I haven't tried to run it or is just downloading it enough?
You're fine as long as you didn't run it
[-] xXsTeffOovErkILLXx | 1 points
That puts my mind at ease, thank you.
[-] [deleted] | 3 points
[deleted]
Did you also run Advanced Full scan with Windows Defender? Also you should download this and run Malware scan.
https://www.emsisoft.com/en/software/eek/
[-] [deleted] | 2 points
[deleted]
[-] confesstoyou | 2 points
Don't rely on Defender. It's garbage. It doesn't matter what anyone else says, the tests run by AV-Comparatives show that it's far inferior to other AV apps out there. I'd suggest Bitdefender Free, so long as you're not using a VPN. Right now, it's behaving very poorly with various VPNs and essentially breaks them. They're aware of the situation and are supposedly fixing it, but there's been no status update from them for a long time on the issue.
Back up your stuff and reinstall; it's the best way to get rid of everything.
[-] Mrfrodough | 4 points
Ya, but if you back up you could infect your external. This particular backdoor has the possibility of transferring via USB. :(
Dude, that's been common since 2002; just disinfect after you've made the backup with a free Kaspersky offline scan, and that's it.
[-] confesstoyou | 2 points
I wouldn't touch Kaspersky with a 20-foot pole. It's looking like they've done some seriously shady shit working with the Russian government, and I don't think it's a coincidence that they decided to finally release a free version when these connections were noticed and major chains in the US stopped selling their products.
Bitdefender's real-world tests score just as well as Kaspersky's, according to AV-Comparatives. I'd use them.
I reported something similar months ago about another game and another user. I didn't report it to the mods which I should've but I did do a write up.
https://www.reddit.com/r/megalinks/comments/6j8qwe/pcwindows_sniper_elite_4_deluxe_editionsteampunks/djpunkq/
/u/Seylox
/u/iPhunwa2
[-] Should_have_listened | 6 points
[-] jack-rabbit-slims | 3 points
God damn, I just installed his OKAMI package.....
EDIT. WTF I was about to install his Tokyo Xanadu release as well, when I remembered that he uploaded that one as well
[-] Mrfrodough | 2 points
I almost did too, but then I got FitGirl's repack straight from the site.
[-] WerkinAndDerpin | 3 points
[-] Mrfrodough | 2 points
One of his comments is deleted and shows deleted on that comment's user name. Wonder if mods finally kicked him or he deleted that Reddit account.....
If you click on his username he deleted his account.
[-] Mrfrodough | 3 points
Ah. I'm on mobile so it's more of a pain. I probably got hit by it myself, but I think Malwarebytes caught it after I scanned this morning. Wasn't the only thing, hadn't scanned in a few weeks :(
Sorry to hear that, what's your active anti virus?
[-] Mrfrodough | 3 points
Windows Defender, though I've considered Malwarebytes Premium for the active one.
You on Windows 10?
[-] Mrfrodough | 1 points
Ya.
I downloaded his Cuphead RAR file but when I tried to extract it with WinRar, it failed (some error). After that I didn't go through with downloading it again with AntiVirus disabled. Is there anything I need to do to protect my computer or am I safe?
I installed this game using his download. How can I remove the virus that was in it?
I already bought the game since I liked it, I just wanted to try it out
[-] confesstoyou | 2 points
I don't know about this virus in particular, and I'm no computer expert, but traditionally, I've used Malwarebytes and Bitdefender to deal with infected machines. Run Malwarebytes first and remove anything it finds. Next, install Bitdefender and run a scan. If the virus prevents running these programs, use Rkill to kill its processes and/or try running them in Safe Mode.
[-] PudendalCommodore | 2 points
Yeah, this is correct. Luckily I sandboxed the installation and I caught it trying to open a port in my Windows firewall.
Dude, seriously, nice one for the heads up, I grabbed the Okami HD post, but just deleted it from my MEGA. Thanks a lot!
[-] shadows4n1c | 2 points
some tools -
TCP View - https://docs.microsoft.com/en-us/sysinternals/downloads/
Just use the on demand, not the 30 day trial, https://www.hitmanpro.com/en-us/hmp.aspx
Sophos Virus Removal Tool
F-Secure Online Scanner
Kaspersky Virus Removal Tool
GMER
RootkitBuster
RogueKiller
Norton Power Eraser
If you have Avast, Protection/Scans/Boot Time Scan. If you have lots cracks and will be in the room for an hour, click settings and choose "Ask."
Info on the generic version of the Trojan/RAT/dropper family; looks like it has been around since as early as 2014, and the version in Cuphead was updated at least as recently as this July:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=MSIL/Bladabindi
In light of this, what are some free/open source anti-virus/spyware scanners/protectors that are reliable? I'm currently on Avira, but times and companies change.
I use ESET NOD32 and never had problems; it's very light and it has a gaming mode making it even lighter when you game. It also detected and deleted this file as soon as I extracted the RAR.
It is not free, but there are a lot of sites/FB pages where you get trial codes for 30 days, so I do that every 30 days. And on top of that I use Malwarebytes on-demand when I think I downloaded something bad, just to see if NOD32 missed something.
At least in the case of Cuphead, it's on GOG, always go with GOG downloads because the installer can verify its integrity.
Honestly the game is worth buying either way, the devs basically gambled their houses to make it, and I for one think supporting them if possible is a must.
We're still discussing on how to prevent this from happening in the future. If you have any suggestions do send us a message.
E: https://redd.it/7k3xkj
Probably a common suggestion would be giving flairs to trusted and reputable uploaders.
I would also like to suggest some kind of IP ban. I know you can't block them from accessing the site, but perhaps you can for the sub!
[-] uwotm8_888 | 3 points
Maybe a mod can use a sandbox PC to scan exe files, since only a few are uploaded.
[-] her-jade-eyes | 1 points
Thanks - glad I haven't installed yet.
[-] blackroseyagami | 1 points
sigh
To think I was excited to install this tonight.
[-] [deleted] | 1 points
[deleted]
[-] Silverbackus | 7 points
If you've installed, you need to either hit up a few different anti-virus / malware scans or just go ahead and fresh install Windows.
[-] [deleted] | 1 points
[deleted]
[-] Silverbackus | 8 points
I have limited knowledge on this, but given that port access is high on the to-do list for this one, it seems to indicate that you could be data-mined, your keylogs could be recorded and your accounts eventually stolen. That's not to say what WILL happen, that's just to say what could.
[-] kittyfox92 | 1 points
Yikes. I'm glad I didn't ever get around to launching this file.
[-] allnamestakennn | 1 points
Stuff like this is why I got into the habit of opening anything remotely suspicious in a sandbox.
Has helped more than once and it doesn't cost almost any effort. Can highly recommend.
[-] smalliver365 | 1 points
Shit.. I downloaded it
[-] shadows4n1c | 1 points
You found this just from a firewall alert?
Always wondering what all people use to keep tabs on things...
I know what he's spreading: a "RAT", Remote Administration Tool. It can control your computer, especially the webcam.
[-] doctorwho6904 | 1 points
Well, I'm glad that new measures have been put in. Hopefully this won't happen again.
[-] [deleted] | -11 points
[deleted]
THE MD5 CHECKSUM ISN'T THE SAME.
It most definitely should be. How do you explain that?
[-] Mrfrodough | 8 points
As others have said, GOG games are DRM-free by default and don't need a "crack". That alone kinda makes it odd.
OkamiHD is the normal IGG CODEX package, from top to bottom, scanned like 4 times with no issue. Dude was uploading files he could find for people, no clue wtf you're talking about there.
[-] RentalSuperhero | 11 points
Might want to upgrade your antivirus buddy
[-] pelito | 233 points | Dec 15 2017 12:20:14
it's a small indy studio and the game is 20 bucks. just pay for it.
[-] SpongederpSquarefap | 86 points | Dec 15 2017 13:53:48
That and it's fun as fuck with no bullshit or micro transactions
[-] unabatedshagie | -33 points | Dec 15 2017 14:38:02
Fun in the same way as getting your balls repeatedly stomped on by a sexy woman.
[-] zoomshoes | 40 points | Dec 15 2017 15:13:02
but you often have to keep paying for that
[-] sirin3 | 22 points | Dec 15 2017 15:38:28
And much more than 20 bucks
[-] [deleted] | 2 points | Dec 15 2017 15:35:01
[deleted]
[-] unabatedshagie | 6 points | Dec 15 2017 15:58:47
At least someone seemed to get it.
[-] headinsockedboy | 2 points | Dec 15 2017 23:18:16
I haven't even played the game and I saw this as a reference to the difficulty. Maybe Dark Souls corrupted me though ¯\_(ツ)_/¯
[-] MTFlava | 1 points | Dec 16 2017 02:25:03
Yeah that flower boss must have stomped on my balls 40 or 50 times... upvoted!
[-] modelshopworld | 85 points | Dec 15 2017 18:23:17
You know what sub you’re in, right?
[-] DanWolfstone | 18 points | Dec 15 2017 21:19:57
I mean, I get what you mean, but I really enjoy that game, I think it's worth paying for.
[-] modelshopworld | 14 points | Dec 16 2017 02:31:13
I’m just yanking your chain, I know what you mean and I agree: small market games and developers should be supported, especially if it’s being very well received by audiences
[-] iApplepet | 10 points | Dec 16 2017 09:53:07
The Pirate Code
[-] Muh_Condishuns | 1 points | Jan 02 2018 12:27:47
You still don't know what sub you're in.
[-] DanWolfstone | 2 points | Jan 02 2018 18:31:49
WAIT MAN, YOU'VE GOT THE WRONG GUY
[-] labiothan | 17 points | Dec 15 2017 22:38:44
$13USD on GOG right now!
[-] humanysta | 7 points | Dec 29 2017 14:00:32
I'm so tired of this bullshit. No, I'm on a piracy sub because I don't want to pay for stuff. I'm not here to be lectured about how it's only OK to pirate games from big companies. Fuck that. Go play moral police somewhere else.
[-] Muh_Condishuns | 5 points | Jan 02 2018 12:28:35
Hear, hear. Tired of hypocritical pussies just looking for hypocritical upvotes myself.
[-] Muh_Condishuns | 6 points | Jan 02 2018 12:27:06
I hate when hypocrites come to piracy subs with this sentiment. Fuck off.
[-] [deleted] | -30 points | Dec 15 2017 15:26:12
[deleted]
[-] pelito | 22 points | Dec 15 2017 15:45:50
number of copies sold is their reward.
[-] dawkholiday | 18 points | Dec 15 2017 16:10:00
That's a very stupid comment. They've sold that many copies because that small indie studio put in work they deserve to be rewarded for. This isn't EA. Use your brain before your greed, son.
[-] [deleted] | -13 points | Dec 15 2017 19:01:27
[removed]
[-] dawkholiday | 3 points | Dec 15 2017 19:31:31
lol
[-] headinsockedboy | 1 points | Dec 15 2017 23:22:04
You sir/ma'am, have offended me.
[-] V1rtus | -39 points | Dec 15 2017 14:47:43
That's your argument?
[-] pelito | 37 points | Dec 15 2017 14:52:28
nope. just a suggestion. you can do whatever the fuck you want.
[-] V1rtus | -10 points | Dec 15 2017 22:16:01
Geez, thanks. This game is sold to at least 1 million people, that's 1x20=20 million revenue, and that's only Steam, and only that game with no other revenue mentioned like sponsorships and merchandise sold if they have it. That's not a small studio anymore (well compared to EA it is) but generally speaking, they're not lacking money that's for sure, and a few people pirating this and promoting this great game won't hurt them much. btw it's "indie" not indy.
[-] pelito | 9 points | Dec 15 2017 22:24:59
You’re right. They’ve already made loads of money. They don’t need any more. Thank you for enlightening me.