We suspect a problem. (Need assistance with triage)

SpaceEV (Junior Member, 37) - 08-06-2025, 07:58 AM - #1
My partner was attempting to explore Linux distributions by downloading ISOs, but one was only available in Japanese. They tried to obtain a translation patch, which resulted in an executable file. They launched this file inside WinRAR and encountered pop-ups that prompted them to come closer. At the moment of the pop-ups, several items appeared on the screen—AVG, Razor (a name they recognized), System Recovery Services (they thought it was adorable for a brief moment), and at least half a dozen more entries from Task Manager. I tried restarting the system into safe mode, but the admin account password no longer worked. We powered off the machine and unplugged its network cable; since it was a desktop without any Wi-Fi chip, it remained connected to the internet during the execution of the file until the safe mode shutdown. While we were working on a project together, data should still reside on the D drive, but I’m unsure what to do next. Some other systems that stayed on and connected also ran antivirus scans, showing no unusual activity. The machine ran an i7-6700K processor, and both the SATA drives and the SSD in question were present. I’m not certain about the best course of action now.

gavin0099 (Member, 179) - 08-06-2025, 07:58 AM - #2
Find an older computer lacking a network card that supports connecting to the D storage drive. After disconnecting it from the network, execute an antivirus scan on the machine.

Kayzan_ (Senior Member, 252) - 08-06-2025, 07:58 AM - #3
There might be options to reduce the effect if you're mistaken about the drive type. Since you have a SATA to USB setup, you could check if connecting it to a different microcontroller works. See if any components are reliable and don't require replacement.

JakeMerkenc (Junior Member, 33) - 08-06-2025, 07:58 AM - #4
It should work on other installations provided the attacker didn't encrypt the drive.

xImFizzy (Member, 213) - 08-06-2025, 07:58 AM - #5
All your hardware components appear to be functioning properly. The motherboard seems intact, and the BIOS remains unaffected by any malware.

audi497mks (Senior Member, 601) - 08-06-2025, 07:58 AM - #6
To retrieve the information on Drive D:, consider starting with a Linux Live USB and transferring the required files. Or, set up the D: drive on a Linux machine. Most malicious software struggles to move between Windows and Linux environments.
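As an added example (not code from anyone in this thread), a POSIX shell script for the Linux live USB approach described in this post: it mounts the suspect D: partition read-only with noexec so nothing on it can run or be altered, copies documents while skipping file types Windows would execute, and writes a SHA-256 manifest so the copy can be verified on a clean PC. The device path /dev/sdb1 and the mount point are assumptions; check them with lsblk on the live system.

```shell
#!/bin/sh
# Added example for recovering data from an infected Windows D: volume
# while booted from a Linux live USB. /dev/sdb1 below is an assumed
# placeholder for the D: partition; confirm the real device with lsblk.

# Mount the NTFS volume read-only, with noexec/nodev/nosuid, so the
# on-disk contents cannot run and the evidence is not modified.
# (Newer kernels may use "-t ntfs3" instead of ntfs-3g.)
mount_readonly() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o ro,noexec,nodev,nosuid "$dev" "$mnt"
}

# Copy user data only: skip Windows-executable file types, preserve the
# directory layout, and record a SHA-256 manifest with paths relative to
# the destination. Prints the number of files copied.
copy_with_manifest() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    manifest="$dst/MANIFEST.sha256"
    : > "$manifest"
    find "$src" -type f \
        ! -iname '*.exe' ! -iname '*.dll' ! -iname '*.scr' \
        ! -iname '*.bat' ! -iname '*.cmd' ! -iname '*.ps1' \
        ! -iname '*.lnk' ! -iname '*.vbs' ! -iname '*.js'  \
        ! -iname '*.msi' ! -iname '*.com' ! -iname '*.hta' \
        -print | while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
        (cd "$dst" && sha256sum "$rel") >> "$manifest"
    done
    echo $(( $(wc -l < "$manifest") ))
}

# Run on the clean machine before opening anything: exits non-zero if
# any copied file no longer matches its recorded hash.
verify_manifest() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# Example (as root on the live system):
#   mount_readonly /dev/sdb1 /mnt/d
#   copy_with_manifest /mnt/d/Projects /media/usb/recovered
```

Still scan the copied files with an up-to-date antivirus on the clean machine before opening them; the executable filter only removes the obvious carriers.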

MinaMoo (Member, 210) - 08-06-2025, 07:58 AM - #7
Check for signs of infection after installing Linux, such as unusual behavior or system crashes. Then, perform a BIOS flash to restore original settings.

Bruno2910 (Member, 138) - 08-06-2025, 07:58 AM - #8
During my investigation of the Linux installation, I encountered several unfamiliar components. The antivirus software—McAfee and AVG—seemed intended to replace existing protection, though no validation was performed. A full security suite called RAV was installed as well. An application named "AlmoristicsApp" appeared, along with ProW Compressor, which allowed smooth access to C and D drives. There was also a remote endpoint connection feature, possibly for communication or data exchange. A Razer utility was used, likely to install or modify system files, though the exact purpose remains unclear. After initial setup, everything functioned without issues, suggesting either rapid shutdown of threats or successful interference.

Regarding reporting, I recommend documenting each step, noting the software versions, installation order, and any anomalies observed. Include screenshots of affected interfaces and system behavior. Highlight potential risks such as unauthorized access points and password changes, especially those tied to Microsoft accounts. Share this information with community forums or security groups to help others avoid similar situations.