I got a virus, random hardware synth .exe

Discussion in 'Computer Hardware' started by Jay-, Feb 16, 2025 at 6:13 PM.

  1. Jay-

    Jay- Newbie

    Joined:
    Mar 5, 2021
    Messages:
    6
    Likes Received:
    0
    I downloaded cubase patch scripts.exe
    I use Magesy and AudioZ for downloads.

    So Amazon and eBay got hacked for purchases.
    I'm pretty sure cubase patch scripts.exe from some random site was fake (800 megs??) for text files?
    I thought it would parse my hardware and generate TXT files.

    OK, do I need to reinstall everything?
    Or can I just use a 2 week old Macrium backup?

    I only use Magesy and AudioZ.
    Do I need antivirus, a VPN and/or reformat?
    (I restored my PC to 2 weeks ago)
     
    Last edited by a moderator: Feb 18, 2025 at 8:46 PM
  3. Radio

    Radio Audiosexual

    Joined:
    Sep 20, 2024
    Messages:
    2,375
    Likes Received:
    1,254
    You reset your PC, good move. You can install this program and run it just to be safe.

    AdwCleaner

    Program that helps to eliminate unwanted software and browser add-ons from your PC.
    www.bleepingcomputer.com/download/adwcleaner/

    Stay with Audioz or Steinberg!!!
    To be on the safe side, change your passwords and never open unknown file attachments in your email inbox!
     
  4. Jay-

    Jay- Newbie

    Joined:
    Mar 5, 2021
    Messages:
    6
    Likes Received:
    0
    I really don't want to reinstall 20 audio apps. Most were from this site. Most were all very old.
    Assuming it was the Cubase hardware app from a Google site.
    Also, thank you!
     
  5. Covfefe

    Covfefe Ultrasonic

    Joined:
    Jul 29, 2018
    Messages:
    51
    Likes Received:
    31
    Location:
    Cosmos Redshift 7, Second Floor
    Nothing beats a clean install.
    That is also the time for updates.
     
    Reactions: Like x 2, Funny x 1
  6. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,861
    Likes Received:
    3,461
    I would not wipe the OS over this. That "download link" does not download anything directly. It forwards you to some typical spam webpages. This is how someone can spread browser hijacks, other spyware and "potentially unwanted programs" (PUPs). This is not how someone would be trying to infect machines with a virus or a trojan.

    I would definitely scan the machine with something like Malwarebytes or another spyware cleanup application. I would not reinstall the OS over it without a better reason than what you have shown as a problem. You could upload whatever file you got to download to VirusTotal and then leave a link to the detection results.
     
    Reactions: Agree x 3, Like x 1
  7. Jay-

    Jay- Newbie

    Joined:
    Mar 5, 2021
    Messages:
    6
    Likes Received:
    0
    clone, it had a file called cubase patch scripts.exe that was in a .RAR; it was 100 KB and when extracted was 800 gigs. I randomly clicked the bogus file, desperate to update my analog synth into Cubase. The RAR file was also password protected.
     
  8. PantoCore

    PantoCore Platinum Record

    Joined:
    Dec 5, 2023
    Messages:
    107
    Likes Received:
    235
    Install your backup, and after this, make backups of your PC every day or every 2 days.
     
  9. Dan Fuerth

    Dan Fuerth Kapellmeister

    Joined:
    Nov 2, 2017
    Messages:
    129
    Likes Received:
    62
    The file was 19 MB, then the download was 14 MB;
    once the file is extracted it says 900 MB.

    If you extract the contents of that file with 7zip you will see the spyware scripts for amazon and other websites.

    The real scripts download is :

    h$$ps://urlcod.com/2wzjQy

    "
    URL Removed
    We're sorry, but the URL you were trying to access has been removed due to a violation of our service terms."

    You only get this message and the right URL once you click download a few times so basically the scripts are not there anymore and the only thing you downloaded was the spyware payload.


    Sorry, but this is an exercise in looking not only at file names and file sizes but also at extracting data from files that look suspicious; the size
    of the files was a dead giveaway.

    Many of these free downloads are actually spyware disguised as legit downloads.
     
  10. shinjiya

    shinjiya Platinum Record

    Joined:
    Dec 25, 2018
    Messages:
    334
    Likes Received:
    197
    This probably hijacked your browser cookies. Just change your passwords everywhere you can and make sure you have 2-step authentication on wherever it is important. If the virus is a long-term infection, you might be able to get it out using RogueKiller. You can get it on BleepingComputer. It is an amazing tool that has saved many PCs I have serviced in the past. Make sure to pay attention to the results because it is prone to catch anything suspicious, even stuff that is considered safe (such as R2R emulators). After that, it gets more and more difficult to remove the infection, and while it is possible, you need experience to get around that.
     
    Reactions: Like x 1, Useful x 1
  11. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,861
    Likes Received:
    3,461
    Spyware, browser hijacks, and adware are almost never real ransomware, malware, viruses, worms or trojans. You can remove them with a decent anti-spyware program. They do not hook into your operating system files the same way, nor do they replicate via open network shares, or propagate themselves via email. That's why I said to include the detection report.
     
  12. Jay-

    Jay- Newbie

    Joined:
    Mar 5, 2021
    Messages:
    6
    Likes Received:
    0
    The Cubase script file I downloaded from that link shows a virus. Malwarebytes showed nothing.
     
  13. Radio

    Radio Audiosexual

    Joined:
    Sep 20, 2024
    Messages:
    2,375
    Likes Received:
    1,254
  14. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,427
    Likes Received:
    587
    Location:
    CBGB omfug
    RED FLAG: "cubase-patch-scripts" - what the hell is this and what is it supposed to be for? There has been nothing released from any group relating to any Cubase "scripts"... Nothing from Steinberg relating to "patch scripts"... Given these pieces of information, whatever that is should have been simply ignored.
    If you have accounts that were hacked, most likely a browser exploit was used to read the browser accounts/passwords file or possibly leftover cookies. Using active/passive browser exploit protections prevents a lot of bad stuff from happening before it can start. Using CCleaner regularly removes old cookies and destroys them.

    If you're certain there's malware and you're going to restore from backup, WIPE the storage clean with a disk wipe tool first just to be sure.
     
    Last edited: Feb 16, 2025 at 10:31 PM
  15. Jay-

    Jay- Newbie

    Joined:
    Mar 5, 2021
    Messages:
    6
    Likes Received:
    0
    Cubase patch scripts are supposed to be hardware TXT files.
    It was a virus. I restored from a backup from 3 weeks ago.
    I'm using all the warez audio apps and have Malwarebytes.

    Can't find a good antivirus app.
     
  16. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,427
    Likes Received:
    587
    Location:
    CBGB omfug
    Curious. If the download was just TEXT and nothing else you should not have had issues. There must have been something executable in there somewhere that was somehow enabled. Personally if it is not something that was released by a group and it looks suspicious on the eye test (looking at the contents of the download) and the A/V test then it gets flushed down the data toilet and secure erased. I'm betting if you looked closely at what you grabbed it most likely would have looked suspicious IF there was only supposed to be plain TXT getting downloaded.
     
    Last edited: Feb 17, 2025 at 12:40 AM
  17. r4e

    r4e Audiosexual

    Joined:
    Sep 6, 2014
    Messages:
    888
    Likes Received:
    1,279
    The best Antivirus is G Data Internet Security.

    For a complete scan without installing the software, they offer a Boot CD (Linux) in their Download Area. Just burn it or use Rufus to create a bootable USB drive and then boot your machine from it. Sadly it's quite an old boot image with virus signatures from 6 years ago, but if you want, I can create an updated image with the signatures from today.

    GData also has the best firewall you can aim for. If you set it properly, you can even block specific connection attempts inside of a software. So for example a plugin wants to phone home to check a license; GData will show you that attempt in between all the other attempts from the same plugin, like checking for updates or simply downloading presets or so.
    That way you can block just the license check in a keygenned plugin but keep the remaining online functionality.

    Among all the other Antivirus solutions, it has the highest rate (awarded) in finding malicious code
    while keeping false-positives reasonably low... but it still flags most keygens & patchers as riskware.

    Hint:
    If you want to buy a license, do it on ebay and save yourself like ¾ of the price. I bought my license for $8

    Downside is:
    Everything loads a little slower than without an AV but this applies to most Antivirus solutions.
     
    Reactions: Like x 2, Interesting x 2, Agree x 1, Winner x 1, Useful x 1
  18. scguy83

    scguy83 Platinum Record

    Joined:
    Sep 16, 2024
    Messages:
    900
    Likes Received:
    208
    Location:
    South Carolina
    That should have been your first warning sign. There are some sites that claim to be software, and you download what says it's a 3 GB file, and when you go to download the zip or rar on Megaupload you see it's 179 KB; you know right there it's bullshit and adware.
     
  19. scguy83

    scguy83 Platinum Record

    Joined:
    Sep 16, 2024
    Messages:
    900
    Likes Received:
    208
    Location:
    South Carolina
    This is how I know: when I go to download a file and it's got all those weird characters, I know right then and there it's not legit.
     
  20. r4e

    r4e Audiosexual

    Joined:
    Sep 6, 2014
    Messages:
    888
    Likes Received:
    1,279
    I just checked your file.
    It's an NSIS installer and it contains files with weird contents that differ per file, but all files have the same extension (*.acc), like it would be an acc audio file, but if you look inside with a hex editor, it's not. The installed files also are just ~900 KB in size, so it really doesn't make sense that the executable/installer has 831 MB.

    In fact the size comes from 00 bytes. Besides the actual code size of 24 MB, there are 807 MB of empty code added, and that could be a method to prevent users from uploading the file to VirusTotal or similar.

    Further investigation shows strings like
    "Failed to copy winre.wim to the target OS" - WinRe.wim is the recovery image of Windows that is used for tasks like resetting your OS, troubleshooting or to offer options to recover data when your OS died.
    "WinReSetupInstall return value"
    "WinReReinstall() The system partition has enough free space"
    "WinRePostBCDRepair" - this can repair or modify your boot manager
    "CreateModernAppToDelete"
    "Entering LogPerfPing background worker"

    This file could try to play around with that image (which can be easily done using DISM commands (Deployment Image Servicing and Management tool), which is integrated into every Windows installation), most likely to implement malicious code like a rootkit or so.
    It also seems like it contains several *.cab files, and such files are used to install updates, drivers, etc. deeply into the system.
    And it calls Windows Policies + the Task Scheduler in several parts of the code, and that is a bad sign as well.

    Here is a full scan of that file:
    https://www.hybrid-analysis.com/sample/0d9126948517f6e8ac0a1eae1fcc1ae395cbdae645efd6734c48527f0d182603

    This is the Risk Assessment of this file:
    (risk assessment screenshot)

    Result, it is Malware!
     
    Last edited: Feb 17, 2025 at 2:16 AM
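The null-byte padding described in the post above, where about 24 MB of real code is inflated to 831 MB so the file exceeds the upload limit of online scanners, is easy to check for on disk before deciding whether a download is worth trusting. The script below is an added example and is not code from the thread or from any of the posters: it measures the fraction of 0x00 bytes, the deflate compression ratio (the same property that lets a 100 KB archive expand to hundreds of MB, as mentioned earlier in the thread), and pulls out printable strings the way the `strings` tool does. The sample bytes are constructed here to imitate that shape (a few of the strings quoted in the post followed by a long run of zeros) and the two thresholds are assumptions chosen for the example, not published detection rules.

```python
import re
import zlib
from pathlib import Path

# Constructed sample: a tiny stub, two of the strings quoted in the thread,
# then a long run of 0x00 bytes. Shape only; this is not the real file.
SAMPLE_CODE = (
    b"MZ\x90\x00"
    b"Failed to copy winre.wim to the target OS\x00"
    b"WinRePostBCDRepair\x00"
)
SAMPLE_PADDED = SAMPLE_CODE + b"\x00" * 200_000

# Assumed thresholds for this example; tune them to your own corpus.
ZERO_FRACTION_THRESHOLD = 0.90
COMPRESSION_RATIO_THRESHOLD = 100.0


def zero_fraction(data: bytes) -> float:
    """Fraction of the file that is 0x00 bytes."""
    if not data:
        return 0.0
    return data.count(0) / len(data)


def compression_ratio(data: bytes) -> float:
    """Raw size divided by deflate-compressed size.
    Runs of zeros compress almost completely, which is why a padded
    installer shrinks to a tiny archive and balloons again on extraction."""
    compressed = zlib.compress(data, 9)
    return len(data) / max(len(compressed), 1)


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def assess(data: bytes) -> dict:
    """Summarise padding indicators and recovered strings for one blob."""
    zf = zero_fraction(data)
    cr = compression_ratio(data)
    return {
        "size": len(data),
        "zero_fraction": round(zf, 4),
        "compression_ratio": round(cr, 1),
        "padded": zf >= ZERO_FRACTION_THRESHOLD or cr >= COMPRESSION_RATIO_THRESHOLD,
        "strings": extract_strings(data),
    }


def assess_file(path: str) -> dict:
    """Run the same checks on a file from disk."""
    return assess(Path(path).read_bytes())


if __name__ == "__main__":
    for name, blob in (("unpadded", SAMPLE_CODE), ("padded", SAMPLE_PADDED)):
        r = assess(blob)
        print(f"{name}: size={r['size']} zero_fraction={r['zero_fraction']} "
              f"ratio={r['compression_ratio']} padded={r['padded']}")
        for s in r["strings"]:
            print("   ", s)
```

On a real download you would call `assess_file("path/to/installer.exe")`; a very high zero fraction or compression ratio does not prove the file is malicious on its own, but it means the size-based trust signal ("800 MB must be a real program") is worthless, and the recovered strings (WinRE, BCD, task scheduler references in a supposed text-file generator) are what to hand to a sandbox or a VirusTotal report.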
  21. Dan Fuerth

    Dan Fuerth Kapellmeister

    Joined:
    Nov 2, 2017
    Messages:
    129
    Likes Received:
    62
    Yes, when I looked at the files it was pretty obvious what they were doing: getting elevated privileges to then use the rootkit to download the payload for malware. I remember the old Brontok virus; now that was a classic, as it would mask itself as a 45 KB folder with the names of files in the sub directory so people would reinfect themselves over and over again by mistake.

    That was the last virus I dealt with and I got pretty good at removing it from systems using a distro like Puppy Linux.
     
    Reactions: Interesting x 1