It looks like a bitcoin miner was included in the installer, and the admins on 1337x may or may not give a shit apparently. Scanned my pc and my wife's and found the same stuff the others mentioned.
According to the other comments, don't feel the need to uninstall as the miner was installed separately from the game, just run a Malwarebytes scan to get rid of the junk.
It's even worse apparently. Apparently someone looked at where the coins are going, and the coins are going to the 1337x admins, and the uploader is just getting a cut of those coins. Which explains why the admins are unlikely to really care because they're profiting off their users.
I have severe trust issues with any kind of pirated software so I basically never download it as a result, and shit like this is why. Even private trackers and "trusted" groups aren't enough for me to download most software.
Of course, but it's usually pretty easy to filter out the false positives that always appear as a Trojan (because of the file modification payload) vs a crypto miner.
Oh 100%. Was a dumb moment where I didn't expect it and didn't bother, and neither did a lot of other people from the looks of it. Good thing is it was something fixable in less than 5 mins and not a bigger problem.
I would completely reformat all affected machines. AVs are not perfect. Yes it sucks, but imagine the consequences of doing any form of banking on an infected machine.
Not downloading much anyways, but if I were to start, how would I go about scanning the files properly? Could you recommend something to read up on the topic?
You shouldn't trust anything uploaded there by IGGGames. They've been caught before adding miners to their files. I downloaded the rune release somewhere else seeing as they were the uploader on 1337x. I only really use 1337x for fitgirl repacks.
Just popping in to say that if you enjoy the game and if you are financially able to, buy the game properly to support the developers, especially Larian Studios.
If you have a firewall like Tinywall, you can set it to block all apps from accessing the Internet unless they're explicitly allowed to. Problem solved?
I reported it on 1337x earlier today, but they aren't very responsive. Fitgirl has it listed as an upcoming repack, so hopefully not long to wait for a clean copy.
My guess is that it's an instance of some federated platform talking to lemmy, which was once used to serve malware by one of its users. AFAIK lemmy only fetches avatars directly from instances, but it's a privacy nightmare which, admittedly easy to say for one who doesn't pay for storage space, should be mitigated with a caching media proxy.
The DODI repack is based on the RUNE release which I believe is clean. Another commenter claims to have found a Trojan but there are others who found nothing, and imo it's probably just the usual crack shenanigans.
Edit: See replies! It seems there are tainted versions of the repack out there, but there are clean ones too. Remember to keep a critical eye on your sites and uploaders in addition to your release groups. There's a useful link in a reply to me below showing what you might see if you've downloaded a bad one.
It seems like half the people I see who downloaded it say they got a Trojan, and half didn't. Could it possibly be triggering only for certain people? Perhaps if their specs are good enough for bitcoin mining or not? Or maybe just at random? Just spitballing here.
I looked for this integrity check file and ran the PowerShell script and I don't see it listed anywhere in my system's roaming folder nor in the list of applications with CPU usage.
Nah, they do a good job. They have intrusive popups asking you to subscribe to their paid tier for scheduled searches and real-time protection, but if you know what you want/need, the free version is alright.
Torrent galaxy rune release. However, not seeing any issues? Malwarebytes scans coming up clean. No integritycheck folder in app data. No hidden process running when game running. 🤷‍♂️
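The checks the last two commenters describe (look for the "integritycheck" folder under AppData, and look for an unexpected process eating CPU) as an added PowerShell example; this is not a script from the thread, and the folder name `IntegrityCheck` and its location under Roaming/Local AppData are assumptions taken from the comments above, not confirmed paths.

```powershell
# Added example, not from the thread. Assumes the folder commenters mention is
# named "IntegrityCheck" and lives under Roaming or Local AppData (assumption).
$suspectDirs = @(
    (Join-Path $env:APPDATA      'IntegrityCheck'),
    (Join-Path $env:LOCALAPPDATA 'IntegrityCheck')
)

foreach ($dir in $suspectDirs) {
    if (Test-Path -LiteralPath $dir) {
        Write-Output "FOUND: $dir"
        # List contents (including hidden files) so you can see what was dropped.
        Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime |
            Format-Table -AutoSize
    } else {
        Write-Output "not present: $dir"
    }
}

# Top CPU consumers since boot. A miner usually sits near the top even with
# the game closed; the Path column shows where the binary actually lives.
Write-Output "`nTop 10 processes by CPU time:"
Get-Process |
    Sort-Object -Property CPU -Descending |
    Select-Object -First 10 Name, Id, CPU, Path |
    Format-Table -AutoSize

# Any running process whose executable lives under AppData deserves a look;
# legitimate games and launchers normally run from Program Files or Steam.
Write-Output "`nProcesses running from AppData:"
Get-Process |
    Where-Object { $_.Path -and ($_.Path -like "$env:APPDATA*" -or $_.Path -like "$env:LOCALAPPDATA*") } |
    Select-Object Name, Id, CPU, Path |
    Format-Table -AutoSize
```

Run it in a normal PowerShell window; a clean machine prints "not present" for both folders and no surprising names in the AppData process list, while a hit warrants the full-scan or reformat advice given elsewhere in this thread.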
More than likely a false positive; they often show up as Trojans due to the payload. I saw a similar issue from the rune release off of my private tracker.
Sadly even with private sites a lot of things are taken from a public source and you occasionally run into this problem. Like some people up their ratios on these sites by using their VPN to get the public torrent and then seeding it back to the private one.