Clémence Navarro

305 replies · 589997 views

marcelvidal
Posts: 110
#221
15 hours ago, throwawaydox said:

Also, here is the archive I have of the uncropped/uncensored photos originally hosted by Maison Close's parent company Lovely Planet, up to about 2023. UHQ. Archive password is LovelyPlanet

There are a couple of unrelated photos I think but most of them are Maison Close marketing material

 

https://gofile.io/d/I7AGDw

Amazing ... do you have any more uncensored, say from other shoots/models? 🤩

solarpilot
Posts: 5
#222
On 12/8/2024 at 5:48 AM, throwawaydox said:

Also, here is the archive I have of the uncropped/uncensored photos originally hosted by Maison Close's parent company Lovely Planet, up to about 2023. UHQ. Archive password is LovelyPlanet

There are a couple of unrelated photos I think but most of them are Maison Close marketing material

 

https://gofile.io/d/I7AGDw

Archive seems to contain a crypto-miner (XMR) that is rather difficult to get rid of.

 

It automatically installs once you decompress the archive.

 

The in-built Windows anti-virus does not remove the virus/trojan/miner. The virus also blocks installation of tools such as Malwarebytes.

 

It seems to enable the XMR miner at different times (when the computer is in standby). Considering the relative sophistication of the virus I wouldn't be surprised if it gets enabled only for powerful CPUs.

 

Proceed at your own risk!

marcelvidal
Posts: 110
#223
3 hours ago, solarpilot said:

Archive seems to contain a crypto-miner (XMR) that is rather difficult to get rid of.

 

It automatically installs once you decompress the archive.

 

The in-built Windows anti-virus does not remove the virus/trojan/miner. The virus also blocks installation of tools such as Malwarebytes.

 

It seems to enable the XMR miner at different times (when the computer is in standby). Considering the relative sophistication of the virus I wouldn't be surprised if it gets enabled only for powerful CPUs.

 

Proceed at your own risk!

What are we looking for... something unusual in the process listing? And how did you remove it? Thanks

terminatorslayer22
Posts: 11
#224
4 hours ago, solarpilot said:

Archive seems to contain a crypto-miner (XMR) that is rather difficult to get rid of.

 

It automatically installs once you decompress the archive.

 

The in-built Windows anti-virus does not remove the virus/trojan/miner. The virus also blocks installation of tools such as Malwarebytes.

 

It seems to enable the XMR miner at different times (when the computer is in standby). Considering the relative sophistication of the virus I wouldn't be surprised if it gets enabled only for powerful CPUs.

 

Proceed at your own risk!

I was able to install Malwarebytes and do a scan, it found something but I'm guessing it's something else. How do I make sure I'm not infected?

throwawaydox
Posts: 93
#225

SMH it's just an image archive, ESET clears it, but I'll take it down
I think there was a PDF in there maybe that's what was triggering it

1111scan
Posts: 95
#226
On 12/8/2024 at 3:01 PM, talos72 said:

Awesome!

Help, can I do something with that archive without being Premium on Gofile ?

 

Thanks

solarpilot
Posts: 5
#227

You would have noticed if it was activated (installed?). CPU was running at 100% (but sneakily the crypto-miner would stop working when you opened Task Manager), using a lot of electricity and generating a lot of heat. It blocks installation of Malwarebytes (or running it if it is already installed) and several other 3rd party malware tools (e.g. ESET online scanner) and various Windows services (system restore etc.). It would even try and shut down the browser when I was on the page for the tool that I used to remove it.

 

I suspect the crypto-miner only activates for IPs in Eastern Europe as I was only able to find info about it from resources in that region (luckily I speak some of the local languages). This may be a method to avoid quick detection. That being said, the virus payload also includes a remote-access trojan, so even if the crypto-miner is not running, it could be used to steal your data.

 

I did find that it adds Windows Defender exclusions for the following path: 

 

C:\ProgramData\WindowsTasks\apphost.exe

 

There are several other exclusion exes for that path. "WindowsTasks" is not a real Windows folder. And that wasn't the real apphost.exe. I was not able to actually navigate to it via File Explorer while the computer was infected.

 

It also disabled the Windows security centre.

 

I found a solution via this thread in a seemingly legit-looking Russian-language forum. 2 caveats however:

 

1. The crypto-miner remover actually triggers Windows Defender (this is mentioned in the thread). It seems that this is a generic ML-based identification. Without going into details, if you write your own program (not a virus) and if it does certain things, Windows Defender will label it as the exact same "virus" (unless you submit to MS for whitelisting). USE AT YOUR OWN RISK.

 

2. The tool has a horrible UI and isn't very clear about its findings. You do get a log file that shows corrections if the virus was identified, but it may be that this is a generic log file (that you get even when no cleaning was done).

 

URL to the tool: https://www.safezone.cc/resources/av-block-remover-avbr.224/

 

Click the "For english-speaking users" spoiler button for a guide.

 

I went with [5] straight away, rebooted into "Safe Mode with Networking", ran the tool and it did remove the virus (in my case it did create a quarantine folder, maybe if you're not infected it won't).

 

3 hours ago, throwawaydox said:

SMH it's just an image archive, ESET clears it, but I'll take it down
I think there was a PDF in there maybe that's what was triggering it

 

I got the infection as soon as I decompressed the archive with a licensed, fully updated copy of WinRAR. Windows Defender did pop up, but it said it had failed to clean the virus.
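
Added example (not part of solarpilot's post or the thread): a read-only PowerShell check for the indicators described in post #227, namely Defender exclusions under C:\ProgramData\WindowsTasks, the folder itself, and the state of Defender and the Security Center service. The function names are made up for this example, and it assumes an elevated prompt on a machine with the built-in Defender cmdlets.

```powershell
# Added example, not from the thread. Read-only; run in an elevated PowerShell
# session, because without admin rights Get-MpPreference hides the exclusions.
$suspectDir = 'C:\ProgramData\WindowsTasks'   # path reported in post #227

# Hypothetical helper: flatten all Defender exclusion lists into rows and flag
# any entry that sits under the reported folder.
function Get-DefenderExclusionReport {
    $pref = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($value in @($pref.$kind)) {
            if ($value) {
                [pscustomobject]@{
                    Kind    = $kind
                    Value   = $value
                    Suspect = $value -like "$suspectDir*"
                }
            }
        }
    }
}

# Hypothetical helper: the post says the Security Center was disabled, so
# report whether Defender and the related services are still running.
function Get-DefenderHealth {
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        SecurityCenterService     = (Get-Service -Name wscsvc -ErrorAction SilentlyContinue).Status
        DefenderService           = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
    }
}

$exclusions = @(Get-DefenderExclusionReport)
$exclusions | Format-Table -AutoSize
Get-DefenderHealth | Format-List

# The poster could not browse to the folder in File Explorer while infected,
# so a missing folder here does not by itself rule the infection out.
if (Test-Path -LiteralPath $suspectDir) {
    Get-ChildItem -LiteralPath $suspectDir -Force -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime
} else {
    Write-Output "$suspectDir is not visible from this session."
}

if ($exclusions | Where-Object Suspect) {
    Write-Warning "Defender exclusion under $suspectDir found; this matches the path reported in the thread."
}
```

The same exclusion list is shown in the Windows Security app under Virus & threat protection settings, Exclusions.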

 

 

 

Slenderxta
Posts: 21
#228

Hey, thanks for all the info. Quick question, I DLed the archive, opened it once, just opened one random picture and closed it. Then I deleted it since I saw here it was infected.

 

Am I being infected in your opinion?

nyepee
Posts: 227
#229

I downloaded the file and did a scan with AVG before opening it.  The scan turned up nothing.  After I opened it I rescanned my computer (AVG again) but turned up nothing.  Is the crypto-miner hiding?

pinguoin
Posts: 5486
#230

Maison Close Advent Calendar - Day 10

 

testerer
Posts: 1
#231
21 hours ago, throwawaydox said:

SMH it's just an image archive, ESET clears it, but I'll take it down
I think there was a PDF in there maybe that's what was triggering it

The link to the host no longer works, anyway.

Is it possible to upload again?

 

Thx. 

 

pimpl
Posts: 725
#232
19 hours ago, solarpilot said:

You would have noticed if it was activated (installed?). CPU was running at 100% (but sneakily the crypto-miner would stop working when you opened Task Manager), using a lot of electricity and generating a lot of heat. It blocks installation of Malwarebytes (or running it if it is already installed) and several other 3rd party malware tools (e.g. ESET online scanner) and various Windows services (system restore etc.). It would even try and shut down the browser when I was on the page for the tool that I used to remove it.

 

I suspect the crypto-miner only activates for IPs in Eastern Europe as I was only able to find info about it from resources in that region (luckily I speak some of the local languages). This may be a method to avoid quick detection. That being said, the virus payload also includes a remote-access trojan, so even if the crypto-miner is not running, it could be used to steal your data.

 

I did find that it adds Windows Defender exclusions for the following path: 

 

C:\ProgramData\WindowsTasks\apphost.exe

 

There are several other exclusion exes for that path. "WindowsTasks" is not a real Windows folder. And that wasn't the real apphost.exe. I was not able to actually navigate to it via File Explorer while the computer was infected.

 

It also disabled the Windows security centre.

 

I found a solution via this thread in a seemingly legit-looking Russian-language forum. 2 caveats however:

 

1. The crypto-miner remover actually triggers Windows Defender (this is mentioned in the thread). It seems that this is a generic ML-based identification. Without going into details, if you write your own program (not a virus) and if it does certain things, Windows Defender will label it as the exact same "virus" (unless you submit to MS for whitelisting). USE AT YOUR OWN RISK.

 

2. The tool has a horrible UI and isn't very clear about its findings. You do get a log file that shows corrections if the virus was identified, but it may be that this is a generic log file (that you get even when no cleaning was done).

 

URL to the tool: https://www.safezone.cc/resources/av-block-remover-avbr.224/

 

Click the "For english-speaking users" spoiler button for a guide.

 

I went with [5] straight away, rebooted into "Safe Mode with Networking", ran the tool and it did remove the virus (in my case it did create a quarantine folder, maybe if you're not infected it won't).

 

 

I got the infection as soon as I decompressed the archive with a licensed, fully updated copy of WinRAR. Windows Defender did pop up, but it said it had failed to clean the virus.

 

 

 

Hey solarpilot, is this a joke?
I downloaded the zip-file and scanned it prior to and after the extraction. There was nothing detected. Also, there was no .pdf document in the archive.

Today I scanned the system top to bottom with two antimalware programs. I also scanned the system in "offline mode". Nothing has been detected.

 

So, what makes you think throwawaydox put malware in his zip-file? Why and how would he do that?

Also, I am really curious HOW you got all that info you've written above. It is impressive, but how did you find all that out? Are you a cybersecurity expert?
Please tell, how did you get suspicious in the first place and how can you verify that there has been malware in the .zip-file?
Did I get you right that your "Windows Defender did pop-up" when extracting the file and that started the whole investigation?

 

Is there a method to clearly verify that there is no malware on the system?

 

You're writing about the path "C:\ProgramData\WindowsTasks\apphost.exe" but there is no "C:\ProgramData\WindowsTasks" folder in Windows 11.

Where and how did you see the "Windows Defender exclusions"? I have no idea where those are listed.

 

Thank you in advance.

pinguoin
Posts: 5486
#233

Maison Close Advent Calendar - Day 11

 

pinguoin
Posts: 5486
#234

Maison Close Advent Calendar - Day 12

 

pinguoin
Posts: 5486
#235

Maison Close Advent Calendar - Day 13

 

pinguoin
Posts: 5486
#236

 

Maison Close Advent Calendar - Day 14

 

pinguoin
Posts: 5486
#237

Maison Close

 

pinguoin
Posts: 5486
#238

Maison Close Advent Calendar - Day 15

 

solarpilot
Posts: 5
#239
On 12/10/2024 at 6:20 PM, pimpl said:

Hey solarpilot, is this a joke?
I downloaded the zip-file and scanned it prior to and after the extraction. There was nothing detected. Also, there was no .pdf document in the archive.

Today I scanned the system top to bottom with two antimalware programs. I also scanned the system in "offline mode". Nothing has been detected.

 

So, what makes you think throwawaydox put malware in his zip-file? Why and how would he do that?

Also, I am really curious HOW you got all that info you've written above. It is impressive, but how did you find all that out? Are you a cybersecurity expert?
Please tell, how did you get suspicious in the first place and how can you verify that there has been malware in the .zip-file?
Did I get you right that your "Windows Defender did pop-up" when extracting the file and that started the whole investigation?

 

Is there a method to clearly verify that there is no malware on the system?

 

You're writing about the path "C:\ProgramData\WindowsTasks\apphost.exe" but there is no "C:\ProgramData\WindowsTasks" folder in Windows 11.

Where and how did you see the "Windows Defender exclusions"? I have no idea where those are listed.

 

Thank you in advance.

 

No, this is not a joke. My computer was clearly taken over and used for crypto XMR mining after I opened up the uncompressed archive file.

 

Windows Defender gave a warning when I uncompressed the archive, but it was not able to fix the issue and my computer was clearly compromised (couldn't install Malwarebytes, CPU was going at 100% and power consumption was ~400-500 watts).

 

I don't necessarily think throwawaydox put anything in the zip file.

 

I am not a cybersecurity expert. Just wanted to actually clean my computer and not delete everything and start from scratch, so I decided to research how I can remove this virus.

Layla_O
Posts: 26
#240

Can you guys keep this shit out of the thread? It seems like something you could be dealing with via DM. Mods, kindly clean this up, please.
