What trojan that was? Can you copy-paste its name here? Check out your Kaspersky's activity history.

I'll crush all the virus claims here and today

Name was PDM:Trojan.Win32.Generic.nblk

let me give you even more information:

Event: Malicious object detected
Application: Windows Command Processor
User: DESKTOP-5NJSAEH\Peterbuilt 200
User type: Initiator
Component: System Watcher
Result description: Detected
Type: Trojan
Name: PDM:Trojan.Win32.Generic.nblk
Threat level: High
Object type: Process
Object path: E:\
Object name: vrmod_installer.bat
Reason: Behavior analysis
Databases release date: Yesterday, 2022-09-26 12:41:00 AM
MD5: 1410DCA0B5AAC129838D475063AD351A

Event: Object deleted
Application: Windows Command Processor
User: DESKTOP-5NJSAEH\Peterbuilt 200
User type: Initiator
Component: System Watcher
Result description: File deleted
Type: Trojan
Threat level: Informational
Object type: File
Object path: E:\SteamLibrary\steamapps\common\GarrysMod\vrmod\vrmod-module-master\install\GarrysMod
Object name: vrmod_installer.bat
MD5: 1410DCA0B5AAC129838D475063AD351A

PDM:Trojan.Win32.Generic.nblk is NOT an actual trojan. PDM at the viruses name means that the verdict was made by a suggestion module. Basically - there is no known trojan detected, by it suggests to be aware of the file anyway. Kaspersky AV is just feeling obliged to warn its user about it, because it detects sets of actions that might, or might not be associated with trojans, like windows registry lookups and file downloads.

If you'll take a closer look at your AV log, you'll see that it is not the module that has a trojan, it is actually the vrmod_installer.bat file, which is just an autoinstaller script. BAT files can be opened with Notepad and read as text, so if any malicious behaviour is present - you can easily check it on your own, without executing the file, or share the file with users who can make sense of BAT files, so they can give you tips about what exactly it does.

If you still don't trust the autoinstall script file, you can install the module manually.

More info on the "generic trojan" cases you can review out on the net:
- GTA5 executable file was claimed to have the exact trojan. Developers recommended to contact Kaspersky support team, instead.
- Spine app devs recommended to add their executable to ignore list.
- the Docker app, known well by app developers, was also known to be triggering the same trojan warning.

Well the "Trojan" did what a trojan would normaly do. Like I couldn't open up the start menu by pressing the Windows key and neither by clicking it, pretty much turned my screen to black except for the Kaspersky window, could not have the taskbar so I think you get it. if its not a trojan then what caused this?

Originally posted by Trashnium:

Well the "Trojan" did what a trojan would normaly do. Like I couldn't open up the start menu by pressing the Windows key and neither by clicking it, pretty much turned my screen to black except for the Kaspersky window, could not have the taskbar so I think you get it. if its not a trojan then what caused this?

Tell me more details. What you did, and what happened in consequence, please. Preferably - list all the steps you've taken, and what happened after each one.

I just tried to install the module then Kaspersky put a popup saying I had a trojan, tried to shut everything down (not the computer but the module and trojan) and then I let kaspersky delete the module and the Trojan. While Kaspersky was deleting it, pretty much my operating system shut down, couldn't do anything, my browser kept crashing pages, I couldn't open anything, could not reopen open programs when minimizing, you get the point. It was just a single Kaspersky window telling the progress of the deletion.

Originally posted by Trashnium:

I just tried to install the module then Kaspersky put a popup saying I had a trojan, tried to shut everything down (not the computer but the module and trojan) and then I let kaspersky delete the module and the Trojan. While Kaspersky was deleting it, pretty much my operating system shut down, couldn't do anything, my browser kept crashing pages, I couldn't open anything, could not reopen open programs when minimizing, you get the point. It was just a single Kaspersky window telling the progress of the deletion.

So, you've tried to use the autoinstaller script, and Kaspersky went nuts because of it?

https://www.virustotal.com/gui/url/e289119929a42432c403eda12dc4c94a283fa398995a26912b9585e2154639e6/details
According to VirusTotal, all the files inside the module's zip file are virus free. Also, according to the logs you've posted, your AV was triggered by the autoinstaller script. I saw no information about the module or the installed files being detected as viruses, so I assume the autoinstall script itself was the culprit.

Will your AV's heuristics module "see" a trojan inside the autoinstall bat file if you'll just "feed" it to the AV, instead of launching it? Or do you think it triggers AV because you launch it?

This is how autoinstaller script work:

It is basically a 99 line script, that has 5+1 entry points.
- The main entry point checks for a valid powershell version, If it is valid, it goes to the update entry point, to download and launch a fresh version of itself from "https://github.com/catsethecat/vrmod-module/raw/master/vrmod_installer.bat",
- Then it goes to the prompt entry point, that requests windows registry values for InstallPaths for 32 bit \Valve\Steam and 64bit \Valve\Steam, then it searches for the correct Gmod folder, then it prompts user with 2 options - to install/update, or uninstall.
- If install/update is chosen, it goes to install entry, where it downloads this link:
https://github.com/catsethecat/vrmod-module/archive/master.zip, prompts its hash and then prompts user once again if he wants to continue, then unzips the archive and copies everything from vrmod\vrmod-module-master\install\GarrysMod to the Gmod directory. Deletes the downloaded zip, deletes the unzipped folder and prompts user to press a button to close the window.
- If uninstall is chosen, then this list of files is removed from the Gmod's folder: garrysmod\lua\bin\gmcl_vrmod_win32.dll,
garrysmod\lua\bin\gmcl_vrmod_win64.dll,
garrysmod\lua\bin\gmcl_vrmod_linux.dll,
garrysmod\lua\bin\gmcl_vrmod_linux64.dll,
garrysmod\lua\bin\update_vrmod.bat,
bin\openvr_api.dll,
bin\openvr_license,
bin\libopenvr_api.so,
bin\linux32\libopenvr_api.so,
bin\linux64\libopenvr_api.so,
bin\win64\openvr_api.dll,
bin\win64\HTC_License,
bin\win64\libHTC_License.dll,
bin\win64\nanomsg.dll,
bin\win64\SRanipal.dll,
bin\win64\SRWorks_Log.dll,
bin\win64\ViveSR_Client.dll
Then, user is prompted to close the window.

I think it triggered the AV when I launched it, sorta. I think it detected the "Trojan" when it was installing. I selected the install/update option then agreed to the prompt before everything went to hell. Im not sure what caused the "Trojan" because it could've been an old malicious file or something like that I don't know.

So does that mean it's clean? I've scanned pretty much everything and other than the bat file not uninstalling it Malwarebytes doesn't see anything malicious.

I dont know I was using kaspersky.

Originally posted by Scrimbus:

So does that mean it's clean? I've scanned pretty much everything and other than the bat file not uninstalling it Malwarebytes doesn't see anything malicious.

First, lemme start with a little PSA:
Executing any random BAT files you can find on the internet is considered a bad security practice. You are only expected to do that if you know why and how you can trust it, or if you completely trust the source. If you have no ways to prove its safety - it's always wise to not touch it, in the first place.

Now, with this out of the way..
Kaspersky will cling onto random stuff, that has malicious potential, but is not guaranteed to be used as one. Kaspersky is not a self-conscious thing, so it cannot assume/guess what kind of data it looks at, and what usage it has. All it can look for is for malicious patterns and functions used:
I can use file download to download you a virus, or just update your app.
I can use registry read to find more weaknesses in your system.. or just read up where your Gmod is installed at.
I can use filesystem manipulation to cripple your OS.. or just remove old files of the app's previous version and replace them with a newer version.

In my opinion, this file is safe, but, just in case someone busts into Catse's github account and replaces the autoinstall script with something malicious, I say - do not trust me blindly, and also strongly advise to have ways to check thing's safety on your own.

So if I can't install the mod with the module, how can I install it? And also thanks for the cybersecurity tips too.

Originally posted by Trashnium:

So if I can't install the mod with the module, how can I install it? And also thanks for the cybersecurity tips too.

Follow this instruction inside the zip file, at vrmod-module-master.zip/vrmod-module-master/install/INSTALLATION.txt:

Right click Garry's Mod in your Steam library and press "Properties".
In the Properties window, open the "Local files" tab and press "Browse local files".
This should open your GarrysMod folder which is located in .../common/GarrysMod.
Go back one folder into that "common" folder.

Drag the GarrysMod folder that is next to this INSTALLATION.txt into that "common" folder.
(Not onto the GarrysMod folder in common)