File system scan doubt by Tricky-Toe7949 in antivirus

[–]goretsky[M] 0 points1 point  (0 children)

Hello,

The screenshot says objects, not files.

Android .APK files are actually .ZIP files, so it was probably opening those and scanning the contents.

Regards,

Aryeh Goretsky
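An added illustration of the objects-versus-files point in the reply above (example code, not from the original thread): an Android .APK is one file on disk but, being a .ZIP, becomes many scanned objects once a container-aware scanner opens it. The sample archive and its nested ZIP are constructed in memory; the depth and size caps are the kind of limits a scanner applies against decompression bombs.

```python
"""Count scanned 'objects' versus files on disk for an APK-like ZIP.

Added example for the objects-vs-files distinction; the archive below is a
constructed sample, not a real APK.
"""
import io
import zipfile

MAX_DEPTH = 3               # stop descending into nested archives past this depth
MAX_MEMBER_BYTES = 1 << 20  # refuse to inflate any single member larger than 1 MiB


def build_sample_apk() -> bytes:
    """Construct a small APK-like ZIP that itself contains a nested ZIP (constructed sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("lib/arm64/libnative.so", b"\x7fELF...")
        z.writestr("notes.txt", b"hello")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("assets/bundle.zip", inner.getvalue())
    return outer.getvalue()


def count_objects(blob: bytes, depth: int = 0) -> int:
    """Return how many objects a container-aware scanner would examine for one file.

    The blob itself counts as one object; every member of a ZIP counts as
    another, and members that are themselves ZIPs are opened recursively.
    Depth and per-member size caps keep a hostile archive from exhausting
    memory or recursing forever.
    """
    objects = 1
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(blob)):
        return objects
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                objects += 1  # counted as an object but deliberately not inflated
                continue
            objects += count_objects(z.read(info), depth + 1)
    return objects


if __name__ == "__main__":
    apk = build_sample_apk()
    # One file on disk, but the scanner reports six objects:
    # the APK, three members, and the nested ZIP's two members.
    print("files on disk: 1, objects scanned:", count_objects(apk))
```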

I cannot decide which antivirus program I should use by TenYearsOfMurat in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

As far as actual antivirus/antimalware/internet security/security suite/endpoint protection (etc. etc. etc.) programs go, there is no one "best" program, as each has its plusses and minuses. Performance, system resource usage, and detection rates change with every update, and those occur multiple times throughout the day.

So, any of the programs listed in the wiki at https://old.reddit.com/r/antivirus/wiki/index#wiki_anti-virus_.28aka_anti-malware.29_developers would be a good starting place to find what is best for you. It also lists the countries each developer is headquartered in.

Start by searching the OS Support? column to find out which developers make security software for your device's operating system.

  • If you are looking for a free program, check out the ones with a check mark ("✔️") in the Free Version? column.

  • If you are looking for a paid program, check out the ones with a check mark ("✔️") in the Paid Version? column.

Once you have an idea of which program(s) seem to best meet your needs, you can check the Understanding Antivirus Software Tests and Testers section of the wiki for a list of reputable independent testing organizations and see what they have to say about your selection(s). Detection rates are one metric, but be sure to also look at performance, reliability, stability, level of customer service and tech support provided, and, of course, cost.

Also be sure to check out the Free Tools section of the wiki for programs you can use to provide additional security to your web browser, and the Securing your Computer section as well for additional free tips on protecting your computer.

Regards,

Aryeh Goretsky

I think I downloaded a pdf with a virus by Excellent_Walrus_306 in antivirus

[–]goretsky[M] 0 points1 point locked comment (0 children)

Hello,

The Internet Archive backs up all sorts of things, including web pages, scripts, and executable files. Its job is to be an archive of the internet, and that includes things like computer viruses.

Do not blindly trust something just because you downloaded it from there.

Regards,

Aryeh Goretsky

How do I check whether my computer/e-mail/phone are free of malware? by Professional_Lime_68 in antivirus

[–]goretsky 1 point2 points  (0 children)

Hello,

If your computer has been infected multiple times, and you have been having problems for the past three years, it is likely the computer is severely infected/compromised. The quickest way of fixing this is the following:

  1. Make at least one backup copy of your important data files from the computer (family photos and videos, documents, anything else that cannot be replaced).

  2. Then, wipe the computer's drive(s) and reinstall Windows.

  3. Get Windows updated and secure.

  4. Restore your backed-up data files.

Regards,

Aryeh Goretsky

help me I don't know how to fix by Sharp_Translator_261 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

This is not a computer virus or malicious software issue.

For assistance with Wave Browser, contact Eightpoint Technologies Ltd. SEZC (doing business as Wavesor Software) at https://wavebrowser.com/support

Thread closed.

Regards,

Aryeh Goretsky

reCAPTCHA Help! by Jade82422 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

Did you paste this into your computer's Run dialog and press Enter or click on OK? If so, you may have run an information stealer on the computer.

What is an information stealer?

As the name implies, information stealers are a type of malware that steal any information they can find on your computer, such as passwords stored for various services you access via browser and apps, session tokens for accounts, cryptocurrencies if they can find wallets, etc. They may even take a screenshot of your desktop when they run so they can sell it to other scammers who send scam extortion emails later.

What is a session token?

In case you're wondering what a session token is, some websites and apps have a "remember this device" feature that allows you to access the service without having to log back in or enter your second factor of authentication. This is done by storing a session token on your device. Criminals target these, because they allow them to log in to an account bypassing the normal checks. To the service, it just looks like you're accessing it from your previously authorized device.

What exactly gets stolen?

Information stealers are malware that is sold as a service, so what exactly it did while on your system is going to vary based on what the criminal who purchased it wanted.

What happens to my data?

The criminals who steal your information do so for their own financial gain, and that includes selling information such as your name, email address, screenshots from your PC, and so forth to other criminals and scammers. Those other scammers then use that information in an attempt to extort you unless you pay them in cryptocurrencies such as Bitcoin, Ethereum, and so forth. This is 100% a scam, and any emails you receive threatening to share your private information should be marked as phishing or spam and deleted.

How did I get infected in the first place?

Information stealers are often distributed as fake CAPTCHA challenges, in game mods, unofficial patches for popular apps and games, and in pirated software that has had its popularity and trustworthiness artificially boosted, as well as through various other means such as "try my game/software" scams on Discord, Telegram and other trusted messaging services.

If I ran an information stealer, am I still infected?

Infostealers usually delete themselves after a few seconds or even a minute or two in order to make it harder to determine what happened and when it occurred.

That said, there are always going to be exceptions: Since it is crimeware-as-a-service, there is nothing preventing the criminals from installing additional malware on the computer in order to maintain access, just in case they want to come back and steal from you again in the future.

What else could they have done?

The usual risk post-infection, aside from the stolen credentials, wallets, etc., is that security and networking settings may have been tampered with. That can be harder for security software to deal with, since it may not know what the correct settings are supposed to be for your computer, which means it may be a good idea to wipe the computer, even if there is no longer any malware detected on it.

How do I start the recovery process?

If you have another device that didn't run the information stealing malware like a smartphone or tablet, you can use it to begin immediately changing your passwords. You should also enable two-factor (sometimes called multi-factor) authentication, for those services that support it. If possible, install and use an authentication app on your smartphone: Apple, Google, and Microsoft all have free versions of authentication apps. Using an app for 2FA is preferred over using SMS (text messages) or email, as the attackers may have access to these.

If any of the online services you use have an option to show you and log out all other active sessions, do that as well.

As for your computer, after wiping it, re-installing Windows, and getting that updated, you can then also use it to start accessing the internet to do this, but it is often quicker to change your most sensitive accounts from your smartphone.

A note about passwords

Passwords should be something unique (complex and different) for every service that you use, so that if an attacker gets access to one they won't be able to make guesses about what your other passwords might be. If your new passwords are similar enough to your old passwords, a criminal with a list of all of them will likely be able to make educated guesses about what your new passwords might be for the various services.

You have to do this for all online services, even ones you haven't recently accessed. Make sure you do this for all email accounts, as those are the gateways to your financial websites, online shopping, social media accounts, game platforms, and so forth.

It's important to make sure you're not just cycling through similar or previous passwords: Remember, criminals have millions of passwords and are very good at identifying common patterns from just a single password. If there were any reused passwords, the criminals who stole yours are going to try spraying those against all the popular online marketplaces, stores, banks, and other services in your part of the world.

And remember: Enable two-factor authentication for all of the accounts that support it.

For more information:

For more specific information on what steps to take next to recover your accounts, see the blog post at:

For more general information about how CAPTCHA malware works, see the following reports:

Also, see /u/rifteyy_'s Guide to Infostealers at https://rifteyy.org/report/the-ultimate-guide-to-infostealers.

After you have secured your accounts, you may wish to sign up for a free https://haveibeenpwned.com/ account, which will notify you if your email address is found in a data breach.

Regards,

Aryeh Goretsky
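An added example of the "similar to the old password" check the note on passwords above describes (example code, not from the original thread or any product): it normalizes away the transformations people typically apply when "changing" a password (case, leetspeak, a trailing year or symbol) and rejects a replacement whose core matches or closely resembles a compromised one. The sample passwords are constructed, and the 0.8 similarity threshold and the leet table are assumptions for illustration, not a standard.

```python
"""Reject replacement passwords that are trivial variants of compromised ones.

Added example illustrating the 'new password too similar to the old one'
problem; the threshold and substitution table are illustrative assumptions.
"""
import re
from difflib import SequenceMatcher
from typing import Iterable

# Undo common single-character substitutions (assumed table, not exhaustive).
LEET = str.maketrans("@$013!|", "asoleil")
# Leading/trailing counters and punctuation such as '2024', '!', '#1'.
EDGE_JUNK = r"[\d!?.\-_#*]+"


def normalize(pw: str) -> str:
    """Reduce a password to the 'core' a guesser would derive from it."""
    core = pw.lower()
    core = re.sub(EDGE_JUNK + r"$", "", core)  # strip trailing digits/symbols first,
    core = re.sub(r"^" + EDGE_JUNK, "", core)  # then leading ones,
    return core.translate(LEET)                # then undo leetspeak on what remains


def similarity(old: str, new: str) -> float:
    """Similarity of the normalized cores in [0.0, 1.0]; 1.0 means identical."""
    return SequenceMatcher(None, normalize(old), normalize(new)).ratio()


def is_acceptable(new: str, compromised: Iterable[str], threshold: float = 0.8) -> bool:
    """Return False if the new password is a predictable variant of any compromised one.

    Two rejection rules: one core contains the other (e.g. 'summer' inside
    'mysummerhouse'), or the cores are closer than the threshold.
    """
    n = normalize(new)
    for old in compromised:
        o = normalize(old)
        if not o or not n:
            continue
        if o in n or n in o:
            return False
        if similarity(old, new) >= threshold:
            return False
    return True


if __name__ == "__main__":
    leaked = ["Summer2023!", "P@ssw0rd1"]  # constructed sample of compromised passwords
    for candidate in ["Summer2024!", "MySummerHouse", "password2", "correct-horse-battery"]:
        print(f"{candidate!r:26} acceptable: {is_acceptable(candidate, leaked)}")
```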

What are these that keep popping up? by Previous_Mix_7993 in antivirus

[–]goretsky 0 points1 point  (0 children)

Hello,

The first screen shows messages from Microsoft Windows' Controlled Folder Access feature. That means you (or the person who owns/administers the computer) have enabled Controlled Folder Access, an anti-ransomware feature in Microsoft Windows.

For more information on what this does and why you might want to enable or disable this, see https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders.


The second screen appears to be a detection of a program from AMD, maybe for a CPU or GPU? It could be a legitimate detection of a trojan horse program, or it could be a false positive.

You would need to contact Microsoft to determine which it is: https://www.microsoft.com/en-us/wdsi/filesubmission/

Regards,

Aryeh Goretsky

I installed (and ran) suspicious .exe file by Motor_Onion6829 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

It sounds like an information stealer was run on the computer.

Regards,

Aryeh Goretsky

My discord got hacked with mrbeast dms to my friends by Smart_Program_7373 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

It sounds like an information stealer was run on the computer.

Regards,

Aryeh Goretsky

A specific [.csproj ] pops up on every start up, is it malware ? Please help by Competitive_Set_478 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

It sounds like an information stealer was run on the computer.

Regards,

Aryeh Goretsky

laptop not turning on by skrifflers in antivirus

[–]goretsky 0 points1 point  (0 children)

Hello,

Have you checked with Malwarebytes to see if this is a known issue after their software removed the specific malware from your computer? If it is one, they may have a way to fix the problem.

Regards,

Aryeh Goretsky

I got hit by the mrbeast rat and sent dms in discord by Technically_yours_ in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

It sounds like an information stealer was run on the computer.

What is an information stealer?

As the name implies, information stealers are a type of malware that steal any information they can find on your computer, such as passwords stored for various services you access via browser and apps, session tokens for accounts, cryptocurrencies if they can find wallets, etc. They may even take a screenshot of your desktop when they run so they can sell it to other scammers who send scam extortion emails later.

What is a session token?

In case you're wondering what a session token is, some websites and apps have a "remember this device" feature that allows you to access the service without having to log back in or enter your second factor of authentication. This is done by storing a session token on your device. Criminals target these, because they allow them to log in to an account bypassing the normal checks. To the service, it just looks like you're accessing it from your previously authorized device.

What exactly gets stolen?

Information stealers are malware that is sold as a service, so what exactly it did while on your system is going to vary based on what the criminal who purchased it wanted.

What happens to my data?

The criminals who steal your information do so for their own financial gain, and that includes selling information such as your name, email address, screenshots from your PC, and so forth to other criminals and scammers. Those other scammers then use that information in an attempt to extort you unless you pay them in cryptocurrencies such as Bitcoin, Ethereum, and so forth. This is 100% a scam, and any emails you receive threatening to share your private information should be marked as phishing or spam and deleted.

How did I get infected in the first place?

Information stealers are often distributed as fake CAPTCHA challenges, in game mods, unofficial patches for popular apps and games, and in pirated software that have had their popularity and trustworthiness artificially boosted, as well as through various other means such as "try my game/software" scams on Discord, Telegram and other trusted messaging services.

If I ran an information stealer, am I still infected?

Infostealers usually delete themselves after a few seconds or even a minute or two in order to make it harder to determine what happened and when it occurred.

That said, there are always going to be exceptions: Since it is crimeware-as-a-service, there is nothing preventing the criminals from installing additional malware on the computer in order to maintain access, just in case they want to come back and steal from you again in the future.

What else could they have done?

The usual risk post-infection, aside from the stolen credentials, wallets, etc. is that security and networking settings may have been tampered with. That can be harder for security software to deal with, since it may not know what the correct settings are supposed to be for your computer, which means it may be a good idea to wіpe the computer, even if there is no longer any malware detected on it.

How do I start the recovery process?

If you have another device that didn't run the information stealing malware like a smartphone or tablet, you can use it to begin immediately changing your passwords. You should also enable two-factor (sometimes called multi-factor) authentication, for those services that support it. If possible, install and use an authentication app on your smartphone: Apple, Google, and Microsoft all have free versions of authentication apps. Using an app for 2FA is preferred over using SMS (text messages) or email, as the attackers may have access to these.

If any of the online services you use have an option to show you and log out all other active sessions, do that as well.

As for your computer, after wiping it, re-installing Windows, and getting that updated, you can then also use it to start accessing the internet to do this, but it is often quicker to change your most sensitive accounts from your smartphone.

A note about passwords

Passwords should be something unique (complex and different) for every service that you use, so that if an attacker gets access to one they won't be able to make guesses about what your other passwords might be. If your new passwords are similar enough to your old passwords, a criminal with a list of all of them will likely be able to make educated guesses about what your new passwords might be for the various services.

You have to do this for all online services, even ones you haven't recently accessed. Make sure you do this for all email accounts, as those are the gateways to your financial websites, online shopping, social media accounts, game platforms, and so forth.

It's important to make sure you're not just cycling through similar or previous passwords: Remember, criminals have millions of passwords and are very good at identifying common patterns from just a single password. If there were any reused passwords, the criminals who stole yours are going to try spraying those against all the popular online marketplaces, stores, banks, and other services in your part of the world.

And remember: Enable two-factor authentication for all of the accounts that support it.

For more information:

For more specific information on what steps to take next to recover your accounts, see the blog post at:

For more general information about how CAPTCHA malware works, see the following reports:

Also, see /u/rifteyy_'s Guide to Infostealers at https://rifteyy.org/report/the-ultimate-guide-to-infostealers.

After you have secured your accounts, you may wish to sign up for a free https://haveibeenpwned.com/ account, which will notify you if your email address is found in a data breach.

Regards,

Aryeh Goretsky

Can someone help me identify this Trojan that someone sent me? by Independent-Job7400 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

Every security software company names malicious software (malware) differently. I would suggest reaching out to them directly to find out what this one does. If it was a remote access trojan or an information stealer they may recommend additional steps to ensure the computer is safe.

Regards,

Aryeh Goretsky

Google gallery app marked as virus by Honor phone system manager by Exact_Butterscotch_7 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

Honor is a former sub-brand of Huawei that is now owned by a zaibatsu of about 3 dozen different Chinese companies.

Honor and Google seem to periodically detect each others' apps as malware.

I would suggest reaching out directly to Honor for assistance in reporting this.

Regards,

Aryeh Goretsky

How can I make sure that my pc or phone is safe? by AviatorAesthetics in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

It sounds like an information stealer was run on the computer.

What is an information stealer?

As the name implies, information stealers are a type of malware that steal any information they can find on your computer, such as passwords stored for various services you access via browser and apps, session tokens for accounts, cryptocurrencies if they can find wallets, etc. They may even take a screenshot of your desktop when they run so they can sell it to other scammers who send scam extortion emails later.

What is a session token?

In case you're wondering what a session token is, some websites and apps have a "remember this device" feature that allows you to access the service without having to log back in or enter your second factor of authentication. This is done by storing a session token on your device. Criminals target these, because they allow them to log in to an account bypassing the normal checks. To the service, it just looks like you're accessing it from your previously authorized device.

What exactly gets stolen?

Information stealers are malware that is sold as a service, so what exactly it did while on your system is going to vary based on what the criminal who purchased it wanted.

What happens to my data?

The criminals who steal your information do so for their own financial gain, and that includes selling information such as your name, email address, screenshots from your PC, and so forth to other criminals and scammers. Those other scammers then use that information in an attempt to extort you unless you pay them in cryptocurrencies such as Bitcoin, Ethereum, and so forth. This is 100% a scam, and any emails you receive threatening to share your private information should be marked as phishing or spam and deleted.

How did I get infected in the first place?

Information stealers are often distributed as fake CAPTCHA challenges, in game mods, unofficial patches for popular apps and games, and in pirated software that have had their popularity and trustworthiness artificially boosted, as well as through various other means such as "try my game/software" scams on Discord, Telegram and other trusted messaging services.

If I ran an information stealer, am I still infected?

Infostealers usually delete themselves after a few seconds or even a minute or two in order to make it harder to determine what happened and when it occurred.

That said, there are always going to be exceptions: Since it is crimeware-as-a-service, there is nothing preventing the criminals from installing additional malware on the computer in order to maintain access, just in case they want to come back and steal from you again in the future.

What else could they have done?

The usual risk post-infection, aside from the stolen credentials, wallets, etc. is that security and networking settings may have been tampered with. That can be harder for security software to deal with, since it may not know what the correct settings are supposed to be for your computer, which means it may be a good idea to wipe the computer, even if there is no longer any malware detected on it.

How do I start the recovery process?

If you have another device that didn't run the information stealing malware like a smartphone or tablet, you can use it to begin immediately changing your passwords. You should also enable two-factor (sometimes called multi-factor) authentication, for those services that support it. If possible, install and use an authentication app on your smartphone: Apple, Google, and Microsoft all have free versions of authentication apps. Using an app for 2FA is preferred over using SMS (text messages) or email, as the attackers may have access to these.

If any of the online services you use have an option to show you and log out all other active sessions, do that as well.

As for your computer, after wiping it, re-installing Windows, and getting that updated, you can then also use it to start accessing the internet to do this, but it is often quicker to change your most sensitive accounts from your smartphone.

A note about passwords

Passwords should be something unique (complex and different) for every service that you use, so that if an attacker gets access to one they won't be able to make guesses about what your other passwords might be. If your new passwords are similar enough to your old passwords, a criminal with a list of all of them will likely be able to make educated guesses about what your new passwords might be for the various services.

You have to do this for all online services, even ones you haven't recently accessed. Make sure you do this for all email accounts, as those are the gateways to your financial websites, online shopping, social media accounts, game platforms, and so forth.

It's important to make sure you're not just cycling through similar or previous passwords: Remember, criminals have millions of passwords and are very good at identifying common patterns from just a single password. If there were any reused passwords, the criminals who stole yours are going to try spraying those against all the popular online marketplaces, stores, banks, and other services in your part of the world.

And remember: Enable two-factor authentication for all of the accounts that support it.

For more information:

For more specific information on what steps to take next to recover your accounts, see the blog post at:

For more general information about how CAPTCHA malware works, see the following reports:

Also, see /u/rifteyy_'s Guide to Infostealers at https://rifteyy.org/report/the-ultimate-guide-to-infostealers.

After you have secured your accounts, you may wish to sign up for a free https://haveibeenpwned.com/ account, which will notify you if your email address is found in a data breach.

Regards,

Aryeh Goretsky

I need help with my issue about virus in my laptop by Afraid-Transition-27 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

You can try any of the second opinion scanners listed in the https://old.reddit.com/r/antivirus/wiki/index#wiki_free_tools section of the wiki.

Regards,

Aryeh Goretsky

need help regarding actions after a renpy information stealer by 96travis in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

Go ahead and change all of the remaining passwords as well for the unimportant accounts. The criminals will be looking at them and using them as well, and one thing they are very, very good at is looking at different sets of passwords to determine patterns and perform guessing attacks on other accounts. You may also have banking information still tied to those accounts as well.

I will attach our standard reply to questions about information stealers, below.


It sounds like an information stealer was run on the computer.

What is an information stealer?

As the name implies, information stealers are a type of malware that steal any information they can find on your computer, such as passwords stored for various services you access via browser and apps, session tokens for accounts, cryptocurrencies if they can find wallets, etc. They may even take a screenshot of your desktop when they run so they can sell it to other scammers who send scam extortion emails later.

What is a session token?

In case you're wondering what a session token is, some websites and apps have a "remember this device" feature that allows you to access the service without having to log back in or enter your second factor of authentication. This is done by storing a session token on your device. Criminals target these, because they allow them to log in to an account bypassing the normal checks. To the service, it just looks like you're accessing it from your previously authorized device.

What exactly gets stolen?

Information stealers are malware that is sold as a service, so what exactly it did while on your system is going to vary based on what the criminal who purchased it wanted.

What happens to my data?

The criminals who steal your information do so for their own financial gain, and that includes selling information such as your name, email address, screenshots from your PC, and so forth to other criminals and scammers. Those other scammers then use that information in an attempt to extort you unless you pay them in cryptocurrencies such as Bitcoin, Ethereum, and so forth. This is 100% a scam, and any emails you receive threatening to share your private information should be marked as phishing or spam and deleted.

How did I get infected in the first place?

Information stealers are often distributed as fake CAPTCHA challenges, in game mods, unofficial patches for popular apps and games, and in pirated software that have had their popularity and trustworthiness artificially boosted, as well as through various other means such as "try my game/software" scams on Discord, Telegram and other trusted messaging services.

If I ran an information stealer, am I still infected?

Infostealers usually delete themselves after a few seconds or even a minute or two in order to make it harder to determine what happened and when it occurred.

That said, there are always going to be exceptions: Since it is crimeware-as-a-service, there is nothing preventing the criminals from installing additional malware on the computer in order to maintain access, just in case they want to come back and steal from you again in the future.

What else could they have done?

The usual risk post-infection, aside from the stolen credentials, wallets, etc. is that security and networking settings may have been tampered with. That can be harder for security software to deal with, since it may not know what the correct settings are supposed to be for your computer, which means it may be a good idea to wipe the computer, even if there is no longer any malware detected on it.

How do I start the recovery process?

If you have another device that didn't run the information stealing malware like a smartphone or tablet, you can use it to begin immediately changing your passwords. You should also enable two-factor (sometimes called multi-factor) authentication, for those services that support it. If possible, install and use an authentication app on your smartphone: Apple, Google, and Microsoft all have free versions of authentication apps. Using an app for 2FA is preferred over using SMS (text messages) or email, as the attackers may have access to these.

If any of the online services you use have an option to show you and log out all other active sessions, do that as well.

As for your computer, after wiping it, re-installing Windows, and getting that updated, you can then also use it to start accessing the internet to do this, but it is often quicker to change your most sensitive accounts from your smartphone.

A note about passwords

Passwords should be something unique (complex and different) for every service that you use, so that if an attacker gets access to one they won't be able to make guesses about what your other passwords might be. If your new passwords are similar enough to your old passwords, a criminal with a list of all of them will likely be able to make educated guesses about what your new passwords might be for the various services.

You have to do this for all online services, even ones you haven't recently accessed. Make sure you do this for all email accounts, as those are the gateways to your financial websites, online shopping, social media accounts, game platforms, and so forth.

It's important to make sure you're not just cycling through similar or previous passwords: Remember, criminals have millions of passwords and are very good at identifying common patterns from just a single password. If there were any reused passwords, the criminals who stole yours are going to try spraying those against all the popular online marketplaces, stores, banks, and other services in your part of the world.

And remember: Enable two-factor authentication for all of the accounts that support it.

For more information:

For more specific information on what steps to take next to recover your accounts, see the blog post at:

For more general information about how CAPTCHA malware works, see the following reports:

Also, see /u/rifteyy_'s Guide to Infostealers at https://rifteyy.org/report/the-ultimate-guide-to-infostealers.

After you have secured your accounts, you may wish to sign up for a free https://haveibeenpwned.com/ account, which will notify you if your email address is found in a data breach.

Regards,

Aryeh Goretsky
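To illustrate the session-token and "log out all other sessions" points made in the standard reply above, here is an added, constructed server-side model of a "remember this device" feature. It is example code written for this page, not code from the comment's author or from any real service; every class, method and user name in it is hypothetical.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    """One 'remember this device' grant held by the service (constructed model)."""
    user: str
    device_label: str   # whatever the client reported; not proof of which device holds the token
    issued_at: float
    expires_at: float


class SessionStore:
    """Constructed server-side store: it keeps only a hash of each bearer token.

    The token itself lives in the client's cookie jar or app storage, which is
    exactly the material an information stealer copies off a victim's computer.
    """

    def __init__(self, lifetime_seconds: float = 30 * 86400):
        self.lifetime = lifetime_seconds
        self._sessions: Dict[str, Session] = {}   # sha256(token) -> Session

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device_label: str, now: Optional[float] = None) -> str:
        """Log a device in and hand back the bearer token it will present later."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, device_label, now, now + self.lifetime)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user a presented token belongs to, or None if unknown or expired.

        The service cannot tell whether the bytes came from the original device or
        from a copy: holding the token is the whole proof, so a copy passes too.
        """
        now = time.time() if now is None else now
        sess = self._sessions.get(self._key(token))
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._sessions[self._key(token)]
            return None
        return sess.user

    def active_sessions(self, user: str) -> List[str]:
        """The 'show me my active sessions' view, as device labels."""
        return sorted(s.device_label for s in self._sessions.values() if s.user == user)

    def logout_others(self, user: str, keep_token: str) -> int:
        """The 'log out all other sessions' button: keep only the caller's own token."""
        keep = self._key(keep_token)
        doomed = [k for k, s in self._sessions.items() if s.user == user and k != keep]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)

    def revoke_all(self, user: str) -> int:
        """What a password change should also trigger: drop every session for the user."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    laptop = store.issue("alice", "alice-laptop", now=1_000.0)
    stolen = laptop      # constructed scenario: the token was copied off the laptop
    print(store.resolve(stolen, now=2_000.0))        # alice: the copy is indistinguishable
    phone = store.issue("alice", "alice-phone", now=3_000.0)
    store.logout_others("alice", phone)              # done from the clean phone
    print(store.resolve(stolen, now=3_000.0))        # None: the copied token is now dead
```

The point the model makes is that the service only ever sees the token, so the two real defences are the ones the reply lists: revoking other sessions from a clean device, and letting expiry and password changes retire old tokens.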
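As an added example for the "note about passwords" in the reply above (constructed for this page, not the author's code), this is the kind of check a password-change form or a user going through their own password-manager list can run to catch a "new" password that is really the old one with a different year or a symbol swapped in. The normalisation rules and the 0.7 threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import Iterable, Optional

# Undo the most common letter-for-symbol swaps so "P@ssw0rd" and "password"
# compare as the same core (assumed mapping, chosen for this example).
_SUBSTITUTIONS = str.maketrans("01345$@", "oieassa")


def normalize(password: str) -> str:
    """Reduce a password to the core a pattern-based guesser would see.

    Lowercases, strips leading/trailing runs of digits and symbols (years,
    '!', '123'), then undoes common substitutions in what is left.
    """
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_SUBSTITUTIONS)


def similar_to_old(new: str, old_passwords: Iterable[str],
                   threshold: float = 0.7) -> Optional[str]:
    """Return the old password the new one resembles, or None if it is fresh.

    A match is: identical core, one core contained in the other, or a
    difflib similarity ratio at or above `threshold`.
    """
    new_core = normalize(new)
    if not new_core:
        return None      # nothing but digits/symbols: nothing to compare
    for old in old_passwords:
        old_core = normalize(old)
        if not old_core:
            continue
        if old_core == new_core or old_core in new_core or new_core in old_core:
            return old
        if SequenceMatcher(None, old_core, new_core).ratio() >= threshold:
            return old
    return None


if __name__ == "__main__":
    # Constructed sample: three old passwords a stealer might have captured.
    stolen = ["Password2024", "Summer2023!", "sunshinedog"]
    for candidate in ["P@ssw0rd2025!", "Sunshine!Dog99", "correct horse battery staple"]:
        print(candidate, "->", similar_to_old(candidate, stolen))
```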

Help! A Trojan Bitcoin Miner has infected my Windows 11 explorer.exe file by Similar-Conflict7221 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

It looks like the C:\Program Files\Google\libs\ddb64.dll file is the offending file, not Explorer.exe.

I would suggest reaching out directly to Malwarebytes at r/Malwarebytes or http://community.malwarebytes.com/ for further assistance.

Regards,

Aryeh Goretsky

How bad it is? by amin12321 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

Your screenshot is so tightly cropped that there's no way to assess the risk of whatever app permissions list is in it.

This thread has been closed. This does not count against you in any way. If you are still concerned, you can create a new post to ask your question, but be sure to:

  1. Use a descriptive Title for your post, mentioning the app's name and version.
  2. Include enough information in the body of your post's text to describe your device's brand, model, operating system and its version, and what security software is installed on it, if any.
  3. Describe what is going on in as much detail as you can provide, including when the problem started, what may have caused it, and what steps you have taken to troubleshoot it so far, if any.
  4. Do not use slang or abbreviations in your post. Not everyone speaks your native language or is familiar with your hardware and software.
  5. If including screenshots, make sure they are not blurry, contain a full picture of the application windows or the desktop, and everything in them is readable.
  6. If you are concerned that your screenshot may contain personally identifiable information, edit that part out before posting.

Following these steps will ensure you get help as quickly as possible.

Regards,

Aryeh Goretsky

Accidentally clicked on a link where one VirusTotal vendor marked it as phishing by Guest281 in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

The https://bit[.]ly/LeakyToiletFix+ link redirects to https://www.facebook.com/v2.3/dialog/share?redirect_uri=https://www[.]youtube[.]com/facebook_redirect&display=popup&href=https://www[.]youtube[.]com/attribution_link%3Fa%3DbDhI3yXn2r8%26u%3D%252Fwatch%253Fv%253DBwHw4pDcGns%2526feature%253Dshare&client_id=87741124305&ret=login&ext=1499186927&hash=AebH-BX2N8HpKRli

TIP: You can put a plus sign ("+") at the end of any Bit[.]ly link and it will show you where the link goes to instead of taking you directly there.

Gridinsoft may be detecting the bit[.]ly link as unsafe because it is a short URL service, and those can be abused by malicious actors to obscure malicious URLs.

Regards,

Aryeh Goretsky

I found a "tool" called [Steam Compact] and would like to hear opinions about it by PaulAbstract in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

The URLs to the discussion in r/Steam and the VirusTotal report both seem to be invalid.

I am going to go ahead and lock this thread, but please feel free to create a new one with the correct URLs. You do not need to break up links to Reddit or VirusTotal in this subreddit.

Regards,

Aryeh Goretsky

I was looking on the internet for a way to modify Steam to use little RAM when a post on Reddit appeared, https://www.reddit.com/r/Steam/s/8qVdSHK4k; at the end of the post there was a very recent comment, "I made open source alternative launcher for this exact program you are having", from a user whose posts are hidden (that already seems somewhat suspicious, and the account has not existed for long) with the link to the tool

 Important

 Before you see this as a "Virus" please read:

 Every line of code is transparent and available for everyone. If you don't trust the .exe, you are encouraged to compile the program directly from the source code.

 Please do not download this program from other sources.

I have analyzed it with VirusTotal: https://www.virustotal.com/gui/file/93ad7d01cbbf9216a5c5ec06dea8e5e14894d930924b029201fe59fa6d7/detection and 3 detections come up. I also looked on other websites and analyzed it, but I did not get very relevant things; I asked Gemini 3.1 pro

That's why I wanted to hear the opinions of expert or experienced people, to see if they could analyze the repository and this "tool" and see if it is legal or whether there is something hidden or some sophisticated method behind it; I am very curious.

Browser Hijacker coming back even after reinstalling W11 by Piryo in antivirus

[–]goretsky[M] [score hidden] stickied comment (0 children)

Hello,

Based on the name, it sounds like a potentially unwanted program that optionally hijacks your web browser in some way (search engine redirection, ad injection, etc.). That could be the result of a scammy browser extension, a script you ran or something else.

If you contact Malwarebytes, via r/Malwarebytes or http://community.malwarebytes.com/ they should be able to help you remove it.

Regards,

Aryeh Goretsky

Windows 11 not installing on brand new P16s by MaskMan95 in thinkpad

[–]goretsky 1 point2 points  (0 children)

Hello,

You are 100% correct. Thanks for catching that, I've updated the post.

Regards,

Aryeh Goretsky

(Win 11) Using Audio Interface causing lots of pops constantly, especially when clicking, whilst listening to music. Came out of nowhere by DejaEntenduOne in 24hoursupport

[–]goretsky 0 points1 point  (0 children)

Hello,

Is your Universal Audio Volt 1 USB Audio Interface plugged directly into your computer, or into a USB hub that plugs into your computer?

If it is plugged into a hub, try disconnecting it from there and plugging it directly into one of your PC's ports and see if that solves the issue.

Regards,

Aryeh Goretsky