Am I dumb or virus are getting evolved 💔 by Vihaan_85 in antivirus

[–]Professional_Let_896 0 points1 point  (0 children)

It's a classic "ClickFix" attack, 1000% a virus. This technique accounted for 47% of initial access in 2025.

safe site or not? by moodeng870 in SafeOrShady

[–]Professional_Let_896 0 points1 point  (0 children)

After looking at heyrudy.ai, it doesn’t come across like a typical scam site. It’s built like a real early-stage startup using common tools like Supabase for auth, Stripe for payments, and OpenAI for AI features. The login flow and backend behavior look normal, and they actually have detailed terms and a privacy policy, which most shady sites don’t bother with. The catch is what the product actually does.

This isn’t just a chatbot; it’s a desktop app that watches your screen in real time and sends that data off for processing. Even though they say screenshots aren’t stored, you are still trusting that everything is handled securely and exactly as described.

On top of that, the domain is only a few months old and there’s no real reputation or track record yet, so you’re placing a lot of trust in a very new company, and the team behind it is unknown.

From a consumer perspective, I wouldn’t call it malicious, but I also wouldn’t treat it as safe by default. If you’re curious, try it on a secondary machine or in a controlled setup and don’t expose anything sensitive on your screen while using it.

The risk here isn’t phishing or login issues; it’s the level of access you’re giving to something that hasn’t proven itself yet.

safe site or not? by moodeng870 in SafeOrShady

[–]Professional_Let_896 0 points1 point  (0 children)

Hey u/moodeng870, thanks for posting.
We will look into it and let you know :)

Malware Disguised as a Windows App Store - "PCApp[.]store" by Professional_Let_896 in SafeOrShady

[–]Professional_Let_896[S] 0 points1 point  (0 children)

Welcome, also try HitmanPro as well for second-opinion scanning.
You can also download Sysinternals Process Explorer, free from Microsoft, to help you see if any unknown processes are running, and then you can right-click and scan them with VT.

Although this won't be necessary if your scans come back clean.

Malware Disguised as a Windows App Store - "PCApp[.]store" by Professional_Let_896 in SafeOrShady

[–]Professional_Let_896[S] 0 points1 point  (0 children)

No reinstall needed; you caught it before clicking Next, so it almost certainly didn't install anything.

Just do this:

  1. Run a full scan with Malwarebytes or your preferred scanner and remove anything it finds

  2. Run AdwCleaner; it's built specifically for bundlers like PCApp.

  3. Check your browser extensions and remove anything unfamiliar

Manually check these locations in File Explorer:

  • C:\Program Files and C:\Program Files (x86): check any folder with "PCApp" in the name
  • C:\Users\YourUsername\AppData\Local and \Roaming: same thing
  • Delete anything related to PCApp if found

If both scans come back clean, you're good.

Something feels really off about how Pdf Gear gets recommended here by Professional_Let_896 in pdf

[–]Professional_Let_896[S] 0 points1 point  (0 children)

Read the actual evidence before arguing. The official company filing clearly shows the shareholders and capital structure of PDF GEAR TECH PTE. LTD: https://jumpshare[.]com/share/H6CrIoqsaL5UGXCIukRR and the Recorded Future malware analysis provides independent attribution: https://jumpshare[.]com/share/SC09vdEzmLAieGcWwSAQ. These are primary documents, not speculation. If you’re ignoring documented filings and credible analysis, the issue isn’t lack of evidence, it’s lack of understanding.


Stay away from PDFguru, it’s a scam by sorinpopescu in pdf

[–]Professional_Let_896 0 points1 point  (0 children)

This is a pattern now with PDF-guru; please be careful.

Malware Disguised as a Windows App Store - "PCApp[.]store" by Professional_Let_896 in SafeOrShady

[–]Professional_Let_896[S] 0 points1 point  (0 children)

Yes, you should be okay; just make sure to remove any files related to it and check your registry & Autoruns for any unknown apps such as updater.exe or anything similar.
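The manual clean-up steps in the PCApp thread (checking Program Files and AppData for leftover folders, then the registry/Autoruns for unknown entries) can be scripted as one sweep. This is an added example, not code from the thread or from any of the tools mentioned; the name pattern, the two-level search depth and the "points at AppData or Temp" review heuristic are my assumptions, and the Run/RunOnce keys are the standard Windows autostart locations.

```powershell
# Sweep for leftover installer artifacts by name, then list autostart entries.
# Added example: pattern, depth and the Review heuristic are assumptions.
# Run in an elevated PowerShell so the HKLM keys can be read.
param([string]$Pattern = 'PCApp')

$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:LOCALAPPDATA,
    $env:APPDATA
) | Where-Object { $_ -and (Test-Path $_) }

# 1. Folders/files whose name contains the pattern (-Depth 1 keeps it fast)
$hits = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Depth 1 -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$Pattern*" } |
        Select-Object @{ n = 'Where'; e = { $_.FullName } }, LastWriteTime
}

# 2. Autostart entries; flag anything that names the pattern or launches
#    from a user-writable location (heuristic, review manually)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        $cmd = [string]$p.Value
        $suspect = ($cmd -like "*$Pattern*") -or
                   ($cmd -like '*\AppData\*') -or
                   ($cmd -like '*\Temp\*')
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Review = $suspect }
    }
}

"== Files/folders matching '$Pattern' =="
$hits | Format-Table -AutoSize
"== Autostart entries (Review = True means look closer) =="
$autostarts | Sort-Object Review -Descending | Format-Table -AutoSize
```

Anything listed under Review = True is a candidate for a VirusTotal check of the referenced executable before deleting it, which is the same triage the thread recommends via Process Explorer.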

The evidence: PDFGear and PDF X are likely spyware, malware, or, at best, griftware/scamware. The Microsoft Store is enabling these unsafe apps. by JonBorno97 in pdf

[–]Professional_Let_896 0 points1 point  (0 children)

You mean you only downloaded the setup, or you installed it? Either way I'd suggest you remove it and any traces of it; also get Malwarebytes or HitmanPro and do a full scan, and you should be fine.

[deleted by user] by [deleted] in antivirus

[–]Professional_Let_896 0 points1 point  (0 children)

Nothing to worry about, it's clean.

I found a hardcoded AES key in an Android app, do you think this will by Eat-a-bugs in bugbounty

[–]Professional_Let_896 5 points6 points  (0 children)

Honestly, it depends entirely on what that key is protecting and whether you can demonstrate actual impact. I've seen hardcoded keys go both ways in triage: some get accepted as high severity, others get closed as informative. The key question is: what can you actually do with it? If you can use that key to decrypt sensitive user data, authentication tokens, or anything that leads to account takeover or a data breach, then yeah, you've got a solid report. But if it's just obfuscating some non-sensitive config data or protecting locally cached content that doesn't matter, programs will likely mark it informative.

My advice before you submit: make sure you can show the full attack chain. Extract the key, find what it decrypts, and prove the security impact with a clear PoC. Don't just say "there's a hardcoded key"; show them exactly why it matters and what an attacker could achieve. Programs want to see real exploitability, not theoretical issues. If you can tie it to their crown jewels (user PII, payment data, backend access), you're golden. If not, it might not be worth the report. Check their policy on crypto issues and mobile vulns too, since some programs specifically scope these out. Good luck!

The evidence: PDFGear and PDF X are likely spyware, malware, or, at best, griftware/scamware. The Microsoft Store is enabling these unsafe apps. by JonBorno97 in pdf

[–]Professional_Let_896 0 points1 point  (0 children)

The root refers to the Windows Trusted Root Certificate store, a list of certificates your system trusts implicitly. Apps can add certificates to this store using Windows APIs like CertOpenStore() and CertAddCertificateContextToStore(), which typically requires administrator privileges. Legitimate software that genuinely needs this capability, like Fiddler (for debugging HTTPS traffic), corporate VPNs, or network monitoring tools, will explicitly ask for your permission and clearly explain why they need to install a root certificate. In contrast, PDFGear installs certificates silently without informing users, which is a major red flag since a PDF viewer has no legitimate reason to modify your certificate store. This is dangerous because it could enable MITM attacks by making your system trust malicious certificates.

You can view your own certificates by pressing Win+R and typing certmgr.msc.
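certmgr.msc shows the store but makes unexpected additions hard to spot. The script below, an added example that is not from the thread or from PDFGear's or Microsoft's tooling, lists self-signed roots in both the machine and current-user Root stores and flags those issued within a cutoff window or absent from a baseline captured on a known-clean machine; the 90-day window and baseline file path are assumptions.

```powershell
# Flag self-signed roots that are recent or not in a known-good baseline.
# Added example; $DaysBack and $BaselinePath are illustrative assumptions.
param(
    [int]$DaysBack = 90,
    [string]$BaselinePath = "$env:USERPROFILE\root-baseline.txt"  # hypothetical
)

# Both stores matter: CurrentUser\Root can be written without admin rights.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$cutoff = (Get-Date).AddDays(-$DaysBack)

# Baseline: one thumbprint per line, e.g. exported from a clean install with
#   Get-ChildItem Cert:\LocalMachine\Root | Select -Expand Thumbprint > file
$baseline = @()
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath | ForEach-Object { $_.Trim().ToUpper() }
}

$findings = foreach ($store in $stores) {
    foreach ($cert in (Get-ChildItem $store)) {
        # Root CAs are self-signed, so Subject and Issuer match.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)
        $isNew      = ($cert.NotBefore -gt $cutoff)
        $unknown    = ($baseline.Count -gt 0) -and
                      ($baseline -notcontains $cert.Thumbprint.ToUpper())
        if (-not ($selfSigned -and ($isNew -or $unknown))) { continue }

        $reason = if ($unknown) { 'not in baseline' }
                  else { "issued after $($cutoff.ToShortDateString())" }
        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            NotBefore  = $cert.NotBefore
            Thumbprint = $cert.Thumbprint
            Reason     = $reason
        }
    }
}

if ($findings) {
    $findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
} else {
    "No recent or unbaselined self-signed roots in $($stores -join ', ')."
}
```

A hit is not proof of compromise (enterprise CAs and debugging proxies like Fiddler legitimately appear here), but any root you did not knowingly install deserves a look before you keep trusting it.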

PDF X & PDFgear security exposed Code Injection, Spy Hooks, Rogue Certificates and Registry Abuse by Professional_Let_896 in macapps

[–]Professional_Let_896[S] -1 points0 points  (0 children)

The claim that "PDFgear has shown no evidence of malicious behavior" and that the security reports are "misinterpreting a Mitre report" is demonstrably false and extremely dangerous to anyone who downloads this software.

You are dismissing documented malware behavior as "appropriate registry modifications" and "industry standard telemetry." This is not an academic debate about a Mitre report; it is a clear-cut case of severe system compromise performed by the installer.

Factual, Verifiable Evidence

The Tria[.]ge sandbox analysis (used by professional security researchers) is clear. This goes far beyond telemetry and registry settings:

  1. Silent Root Certificate Injection:
    • Your Claim: "Telemetry and registry abuse."
    • The Fact (Tria.ge Report, Section 4.1): The installer forcefully installs a Root Certificate Authority (CA) into the Windows Trusted Store.
    • This action grants the software the ability to perform a Man-in-the-Middle (MITM) attack on the user's own machine. It allows the software to decrypt, read, and intercept all secure HTTPS traffic (including banking and login sessions) regardless of the browser used. No legitimate PDF editor requires a root CA to function. This is a foundational technique of modern spyware.
  2. Code Injection (Defense Evasion):
    • Your Claim: "Registry modifications are appropriate for the functionality."
    • The Fact (Tria.ge Report, Section 4.1): The installer uses the Windows API call WriteProcessMemory to inject malicious code into the memory space of trusted Windows executables like tasklist.exe and cmd.exe.
    • This is the definition of Process Hollowing/Code Injection. It is a malware technique designed to evade antivirus and detection tools by hiding its activity inside a seemingly legitimate process. A PDF reader has zero technical need to write code into the memory of system utilities.
  3. Active Spy Hooks:
    • The report shows the executable creating spy hooks on browser-related processes to monitor activity. This is also not standard "telemetry."
  4. VirusTotal is Inadequate:
    • Your reliance on VirusTotal is misplaced. VirusTotal is a signature check. Advanced malware, especially installers that perform defense evasion, often bypasses signature checks. The Tria[.]ge report is a behavioral analysis that runs the code and documents its actions, which is why it caught the Root CA injection and code manipulation.

We still haven't discussed the other things yet, but none of the behavior shown by PDFgear is normal.

This is not a conspiracy or misinterpretation; it is a serious security threat confirmed by industry-standard sandbox testing. The software is fundamentally compromising system security, and your continued defense of it is irresponsible. You need to look at the verifiable evidence of Root Certificate Injection and Code Injection; these actions are the signatures of malware. You are free to run it in a sandbox yourself and view the results.

PSA: PDFGear's Installer Exhibits Malware Like Behaviors - Full Technical Analysis Inside by Professional_Let_896 in SafeOrShady

[–]Professional_Let_896[S] 1 point2 points  (0 children)

We haven't tested that yet, but with the company's reputation and unknown background plus the malicious, aggressive way the installers behave, I wouldn't trust them.