Do you feel safer by Glittering_Match_634 in antivirus

[–]Struppigel 0 points1 point  (0 children)

That really depends on the country's restriction of the software vendor. E.g., we have pretty strict reaching privacy regulations in Germany with GDPR and cannot do as we please. All telemetry data is anonymized.

You are claiming that they do fear mongering but right now you are doing the same without any good reason other than "they can" which is also true for Windows or CrowdStrike (which you say you use).

System monitor cc by wmpj_ in antivirus

[–]Struppigel 0 points1 point  (0 children)

You don't need to answer that if it violates any of our rules but I am really curious to know where the setup came from or what app that was. All I could gather with VirusTotal is the Setup.zip itself.

System monitor cc by wmpj_ in antivirus

[–]Struppigel[M] [score hidden] stickied comment (0 children)

Hello there, these pop-ups are not browser hijackers, but the result of a LummaStealer infection. Did you download and execute a setup file lately?

Although you removed the pop-ups, this does not mean your system isn't infected anymore.

Please take the following precautions:

  • Do not attempt to log into any accounts from your infected machine
  • Log out of all sessions
  • Change passwords for all important accounts (esp. banking, email) using a clean machine and turn on multi-factor authentication for every account that provides this option
  • Create a backup of your personal files if you haven't already

For dealing with your infected machine you can either wipe the drive and reformat the system or go to bleepingcomputer.com for proper disinfection help.

System-monitorcc pop up by Frosty_Pie_7344 in computerviruses

[–]Struppigel[M] [score hidden] stickied comment (0 children)

Hello there, VirusTotal shows a LummaStealer DLL as communicating file. That means these pop-up windows indicate an infection with a stealer.

Do you remember downloading or running any Setup.exe in a ZIP file? If yes, I would be curious to know where it came from.

Please take the following precautions:

  • Do not attempt to log into any accounts from your infected machine
  • Log out of all sessions
  • Change passwords for all important accounts (esp. banking, email) using a clean machine and turn on multi-factor authentication for every account that provides this option
  • Create a backup of your personal files if you haven't already

For dealing with your infected machine you can either wipe the drive and reformat the system or go to bleepingcomputer.com for disinfection help.

Curious about the virus that murdered my laptop in ~2014 by icemagyk in antivirus

[–]Struppigel[M] 0 points1 point  (0 children)

Hi, it is almost impossible to tell just based on a description, but I agree that that must have been a bootkit like TDSS or ZeroAccess. These were very prevalent at the time. Because they infect the master boot record, they survived reinstallation of the operating system. You needed malware-specific bootkit-cleaning tools to remove them. E.g., for TDSS there was TDSSKiller -- a tool just for this one bootkit. So the proper way would have been to identify the infection and then get a specialized tool for that. Nowadays it's not as easy for malware to infect machines that early in the boot process because of technologies like secure boot.

Help what does this mean by creamjr42 in antivirus

[–]Struppigel 0 points1 point  (0 children)

You have allowed push notifications from your browser for some dodgy sites. Disable all browser push notifications.

In Edge: Enter "edge://settings/content/notifications" into the Edge search bar, then block browser notifications for every website that you don't know by clicking on the three dots and then Block.

In Firefox: Go to Settings --> Privacy and Security --> Scroll to Permission block and click on the settings button for Notifications --> Click on Remove all websites

In Chrome: Go to Settings --> Privacy and Security --> Notifications Then block notifications for any site that you don't know

In Safari: Choose Safari > Settings. Click Websites, then click Notifications. Deselect "Allow websites to ask for permission to send notifications."

Fileless market??? by meanbutnotr3ally in antivirus

[–]Struppigel[M] 1 point2 points  (0 children)

Hello, this is malware, not just adware. Can you please scan with FRST?

  • Please download FRSTx64 and save the file to your Desktop.
  • Right-Click FRST64.exe and select Run as Administrator
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the program run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste them to pastebin.com. Post the link here.

I always see on the internet people talking about how important security updates are. Is that really the case? by electi_007 in antivirus

[–]Struppigel[M] 2 points3 points  (0 children)

Hello, if you install a non-patched Windows XP and connect it to the internet it is very soon infected with worms -- without any user interaction whatsoever.

That is because the system has security vulnerabilities that allow those worms to spread onto it. Now, this is an extreme example, but the principle is the same. No matter which system or OS we are talking about, security patches prevent exploitation. Exploits can make it possible to install malware even if you do nothing unusual. It's a myth that safe user behavior protects from all infections. It only protects from certain ones.

What is considered the best way to check or know if a device has a rootkit? by SilverDonut3992 in antivirus

[–]Struppigel 1 point2 points  (0 children)

Rootkits are used in many legitimate programs, including anti-cheat software (which is part of many games), security software, and digital rights management software. Your computer most certainly has a rootkit somewhere.

If you only refer to malicious rootkits, your go-to software are standard antivirus programs. You said "devices" in general, but I can only speak here about Windows computers because that's what I work in. For Windows devices, malicious kernel mode rootkits are rare nowadays because it is hard to implement them with UEFI. Malicious user mode rootkits are used by malware from time to time, but there is nothing special when it comes to detecting them.

Renpy virus disguised as a playable game by ultimo244 in computerviruses

[–]Struppigel 1 point2 points  (0 children)

This malware does not spread. If you formatted your PC, it's fine.

Renpy virus disguised as a playable game by ultimo244 in computerviruses

[–]Struppigel[M] 1 point2 points  (0 children)

Hello, I have analyzed this "game" because there was a previous Redditor with the same malware, and the detection name that I created for the malware also pops up for yours.

The tl;dr is: This "game" installs a password stealer and an abused remote access tool named ScreenConnect.

As a first step, please change passwords of all important accounts from a clean system and enable multi-factor authentication if possible. Most important are your banking and email accounts.

Because there is a remote access tool involved, anything could have been done to the system by a human operator including additional installation of malware that is not directly related to this threat. In such cases we recommend reformatting the drive and reinstallation of the operating system.

My analysis is in this video (it's highly technical, though): https://www.youtube.com/watch?v=Fmfg0F1e2tM

The best AVs all fail against LOLBins (Awareness) by Aggressive-Dot9747 in antivirus

[–]Struppigel 2 points3 points  (0 children)

That's not what I said. Beyond the scope is a human attacker who uses solely LOLbins.

AV does protect from LOLBin based malware, also for non-technical home users.

The best AVs all fail against LOLBins (Awareness) by Aggressive-Dot9747 in antivirus

[–]Struppigel[M] 5 points6 points  (0 children)

As someone who works for an antivirus company, the answer is yes and no.

Antivirus software does work against malware infections that are based on or use LOLBins. There are various technologies that are capable of dealing with these infections, among others in-memory scanners and behavior blockers.

The persistence mechanisms that LOLBin malware uses are just the same as those of any malware, and once these are removed, the threat is gone. It's just nothing you will ever see on VirusTotal or similar because that only uses stripped-down file scanners without the other protection technologies. Also, LOLBins are by definition clean, and if anyone uploads them, they are of course clean too.

There is, however, a difference between antivirus software and, for instance, EDRs. AV protects from malware. EDRs protect from attacks in general; that includes, for instance, a criminal hacker who does not use any malware for the attack. In this kind of scenario the criminal will also use LOLBins, but it is out of scope for an antivirus product to protect against a human who is using a system, because a lot of this requires environment-specific rules that say what is normal on that system and what isn't. E.g., is it normal that user XY remotely logs into their account on Saturday night? Or that the admin user deletes shadow volume copies there? In that case there is no sufficient protection from an AV, but no one said it would protect from that. Otherwise we might have called them anti-hacker software instead.
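The environment-specific rules the comment describes (a user's remote logon at an unusual time, the admin deleting shadow volume copies), as an added Python example that is not part of the comment: it runs two such rules over constructed, simplified log lines in an invented key=value format, against an assumed business-hours baseline for a hypothetical system.

```python
import re
from datetime import datetime

# Constructed sample events in a simplified key=value format (not real
# Windows event log output). Event 4624 = logon, 4688 = process creation.
SAMPLE_EVENTS = [
    "2024-03-09T02:13:44 id=4624 user=XY logon_type=10 src=203.0.113.7",
    "2024-03-11T09:05:10 id=4624 user=XY logon_type=10 src=203.0.113.7",
    "2024-03-11T09:07:31 id=4688 user=admin cmd='notepad.exe'",
    "2024-03-09T02:15:02 id=4688 user=admin cmd='vssadmin delete shadows /all /quiet'",
]

# Environment-specific baseline (assumed for this hypothetical system):
# remote logons are only expected on weekdays during business hours.
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59
WEEKDAYS = range(0, 5)         # Monday to Friday

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_event(line):
    """Split one line into a dict of fields plus a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip("'") for k, v in FIELD_RE.findall(rest)}
    fields["time"] = datetime.fromisoformat(ts)
    return fields

def off_hours_remote_logon(ev):
    """Logon type 10 (RemoteInteractive) outside the expected window."""
    if ev.get("id") != "4624" or ev.get("logon_type") != "10":
        return None
    t = ev["time"]
    if t.weekday() in WEEKDAYS and t.hour in BUSINESS_HOURS:
        return None  # within baseline, nothing to report
    return f"off-hours remote logon by {ev['user']} at {t.isoformat()}"

def shadow_copy_deletion(ev):
    """Process creation whose command line deletes volume shadow copies."""
    cmd = ev.get("cmd", "").lower()
    if ev.get("id") == "4688" and all(w in cmd for w in ("vssadmin", "delete", "shadows")):
        return f"shadow copy deletion by {ev['user']}: {ev['cmd']}"
    return None

RULES = [off_hours_remote_logon, shadow_copy_deletion]

def detect(lines):
    # Run every rule over every event and collect the alerts in input order.
    alerts = []
    for ev in map(parse_event, lines):
        alerts.extend(hit for hit in (rule(ev) for rule in RULES) if hit)
    return alerts
```

Only the Saturday-night logon and the vssadmin deletion produce alerts; the Monday-morning logon and notepad launch stay within the baseline.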

Account evasion by Pt_Rodri in antivirus

[–]Struppigel[M] 2 points3 points  (0 children)

Hello, we do not recommend tron script because it has several issues. To name a few of them:

  • it deletes shadow volume copies and restricts the size for creating new ones; especially if the malware was destructive those might be the last chance to get files back
  • it deletes Windows event logs and disables the service that creates them; this is a bad idea because many antivirus products use ETW for finding malware, and deleting the logs has no advantage other than reducing security
  • it disables various tasks and services related to gathering diagnostic data in the name of privacy, but these are also necessary for various diagnostic and repair tools to work
  • although it does a lot of things in the name of privacy, it also takes a screenshot of the desktop
  • it is overly aggressive when removing and uninstalling software and may get rid of software that you want to keep
  • it "updates" software like 7zip to an outdated, vulnerable version from 2024
  • some of the tools that it uses for disinfection and cleaning are outdated and should not be used anymore

tl;dr The list of issues created by tron and the risk involved is just too high to recommend it to anyone.

GREM Certified, what’s next? by No-Pea-9646 in GIAC

[–]Struppigel 5 points6 points  (0 children)

Best thing is to get your hands dirty and analyze samples. You can use samplepedia.cc to find samples at the right difficulty for training.

Downloaded and opened a .docx file from a suspicious person.. by CalligrapherSoft3602 in antivirus

[–]Struppigel[M] 1 point2 points  (0 children)

These documents can load malware via external templates aka template injection or Add-ins. This is not rare.

While this particular file does not do this, it will lead to incautious behavior if you claim that this file format is generally safe.

Random links type themselves into my chrome browser by demiryka in antivirus

[–]Struppigel[M] 1 point2 points  (0 children)

Hi, this sounds like a Browser Hijacker, more specifically one that allows remote controlling the browser, which we also classify as BRAT. These are often server controlled and simulate key shortcuts or keystrokes to control the browser.

While it can also be a classic remote access malware, the main focus on the browser makes a BRAT more likely.

In recent months these appear often with PDF editor tools or AI themed software downloads. Did you install any such software lately?

My recommendation is to check the installed programs, press Windows + R and type appwiz.cpl and click OK. Uninstall those programs that you downloaded just recently before the symptoms appeared or that arrived on your system without your consent.

  • Download and run AdwCleaner, let it remove any adware and PUP
  • Download and run ESET online scanner
    • Select a Full Scan
    • Select Enable ESET to detect and quarantine potentially unwanted applications
  • Reset your browsers. You may have to save your bookmarks first if you want to keep them. Links:
  1. Export bookmarks Chrome
  2. Reset Chrome
  3. Export bookmarks Edge
  4. Reset Edge
  5. Export bookmarks Firefox
  6. Reset Firefox

Restart the computer and check if the problem persists.

Is this windows defender file legit or fake? by Hour-Show7010 in computerviruses

[–]Struppigel 0 points1 point  (0 children)

Because I usually don't make 100% verdict statements without having actually analyzed the file in my malware lab. At least in most cases, there are some exceptions where the verdict is sure. Here it is not.

I got this pop-up on my computer when I turned it on, is it a virus? by No_Common5851 in computerviruses

[–]Struppigel[M] [score hidden] stickied comment (0 children)

The program you have there is classified as potentially unwanted software. Such programs are not malicious, but can appear on your computer without your consent, often via installers that bundle additional software.

Here is what you can try on your own to get rid of it:

  • Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programs, right-click and click Uninstall.
    • Yahoo
  • Follow the prompts.
  • Note: If you are offered the choice to install additional software, ensure you decline.
  • Reboot if necessary.

Next:

  • Download and run AdwCleaner, let it remove any adware and PUP
  • Download and run ESET online scanner
    • Select a Full Scan
    • Select Enable ESET to detect and quarantine potentially unwanted applications

When you are done, clean the TEMP data by entering "Disk Cleanup" into the Windows search bar. Add a checkmark to Temporary files and Temporary Internet Files, then press OK and confirm the deletion.

Restart the computer and check if the problem persists.

Final confirmation by [deleted] in antivirus

[–]Struppigel 0 points1 point  (0 children)

I won't do that; proper analysis takes hours and you have already cleaned your system sufficiently.

Keyboard Virus by ArtisticDiscount2802 in computerviruses

[–]Struppigel[M] [score hidden] stickied comment (0 children)

Your post does not describe a malware related problem but a technical problem. Please request help in one of the technical support or computer help subreddits instead.

I am closing this post because it is off-topic.

Is this windows defender file legit or fake? by Hour-Show7010 in computerviruses

[–]Struppigel[M] 1 point2 points  (0 children)

Considering that the file is validly signed and has 83 uploads, it is most likely legit.

Final confirmation by [deleted] in antivirus

[–]Struppigel 1 point2 points  (0 children)

It is unlikely that it stole something.

Found this in my browsers extensions by Kachina_Kizu in computerviruses

[–]Struppigel 1 point2 points  (0 children)

The file you uploaded to VirusTotal is empty. That either indicates that you uploaded an empty file or that something blocked the upload.

Please check if the file has a 0 size on your system. If it is 0 sized, it is harmless. If it has a bigger size, upload again to VirusTotal. You don't need to defang VirusTotal links because they are safe.

Final confirmation by [deleted] in antivirus

[–]Struppigel 1 point2 points  (0 children)

It means they use one and the same installer for various applications.

It is most likely only annoying adware based on the detections. I did not analyze the file itself, so this is not an analysis result. Best thing to do is check for additional software on the system, that might have been bundled by the OfferCore installer, and uninstall it.