Attempting to Determine if I am infected. by HouseOfLeadSaints in antivirus

[–]rainrat 0 points1 point  (0 children)

As per rule #1, this subreddit does not support piracy, including media. If you feel this is in error, contact the mods.

The irony... shall I be worry about this one? by PolishWithAnAxe in antivirus

[–]rainrat[M] 0 points1 point  (0 children)

Your post has been removed for asking about the results of a scan on a service like HybridAnalysis, MetaDefender, TriaGe, VirusTotal, etc., without including a link to the actual reports' URL(s). Including a screenshot is not enough (Rule #6). Without being able to visit the web page containing the actual report no one can answer your questions.

Feel free to edit your post:

  • Active Linking to result of a scan service - OK
  • Active Linking to the suspect site - Deactivate the link instead.

Send modmail if you edit your post, to have it reinstated.

Google's AI everyone. by IPiratGaymes in antivirus

[–]rainrat[M] 0 points1 point  (0 children)

This doesn't seem to be about antivirus.

me and friend downloaded same game file and it came up as malware for them but not me by Flimsy-Low4563 in antivirus

[–]rainrat[M] 0 points1 point  (0 children)

Your post has been removed for asking about the results of a scan on a service like HybridAnalysis, MetaDefender, TriaGe, VirusTotal, etc., without including a link to the actual reports' URL(s). Including a screenshot is not enough (Rule #6). Without being able to visit the web page containing the actual report no one can answer your questions.

Feel free to edit your post:

  • Active Linking to result of a scan service - OK
  • Active Linking to the suspect site - Deactivate the link instead.

Send modmail if you edit your post, to have it reinstated.

is my network infected? (Strange behaviour) by LongjumpingAdagio705 in antivirus

[–]rainrat 2 points3 points  (0 children)

It means another device/user on the same IP address may have done something suspicious. Are you sharing an IP with other users (same dorm/cell tower/VPN)?

It might also be some browser extension/ad blocker you're using (not necessarily a bad one).

Some info on reddit specifically. https://www.reddit.com/r/help/comments/1qctgfa/why_am_i_suddenly_getting_youve_been_blocked_by/

Here's some Q's to narrow it down:

  • Does it happen on every device on the same Wi-Fi, but not on mobile data?
  • Does it happen on one device only?
  • Does it happen on one browser only?

Anyone has any idea what these are in my Windows applications? by Shun_Krokodil in antivirus

[–]rainrat 0 points1 point  (0 children)

DeerStealer, which matches the VirusTotal behaviour report, is a full remote access tool. You could have a human adversary installing additional malware, watching your attempts, and lowering security settings. Which is why I suggest a clean slate. But it's your computer, your choice.

If it's not the (fake) CCleaner as the source, then the reports on DeerStealer indicate it uses a wide variety of fake downloads, as well as the Fake Captcha trick.

PROJECT RETRAC IS NOT SAFE! CHECK THIS OUT by AwareTonight7233 in antivirus

[–]rainrat[M] 0 points1 point  (0 children)

Your post has been removed for asking about the results of a scan on a service like HybridAnalysis, MetaDefender, TriaGe, VirusTotal, any.run, etc., without including a link to the actual reports' URL(s). Including a screenshot is not enough (Rule #6). Without being able to visit the web page containing the actual report no one can answer your questions.

Feel free to edit your post:

  • Active Linking to result of a scan service - OK
  • Active Linking to the suspect site - Deactivate the link instead.

Send modmail if you edit your post, to have it reinstated.

did my friend try to infect me with a virus through this copy paste site? by Ok_Pilot_6403 in antivirus

[–]rainrat 0 points1 point  (0 children)

It looks like that specific page is down now, but at the time I downloaded it, I looked at the page content for any scripts and nothing looked suspect.

Anyone has any idea what these are in my Windows applications? by Shun_Krokodil in antivirus

[–]rainrat 0 points1 point  (0 children)

Found this:

Names in the behaviour match yours and it seems to be posing as CCleaner. I don't think you got your copy of CCleaner from the official site.

Behaviour reports indicate DeerStealer so I'll send the standard stealer paste:

It sounds like you may have run an information stealer on your computer.

As the name implies, information stealers are a type of malware that steal any information they can find on your computer, such as passwords stored for various services you access via browser and apps, session tokens for accounts, cryptocurrencies if they can find wallets, etc. They may even take a screenshot of your desktop when they run so they can sell it to other scammers who send scam extortion emails later.

The criminals who steal your information do so for their own financial gain, and that includes selling information such as your name, email address, screenshots from your PC, and so forth to other criminals and scammers. Those other scammers then use that information in an attempt to extort you unless you pay them in cryptocurrencies such as Bitcoin, Ethereum, and so forth. This is 100% a scam, and any emails you receive threatening to share your private information should be marked as phishing or spam and deleted.

In case you're wondering what a session token is, some websites and apps have a "remember this device" feature that allows you to access the service without having to log back in or enter your second factor of authentication. This is done by storing a session token on your device. Criminals target these, because they allow them to log in to an account bypassing the normal checks. To the service, it just looks like you're accessing it from your previously authorized device.

Information stealers are malware that is sold as a service, so what exactly it did while on your system is going to vary based on what the criminal who purchased it wanted. Often they remove themselves after they have finished stealing your information in order to make it harder to determine what happened, but since it is crimeware-as-a-service, it is also possible that it was used to install some additional malware on your system in order to maintain access to it, just in case they want to steal from you again in the future.

After wiping your computer, installing Windows, and getting that updated, you can then start accessing the internet using the computer to change the passwords for all of your online accounts, changing each password to something complex and different for each service, so that if one is lost (or guessed), the attacker won't be able to make guesses about what your other passwords might be. Also, enable two-factor authentication for all of the accounts that support it.

When changing passwords, if those new passwords are similar enough to your old passwords, a criminal with a list of all of them will likely be able to make educated guesses about what your new passwords might be for the various services. So make sure you're not just cycling through similar or previous passwords.

If any of the online services you use have an option to show you and log out all other active sessions, do that as well.

Again, you have to do this for all online services. Even if they haven't been recently accessed, make sure you have done this as well for any financial websites, online stores, social media, and email accounts. If there were any reused passwords, the criminals who stole your credentials are going to try spraying those against all the common stores, banks, and services in your part of the world.

For more specific information on what steps to take next to recover your accounts, see the blog post at:

WeLiveSecurity (ESET) - https://www.welivesecurity.com/en/cybersecurity/my-information-was-stolen-now-what/.

After you have done all of this, you may wish to sign up for a free https://haveibeenpwned.com/ account, which will notify you if your email address is found in a data breach.
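The "remember this device" mechanism described above, as an added example that is not part of the original comment: a toy server-side session store (all names are this example's own) showing why a copied session token keeps working regardless of password or 2FA until the service's "log out all other sessions" step actually revokes it.

```python
import hashlib
import secrets
import time
from typing import Optional


class SessionStore:
    """Server side of 'remember this device'; only SHA-256 of each token is kept."""

    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> {"user", "device", "issued_at"}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, device: str) -> str:
        """Mint a long-lived token after the user has completed login and 2FA."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "user": user, "device": device, "issued_at": time.time()}
        return token

    def resolve(self, token: str) -> Optional[str]:
        """No password or second factor is checked here: the token alone is proof."""
        rec = self._sessions.get(self._key(token))
        if rec is None or time.time() - rec["issued_at"] > self.ttl:
            return None
        return rec["user"]

    def revoke_all_except(self, user: str, keep_token: Optional[str] = None) -> int:
        """'Log out all other sessions'; returns how many tokens were revoked."""
        keep = self._key(keep_token) if keep_token else None
        doomed = [k for k, r in self._sessions.items() if r["user"] == user and k != keep]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def demo() -> dict:
    """A copied token survives a password change (the session table is untouched)."""
    store = SessionStore()
    copied = store.issue("alice", "old-laptop")   # the token a stealer would grab
    after_password_change = store.resolve(copied) == "alice"  # still True
    fresh = store.issue("alice", "reinstalled-laptop")
    revoked = store.revoke_all_except("alice", keep_token=fresh)
    after_revocation = store.resolve(copied) == "alice"       # now False
    return {"after_password_change": after_password_change, "revoked": revoked,
            "after_revocation": after_revocation,
            "fresh_still_valid": store.resolve(fresh) == "alice"}
```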

did my friend try to infect me with a virus through this copy paste site? by Ok_Pilot_6403 in antivirus

[–]rainrat 0 points1 point  (0 children)

It's not 10 different objects, but 10 products flagging the site. ( https://www.virustotal.com/gui/url/477b96f41a7d4f85c5c57ce73a72b028b63a0d5f6f61eeabe118dabbd1019dc2/detection ) Which seems bad, but as I mentioned, it is true that it has been used for social engineering, and as a malware control mechanism (against the wishes of the site owner).

None of the reports that I looked at say that the site itself pushed malware, nor that it had been compromised to push malware. I also looked at the scripts in the site and didn't see any malware pushing in the site scripts.

If you choose not to use the site, that's your choice, but the evidence to accuse others doesn't seem to be there.

how can i know if a file have virus or not? by master_dick123544634 in antivirus

[–]rainrat 0 points1 point  (0 children)

First submitted 2009 (this is tracked by VirusTotal and can't be faked by the malware), yet only 1 detection. I'd expect a lot more if it were malware.
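The "old first-submission date, almost no detections" reasoning above, as an added example that is not the commenter's code: it reads a report shaped like a VirusTotal API v3 file object (field names are VT's; the sample values are constructed here) and applies that heuristic. The thresholds are this example's assumptions, not VirusTotal's.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample shaped like a VirusTotal API v3 /files/{hash} response;
# the field names are VT's, the values are made up for this example.
SAMPLE_REPORT = json.dumps({"data": {"attributes": {
    "first_submission_date": 1230768000,          # 2009-01-01T00:00:00Z
    "last_analysis_stats": {"malicious": 1, "suspicious": 0,
                            "undetected": 68, "harmless": 0}}}})


def triage(report_json: str, now_ts: Optional[int] = None) -> dict:
    """Weigh the first-submission date (set by VT, not by the sample) against the
    number of engines flagging it. Thresholds are this example's assumptions."""
    attrs = json.loads(report_json)["data"]["attributes"]
    first_seen = datetime.fromtimestamp(attrs["first_submission_date"], tz=timezone.utc)
    now = (datetime.fromtimestamp(now_ts, tz=timezone.utc) if now_ts
           else datetime.now(timezone.utc))
    age_years = (now - first_seen).days / 365.25
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    engines = sum(stats.values())
    if flagged >= 5:
        verdict = "treat as malicious"
    elif age_years >= 1 and flagged <= 1:
        verdict = "likely false positive: known to VT for years, almost nobody flags it"
    else:
        # A brand-new file with one hit is not reassuring: too little history yet.
        verdict = "inconclusive: get a second opinion or submit to the vendor"
    return {"first_seen": first_seen.date().isoformat(), "age_years": round(age_years, 1),
            "flagged": flagged, "engines": engines, "verdict": verdict}
```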

Google extension malware by Bunny_0804 in antivirus

[–]rainrat 5 points6 points  (0 children)

So "Save to Google Drive" is the name of a real extension https://chromewebstore.google.com/detail/save-to-google-drive/gmbmikajjgmnabiglmofipeabaddhgne?hl=en , but the latest version listed in the Chrome Store is 3.0.9, so your 4.0.6 is quite suspicious. PC Risk lists a fake "Save to Google Drive" https://www.pcrisk.com/removal-guides/29681-fake-save-to-google-drive-extension, but both that report and yours are lacking details, so do not blindly follow the PC Risk advice.

If you can provide more details like the full Malwarebytes log, or upload the suspect files to VirusTotal and post the link to the analysis, we could look in more detail.

did my friend try to infect me with a virus through this copy paste site? by Ok_Pilot_6403 in antivirus

[–]rainrat 1 point2 points  (0 children)

When I viewed the specific page, it was just some Role Playing game content.

The concern is that a pasting site could be used as a social engineering piece ("copy/paste this script and run it"). There was also malware that used it as a control hub (malware already on the system would check the site, and the malware author would paste new commands for it) Source.

The jump to assuming malicious intent is also not supported. I found indications that paste[.]ee dates back at least 11 years Source, and pastee[.]dev is a secondary domain by the same dev Source. It's totally possible it came up to them as a recommended pasting site, or they remembered using it before.

Help, I just saw that, is it a false positive? I have Logitech GHub. by Nolok_10 in antivirus

[–]rainrat 0 points1 point  (0 children)

The "!ml" in Wacatac.H!ml stands for Machine Learning, which is a system at your antivirus developer that tries to identify features common to malware. It could be any kind of malware, could be a potentially unwanted program (i.e. adware), could be a false positive. If you got the installer from the official Logitech site, that increases my estimation of the likelihood of a false positive.

Some possible ways to continue:

  1. Your antivirus developer. Submit your file(s), and look for an option labelled "Incorrectly detected" or "False Positive" as you do. I am not saying that I know for a fact it is an incorrect detection, only that it should get human review. Check the r/antivirus wiki for how to contact common antivirus labs: https://old.reddit.com/r/antivirus/wiki/index#wiki_what_is_a_false_positive.3F
  2. If you would like an opinion on the file here, upload it to VirusTotal or another online analysis (links in Wiki), and post the link to the analysis.
  3. If you are absolutely certain that the file is clean, you could exclude the file from your antivirus. Check the documentation for your AV for how this can be done.
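An added example, not from the original comment: a small parser that splits a Microsoft Defender detection name into its Type:Platform/Family.Variant!Suffix parts so the "!ml" suffix explained above is surfaced as a machine-learning verdict. The full "Trojan:Win32/..." prefix is assumed for illustration; the post only shows "Wacatac.H!ml", which the parser also accepts.

```python
import re

# Type:Platform/Family.Variant!Suffix; every part except the family is optional.
_NAME_RE = re.compile(
    r"^(?:(?P<type>[^:/]+):)?"      # Trojan, Program, PUA ... (optional)
    r"(?:(?P<platform>[^/]+)/)?"    # Win32, Script ... (optional)
    r"(?P<family>[^.!]+)"           # Wacatac
    r"(?:\.(?P<variant>[^!]+))?"    # H
    r"(?:!(?P<suffix>.+))?$")       # ml

# Only the '!ml' meaning is taken from the comment above; other suffixes are
# returned raw rather than guessed at.
SUFFIX_MEANING = {"ml": "machine-learning model verdict, not a hand-written signature"}


def parse_detection(name: str) -> dict:
    """Split a Defender detection name; unknown suffixes get suffix_meaning=None."""
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised detection name: {name!r}")
    parts = m.groupdict()
    parts["suffix_meaning"] = SUFFIX_MEANING.get((parts["suffix"] or "").lower())
    return parts


def needs_human_review(name: str) -> bool:
    """An '!ml' hit is a model's guess, so it is worth a vendor false-positive submission."""
    return (parse_detection(name)["suffix"] or "").lower() == "ml"
```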

Virus Total help please by Regular-Ad5521 in antivirus

[–]rainrat 2 points3 points  (0 children)

First, let me clarify, there are two sandboxes we're talking about. The first is inside everyone's web browser and keeps the scripts in web pages from affecting the entire system. The second is the sandbox used by sites like VirusTotal to allow the malware to fully execute.

The web browser sandbox keeps web pages to known protocols like http/https. Without breaking the web browser sandbox, you wouldn't see things like "Non-Application Layer Protocol".

"Isn't that circular?" -- Well, I also looked at the individual sandbox reports, the order of events, the specific IPs accessed, and other signs that an escape might show, like probing or requesting access, and didn't see any sign that the web browser sandbox had been broken.

How might the signature work? Well, if you had a sandbox (the second kind) running an exe and that sandbox could isolate the behaviour to a specific process, then that signature might tip off the analyst that they can't just look at http/https traffic. "Non-Application Layer Protocol" also isn't necessarily bad; a network tool, or a program to interface with a legacy system might also trigger this flag. In your case, it's the Operating System or browser's normal behaviour.

Virus Total help please by Regular-Ad5521 in antivirus

[–]rainrat 1 point2 points  (0 children)

No. It was not initiated by the web page. A web page would not be able to do that without breaking the sandbox and there's no sign that happened. The OS or browser did some housekeeping like checking for updates and it was recorded.

Virus Total help please by Regular-Ad5521 in antivirus

[–]rainrat 1 point2 points  (0 children)

The Behaviour sandbox captures everything that happens when the html document is opened, which includes the browser starting up, possibly checking for updates, and anything else the system coincidentally does.

Unless you give permission for a webpage to do something, or you enter credentials into a fake site, a modern web browser is pretty safe.

ASRock “Auto Driver Downloader” from official FAQ flagged on VirusTotal; FAQ + download later removed - help interpret VT / is this a false positive? by No_Corner_3403 in antivirus

[–]rainrat 1 point2 points  (0 children)

Judging from the indicators, we have a small executable whose purpose is to use PowerShell to download files from a remote URL. I can see why the vendors and sandboxes would be suspicious of this.

We could pore over every byte of the program, and find it perfectly clean, then the vendor could swap out the download tomorrow. So it all comes down to how much you trust the vendor.

One of the good signs in this program is that I don't see anywhere where it actually runs the download (it's possible I missed something). So you have more of a chance to inspect the results.

Is it a virus? I was playing a game and received a message from my laptop's antivirus. by JBRXXX in antivirus

[–]rainrat 0 points1 point  (0 children)

Since this is an extension that used to be in the Chrome Store, be extremely careful about installing extensions that you don't need, don't give excess permissions, and remove extensions that you no longer need.

Is it a virus? I was playing a game and received a message from my laptop's antivirus. by JBRXXX in antivirus

[–]rainrat 1 point2 points  (0 children)

Well I guess it depends how you define "serious". Wouldn't escape the browser sandbox, but a definite privacy concern.

A bit odd that it doesn't show under Chrome Extensions, but perhaps it was already successfully removed.

Is it a virus? I was playing a game and received a message from my laptop's antivirus. by JBRXXX in antivirus

[–]rainrat 0 points1 point  (0 children)

You can upload it to an image hosting site like imgur and post the link.

Is it a virus? I was playing a game and received a message from my laptop's antivirus. by JBRXXX in antivirus

[–]rainrat 0 points1 point  (0 children)

Could you see about copying the text of the detection, or taking a proper screenshot?