Unwanted programs – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

PUADlManager:Win32/Snackarcin: What Is It and How to Remove?
https://gridinsoft.com/blogs/puadlmanager-win32-snackarcin/
Tue, 24 Jun 2025 15:01:01 +0000

PUADlManager:Win32/Snackarcin is a detection of Microsoft Defender that flags an unwanted program capable of downloading other unwanted programs. This, in turn, makes it pretty dangerous, at least from the user experience perspective. Ignoring it can leave the system cluttered with unwanted programs, much like other unwanted application and adware infections.

Threat Summary

Detection Name:     PUADlManager:Win32/Snackarcin
Threat Type:        Potentially Unwanted Application (PUA), Downloader, Bundleware
Detection Source:   Microsoft Defender Antivirus
Primary Function:   Downloads and installs additional unwanted programs without user consent
Common Sources:     Modified Minecraft mods, system optimizers, screen time tools, visual tweakers
Installed Payloads: Tesla Browser, PC App Store, 7-zip, various adware and PUAs
System Impact:      Browser hijacking, unwanted notifications, system slowdown, privacy risks
Risk Level:         Medium (can escalate to high with additional malware downloads)

Unwanted programs like Snackarcin are usually less dangerous than trojan malware, though I wouldn’t recommend ignoring them. Since it can deploy other unwanted programs, the effect is cumulative, and the system soon turns into a mess. Moreover, the apps this PUA installs may install further unwanted programs on their own, multiplying like rabbits and creating a cascade of browser hijackers and system modifications.

What is PUADlManager:Win32/Snackarcin?

PUADlManager:Win32/Snackarcin is a detection name that Microsoft Defender uses to flag a downloader of unwanted programs. Usually, it is an installer of a program that contains specific code which makes it connect to a remote server and download other programs. The abbreviation “PUADl” at the beginning of the detection name is, in fact, self-explanatory: Potentially Unwanted Program Downloading Manager. This type of threat falls into the broader category of malware that security software actively monitors.

Among other detections of this type, Snackarcin stands out by the type of program that carries the said code. According to user reports, this detection appears on mods or mod engines for Minecraft downloaded from third-party websites. Although completely safe by design, they were modified by the person who uploaded them, and this is exactly what Microsoft Defender objects to. The range of unwanted programs it can install is vast; I will show my tests later on.

The said mods and mod engines are not the only program type that carries PUADlManager:Win32/Snackarcin. A review of the actual samples shows quite a few shady utilities that contain bundler code. Visual tweakers for Windows, screen time control tools, system optimizers: these have always been less than trustworthy. Such programs often serve as delivery mechanisms for more serious threats, similar to other software bundling schemes we’ve analyzed.

PUADlManager:Win32/Snackarcin Runtime Analysis

To have a better understanding of what Snackarcin is, I ran a sample on a virtual machine. It appeared to have only a few visible signs that something fishy was going on: the installer had no “usual” windows and asked to install 7-zip at the end. However, shortly after, the obvious issues appeared.

[Image: Snackarcin 7-zip]

Without a single notification from the installer, it injected Tesla Browser, a known adware-like rogue browser, and PC App Store. The latter tries to look like what its name suggests, but is in fact akin to adware that adds promotions to system windows. Both are particularly obtrusive: they start with the system, show notifications on top of all apps, change the default browser to Tesla, and so on. This behavior is typical of spyware-like programs and adware. This, however, is not the complete list of unpleasant things Snackarcin is capable of.

[Image: Unwanted apps added by PUADlManager:Win32/Snackarcin]

To choose which programs to bundle, PUADlManager:Win32/Snackarcin collects basic system information. This shows up in its activity logs: the installer reads the following registry keys and system files:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
C:\Windows\System32\WinTypes.dll

This provides Snackarcin with information about the system version and location, which most likely determines which unwanted apps it will install. Having this data, the bundler connects to the command and control (C2) server and retrieves the PUAs. C2 addresses are usually built into each sample.

TCP 20.99.186.246:443
TCP 192.229.211.108:80
TCP 23.216.147.64:443

One thing that looks disturbing to me is the occasional usage of command line calls to svchost.exe and wuapihost.exe. These two system processes are capable of hosting the execution of other apps and, more importantly, DLLs. For that reason, they are often exploited by dropper malware, particularly for launching injected malware that takes the form of a DLL file. Considering the networking behavior described above, nothing stops Snackarcin from downloading and launching more dangerous threats through these legitimate Windows processes.

C:\Windows\System32\wuapihost.exe -Embedding
C:\Windows\System32\svchost.exe

Impact on System Performance and Security

PUADlManager:Win32/Snackarcin has multiple negative impacts on infected systems beyond just installing unwanted programs. The bundled applications consume system resources, slow down startup times, and create persistent background processes that affect overall performance. Users often report significant browser slowdowns, unexpected pop-ups, and changed homepage settings, as with other virus infections.

From a security perspective, Snackarcin creates vulnerabilities by establishing network connections to remote servers and potentially downloading additional payloads. The ability to execute system processes like svchost.exe and wuapihost.exe means it could theoretically be used to deploy more serious threats including InfoStealer malware or ransomware variants.

The networking behavior also raises privacy concerns, as the software can potentially collect system information, installed programs lists, and user behavior data to send back to command servers. This data collection often happens without explicit user consent and may violate privacy regulations in many jurisdictions.

Prevention and Best Practices

Preventing PUADlManager:Win32/Snackarcin infections requires careful attention to software sources and installation practices. Always download programs from official websites or reputable software repositories. Gaming modifications, in particular, should come from trusted modding communities with established reputations, as gaming-related PUAs are increasingly common.

When installing any software, especially system utilities or gaming modifications, read installation prompts carefully and opt for custom installation when available. Many bundlers hide their payload installations in “quick” or “recommended” installation options. Enable Windows Defender real-time protection and keep your security software updated to catch PUA detections before installation completes.

Be particularly cautious of software that promises system optimization, PC cleaning, or performance enhancement. These categories frequently contain potentially unwanted bundlers and serve as common distribution vectors for threats like Snackarcin. If you encounter fake virus alerts or suspicious system warnings, they may be attempting to trick you into installing similar PUA threats.

How to remove PUADlManager:Win32/Snackarcin?

I recommend using GridinSoft Anti-Malware to remove PUADlManager:Win32/Snackarcin. As you could see from the analysis above, it makes quite a lot of changes to the system and may install pretty much any other program, or even malware. That’s why a dedicated malware removal utility is pretty much a must.

Download and install GridinSoft Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

[Image: GridinSoft Anti-Malware main screen]

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click “Advanced mode” and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

[Image: Scan results screen]

Click “Clean Now” to start the removal process.

Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

[Image: Removal finished]

Additional Manual Cleanup Steps

After running GridinSoft Anti-Malware, perform these additional cleanup steps to ensure complete removal of PUADlManager:Win32/Snackarcin components:

1. Check and Reset Browser Settings: If Tesla Browser or other unwanted browsers were installed, reset your default browser settings. Remove any suspicious browser extensions and restore your preferred homepage and search engine, either through the browser’s own settings or with the Reset Browser Settings tool in GridinSoft Anti-Malware.

2. Review Installed Programs: Open Windows Settings > Apps & Features and look for recently installed programs you don’t recognize, especially PC App Store, Tesla Browser, or suspicious system optimization tools. Uninstall any unwanted applications found during this review.

3. Clear Temporary Files: Use Windows Disk Cleanup or a third-party cleaner to remove temporary files and cached data that may contain remnants of the unwanted programs. This helps ensure no leftover components remain on your system.

4. Scan with Windows Defender: Run a full system scan with Windows Defender as a secondary check. While GridinSoft Anti-Malware is more comprehensive for PUA removal, Windows Defender may catch any remaining components or related threats.
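The first two cleanup steps above can be verified with a read-only audit. The script below is an added example, not part of the original post or of GridinSoft’s products: it looks for the program names the post attributes to Snackarcin (Tesla Browser, PC App Store), lists recently installed programs, reads the default http handler, and enumerates autostart entries. The 14-day window and the list of “common” browser ProgIds are assumptions; adjust them to your environment.

```powershell
# Added example (not GridinSoft's code): read-only audit of Snackarcin-style leftovers.
# Program names come from the post; registry locations are standard Windows ones.
# Needs no elevation; it only reads, never deletes.

$suspectPattern = 'Tesla Browser|PC App Store'   # names reported in the post
$recentDays     = 14                             # assumption: "recent" window

# 1. Installed programs from the per-machine (64- and 32-bit) and per-user Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate is stored as a yyyyMMdd string; anything else is left as null.
        $when = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $when = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        [pscustomobject]@{
            DisplayName     = $_.DisplayName
            Publisher       = $_.Publisher
            InstallDate     = $when
            UninstallString = $_.UninstallString
            RegistryPath    = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
        }
    }

$byName = $installed | Where-Object { $_.DisplayName -match $suspectPattern }
$recent = $installed | Where-Object {
    $_.InstallDate -and $_.InstallDate -gt (Get-Date).AddDays(-$recentDays)
}

# 2. Default browser: the ProgId registered for the http URL association.
$userChoice = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice'
$httpProgId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId
# Assumption: ProgId prefixes of the usual browsers; anything else deserves a look.
$knownBrowserProgIds = '^(ChromeHTML|FirefoxURL|MSEdgeHTM|IE\.HTTP|AppX)'

# 3. Autostart entries: Run keys and Startup folders ("starting with the system").
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$autostart = foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
    }
}
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
$startupFiles = Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue

# Report.
"== Installed programs matching '$suspectPattern' =="
$byName | Format-Table DisplayName, Publisher, InstallDate, UninstallString -AutoSize
"== Programs installed in the last $recentDays days (review anything you do not recognise) =="
$recent | Sort-Object InstallDate -Descending | Format-Table DisplayName, Publisher, InstallDate -AutoSize
"== Default http handler ProgId: $httpProgId =="
if ($httpProgId -and $httpProgId -notmatch $knownBrowserProgIds) {
    Write-Warning "Default browser ProgId '$httpProgId' is not one of the common browsers; check it."
}
"== Autostart entries (Run keys) =="
$autostart | Format-Table Key, Name, Command -AutoSize
"== Startup folder items =="
$startupFiles | Format-Table FullName -AutoSize
```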

Conclusion

PUADlManager:Win32/Snackarcin represents a significant threat to system security and user experience, despite being classified as “potentially unwanted” rather than malicious malware. Its ability to download and install multiple unwanted programs creates a cascade effect that can severely compromise system performance and security.

The key to protection lies in prevention: download software only from trusted sources, avoid third-party mod repositories, and maintain updated security software with real-time protection enabled. When installing any software, especially system utilities or gaming modifications, always choose custom installation options and read prompts carefully.

If you’ve encountered this threat, prompt removal is essential. Use comprehensive security tools like GridinSoft Anti-Malware rather than relying solely on Windows Defender, as PUA threats often require specialized detection and removal capabilities.

For additional protection against similar threats, consider reading our guides on detecting OfferCore bundlers, understanding InstallCore threats, and recognizing online scam patterns. Stay informed about system optimization scams and maintain good cybersecurity hygiene to protect your system from future infections.

Frequently Asked Questions (FAQ)

What does PUADlManager:Win32/Snackarcin mean?

PUADlManager:Win32/Snackarcin is Microsoft Defender’s detection name for a potentially unwanted application that downloads and installs other unwanted programs. “PUADl” stands for “Potentially Unwanted Application Download Manager,” indicating its primary function as a software bundler that connects to remote servers to retrieve additional programs without explicit user consent.

Is PUADlManager:Win32/Snackarcin dangerous?

While not as immediately dangerous as ransomware or banking trojans, PUADlManager:Win32/Snackarcin poses significant risks to system security and user privacy. It can install browser hijackers, adware, and other unwanted applications that compromise system performance. More concerning is its ability to execute system processes that could potentially be exploited to install more serious malware in the future.

How did PUADlManager:Win32/Snackarcin get on my computer?

Most users encounter PUADlManager:Win32/Snackarcin through modified Minecraft mods downloaded from third-party websites, bundled system optimization tools, or fake PC cleaning utilities. The threat often comes disguised as legitimate software but contains additional code that downloads unwanted programs after installation. It may also arrive through software bundling, where legitimate programs are packaged with unwanted additions.

Can I ignore the PUADlManager:Win32/Snackarcin detection?

No, you should not ignore this detection. While it may seem less threatening than traditional malware, PUADlManager:Win32/Snackarcin can significantly degrade system performance and create security vulnerabilities. The unwanted programs it installs often lead to browser hijacking, persistent advertisements, and potential privacy breaches. Additionally, its network connectivity capabilities mean it could potentially download more serious threats.

Will Windows Defender remove PUADlManager:Win32/Snackarcin automatically?

Windows Defender will detect and quarantine PUADlManager:Win32/Snackarcin, but it may not remove all associated components and installed programs. The bundler often installs multiple applications before detection occurs, requiring manual cleanup or specialized anti-malware tools to completely remove all unwanted components. A comprehensive scan with dedicated security software is recommended for complete removal.

What programs does PUADlManager:Win32/Snackarcin typically install?

Common programs installed by PUADlManager:Win32/Snackarcin include Tesla Browser (an adware-laden browser), PC App Store (promotional software), 7-zip (legitimate but used as cover), and various system optimization tools. The specific programs may vary based on the command server configuration and your system’s characteristics, but they typically focus on browser modification and system advertising.

How can I prevent future PUADlManager:Win32/Snackarcin infections?

Prevent future infections by downloading software only from official sources, avoiding third-party mod repositories, reading installation prompts carefully, and choosing custom installation options when available. Keep Windows Defender enabled with real-time protection, avoid system optimization utilities from unknown publishers, and maintain updated security software that can detect PUA threats before they install.

HackTool:Win64/GameHack!rfn – Game Hacking Malware
https://gridinsoft.com/blogs/hacktool-win64-gamehack-rfn/
Mon, 24 Mar 2025 08:43:00 +0000

HackTool:Win64/GameHack!rfn is a Windows Defender detection for potentially dangerous game cheating software. Beyond their advertised functionality, these tools often contain hidden malicious features that can steal credentials, install additional malware, or compromise system security. This comprehensive guide analyzes the threat in detail and provides a complete removal solution.

Threat Name:                 HackTool:Win64/GameHack!rfn
Type:                        Game Hacking Tool / Potentially Unwanted Program (PUP)
Detection Engine:            Windows Defender
Platform:                    64-bit Windows systems
Primary Function:            Game cheating through memory manipulation
Hidden Malicious Activities: Data theft, remote access, malware delivery
Distribution Methods:        Pirated software, cracked games, malicious downloads
Removal Difficulty:          Moderate to High

What is HackTool:Win64/GameHack!rfn?

HackTool:Win64/GameHack!rfn is a specialized hacking tool designed specifically for 64-bit Windows operating systems. Microsoft’s Windows Defender identifies it as a security threat that can manipulate game memory, bypass anti-cheat protections, and potentially execute malicious code. While the primary advertised purpose is to enable game cheats, this tool presents significant security risks beyond simply gaining unfair advantages in games.

[Image: Windows Defender detection alert for HackTool:Win64/GameHack!rfn, showing threat details and recommended actions]

The primary distribution channels for HackTool:Win64/GameHack!rfn include pirated software packages, cracked games, and deceptive download sites. This distribution pattern is consistent with the broader category of hacking tools, which frequently accompany unauthorized software to enable bypassing of licensing mechanisms. Cybersecurity forums and community discussions on platforms like Reddit frequently report these tools bundled with pirated games, creating a significant security risk for users who download such content.

Origins and Functionality

Game hacking tools are primarily designed to alter video game behavior by manipulating game memory and code execution. Their core capabilities include:

  • Memory manipulation – Scanning and modifying game memory values to alter health points, ammunition, in-game currency, or other resources
  • Anti-cheat bypassing – Circumventing security measures designed to prevent cheating
  • “Extrasensory perception” (ESP) hacks – Providing information not normally available to players
  • Wallhacks – Allowing visibility through in-game obstacles like walls
  • Custom HUDs (Heads-Up Displays) – Overlaying additional information about player locations or status

Legitimate software like Cheat Engine can be used for these purposes in single-player games. However, when deployed in multiplayer environments or bundled with additional malicious functionality, these tools become serious security threats. A particularly concerning aspect is that many game hacking tools request or require users to disable their antivirus or security software to function properly. This creates a perfect opportunity for attackers to deliver additional malware to an unprotected system.

Technical Analysis

Security analysis of HackTool:Win64/GameHack!rfn reveals capabilities that extend far beyond simple game cheating. This tool exhibits sophisticated behaviors including:

  • Dropping and deleting files
  • Establishing connections to external command and control servers
  • Self-deletion after execution to evade detection
  • Extensive registry modifications
  • Tampering with system identification values

[Image: Breaking down the HackTool:Win64/GameHack!rfn detection name components (platform, functionality, detection method)]

The behavior pattern of HackTool:Win64/GameHack!rfn is similar to related threats such as HackTool.Win64.GameHack.AH. These variants often arrive as secondary payloads dropped by other malware or through direct downloads from malicious websites. A notable characteristic is the tool’s self-deletion mechanism that activates after execution, making it difficult to detect and analyze through conventional means.

Registry Modifications

The tool makes several significant changes to the Windows registry, including modifications to:

  • BuildGUID
  • DigitalProductId4
  • ProductId
  • InstallDate
  • RegisteredOwner
  • DigitalProductId
  • MachineGuid

Additionally, it deletes the registry key HKEY_CURRENT_USER\Software\Microsoft\Direct3D\WHQLClass, which can affect graphics rendering and potentially create system instability.

File System Activities

The malware performs various file system operations, including:

  • Removing files from the user’s temporary directory (%TEMP%), including:
    • desktop.ini
    • ntuser.sys
  • Deleting entire folders such as:
    • %User Temp%\CR_E83EE.tmp
    • %User Temp%\acrocef_low
    • %User Temp%\Adobe_ADMLogs

These activities can compromise system stability and security by altering critical system identification values and tampering with temporary files that might be needed by other applications.

Network Communications

Analysis of network traffic associated with this threat reveals attempts to contact remote servers, likely for:

  • Command and control communications
  • Exfiltration of stolen data
  • Downloading additional malicious payloads
  • Verifying license status of the cheating tool

Security Risks and Consequences

The presence of HackTool:Win64/GameHack!rfn on a system poses multiple severe security and legal risks:

  1. Data theft – The tool may collect sensitive information such as login credentials, payment details, or personal information
  2. Remote system compromise – External threat actors could gain unauthorized access to the affected system
  3. Secondary infections – The tool can serve as a delivery mechanism for additional malware
  4. System instability – Registry and file modifications can cause system crashes or application failures
  5. Legal consequences – Use of cheating tools violates the Terms of Service for most games and may result in account bans
  6. Financial losses – Potential theft of sensitive financial information or game account credentials with monetary value

Beyond the technical risks, the tool is frequently associated with illegal activities such as software piracy, which can lead to legal repercussions. Additionally, community discussions on platforms like Quora and Reddit frequently highlight negative experiences with these tools, including data breaches and account compromises.

For example, a Reddit discussion about the related HackTool:Win32/Gamehack.E!MSR shows multiple users reporting the detection in cracked games, with subsequent account bans and system issues.

Complete Removal Guide for HackTool:Win64/GameHack!rfn

While Windows Defender typically identifies and quarantines this threat, complete removal can be challenging due to the tool’s sophisticated evasion tactics and system modifications. For comprehensive removal, follow this step-by-step guide:

Method 1: Manual Removal (Advanced Users)

  1. Boot your computer in Safe Mode with Networking
  2. Open Windows Defender Security Center
  3. Go to “Virus & threat protection” and run a full scan
  4. Check the quarantine and remove all detected threats
  5. Open Registry Editor (regedit.exe) and check for modifications to:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Direct3D
  6. Use Task Manager to identify and terminate any suspicious processes
  7. Delete suspicious files from the Temp directory
  8. Restart your computer in normal mode
  9. Run another full scan to confirm removal
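Step 5 above asks you to check the registry for modifications, and the Registry Modifications section lists which values the tool tampers with. The script below is an added example, not part of the post or of GridinSoft’s tools: run once with -SaveBaseline on a known-clean system to record those values, then run again after an incident to see which ones changed. The values under Windows NT\CurrentVersion and the Direct3D\WHQLClass key are taken from the post; reading MachineGuid from HKLM\SOFTWARE\Microsoft\Cryptography (its standard location), the baseline file path and the JSON format are assumptions.

```powershell
# Added example (not GridinSoft's code): snapshot and diff the system identification
# values the post says HackTool:Win64/GameHack!rfn modifies. Read-only apart from
# writing the baseline file.
param(
    [string]$BaselinePath = "$env:ProgramData\machine-id-baseline.json",  # assumption
    [switch]$SaveBaseline
)

# Value names come from the post's Registry Modifications list.
$watchedValues = @(
    @{ Key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
       Names = 'ProductId', 'InstallDate', 'RegisteredOwner', 'BuildGUID',
               'DigitalProductId', 'DigitalProductId4' },
    @{ Key   = 'HKLM:\SOFTWARE\Microsoft\Cryptography'   # standard home of MachineGuid
       Names = 'MachineGuid' }
)
# The post says the tool deletes this key; its presence is recorded so the baseline
# captures whatever is normal for this machine (it does not exist on every system).
$whqlKey = 'HKCU:\Software\Microsoft\Direct3D\WHQLClass'

function Get-IdentitySnapshot {
    $snap = [ordered]@{}
    foreach ($entry in $watchedValues) {
        foreach ($name in $entry.Names) {
            $v = (Get-ItemProperty -Path $entry.Key -Name $name -ErrorAction SilentlyContinue).$name
            if ($null -eq $v) {
                $snap[$name] = '<missing>'
            } elseif ($v -is [byte[]]) {
                # REG_BINARY values (DigitalProductId*) are stored as a hex string.
                $snap[$name] = ($v | ForEach-Object { $_.ToString('x2') }) -join ''
            } else {
                $snap[$name] = [string]$v
            }
        }
    }
    $snap['WHQLClass_present'] = [string](Test-Path -Path $whqlKey)
    return $snap
}

$current = Get-IdentitySnapshot

if ($SaveBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
    return
}

if (-not (Test-Path -Path $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run this script with -SaveBaseline on a clean system first."
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# Compare every watched value; a missing baseline property shows up as a change too.
$changes = foreach ($name in $current.Keys) {
    $old = $baseline.PSObject.Properties[$name].Value
    if ($old -ne $current[$name]) {
        [pscustomobject]@{ Value = $name; Baseline = $old; Current = $current[$name] }
    }
}

if ($changes) {
    Write-Warning "System identification values differ from the baseline:"
    $changes | Format-Table -AutoSize
} else {
    Write-Host "No differences from the baseline in the watched values."
}
```

A changed value is not proof of infection on its own (RegisteredOwner is user-editable and InstallDate changes with an in-place upgrade), but a changed MachineGuid or DigitalProductId together with a Defender detection is worth treating as tampering.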

Method 2: Automated Removal (Recommended)

For more effective and thorough removal, we recommend using specialized anti-malware software. GridinSoft Anti-Malware is particularly effective against this threat due to its advanced detection capabilities and ability to restore modified system components.

  1. Download GridinSoft Anti-Malware from the official website
  2. Install the program (temporarily disable Windows Defender during installation if needed)
  3. Launch the application and update the malware definitions
  4. Perform a full system scan
  5. Allow the software to quarantine and remove all detected threats
  6. Use the additional tools to check for registry modifications
  7. Restart your computer to complete the removal process

[Image: GridinSoft Anti-Malware main scan interface; start a comprehensive scan to detect HackTool:Win64/GameHack!rfn and related threats]
[Image: GridinSoft Anti-Malware results screen; review and remove all detected threats, including HackTool:Win64/GameHack!rfn components]

Post-Removal Steps

After removing the threat, take these additional precautions:

  • Change passwords for your gaming accounts, email, and other sensitive services
  • Enable two-factor authentication where available
  • Update your operating system and all installed applications
  • Review your installed programs and remove any suspicious software
  • Scan for and repair any damaged system files using the System File Checker (sfc /scannow)

Prevention Tips

To avoid future infections with game hacking tools and similar threats:

  • Purchase games legally from authorized retailers and digital distribution platforms
  • Never disable your antivirus software, even temporarily, for game-related purposes
  • Be skeptical of “free” cheats or game hacks – they almost always contain malware
  • Keep your operating system and security software updated with the latest patches
  • Use strong, unique passwords for your gaming accounts
  • Enable two-factor authentication for additional protection
  • Be cautious of links shared in gaming forums or chat applications related to game modifications

Remember that using game hacking tools is not only a security risk but also violates the Terms of Service for most games. This can result in permanent account bans, loss of purchased content, and exclusion from gaming communities.

Conclusion

HackTool:Win64/GameHack!rfn represents a significant security threat that extends beyond its advertised game-cheating capabilities. Its ability to modify system components, potentially steal sensitive information, and facilitate additional malware infections makes it a serious risk to system integrity and user privacy.

By following the removal steps outlined in this guide and implementing the recommended prevention measures, you can effectively eliminate this threat and protect your system from similar infections in the future. Remember that maintaining a legitimate software environment is the most effective defense against these types of threats.

OneStart Browser
https://gridinsoft.com/blogs/onestart-browser/
Fri, 07 Mar 2025 19:03:39 +0000

OneStart is a rogue program that is presented as a Chromium-based browser with AI features, such as a ChatGPT widget and a desktop toolbar, aiming to streamline access to various online tools. It is in fact a rather controversial application, with many sources classifying it as a Potentially Unwanted Program (PUP) due to how it’s distributed and its behavior on users’ systems. User complaints regarding its questionable behavior confirm these verdicts. In this post, I will explain what is wrong with this browser and show how you can remove it for free.

OneStart Browser Overview

OneStart is a browser built on the Chromium open-source project, marketed as an AI-assisted tool that integrates features like a ChatGPT widget, a desktop toolbar, and seamless switching between AI engines such as Google AI, Bing, and others.

[Image: OneStart browser]

According to its official page, it aims to streamline online experiences with lightning-fast performance and customization options like light and dark modes. However, its legitimacy is debated, with security sites classifying it as a Potentially Unwanted Application (PUA) due to distribution methods.

Its official blog (OneStart.ai is Not A Malware And Here’s Why) defends its safety, claiming rigorous security assessments by tools like VirusTotal and no flags as malicious software (it is, in fact, flagged). It emphasizes user consent for installation, but user reports suggest otherwise, highlighting a discrepancy between claims and experiences.

How Do Users Get Infected with OneStart Browser?

Research indicates OneStart browser is often distributed through software bundling, a common tactic where it’s included with other downloads without clear user consent. This can occur via freeware sites, Peer-to-Peer networks, or deceptive sites, especially when users rush through installations using “Quick/Simplified installation” settings.

It’s installed unknowingly, bundled with other software, leading to confusion about its origin. This method increases the risk of inadvertently allowing unwanted programs, and user reviews on platforms echo similar experiences of unexpected installations.

What’s Wrong With OneStart Browser?

There are several concerns surrounding OneStart, making it a problematic application for many users. One of the primary issues is its unwanted installation. Many users find it on their systems without explicit permission, often due to software bundling. This classifies it as a Potentially Unwanted Program (PUP).

During installation, the program requires you to check the EULA box. Next to it, however, two further boxes are pre-checked: “Auto start when logging into Windows” and “run in the background”. Although you can uncheck these two afterwards, not every user thinks to do so.

[Image: OneStart browser installation]

The program alters browser settings, such as resetting the default search engine, frequently without user consent. Another major concern is search query redirection. When users perform searches, their queries are first routed through onestart.ai before reaching Yahoo. This raises significant privacy concerns, as it suggests potential data collection.

[Image: OneStart search result, one of the reasons to question its legitimacy]

In addition to these issues, OneStart is known for injecting unwanted advertisements and opening new tabs with promotional content. These ads can sometimes promote scams or even malicious software, further compromising user security. Some sources have even labeled this browser as a trojan, citing its ability to track user data, including browsing histories and personal details, which could then be sold to third parties.

The controversy surrounding OneStart is reflected in user forums and reviews. While some users appreciate its AI features, many others report system slowdowns and unwanted behavior, reinforcing its reputation as a questionable program. On VirusTotal, vendors are divided in their opinions. At the time of writing, 12 anti-malware vendors have marked the OneStartInstaller.msi installer as potentially unwanted software or as a Generic Application Downloader.

VirusTotal detections
OneStart detections on VirusTotal

How to Remove?

Theoretically, OneStart browser should be rather easy to remove manually, through the Windows interface. But a considerable share of users say it refuses to go away, returning errors when they attempt to uninstall it. There are also quite solid suspicions that the browser may get installed along with other unwanted programs that should be removed as well.

That is the reason why I recommend running a scan with GridinSoft Anti-Malware. It shows excellent performance in removing questionable software, and will not let any strange apps in afterwards. Download it by clicking the banner below, and run a Standard scan: it will be optimal for OneStart browser removal.


If you are willing to try the manual removal of OneStart browser, open the list of installed programs (Start → Settings → Apps → Installed apps), scroll to OneStart, click the three dots on the right and select Uninstall. These steps should remove the unwanted browser from the system. Yet if the method fails, or you suspect other PUPs are present on your computer, feel free to use GridinSoft Anti-Malware to get your system as good as new.

Removing Unwanted “Keep Awake” Application: A Comprehensive Guide
https://gridinsoft.com/blogs/keep-awake-application-removal/
Sun, 23 Feb 2025 17:58:40 +0000

“Keep Awake” is an application that, on the surface, seems designed to prevent your computer from entering sleep mode. However, it has been identified as a potentially unwanted application (PUA) by various security vendors due to its malicious behaviors. This article will guide you through understanding what “Keep Awake” does, how it affects your system, and how to remove it completely using both manual methods and Gridinsoft Anti-Malware.

According to a 2024 report by Cybersecurity Insights, potentially unwanted applications (PUAs) accounted for 25% of all detected threats, with a 15% increase from the previous year. This highlights the growing importance of being vigilant against such applications.

There may be legitimate applications with similar names or functions. This article specifically addresses the unwanted “Keep Awake” application identified as a PUA.

What is “Keep Awake”?

Keep Awake Website

According to Gridinsoft’s research, “Keep Awake” is a PUA that can be installed on your system without your explicit consent, often bundled with other software or through deceptive installation methods. While it may claim to keep your system awake, its actual activities are more sinister. It can consume excessive CPU and memory resources, leading to slow system performance and frequent crashes. Additionally, it has the capability to collect sensitive user data, such as browsing history and location, without your consent, raising significant privacy concerns. The application also delivers intrusive advertisements and may redirect you to dubious websites, increasing the risk of downloading further unwanted or harmful applications.

How Does “Keep Awake” Get Installed?

“Keep Awake” can be installed in several ways, often without the user’s full awareness or consent. Common methods include:

  • Software Bundling: It may be bundled with other legitimate software, and during the installation process, users might inadvertently agree to install “Keep Awake” by not reading the fine print or deselecting optional components.
  • Deceptive Ads: Clicking on misleading advertisements or pop-ups can lead to the installation of “Keep Awake” without clear user notification.
  • Exploiting Vulnerabilities: Drive-by downloads or exploiting security flaws in your system or browser can result in the automatic installation of “Keep Awake”.

Detecting “Keep Awake”

Detecting “Keep Awake” can be straightforward if you know what to look for. Here are some common symptoms that may indicate its presence on your system:

  • Unusual System Behavior: slowdowns, frequent crashes, high resource usage
  • Unwanted Advertisements: excessive or irrelevant ads
  • Browser Redirects: unexpected redirects to suspicious sites
  • New Toolbars or Extensions: toolbars or extensions you did not install appear in the browser

Keep Awake disguises itself as “Node.js JavaScript Runtime” in Windows Task Manager:

Keep Awake: Node.js JavaScript Runtime

Manual Removal of “Keep Awake”

Before proceeding with manual removal, it’s important to note that this method can be complex and may not completely eliminate all traces of the application. For a thorough and safe removal, we recommend using Gridinsoft Anti-Malware. However, if you prefer to attempt manual removal, follow these steps:

  1. Uninstall from Control Panel:

    Go to the Control Panel, select “Programs and Features,” and look for “Keep Awake” or any similarly named program. Uninstall it if found.

  2. Delete Associated Files:

    “Keep Awake” may leave behind files that need to be manually deleted. Common locations include:

    C:\Program Files (x86)\Keep Awake
    C:\Program Files\Keep Awake

    Delete all files and folders related to “Keep Awake”.

  3. Remove Registry Entries:

    “Keep Awake” might have entries in the Windows Registry. To remove them, open the Registry Editor (regedit.exe) and search for keys related to “Keep Awake”. Delete any found keys. Be cautious, as incorrect modifications to the registry can harm your system.
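The symptom described earlier (a process showing up as “Node.js JavaScript Runtime”) and the three manual steps above can be checked in one pass before anything is deleted. The following PowerShell script is an added example, not code from the Gridinsoft article: it is read-only, takes the program name and the two folder paths from the article, and assumes that a genuine Node.js installation lives in the default `nodejs` folder under Program Files.

```powershell
# Added example, not code from the Gridinsoft article: a read-only triage script for the
# "Keep Awake" PUA. It reports (1) processes whose file description reads
# "Node.js JavaScript Runtime" but which run from outside a normal Node.js install folder,
# and (2) leftovers carrying the name "Keep Awake": the two folders named in the article,
# Run-key autostarts, the Startup folder, uninstall entries and scheduled tasks.
# Nothing is deleted; review every line it prints before acting on it.

$PuaName    = 'Keep Awake'                                     # name used in the article
$PuaFolders = @("$env:ProgramFiles\Keep Awake",                # folders named in the article
                "${env:ProgramFiles(x86)}\Keep Awake")
# Assumption: a genuine Node.js install lives in one of these default locations.
$NodeDirs   = @("$env:ProgramFiles\nodejs", "${env:ProgramFiles(x86)}\nodejs")

function Find-SuspiciousNodeProcess {
    # Task Manager's "Name" column shows the executable's FileDescription resource, so a
    # renamed or relocated node.exe still shows up as "Node.js JavaScript Runtime".
    foreach ($proc in Get-Process) {
        try   { $info = $proc.MainModule.FileVersionInfo }
        catch { continue }                                     # protected or system process
        if ($info.FileDescription -ne 'Node.js JavaScript Runtime') { continue }
        $dir     = Split-Path -Parent $proc.Path
        $known   = $NodeDirs | Where-Object { $dir -like "$_*" }
        $verdict = if ($known) { 'node.exe in its normal install folder' } else { 'REVIEW: Node.js runtime running from an unusual location' }
        $parent  = (Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)").ParentProcessId
        [pscustomobject]@{ Pid = $proc.Id; ParentPid = $parent; Path = $proc.Path; Verdict = $verdict }
    }
}

function Find-KeepAwakeLeftovers {
    foreach ($dir in $PuaFolders) {
        if (Test-Path -LiteralPath $dir) {
            [pscustomobject]@{ Kind = 'Folder'; Where = $dir; Detail = '' }
        }
    }
    # Autostart entries in the Run keys
    $runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }              # provider metadata, not a value
            if ($p.Name -like "*$PuaName*" -or "$($p.Value)" -like "*$PuaName*") {
                [pscustomobject]@{ Kind = 'Autostart'; Where = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }
    # Per-user Startup folder
    $startup = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    Get-ChildItem -LiteralPath $startup -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$PuaName*" } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Startup folder'; Where = $_.FullName; Detail = '' } }
    # Uninstall entries: the same list Control Panel / Settings shows
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$PuaName*" } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Uninstall entry'; Where = $_.PSChildName; Detail = $_.UninstallString }
        }
    # Scheduled tasks that are named after the PUA or launch something from its folder
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like "*$PuaName*" -or ($_.Actions.Execute -join ' ') -like "*$PuaName*" } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Scheduled task'; Where = "$($_.TaskPath)$($_.TaskName)"; Detail = ($_.Actions.Execute -join ' ') }
        }
}

Find-SuspiciousNodeProcess | Format-Table -AutoSize
Find-KeepAwakeLeftovers    | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell so that HKLM and other users’ processes are readable. A “REVIEW” verdict only means a Node.js runtime is running from an unexpected place; look at the path and the parent process before deleting anything, because legitimate applications also ship their own copy of node.exe.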

After manual removal, it’s crucial to scan your system with Gridinsoft Anti-Malware to ensure that all remnants of “Keep Awake” are removed and to protect against future threats.

Thorough Removal with Gridinsoft Anti-Malware

While manual removal can be effective, it’s not always comprehensive, and there’s a risk of missing some files or registry entries. Gridinsoft Anti-Malware is designed to detect and remove a wide range of threats, including PUAs like “Keep Awake”, ensuring your system is completely clean and protected.

Here’s how to use Gridinsoft Anti-Malware to remove “Keep Awake”:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Gridinsoft Anti-Malware not only removes “Keep Awake” but also provides ongoing protection against future threats, making it an essential tool for maintaining your system’s security and performance.

Prevention Tips

Preventing the installation of “Keep Awake” and other PUAs involves being cautious and following best practices for safe browsing and software installation. Here are some tips to keep in mind:

  • Download from Trusted Sources: Only download software from reputable websites and official app stores.
  • Read Installation Prompts: Carefully read and understand what you’re agreeing to during software installations. Deselect any optional components that you don’t need.
  • Keep Software Updated: Regularly update your operating system, browser, and other software to patch security vulnerabilities.
  • Use Strong Antivirus Software: Install and regularly update a reliable antivirus program like Gridinsoft Anti-Malware to detect and block threats.
  • Be Wary of Ads and Pop-ups: Avoid clicking on suspicious advertisements or pop-ups, especially those that promise too-good-to-be-true offers.

Conclusion

“Keep Awake” is a PUA that can compromise your system’s performance and your privacy. By following the steps outlined in this guide, you can effectively remove it and protect your system from similar threats in the future. Remember, for a thorough and safe removal, Gridinsoft Anti-Malware is the recommended solution.

Stay informed and stay safe online. Have you encountered “Keep Awake”? Share your experience in the comments below!

FAQs

Q: Is “Keep Awake” a virus?

A: “Keep Awake” is classified as a potentially unwanted application (PUA), not a virus. However, it can exhibit behaviors similar to malware, such as data collection and adware.

Q: Can I safely keep “Keep Awake” if I need a tool to prevent my system from sleeping?

A: It’s generally not recommended to keep “Keep Awake” due to its unwanted behaviors. There are legitimate, safe alternatives available for preventing your system from entering sleep mode.

Q: Will removing “Keep Awake” fix all performance issues on my system?

A: Removing “Keep Awake” should help improve system performance if it was the cause of the issues. However, if there are other underlying problems, you may need to perform additional troubleshooting.

EpiBrowser (EpiStart)
https://gridinsoft.com/blogs/epi-browser-removal-guide/
Wed, 05 Feb 2025 20:28:44 +0000

EpiStart or EpiBrowser is a Chromium-based web browser that is often installed without the user’s explicit consent. After installation, it passes all search queries through a chain of dubious pages, then delivers results from a different search engine. In this post, I will explain how this browser appeared and how to remove it for good.

EpiStart (EpiBrowser) Overview

EpiStart, also known as EpiBrowser, is a rogue web browser based on the open-source Chromium project. Unlike conventional browsers, it does not function as a typical search tool, but instead forces users through a fake search engine (epibrowser.com). This site lacks the ability to generate search results independently and ultimately redirects users to legitimate search engines such as Yahoo.

On their official website, the developers of this pseudo-browser claim partnership with Yahoo. That, however, does not restrict them from collecting all possible user information upon every search query. That redirect through the EpiBrowser website is made for exactly this purpose.

EpiBrowser screenshot
EpiBrowser main page

The classification of EpiBrowser as a Potentially Unwanted Application (PUA) stems from its questionable distribution tactics and intrusive behavior. Many users report encountering this browser unexpectedly, which raises concerns about its installation methods. Additionally, rogue browsers like EpiStart can engage in data collection, potentially harvesting browsing history, login credentials, and financial details. The data may then be shared or sold to third parties, further heightening privacy risks.

How did I get EpiBrowser?

EpiBrowser has its own official website, though funnily enough, there is no download link on it. The page is purely decorative, with minimal info about the web browser itself, and some concerning information on its data handling practices. The developers openly state that they collect large amounts of user data and retain it for as long as they see fit.

Personal data handling EpiBrowser

To understand the whole picture, it’s worth starting with the distribution and installation process of this software. Many users get EpiStart installed unknowingly, often through software bundling. For example, many Reddit users complain about this thing appearing after running some questionable program installers.

Another common distribution method involves deceptive pop-up ads and misleading websites. Some users may be tricked into downloading EpiBrowser after seeing fake alerts claiming their current browser is outdated or insecure. Clicking on such messages often initiates the installation of unwanted software without explicit user consent. Similarly, some ads can execute scripts that download and install unwanted apps or even malware automatically when clicked.

What’s Wrong?

EpiStart (EpiBrowser) functions by hijacking users’ web activity. Upon installation, it alters system settings to make itself the default browser. Unlike traditional browser hijackers that modify an existing browser’s configuration, EpiStart circumvents these limitations by being a standalone application. This means that even if users attempt to reset their browser settings, EpiStart remains unaffected, maintaining control over search queries and web navigation.

The main feature of this rogue browser is its forced redirection. It has its own search tool. But this tool cannot process search queries by itself. So, when users attempt to conduct searches, they are first led to epibrowser.com, a fake search engine. This intermediary page then forwards users to Yahoo or other search providers, depending on factors such as geolocation. The presence of a fake search engine suggests that EpiStart may be designed to generate revenue through affiliate marketing or ad fraud schemes.

EpiBrowser search page screenshot
EpiBrowser uses legitimate Yahoo engine to display results

Additionally, the browser has the potential to function as adware. Advertising-supported software typically injects excessive ads into web pages, displaying pop-ups, banners, and in-text advertisements. These ads may not always be safe—some could lead to phishing sites, promote deceptive software, or even trigger silent downloads of more unwanted applications.

EpiStart may also collect browsing data, including visited websites, cookies, search queries, and other user-specific information. Such data is often used for targeted advertising but can also be exploited for malicious purposes if shared with third-party advertisers or cybercriminal networks.

How To Remove EpiBrowser?

If a user discovers EpiStart on their computer, they may be able to uninstall it through standard removal methods. However, some Reddit users have reported difficulties in doing so, suggesting that EpiStart may employ persistence techniques to resist deletion. What is worse, the distribution methods this browser uses suggest that many more unwanted programs may be present.

In such cases, running a system scan with security software like GridinSoft Anti-Malware is advisable to detect and remove any hidden components. Download it by clicking the banner you see below and run a Full Scan, to clean every last corner of your computer.


To avoid installing unwanted applications like EpiStart, users should always download software from official sources and verify its legitimacy before proceeding with installation. Using “Custom” or “Advanced” settings instead of “Quick” installation allows users to review optional components and decline unnecessary add-ons. Additionally, users should remain cautious while browsing, as intrusive ads often disguise themselves as legitimate content.

Opera GX
https://gridinsoft.com/blogs/opera-gx-is-safe/
Fri, 15 Nov 2024 14:21:26 +0000

Opera GX is a special version of the Opera browser with extra features tailored for gamers. However, malicious, weaponized versions of the browser are circulating online, transforming this legitimate browser into a makeshift malware. In this post, I’ll explain how to tell the original Opera GX apart from modified versions and why these “alternative builds” can be dangerous.

Is Opera GX Malware?

First and foremost, Opera GX is a legitimate, secure browser, a product of Opera Software, headquartered in Norway. Its official website provides the latest safe version for download, and there is nothing wrong with it. This browser was originally created to improve the user experience for gamers. It attracts users with unique features unavailable in the classic Opera version and other browsers.

However, like many popular programs, Opera GX has become a disguise for malware distribution via modified versions found on untrustworthy sites. These versions look like the legitimate one, but include malicious modifications and scripts that compromise user data and security. Hackers quite literally rewire the browser to act the way they want.

Fake installer

The distribution approach for these altered versions is rather interesting. Users are lured to fake human verification pages, where they are offered to run a script or download a file. In either case, the user ends up with the installation file of what looks like Opera GX. But in reality, they install malicious software with their own hands.

The other method involves installing this browser unknowingly as “recommended software,” often bundled with cracked games or programs. The people who create those cracked versions deceptively label Opera GX as “author recommended software”. Sometimes they bundle normal versions of this browser; we described one such case in a dedicated article.

Malicious Activity

To understand what is wrong with the malicious version of Opera GX, let’s examine its behavior. Visually, the malicious installer is identical to the legitimate one, so users won’t notice any difference during installation or even after launch.

Fake Opera GX installer screenshot
Installer of a forged version is not any different from the original one

The main issue is that once installed, this impostor version of Opera GX begins functioning like spyware. It can read data from other browsers, including passwords, session tokens and cookies. Then, it transfers all the data to the command server – an action that was never present in the normal version.

Behavior screenshot
Malicious Opera GX reads user’s web browser data

As shown, the most concerning actions occur in the background. Today, nearly all browsers can import data (like passwords) from other installed browsers, but they do so after installation and only with user consent. In our case it happens at the stage of program installation, even before the user sees the browser window for the first time. Such sensitive data may – and will – be used against the user in different attack scenarios.

How to detect and remove a malicious version of Opera GX?

Unfortunately, there is no way to visually determine if a file is malicious. If you downloaded the installer from the official website, it should be safe. However, if Opera GX came from an unknown source, or in a software bundle, that is a definite red flag.

To scan the system for fake software or outright malware, I recommend using GridinSoft Anti-Malware, which is effective in detecting even stealthy threats. To do so, follow the steps below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

PUA:Win32/Webcompanion
https://gridinsoft.com/blogs/pua-win32-webcompanion/
Mon, 04 Nov 2024 17:18:55 +0000

PUA:Win32/Webcompanion is a potentially unwanted program positioned as a malicious link blocker. In fact, it modifies browser settings and installs additional unwanted software and browser extensions. The program is commonly distributed as bundled or recommended software alongside freeware programs.

PUA:Win32/Webcompanion Overview

PUA:Win32/Webcompanion is a Microsoft Defender detection associated with a potentially unwanted program called Adaware Web Companion. This program, developed by Lavasoft, is positioned as a malicious link blocker: it filters all web traffic and, if it deems a site dangerous, blocks access to it, acting as an Internet security module. However, it has gained notoriety and is classified as potentially unwanted software.

PUA:Win32/Webcompanion detection screenshot
PUA:Win32/Webcompanion detection

Adaware Web Companion is not a malicious program by itself, but given its distribution method and the actions it performs on the system, there are quite solid reasons why it can be considered as unwanted.

Although Adaware Web Companion has an official website, like most unwanted programs it is distributed as bundleware, as additional “recommended” software bundled with other programs. And, when uninstalling the main program which installed the PUA:Win32/Webcompanion, the latter is not removed but remains in the system.

As for its actions, it can redirect traffic, search queries, and sometimes even change the start page and search engine after installation. While it does not always make these changes, it did so in our tests, and user reviews indicate that such cases happen more often than not. Changes generally depend on various factors such as the program version, user’s IP address, geographical location, and presence of anti-malware software on the system (which we will revisit later).

Technical Analysis

When downloaded from the official website, the installation process appears ordinary and unremarkable. However, most users acquire it unintentionally as part of bundled software with other programs.

Adaware Web Companion installer screenshot
Adaware Web Companion installer

After installation, the program runs in the system tray and continues operating quietly, making it unlikely that the user will notice it.

PUA:Win32/Webcompanion in the tray screenshot
PUA:Win32/Webcompanion in the tray

Let’s examine this program’s inner workings to understand its operation, starting with the installation process: the program has an online installer that downloads the necessary files to the C:\Program Files (x86)\Lavasoft\Web Companion\ folder.

During installation, it checks a selection of system values, mostly ones responsible for browser and system configurations:

  • HKLM\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies: Checking managed system resource policies.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome: Checking if Google Chrome is installed.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName: Getting the display name of Google Chrome to confirm the exact version installed.
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: Checking internet policy settings to adapt to network configurations and policies.

By checking these keys, PUA:Win32/Webcompanion ensures compatibility and optimizes its performance based on the system’s settings.

It then unpacks its files to the \AppData\Local\Temp\ folder, a directory hidden from the user by default. This is a common trick unwanted programs use to discourage manual deletion. Still, it is possible to reach the directory and remove the files from there; I will show you how in the removal section.

One unusual aspect here is the program’s check of the anti-malware status (last active process). Depending on the outcome of this check, PUA:Win32/Webcompanion may adjust its behavior accordingly. For instance, it may refrain from loading additional modules.

Execution

Following installation, PUA:Win32/Webcompanion starts with changing browser properties. It switched Edge, Chrome and all other browsers installed on the test machine to the “managed by your organization” mode. This way, it restricts the user from applying any changes to browser settings.

Microsoft Edge is managed by your organization screenshot
Microsoft Edge is managed by your organization

Afterwards, Web Companion starts doing its dirty job. In our tests, it installed malicious browser extensions, specifically one of the browser hijacker type. We made a separate publication on this PrimeLookup extension: it is a rather sticky piece of malware that can severely interfere with your browser activities.

Edge custom search engine screenshot
Edge changes custom search engine

Microsoft Edge is managed by your organization screenshot
Microsoft Edge is managed by your organization

Chrome is managed by your organization screenshot
Chrome is managed by your organization
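The “managed by your organization” banner is driven by registry keys under HKLM and HKCU that Chrome and Edge read as enterprise policy, and a forced extension such as the one described above is just one of those policies. The PowerShell script below is an added example, not code from the article or from Lavasoft: it dumps those keys read-only and flags the policy names a hijacker typically uses (the policy names are the documented Chromium enterprise policy names; the list of which ones to flag is my own choice).

```powershell
# Added example, not code from the article or from Lavasoft: a read-only audit of the
# registry keys behind the "managed by your organization" banner in Chrome and Edge.
# On a home PC that is not joined to a domain or MDM, nothing should be under these keys;
# whatever is there was written by software such as the program described above.

$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',  'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
)
# Policies a hijacker typically uses to force an extension in or pin a search engine
# (selection is an assumption; the names are standard Chromium policy names).
$HijackPolicies = @('ExtensionInstallForcelist', 'DefaultSearchProviderEnabled',
                    'DefaultSearchProviderName', 'DefaultSearchProviderSearchURL',
                    'HomepageLocation', 'NewTabPageLocation', 'RestoreOnStartupURLs')

function Get-BrowserPolicyAudit {
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($p in (Get-ItemProperty -Path $key.PSPath).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }          # provider metadata, not a policy
                # List-type policies (e.g. ExtensionInstallForcelist) are stored as a subkey
                # named after the policy that holds values "1", "2", ...; scalar policies are
                # plain values directly under the root key.
                $policy = if ($HijackPolicies -contains $key.PSChildName) { $key.PSChildName } else { $p.Name }
                $flag   = if ($HijackPolicies -contains $policy) { 'HIJACK-TYPICAL' } else { '' }
                $extId  = ''
                if ($policy -eq 'ExtensionInstallForcelist') {
                    $extId = ("$($p.Value)" -split ';')[0]     # value format: "<extension id>;<update url>"
                }
                [pscustomobject]@{
                    Key    = $key.Name                         # e.g. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...
                    Policy = $policy
                    Value  = $p.Value
                    Flag   = $flag
                    ExtId  = $extId
                }
            }
        }
    }
}

$audit = Get-BrowserPolicyAudit
if (-not $audit) { 'No Chrome/Edge policy keys present: the browsers are not "managed".' }
$audit | Format-Table -AutoSize -Wrap
```

The same data is visible in the browser at chrome://policy and edge://policy, which also show where each policy came from. On a machine that is not managed by a company, a populated key is a leftover from software like Web Companion: uninstall the program first, then remove the planted key with `Remove-Item -Recurse` and restart the browser, and the banner disappears. On a domain or MDM-managed machine, leave the keys alone and ask the administrator instead.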

Activity

Although Web Companion doesn’t perform data theft, it does collect basic information on user activity for advertising and marketing purposes. For instance, data like browsing activity, visited websites, and product preferences are sent to the developers’ servers to tailor more relevant advertisements.

Is PUA:Win32/Webcompanion False Positive?

PUA:Win32/Webcompanion can occasionally result in a false positive detection, as seen in various Reddit posts. However, this is generally an exception rather than the rule. In most cases, it is a real detection related to the aforementioned program. While some versions may run on your system without issues, others might trigger Defender alerts, especially after updates. If you’ve knowingly installed Adaware Web Companion, you can safely ignore the Defender alert.

On the other hand, if you didn’t install this application yet receive a PUA:Win32/Webcompanion detection alert, consider running a full system scan. For thorough system cleanup, consider using GridinSoft Anti-Malware. This tool can remove existing threats and protect against future ones. Download it by clicking the banner below and run a Standard scan – it will do the rest.


Manual Removal Steps

You can also remove PUA:Win32/Webcompanion manually. This process is similar to uninstalling any other program, with the additional steps of manually resetting browsers and clearing files from the temporary folder. Let me give you a step-by-step instruction.

  • Step 1. Open Start and select Settings. Next, select Apps from the left menu, then click on Installed apps.

Manual uninstall Webcompanion step 1

  • Step 2. Scroll down to find Web Companion, click the three dots next to it, and select Uninstall. Follow the instructions until the process is complete.

Manual uninstall Webcompanion step 2

  • Step 3. Next, open Explorer and in the top address bar, type %temp% and press Enter. This will open your Windows temporary files folder.

How to go to Temp folder

  • Step 4. Press CTRL + A to select all items in the folder, then right-click and choose the Recycle Bin icon or press the Del key on your keyboard.

How to clear Temp folder
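The four steps above, uninstalling the program and emptying %temp%, map to a short PowerShell function. It is an added example, not code from the article or from Lavasoft: it runs the program’s own registered uninstaller, then removes the leftover Lavasoft folder named earlier in the article and clears the temporary folder. The display name “Web Companion” is the one shown in Installed apps; `-WhatIf` previews every action without performing it.

```powershell
# Added example, not code from the article or from Lavasoft: the manual steps above as a
# PowerShell function. Run from an elevated prompt; call it with -WhatIf first to see what
# it would do. The display name and the leftover folder path come from the article.

function Remove-WebCompanion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DisplayName = 'Web Companion',
        [string]$LeftoverDir = "${env:ProgramFiles(x86)}\Lavasoft\Web Companion"
    )

    # Steps 1-2: find the uninstall entry (the same list Settings > Installed apps shows)
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like "*$DisplayName*" -and $_.UninstallString }
    if (-not $entries) { Write-Warning "No installed program matching '$DisplayName' found." }
    foreach ($e in $entries) {
        $cmd = $e.UninstallString
        if ($PSCmdlet.ShouldProcess($e.DisplayName, "run uninstaller: $cmd")) {
            # cmd /c copes with both "MsiExec.exe /X{...}" and a quoted uninstaller path
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$cmd`"" -Wait
        }
    }

    # Leftover program folder: PUA uninstallers frequently leave it behind
    if (Test-Path -LiteralPath $LeftoverDir) {
        if ($PSCmdlet.ShouldProcess($LeftoverDir, 'delete leftover folder')) {
            Remove-Item -LiteralPath $LeftoverDir -Recurse -Force -ErrorAction SilentlyContinue
        }
    }

    # Steps 3-4: empty %temp%; files currently in use are skipped, not an error
    $temp = $env:TEMP
    if ($PSCmdlet.ShouldProcess($temp, 'delete contents of the temp folder')) {
        Get-ChildItem -LiteralPath $temp -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Remove-WebCompanion -WhatIf     # preview only
# Remove-WebCompanion           # perform the removal
```

The uninstaller may still show its own wizard, exactly as it does when started from Settings. Afterwards, check chrome://policy and edge://policy: if the browsers still report being managed, the policy keys the program wrote need to be removed separately.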

PUA:Win32/DNDownloader
https://gridinsoft.com/blogs/pua-win32-dndownloader/
Wed, 30 Oct 2024 15:48:57 +0000

You can witness a PUA:Win32/DNDownloader detection while installing certain software. This detection refers to potentially unwanted software that attempts to run unwanted apps along with the “main” installation. In this article, I explain how to remove it and show the dangers related to that threat.

Detection Overview

PUA:Win32/DNDownloader is a heuristic detection of potentially unwanted software associated with the LDPlayer app. This program is a free Windows-based Android emulator developed by the Chinese company XuanZhi. In general, the emulator itself is not harmful, while programs that are installed along with it are.

PUA:Win32/DNDownloader detection window

Although LDPlayer has an official website, VirusTotal search results indicate that PUA:Win32/DNDownloader is also distributed through malicious websites, disguised as popular programs, mobile game clients or cracked mobile apps. Common disguises include popular games and task-specific utilities:

  • Terraria
  • Roblox.client
  • Brawlstars
  • Pokemongo
  • Mobile.legends
  • Standoff2
  • Pixlink.camera
  • Instagram.followers.unfollowers
  • Minivideos.videodownloader

This is only a small sample of the names under which users have encountered Win32/DNDownloader. In addition, the installation process typically includes prompts to install extra software.

PUA:Win32/DNDownloader Analysis

Let’s take a closer look at this unwanted software. The first red flag is that Defender detects it as soon as the installation file is downloaded. This detection is warranted, and here’s why. During installation, PUA:Win32/DNDownloader persistently attempts to install additional bundled software.

The programs included in this bundle are typical for unwanted software of this kind—namely, Opera and 360 Total Security. I’ve encountered other unwanted software that also tries to install these two programs.

Technical Details

Although PUA:Win32/DNDownloader may seem harmless at first glance, its behavior on the system indicates otherwise. Another red flag is that it enumerates mutexes on the system. The program looks for the Local\__DDDrawCheckExclMode__ mutex and, if it does not find it, creates it along with several others:

{EE8B94A3-D811-458B-A446-AF28FA10E845}
MUTEX_LDPLAYER
\Sessions\1\BaseNamedObjects\MUTEX_LDPLAYER
\Sessions\1\BaseNamedObjects\{EE8B94A3-D811-458B-A446-AF28FA10E845}

On its own, creating named mutexes proves little: legitimate software uses them all the time as a single-instance guard (MUTEX_LDPLAYER is an obvious example), so treat them as a fingerprint rather than as evidence. What is more telling is the evasion that follows. During installation, PUA:Win32/DNDownloader employs obfuscation to hinder static and dynamic analysis, and it checks for a virtual environment by reading the following values:

\HARDWARE\DESCRIPTION\System\BIOS
\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

While a hardware check may be justifiable for tuning emulator performance, probing for installed anti-malware software is unusual for ordinary programs. It checks the following registry keys:

\SOFTWARE\AVAST Software\Avast
\SOFTWARE\Wow6432Node\AVAST Software\Avast
\SOFTWARE\AVG\AV
\SOFTWARE\Wow6432Node\AVG\AV
\SOFTWARE\Avira\Browser
\SOFTWARE\Wow6432Node\Avira\Browser
\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
\SOFTWARE\WOW6432Node\McAfee

It also modifies registry values related to the Security and Maintenance checks and to OneDrive:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\LastUpdate

Otherwise, despite these red flags, LDPlayer performs its intended function.
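To make the triage reasoning above reproducible, here is an added Python example (not code from this article or from LDPlayer) that groups a constructed sandbox-style trace of the objects listed above into indicator classes and derives a verdict. The event list, the rule patterns, the class names and the verdict thresholds are my assumptions; a benign Explorer key is included as noise to show that not every event gets a label.

```python
"""Group registry and mutex activity from a sandbox trace into indicator classes.

Added example, not code from this article or from LDPlayer. The event list is
constructed from the objects quoted above (plus one benign Explorer key as
noise); the class names, rule patterns and verdict thresholds are my own
assumptions about how such a trace would be triaged.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (operation, object) pairs in the form a sandbox or Sysmon-style trace reports them.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("mutex_open", r"Local\__DDDrawCheckExclMode__"),
    ("mutex_create", r"\Sessions\1\BaseNamedObjects\MUTEX_LDPLAYER"),
    ("mutex_create", r"\Sessions\1\BaseNamedObjects\{EE8B94A3-D811-458B-A446-AF28FA10E845}"),
    ("reg_query", r"\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("reg_query", r"\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName"),
    ("reg_query", r"\SOFTWARE\Wow6432Node\AVAST Software\Avast"),
    ("reg_query", r"\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection"),
    ("reg_query", r"\SOFTWARE\WOW6432Node\McAfee"),
    ("reg_set", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.101\CheckSetting"),
    ("reg_set", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\LastUpdate"),
    ("reg_query", r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"),  # benign noise
]

_SESSION_PREFIX = re.compile(r"^\\Sessions\\\d+\\BaseNamedObjects\\", re.I)
_HIVE_PREFIX = re.compile(r"^(HKEY_LOCAL_MACHINE|HKLM|HKEY_CURRENT_USER|HKCU|\\REGISTRY\\(MACHINE|USER))\\", re.I)
_WOW_NODE = re.compile(r"\\Wow6432Node", re.I)


def normalize(obj: str) -> str:
    """Drop session, hive and WOW6432Node prefixes so one rule matches the same
    key whether it was reported from the 32-bit or the 64-bit registry view."""
    obj = _SESSION_PREFIX.sub("", obj)
    obj = _HIVE_PREFIX.sub("", obj)
    obj = _WOW_NODE.sub("", obj)
    return obj.strip("\\").lower()


# Rules applied to registry reads, in order; first match wins.
QUERY_RULES = [
    ("vm_check", re.compile(r"^hardware\\description\\system\\bios")),
    ("av_check", re.compile(r"^software\\(avast software|avg|avira|mcafee|microsoft\\windows defender)")),
]


def classify(op: str, obj: str) -> Optional[str]:
    key = normalize(obj)
    if op.startswith("mutex_"):
        return "named_mutex"  # single-instance guard; common in legitimate software too
    if op == "reg_set":
        return "protection_tamper" if "security and maintenance\\checks\\" in key else "config_write"
    for category, pattern in QUERY_RULES:
        if pattern.search(key):
            return category
    return None


def triage_events(events: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    hits: Dict[str, List[str]] = defaultdict(list)
    for op, obj in events:
        category = classify(op, obj)
        if category:
            hits[category].append(obj)
    return dict(hits)


def verdict(hits: Dict[str, List[str]]) -> str:
    """Mutexes alone are normal and a BIOS probe may be hardware tuning; it is the
    combination of AV-vendor lookups with protection-setting writes that tips a
    sample from 'review' to 'pua_likely'."""
    present = set(hits)
    if {"av_check", "protection_tamper"} <= present:
        return "pua_likely"
    if present & {"av_check", "protection_tamper", "vm_check"}:
        return "review"
    return "benign"


if __name__ == "__main__":
    summary = triage_events(SAMPLE_EVENTS)
    for category, objects in summary.items():
        print(f"{category}: {len(objects)}")
    print("verdict:", verdict(summary))
```

The normalization step matters more than it looks: the same AV vendor key shows up as both `\SOFTWARE\AVG\AV` and `\SOFTWARE\Wow6432Node\AVG\AV` in the trace above, and a rule keyed on the raw string would count it twice or miss one of the two.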

Is PUA:Win32/DNDownloader False Positive?

Yes, PUA:Win32/DNDownloader can be a false positive detection. Since this is a heuristic detection, it relies on behavior analysis rather than exact signatures. This means that machine learning may occasionally misinterpret certain behaviors. This is also true for the program files it extracts during installation.

For example, on 06/14/2024, some VirusTotal analyses and comments indicated that the files Roboto-Regular.otf and NotoSans-Regular.otf contained DcRat (DarkCrystal RAT). However, upon re-analysis on 10/29/2024, no malware was detected in these files.

That said, this detection is tied to the LDPlayer installer specifically, which Microsoft Defender flags on download in most cases. Although the latest version from the official website does not currently trigger the detection, that may change in the future.

How To Ensure Your PC is Clean From PUA:Win32/DNDownloader?

The LDPlayer itself is not malicious; however, the additional software it attempts to install can pose security risks.

To ensure your PC is clean, start by running a full scan with Gridinsoft Anti-Malware. This security tool is designed to detect and remove potentially unwanted applications (PUAs) like DNDownloader, which may infiltrate your system through bundled downloads or malicious ads. After the scan, review and remove any detected items to eliminate potential risks. Finally, activate real-time protection to prevent similar threats from sneaking into your system in the future.

PUABundler:Win32/MediaGet https://gridinsoft.com/blogs/puabundler-win32-mediaget-removal-guide/ Tue, 29 Oct 2024 09:42:03 +0000

The post PUABundler:Win32/MediaGet appeared first on Gridinsoft Blog.

PUABundler:Win32/MediaGet is a Russian potentially unwanted program designed for accessing pirated content. Like most similar software, it installs some unnecessary programs onto the system during installation and also turns the device into a proxy server in exchange for an ad-free experience.

MediaGet Virus Overview

PUABundler:Win32/MediaGet is a detection of potentially unwanted software associated with the program MediaGet, a BitTorrent client of Russian origin. Originally positioned as a torrent client, it now functions more like a player for pirated content.

The main problem is that MediaGet installs a range of unwanted programs, which an inexperienced user may struggle to cancel. This is accomplished through the use of tricks, which I’ll talk about later.

Although the program has its own official website, in most cases the user receives it as “recommended software” bundled with other free programs. Alternatively, it may be recommended on websites that, once again, spread unlicensed software of various kinds. Once again: the program is not inherently malicious; it is the additional software it installs that may have undesirable and sometimes malicious properties.

Even if the user uninstalls MediaGet, the additional software is not removed along with it, and some items do not appear in the list of installed applications, which makes them very difficult to remove. Because of these factors, the program has been classed as potentially unwanted software and has even received its own detection name, PUABundler:Win32/MediaGet.

How dangerous is it?

To avoid making unconfirmed claims, I decided to see for myself how PUABundler:Win32/MediaGet behaves, on a virtual machine rather than a live system. The first thing that catches the eye is that Microsoft Defender immediately flags the file downloaded from the official website. The random character string in the file name looks like a failed attempt to evade detection at the download stage.

I selected “Allow” in the Defender menu and started installing the program. The first red flag was the program’s offer to hand over the device’s resources in exchange for an ad-free experience. I agreed; I do not mind sharing the resources of my gaming PC for the sake of a scientific experiment. We’ll return to this point later; for now, let’s continue with the installation.

MediaGet tries to install proxy

Next, the installer offers to install the Opera web browser. The problem is that there is a big green “Accept” button and a small gray “Decline” button. At first glance the Decline button may look inactive, but clicking it simply moves on to the next installation screen with the next item of “recommended software”.

This time the offer is 360 Total Security, a Chinese antivirus notorious for being hard to remove from the system. Remember the tricks I mentioned at the beginning? I was referring to exactly this: the “inactive”-looking Decline button, which an inexperienced user may not notice before clicking Accept.

After launch, we see a typical client for watching pirated movies, cartoons, TV series and the like. Although the authors do not mention the program’s origin anywhere on the official website, the buttons for Russian services such as VK (Vkontakte) and OK (Odnoklassniki) point to its Russian origin and target audience.

This is not the first time the program has drawn attention: earlier reports also pointed to its Russian roots. Its popularity there is partly explained by the fact that most legitimate services in Russia are either blocked or non-functional.

Additional Payload

Across several consecutive runs, the additional programs MediaGet offered were consistently the Opera browser and 360 Total Security. But I would like to take a closer look at the payload PUABundler:Win32/MediaGet installs to hand the PC’s resources to third parties: the file highsocks.exe, which is added to autorun after installation and starts with the system.

MediaGet and highsocks.exe start with the system

Remarkably, after uninstalling MediaGet, this file remains on the system and keeps running. Moreover, it is not in the list of installed applications, making it difficult for the user to detect and remove.

highsocks.exe still runs in the system

I took a closer look at this file. It turns the victim’s device into a proxy server. Along with that, highsocks.exe injects itself into the legitimate system process WMIADAP.EXE and terminates the svchost.exe instance started with the WerSvcGroup parameter (the Windows Error Reporting service group). The program also executes the shell command:

C:\Windows\System32\wuapihost.exe -Embedding

This may be an attempt to mask its activity, although wuapihost.exe -Embedding is also how Windows itself activates the Windows Update API host through COM, so the call alone is not conclusive; what matters is which process triggers it. The program does most of its work in memory rather than on disk, which suggests an attempt to evade antivirus detection. Technical details aside, I can confidently say that this program is proxyware.

Collecting System Information

In addition to the above activities, highsocks also collects certain system information, including language and region settings:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MUI\UILanguages
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MUI\UILanguages\PendingDelete
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NLS\Language
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option

Although this information may have legitimate uses, combined with the other red flags it looks more like unwanted activity. Language and region data is commonly used to avoid executing in certain “friendly” territories, a standard practice for malware, and the SafeBoot\Option key reveals whether Windows was booted into Safe Mode, which is exactly the mode a user would pick to clean the system up.
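The leftover described above is easy to miss by hand. The following added Python example (not code from this article or from MediaGet) models the post-uninstall state with a constructed list of installed programs that no longer contains MediaGet, the Run key values and the process list. It flags autorun entries whose binary is not covered by any installed program or trusted location and reports whether they are still running. All paths, value names and process names are constructed, and the highsocks.exe location in particular is an assumption, since the article does not give it.

```python
"""Find autorun entries left behind after an uninstall.

Added example, not code from this article or from MediaGet. It models the
state described above: MediaGet is gone from the installed programs list, but
its proxy component still starts with the system. Every path, value name and
process below is constructed; the highsocks.exe location in particular is an
assumption, since the article does not give it.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Constructed Uninstall entries (DisplayName -> InstallLocation) after removing MediaGet.
INSTALLED: Dict[str, str] = {
    "Opera Stable": r"C:\Users\user\AppData\Local\Programs\Opera",
    "360 Total Security": r"C:\Program Files (x86)\360\Total Security",
    "7-Zip": r"C:\Program Files\7-Zip",
}

# Constructed Run key values (value name -> command line).
AUTORUN: Dict[str, str] = {
    "Opera Browser Assistant": r'"C:\Users\user\AppData\Local\Programs\Opera\assistant\browser_assistant.exe"',
    "360 Total Security": r'"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /start',
    "highsocks": r'"C:\Users\user\AppData\Local\highsocks\highsocks.exe" -service',  # assumed path
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Constructed process list: image path of every running process.
RUNNING: List[str] = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\user\AppData\Local\highsocks\highsocks.exe",
    r"C:\Windows\System32\wbem\WMIADAP.EXE",
]

# Autorun entries under these roots are expected even without an Uninstall record.
TRUSTED_ROOTS: List[str] = [
    r"C:\Windows",
    r"C:\Users\user\AppData\Local\Microsoft",
]


def image_path(command: str) -> str:
    """Executable path of a Run value: a quoted path is taken verbatim, an
    unquoted one is cut at the first '.exe' followed by a space or the end."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]


def is_under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies inside root', compared component by component."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    r = [part.lower() for part in PureWindowsPath(root).parts]
    return p[:len(r)] == r


def orphaned_autoruns(autorun: Dict[str, str], installed: Dict[str, str],
                      running: Iterable[str],
                      trusted_roots: Iterable[str] = TRUSTED_ROOTS) -> Dict[str, Tuple[str, bool]]:
    """value name -> (exe path, still running) for every autorun entry whose
    binary belongs to no installed program and lies under no trusted root."""
    roots = list(installed.values()) + list(trusted_roots)
    live = {p.lower() for p in running}
    found: Dict[str, Tuple[str, bool]] = {}
    for name, command in autorun.items():
        exe = image_path(command)
        if any(is_under(exe, root) for root in roots):
            continue
        found[name] = (exe, exe.lower() in live)
    return found


if __name__ == "__main__":
    for name, (exe, alive) in orphaned_autoruns(AUTORUN, INSTALLED, RUNNING).items():
        print(f"orphaned autorun '{name}': {exe} ({'running' if alive else 'not running'})")
```

On a real machine the three inputs come from the Uninstall keys under HKLM and HKCU, the Run keys of both hives, and the process list; the correlation logic stays the same. An entry that survives its parent's uninstall and is still running, as highsocks.exe does here, is the one to investigate first.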

How To Remove PUABundler:Win32/MediaGet

Although PUABundler:Win32/MediaGet is not malware in the strictest sense of the word, its monetization and installation methods are neither transparent nor safe. Removing the program and its traces can be difficult without specialized tools. I recommend GridinSoft Anti-Malware, an advanced anti-malware solution that will help you clean your system of unwanted software in two clicks. Just follow the instructions below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

PUABundler:Win32/Rostpay https://gridinsoft.com/blogs/puabundler-win32-rostpay/ Fri, 27 Sep 2024 15:56:37 +0000

The post PUABundler:Win32/Rostpay appeared first on Gridinsoft Blog.

PUABundler:Win32/Rostpay is an antivirus detection related to software released by Rostpay LLC. Antivirus programs flag it because its installers bundle many additional unwanted programs (PUAs). Although Rostpay’s own applications are not malicious, the software bundled with them can have unpredictable consequences.

As history shows, developers like Rostpay have already made a name for themselves in the digital marketplace as builders of unwanted software. Yet in the pursuit of free software, users keep taking risks that expose their systems and devices.

What is PUABundler:Win32/Rostpay?

PUABundler:Win32/Rostpay is the name of a potentially unwanted program detected by Microsoft Defender. This software is usually distributed bundled with other applications, often without the user’s explicit consent. Such bundles may include various components such as adware, browser toolbars, pseudo-system optimizers and so on.

Defender detects PUABundler:Win32/Rostpay

As I wrote above, Rostpay developers bundle their free programs with unrelated and almost always unsolicited software. Many users online complain that numerous unwanted programs get installed alongside this company’s programs.

Others complain about the trouble these programs cause. Rostpay’s software is not particularly effective, offering only a pale imitation of real functionality. Its removal can also be complicated and require additional tools. All of this is why such software is classed as unwanted.

PUABundler:Win32/Rostpay Analysis

Samples for analysis were not difficult to find: you just need to download programs from the developer Rostpay. I opted for Tesla Browser and Driver Hub, downloaded and installed them.

Win32/Rostpay #1 – Driver Hub

Driver Hub is a program ostensibly designed to check for and update outdated drivers on your system. But there are pitfalls that spoil the overall picture. When we open the setup file, we see the following message:

PUA installation offer on the setup screen of Driver Hub

As I mentioned above, PUABundler:Win32/Rostpay usually comes with bundled software, and my test with Driver Hub confirms it. The offered program is not always Yahoo: it may differ depending on the product you install and your location.

What I did not experience, but what users frequently complain about after Rostpay activity, is various system troubles: Internet connectivity issues, keyboard input problems and similar bugs. Most probably these are the result of a faulty driver being installed; at least, the symptoms sound like driver issues.

DriverHub interface

That is the major problem with any “driver updater”: none of them can have the most recent, correctly working drivers for all hardware. Every attempt to build such a thing fails for one reason: there is simply too much hardware out there. Driver Hub is no exception.

Win32/Rostpay #2 – Tesla Browser

Tesla Browser is another program detected as PUABundler:Win32/Rostpay. According to its advertising, it is a web browser that offers an improved surfing experience. However, not everything is as rosy as it seems at first glance. The first questionable thing pops up during installation: the offer to install an unrelated program.

Tesla Browser installer with the offer to also install a shady password manager

Tesla Browser itself can also arrive in the very same kind of bundle, hidden as “recommended software”. Such unwanted programs spread quite literally by budding: one contains two others, and each of those in turn installs another two. So yes, one unwanted program can make a mess that is hard to ignore.

The biggest problem with Tesla Browser is that it can act as adware or a browser hijacker. Forget what the website promises: there are no “advanced security features” or “regular updates”. This browser can redirect your queries to a random search engine and display modified search results filled with promotions. And even when you do not use it, pop-ups offering to install plug-ins and other stuff keep appearing in your other browsers.

Removing Win32/Rostpay and other PUAs from PC

Video Removal Guide for PUABundler:Win32/Rostpay:

I recommend GridinSoft Anti-Malware, which will easily remove all remnants of Win32/Rostpay and all the garbage installed with it. In general, the program also provides decent real-time protection for your system.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

What is PUA:Win32/GameHack? https://gridinsoft.com/blogs/pua-win32-gamehack/ Thu, 05 Sep 2024 09:23:48 +0000

The post What is PUA:Win32/GameHack? appeared first on Gridinsoft Blog.

PUA:Win32/GameHack is potentially unwanted software associated with tools used for hacking games or gaining unfair advantages over other players. This category typically includes cheats, trainers, and other software that injects itself into other processes.

PUA:Win32/GameHack Overview

PUA:Win32/GameHack is a generic Microsoft Defender detection for potentially unwanted programs (PUAs) associated with cheats or game hacking tools. While these programs are not always truly malicious, they can pose security risks or violate the terms of service of legitimate software. The use of such software can also lead to game or system instability, as not all such programs are adequately tested. The main danger, however, is that these programs can carry other malware or serve as a vector for its distribution.

PUA:Win32/GameHack detection

The main reason is that using these tools usually requires disabling the system’s security software, which gives a green light to any threat the GameHack carries. The file may contain encrypted or compressed data that evades detection or conceals its true functionality. Some versions modify or create registry keys, which can also serve as cover for malicious activity.

Technical Analysis

Let’s examine how PUA:Win32/GameHack behaves on the target system. For the test sample, I chose Solara.dir, a cheat for one popular cubic game. When the executable is launched, several instances of the cheat invoke the system process rundll32.exe to load its DLLs by ordinal:

"C:\Windows\system32\rundll32.exe"
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Solara/Microsoft.Web.WebView2.Core.dll",#1
"C:\Windows\system32\rundll32.exe" "C:\Users\<USER>\AppData\Local\Temp\Solara/Microsoft.Web.WebView2.WinForms.dll",#1

A caveat: Microsoft.Web.WebView2.Core.dll and Microsoft.Web.WebView2.WinForms.dll are the standard WebView2 runtime wrappers, apparently used by the cheat’s HTML-based UI (note the Monaco\combined.html dropped alongside), and running a dropped DLL through rundll32 with ordinal #1 is also how sandboxes exercise DLLs, so these lines alone are weak evidence. The first thing the app itself does is check for a virtual environment or sandbox, reading registry values such as:

\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Main Functionality

Next, the archive with the cheat gets unpacked. Before reading too much into these two lines, note that 7za.exe is not a Windows component, SysWOW64\unarchiver.exe is not one either, and “infected” is the password convention sandboxes use for submitted samples. These commands are therefore most likely the analysis environment unpacking Solara.Dir.zip rather than something the cheat does by itself:

"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Desktop\Solara.Dir.zip"
C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t1244hhg.u4j" "C:\Users\user\Desktop\Solara.Dir.zip"

Most files are unpacked into a randomly named folder inside the temporary directory. Random temp-folder names are common for installers and sandboxes alike, so this is weak evidence on its own, but it is worth noting where the files land:

C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Microsoft.Web.WebView2.Core.dll
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Monaco\combined.html
C:\Users\user\AppData\Local\Temp\t1244hhg.u4j\Solara\Monaco\fileaccess

The GameHack files are then run through the Command Prompt and the Windows Script Host. The targets are the JavaScript files it has just dropped, which is the pattern dropper malware follows. Note, however, that the files involved (index.js under node_modules\accepts, array-flatten.js) are Node.js modules that cannot do anything meaningful under wscript.exe, which again points to the analysis environment trying every dropped script rather than to the cheat’s own logic:

"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\<USER>\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\<USER>\AppData\Local\Temp\Solara/Monaco/fileaccess/index.js^"
"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\<USER>\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\<USER>\AppData\Local\Temp\Solara/Monaco/fileaccess/node_modules/accepts/index.js^"
"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\<USER>\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\<USER>\AppData\Local\Temp\Solara/Monaco/fileaccess/node_modules/array-flatten/array-flatten.js^"

These Command Prompt invocations are accompanied by several other process launches. Once again, I see no sign of malicious activity here: all three are standard Windows processes that appear on any system. But the chain as a whole is as edgy as it gets.

C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

After these commands, the cheat can inject its code into the game process, adding features that give the player an unfair advantage. These features might include the ability to fly, unlock all inventory, or other advantages that give the player an unfair edge over others. Once again, I’d emphasize that such actions go against the rules of the vast majority of games.
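The command lines above can be triaged mechanically. The following added Python example (not code from this article or from the Solara cheat) runs a few rules over command lines constructed from the ones quoted: rundll32 loading a DLL from a user-writable location, a script host executing a script from Temp, cmd.exe chaining into a script host, and 7-Zip extraction with a password. The rules, the set of user-writable locations and the treatment of the password “infected” as sandbox-harness noise are my assumptions.

```python
"""Rule-based triage of process command lines from a sandbox run.

Added example, not code from this article or from the Solara cheat. The
command lines are constructed from the ones quoted above; the rules, the
list of user-writable locations and the treatment of the archive password
'infected' as sandbox-harness noise are my own assumptions.
"""
import re
from typing import Dict, List

SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Solara/Microsoft.Web.WebView2.Core.dll",#1',
    r'C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\t1244hhg.u4j" "C:\Users\user\Desktop\Solara.Dir.zip"',
    r'"C:\Windows\system32\cmd.exe" /c "cd ^"C:\Users\user\AppData\Local\Temp^" && C:\Windows\system32\wscript.exe ^"C:\Users\user\AppData\Local\Temp\Solara/Monaco/fileaccess/index.js^"',
    r'C:\Windows\system32\svchost.exe -k DcomLaunch -p',
    r'C:\Windows\System32\conhost.exe 0xffffffff -ForceV1',
]

# Drive-letter paths ending in an extension we care about; quotes, cmd operators
# and wildcards terminate a path, spaces do not (unquoted paths may contain them).
PATH_RE = re.compile(r'[A-Za-z]:[\\/][^"&|<>*?]*?\.(?:exe|dll|js|jse|vbs|vbe|wsf|zip)\b', re.I)
PASSWORD_RE = re.compile(r"(?:^|\s)-p(\S+)")
# Locations any user can write to; a DLL or script loaded from here by a system
# utility deserves a look.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata\\local\\temp|downloads|desktop)|windows\\temp)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def extract_paths(cmdline: str) -> List[str]:
    """Pull every recognisable path out of a command line. cmd.exe's ^ escapes
    are dropped first so the nested command inside a /c argument is visible too."""
    return [p.replace("/", "\\") for p in PATH_RE.findall(cmdline.replace("^", ""))]


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_cmdline(cmdline: str) -> List[str]:
    paths = extract_paths(cmdline)
    exes = [p for p in paths if base(p).endswith(".exe")]
    if not exes:
        return []
    image = base(exes[0])                 # the process actually launched
    hosts = {base(p) for p in exes}       # every executable named on the line
    user_writable = [p for p in paths if USER_WRITABLE.search(p)]
    hits: List[str] = []
    if "rundll32.exe" in hosts and any(base(p).endswith(".dll") for p in user_writable):
        hits.append("rundll32_dll_from_user_writable")
    if hosts & SCRIPT_HOSTS and any(p.lower().endswith(SCRIPT_EXT) for p in user_writable):
        hits.append("script_host_from_user_writable")
        if image == "cmd.exe":
            hits.append("cmd_chains_to_script_host")
    if hosts & {"7za.exe", "7z.exe"}:
        m = PASSWORD_RE.search(cmdline)
        if m:
            # 'infected' is the conventional password sandboxes use for submitted
            # samples, so this is the harness unpacking, not the sample's own act.
            hits.append("sandbox_harness_extract" if m.group(1).lower() == "infected"
                        else "password_protected_extract")
    return hits


def triage_all(cmdlines: List[str]) -> Dict[str, List[str]]:
    return {c: triage_cmdline(c) for c in cmdlines}


if __name__ == "__main__":
    for cmd, hits in triage_all(SAMPLE_CMDLINES).items():
        print(hits or ["-"], cmd[:70])
```

The point of separating the image (the first executable on the line) from the set of hosts named anywhere on it is the cmd.exe case: the wscript invocation is hidden inside the /c argument, and a rule that only looked at the launched process would see an innocuous cmd.exe.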

Is PUA:Win32/GameHack False Positive?

Sometimes GameHack can be a false positive detection. In most cases, this is because of how anti-cheat solutions operate. Anti-cheat systems often work at a low level of the system, injecting their code into the game process, checking the integrity of files and analyzing network traffic. In other words, anti-cheat systems can use methods similar to cheats, which can trigger anti-malware detections.

False positive detections typically disappear quickly, unlike real hacks, as the developers promptly contact anti-malware vendors to resolve these issues. In addition, they can inform users about it on official platforms and advise them to add the game folder to the exceptions, which can be a practical solution.

How To Remove PUA:Win32/GameHack?

If you encounter a GameHack detection and suspect it’s not a false positive, here’s what you can do. You can use GridinSoft Anti-Malware to help you get rid of this and other threats, just follow the instructions below:

PUA:Win32/GameHack Removal Process

  • Step 1: Download & Install GridinSoft Anti-Malware
  • Step 2: Run Full System Scan
  • Step 3: Review & Remove Detected GameHack Files
  • Step 4: Restart System & Verify Removal

Important: Check game folders for any remaining suspicious files

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Frequently Asked Questions

Is PUA:Win32/GameHack a virus?

PUA:Win32/GameHack is not strictly classified as a virus but rather as a Potentially Unwanted Application (PUA). It’s typically associated with game cheating tools or trainers that modify game processes to provide unfair advantages. While not inherently malicious like traditional viruses, these applications can compromise system security by requiring disabled antivirus protection and may serve as vectors for actual malware distribution.

Can PUA:Win32/GameHack damage my computer?

While PUA:Win32/GameHack itself may not directly damage your computer, it can lead to system instability, game crashes, and security vulnerabilities. The biggest risk comes from disabling security software to run these cheating tools, which leaves your system exposed to other threats. Additionally, many game hack tools are poorly coded and tested, potentially causing system conflicts or memory leaks that affect performance.

Will using PUA:Win32/GameHack get my gaming account banned?

Yes, using PUA:Win32/GameHack or similar game cheating tools carries a high risk of getting your gaming account permanently banned. Game developers employ sophisticated anti-cheat systems that can detect when game files or processes are being manipulated. Most popular online games have strict policies against cheating, and violations typically result in immediate account termination without possibility of appeal.

How can I tell if PUA:Win32/GameHack is a false positive?

To determine if a PUA:Win32/GameHack detection is a false positive, check if the flagged file belongs to a legitimate game or anti-cheat system. Research the specific file online to see if other users have reported similar detections. Check the game developer’s official forums or support channels, as they often address known false positive issues. If the detection occurred immediately after installing a legitimate game from an official source, it’s more likely to be a false positive than if it appeared after downloading unofficial game modifications.

Why does PUA:Win32/GameHack use randomly named folders?

PUA:Win32/GameHack and similar game hacking tools use randomly named folders and obfuscation techniques for several reasons: to evade detection by anti-malware programs that scan for known file paths, to bypass game anti-cheat systems that monitor for suspicious files, and to make manual removal more difficult. This behavior is a red flag that indicates the software is designed to hide its presence and activity, which is why security software flags it as potentially unwanted.

Protect Your Gaming Experience

Rather than risking your accounts and computer security with game hacks, consider these safer alternatives:

  • Practice legitimate techniques to improve your gaming skills
  • Join gaming communities to learn tips and strategies from experienced players
  • Use officially supported mods that enhance gameplay without breaking rules
  • Participate in custom servers where certain modifications may be allowed

Learn more about other potentially unwanted applications that might affect your system security.

PUABundler:Win32/DriverPack https://gridinsoft.com/blogs/puabundler-win32-driverpack/ Tue, 27 Aug 2024 09:07:28 +0000

The post PUABundler:Win32/DriverPack appeared first on Gridinsoft Blog.

PUABundler:Win32/DriverPack is potentially unwanted software that claims to install or update drivers. In fact, it floods the system with unwanted software and changes browser settings without the user’s consent. In this post, I will explain the dangers behind this unwanted app and show the ways to remove it from the system.

PUABundler:Win32/DriverPack Overview

PUABundler:Win32/DriverPack is a detection from Microsoft Defender associated with the eponymous DriverPack Solution program. Initially, it was a program developed by a Russian author for automatic driver installation on Windows XP. However, since Windows began shipping the necessary drivers with the installation and fetching the rest through Windows Update, driver updaters have become largely useless. Moreover, a program that installs drivers is handing kernel-mode code to the system, which creates significant security risks and calls for diligent checks.

And that is where DriverPack shows its dark nature. Over time, it started installing additional software during its own installation – so-called software bundling. Today, DriverPack is synonymous with a bunch of unwanted and sometimes malicious software that can easily brick a freshly installed Windows. Many users on the Internet who took the easy way out and used DriverPack to install drivers attest to this. After using this program, at best, users get a bunch of garbage in the system. At worst, certain devices or system components may malfunction or fail.

Why is PUABundler:Win32/DriverPack Dangerous?

To understand why using DriverPack is dangerous, it’s important to understand how it operates. The first version of DriverPack was a standalone installer that installed drivers on devices that lacked them. These days, however, the program tries to update the drivers already present in the system – an edgy approach, if you ask me. The problem is that the program sources newer drivers from questionable places. This may result in the aforementioned failures across the system, but, what is worse, it is a direct malware risk.

PUABundler:Win32/DriverPack detection

Another issue is the unwanted software bundled with PUABundler:Win32/DriverPack. Regardless of the user’s choice, DriverPack installs its services, injects advertisements all across the system, and modifies the homepage in all browsers. For the latter, instead of the standard search engine and homepage, DriverPack sets Internet-start.net (see the scan report) as the default homepage and search engine. Although the official website claims to cooperate with antivirus vendors, users tend to see a different picture.

User Experience

I decided to simulate a clean OS setup and driver installation using DriverPack (sample analysis report) in fully automatic mode. This allowed me to form a complete opinion of what PUABundler DriverPack is. Several red flags appear even before the installation, and more are to come.

The first warning sign is the claim on the main page about false positives from certain antiviruses. Although false positives do happen, they are normally a temporary occurrence. A legitimate program should not be detected as unwanted or malicious on a continuous basis; if it is, that is no longer an occasional mishap but a real detection. And the claim on the website suggests that the latter is true. During the launch and operation of the installer itself, Microsoft Defender indeed flagged PUA presence in the system.

DriverPack site warning
Warnings on the DriverPack website say clearly about it being a questionable app

And, sure enough, the described changes to the web browser popped up. PUABundler:Win32/DriverPack modified the homepage and the default search engine. The latter, in turn, shows questionable search results, which is a rather straightforward phishing risk: by manipulating the results, fraudsters behind the search engine can push malicious results to the top. The unwanted program does all this to generate revenue through ads and user redirects, not for the convenience of users. And these ads are the reason why some of the DriverPack samples are tagged as adware.

Modified web browser
Main page of a web browser after being modified by DriverPack PUA

Technical Analysis

Let’s now examine the technical aspects of this unwanted software. I analyzed a copy downloaded from the official website. Notably, it has 53 out of 75 detections on VirusTotal, and the reason is obvious. During installation, PUABundler:Win32/DriverPack leverages the mshta.exe process, typically used to execute HTML applications. It then drops an executable into a temporary folder under AppData\Local\Temp and executes the following commands:

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\\AppData\Local\Temp\wgulwvl5\wgulwvl5.cmdline"
"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} --sfx "software.exe"

During installation, DriverPack checks the system’s software and hardware components by going through certain registry keys. This is a standard procedure for such programs, designed to locate drivers, so it is hardly a bad sign. And even if we suppose malicious intent, the worst this data could be used for is to distinguish this system from others.

HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

Suspicious network activity

The first thing DriverPack modifies during execution is the firewall settings – mostly to let its own executable files communicate with remote servers. Still, given that the developer does not specify the source of the drivers, granting such all-encompassing access is not a great thing.

"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall delete rule name="DriverPack aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\\AppData\Roaming\DRPSu\temp\run_command_26701.txt""
netsh advfirewall firewall delete rule name="DriverPack aria2c.exe"
rundll32 kernel32,Sleep
"C:\Windows\System32\cmd.exe" /c "netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe" || echo Done & call echo Done %^errorLevel% > "C:\Users\\AppData\Roaming\DRPSu\temp\run_command_45238.txt""
netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe"

Payload

PUABundler:Win32/DriverPack utilizes the aria2c.exe utility to download several strangely-named files. This is rather concerning, as such a filename gives no clue about the file’s purpose or its possible effects.

"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" --sfx "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"
C:\Program Files (x86)\DriverPack\run.hta --sfx "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"
C:\Program Files (x86)\DriverPack\start.bat "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"
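The mshta/csc launch chain, the netsh firewall rule and the hash-named payload quoted above are exactly the kind of process-creation events a defender can triage automatically. The script below is an added example written for this write-up (it is not DriverPack’s code, nor part of any GridinSoft product). It runs four simple rules over constructed process-creation records in an assumed "pid|image|command line" layout; the command lines are copied from the post, with the user name "user" filled in as a placeholder, plus two benign records the rules should ignore. It also generalizes the hash-named-executable observation to 32-, 40- and 64-character hex names.

```python
import re
from dataclasses import dataclass

# Constructed sample log (record layout "<pid>|<image>|<command line>" and
# the user name "user" are assumptions of this example). Command lines mirror
# the ones quoted in the post; the last two records are benign.
SAMPLE_LOG = r"""
4120|C:\Windows\SysWOW64\mshta.exe|"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" --sfx "software.exe"
4188|C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe|"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wgulwvl5\wgulwvl5.cmdline"
4201|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name="DriverPack aria2c.exe" dir=in action=allow program="C:\Program Files (x86)\DriverPack\tools\aria2c.exe"
4260|C:\Windows\SysWOW64\mshta.exe|"C:\Windows\SysWOW64\mshta.exe" "C:\Program Files (x86)\DriverPack\run.hta" --sfx "c99687e9829de410b66ad7006b0604c3fddb4582050ce205c1d00ff9f309e6b8.exe"
4301|C:\Windows\System32\netsh.exe|netsh advfirewall firewall add rule name="Core Networking" dir=in action=allow program="C:\Windows\System32\svchost.exe"
4322|C:\Windows\System32\notepad.exe|"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    evidence: str


# Base name that is a bare MD5/SHA-1/SHA-256-sized hex string followed by .exe
HEX_EXE = re.compile(r'(?<![0-9a-z])(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\.exe\b', re.I)
# csc.exe response file (@file.cmdline) located under a Temp directory
TEMP_CMDLINE = re.compile(r'@"?([^"\s]*\\Temp\\[^"\s]*\.cmdline)', re.I)
SFX_ARG = re.compile(r'--sfx\s+"?([^"\s]+)', re.I)
FW_PROGRAM = re.compile(r'program="([^"]+)"', re.I)


def rule_mshta_hta_sfx(image: str, cmdline: str):
    """mshta.exe launching an .hta that carries an --sfx payload argument."""
    if not image.lower().endswith("\\mshta.exe") or ".hta" not in cmdline.lower():
        return None
    m = SFX_ARG.search(cmdline)
    return f"mshta runs an HTA with --sfx payload {m.group(1)}" if m else None


def rule_csc_temp_compile(image: str, cmdline: str):
    """csc.exe compiling code from a response file dropped in a Temp directory."""
    if not image.lower().endswith("\\csc.exe"):
        return None
    m = TEMP_CMDLINE.search(cmdline)
    return f"csc.exe compiles {m.group(1)} from a Temp directory" if m else None


def rule_firewall_allow_nonsystem(image: str, cmdline: str):
    """netsh advfirewall allow rule whose program lives outside the Windows directory."""
    low = cmdline.lower()
    if "advfirewall firewall add rule" not in low or "action=allow" not in low:
        return None
    m = FW_PROGRAM.search(cmdline)
    if m is None:
        return None
    program = m.group(1)
    if program.lower().startswith("c:\\windows\\"):
        return None  # allow rules for OS binaries are routine; not flagged here
    return f"inbound allow rule created for {program}"


def rule_hex_named_executable(image: str, cmdline: str):
    """Any executable on the command line whose name is a bare hex digest."""
    m = HEX_EXE.search(cmdline)
    return f"executable named as a bare hex digest: {m.group(0)}" if m else None


RULES = {
    "mshta_hta_sfx": rule_mshta_hta_sfx,
    "csc_temp_compile": rule_csc_temp_compile,
    "firewall_allow_nonsystem": rule_firewall_allow_nonsystem,
    "hex_named_executable": rule_hex_named_executable,
}


def scan(log_text: str) -> list:
    """Run every rule over each '<pid>|<image>|<cmdline>' record."""
    findings = []
    for raw in log_text.strip().splitlines():
        if not raw.strip():
            continue
        pid, image, cmdline = raw.strip().split("|", 2)
        for name, rule in RULES.items():
            evidence = rule(image, cmdline)
            if evidence:
                findings.append(Finding(int(pid), name, evidence))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, e.g. for a quick host-level verdict."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"pid {f.pid:<5} {f.rule:<26} {f.evidence}")
    print(summarize(hits))
```

On the sample records the two mshta launches, the csc compile and the aria2c allow rule are reported, while the svchost rule and notepad are ignored. The firewall rule deliberately exempts programs under the Windows directory only as a noise filter; in a real deployment the allowlist would be driven by the organization's own software inventory.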

This represents just a fraction of what DriverPack downloads. During installation, it downloads the bundled applications – several browsers, a strange copy of Avast antivirus, and the “widgets” for the DriverPack itself. As there is no way to disable the installation of these bundled apps, this is just another concerning element of that program.

C:\Program Files (x86)\DriverPack\Tools\driverpack-wget.exe
C:\Program Files (x86)\DriverPack\programs\AvastAntivirusA.exe
C:\Program Files (x86)\DriverPack\programs\downloader_elements.exe
C:\Program Files (x86)\DriverPack\programs\downloader_browser.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverPack\DriverPack.lnk

During execution, the shell displays a “virtual assistant” that occasionally speaks to the user. Nothing really malicious here, but it may be spooky to someone who did not expect a program installer to have sound effects. And overall, there are more than enough problems for the DriverPack to be considered a dangerous thing.

How To Remove DriverPack?

Manual removal of PUABundler:Win32/DriverPack is not really an option, so I recommend an automated removal with GridinSoft Anti-Malware. Follow the guide below to get your system cleaned of DriverPack PUA and all other malicious elements that may be present.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished
