Unwanted programs Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/unwanted-programs/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

PUADlmanager Win32/InstallCore
https://gridinsoft.com/blogs/puadlmanager-win32-installcore/
Wed, 03 Apr 2024 10:05:41 +0000
PUADlmanager Win32/InstallCore is a detection that Microsoft Defender antivirus uses to detect potentially unwanted programs (PUA). It is malware that poses a serious threat to Windows users. Unlike simple unwanted programs, InstallCore combines the functions of a downloader and an installer, automatically distributing many unwanted applications and potentially dangerous programs to infected devices.

Win32/InstallCore may not look like a serious threat, but the effects of its activity are not pleasant either. Unwanted programs, adware, junk apps – this PUA is not picky about things it spreads. It is a serious threat to users that requires attention and removal.


What is PUADlmanager Win32/InstallCore?

PUADlmanager Win32/InstallCore is the name for the detection of a program that packages additional software with the main one. It is not a stand-alone program, but rather an application on top of the program installer. Once you launch such an infused installer, InstallCore is up too, ready to perform its dirty deeds.

PUADlmanager Win32/InstallCore detection

The prefix “PUADlmanager” (PUA Downloading Manager) clearly describes this property. What InstallCore tries to accomplish is downloading and installing things in the background, without the user’s permission. This way, those who spread the program try to monetize their effort. Typically, those apps are unwanted programs of some sort and adware.

Things like Win32/InstallCore are often spread embedded into pirated software. Some freeware programs may contain it too, particularly ones from platforms like Softonic, Download.com and FileHippo.

Is InstallCore a False Positive?

As far as I reckon, false positives of PUADlmanager Win32/InstallCore can occur in several cases. One of the users on the Information Security Stack Exchange forum noted that it can be related to security signature updates or in case of installing third-party software. This is not always a threat, but rather belongs to the “gray” category, as it is not as dangerous as malware.

Another example of a false positive was discussed on the JDownloader Community forum, where Microsoft Defender mistakenly detected malware in the JDownloader.exe file. In this case, the JDownloader developers reported the false positive and asked users to report it as well, confirming that JDownloader does not contain malware. There was also a discussion on the Microsoft forum about a false positive on the Five Nights at Freddy’s game installer.

User complaint about false positive results

Antivirus programs regularly update their malware signature databases. Sometimes, new signatures can mistakenly classify safe files or programs as malicious. However, users may not pay attention to additional programs that are offered for installation along with the main software. If such additional software falls into the PUA/PUP category, Microsoft Defender will detect it as such.

How does PUADlmanager Win32/InstallCore affect my computer?

As I wrote above, the danger of PUADlmanager is that it downloads and installs numerous unwanted programs without users’ consent and knowledge. Most of them may have unpredictable consequences for the computer and user data. To test the thing, I’ve found several examples of apps that Microsoft Defender detected as Win32/InstallCore.

In one instance, the app had no real functionality, being just a shell with an attractive interface. It was advertised as software to help download files, particularly from torrents, but didn’t really provide any real features. This became clear when I discovered that despite promises of advanced features for an additional fee, the program actually provided no utility and could perform suspicious activities on my PC.

However, uselessness is not the only issue here. As soon as I pressed the “Install” button, numerous other programs started to appear. Driver updaters, “free” VPNs, system tuners – plenty of them. Their sheer volume made the virtual machine I was running the test on exceptionally slow.

Desktop after the InstallCore activity

One more thing that was definitely an effect of InstallCore activity is advertisements flooding the websites. It looks like, aside from the unwanted programs, this PUA also brought adware of some sort. Irrelevant advertisements both in the browser and system tray kept popping up until the malware removal.

Advertisements on every page

On top of that, the browser started opening the pages which demand installing some questionable browser plugins. Among other things, I’ve noticed a well-known plugin, called Dragon Angel. This thing works as a browser hijacker, and is usually promoted in this exact way. Though, it may be a lesser evil here, as browser plugins can also work as infostealers and crypto hijackers.

Malicious ad distributing Dragon Angel extension

Overall, PUADlmanager Win32/InstallCore is not a severe threat by any measure. But the effects of its activity are nowhere near pleasant either: they make the system hard to use, distract you with ads, and potentially compromise the computer for further infections. It should be removed as soon as possible.

How to remove PUADlmanager Win32/InstallCore from PC?

To prevent PUADlmanager Win32/InstallCore, it is recommended to use reliable antivirus software capable of detecting and removing all malware components. GridinSoft Anti-Malware offers an effective solution to detect and eliminate threats of this kind, providing comprehensive system protection.

Manual removal of InstallCore and related unwanted programs is possible, but it requires some knowledge and can be a time-consuming process. To prevent infection, it is important to avoid downloading programs from unverified sources and not to open suspicious email attachments.

PUA:Win32/Packunwan
https://gridinsoft.com/blogs/pua-win32-packunwan/
Thu, 28 Mar 2024 11:56:10 +0000
PUA:Win32/Packunwan is a generic detection of a potentially unwanted program that uses software packing. It can range from being merely annoying to posing a severe threat to system safety. The degree of damage to the system varies accordingly.

Usually, these unwanted programs are distributed as “recommended software” in freeware, shareware or cracked installers. The name “Packunwan” stands for the unwanted program that uses packing, which makes the analysis more complicated. Programs detected with this name are almost always some no-name tools or duplicates of other programs.


PUA:Win32/Packunwan Overview

The PUA:Win32/Packunwan is a potentially unwanted application (PUA) detection. However, the analysis of samples collected on the Web revealed much more malicious functionality. Due to the diverse nature of reports, it is challenging to ascertain their precise behavior without in-depth analysis. At the same time, this unwanted program was not attributed to any known developer or company, leading to speculation that these programs may be of dubious origin.

PUA:Win32/Packunwan detection

While PUAs are not necessarily viruses, they can still be disruptive and pose security risks. Packunwan typically displays unwanted advertisements on your computer. It can also track your browsing activity and change your browser settings. Among the most noticeable is the change to your homepage or search engine.

On the other hand, the behavior of this program is in fact far beyond “showing unwanted ads”. Reviewing the sample shows that it collects way too much system information, which in combination with packing and detection evasion makes it look fishy. The overall activity of Packunwan can lead to compromised privacy and malware injection.

Packunwan Technical Analysis

As I’ve just said, while analyzing Packunwan malware samples, I’ve seen a lot of questionable actions. In particular, it collects way too much info about the system. Not enough to call it spyware, but still more than I would consider acceptable. Also, its networking is outright strange, bordering on what you would expect from dropper malware. Even though not all samples were like this, there was a consistent behavior pattern.

Launch & System Discovery

Upon execution, the reviewed Packunwan sample checks the computer’s location settings for no obvious reason. This is standard behavior for malware, but not for a “driver updater”. To do this, it queries the registry for specific values related to country code configurations.

Registry entries that Packunwan accesses to get location info

After that, the program starts gathering system information. By checking a selection of registry entries and querying system functions, it retrieves the list of installed software, OS information and system drivers. The latter is needed for the functionality of the “driver updater”, but can also be useful to discover whether the system is a virtual machine.

One anti-analysis trick that I am sure about is checking the disk info through a registry query. The malware checks SCSI registry keys, which reveal whether the disk is a virtual one created by a sandbox environment or a virtual machine. SCSI technology is not supported these days, and it is unlikely for a geek who tries to play with geriatric hardware to use questionable apps.

HKLM\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001
HKLM\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000

Persistence and Detection Evasion

PUA:Win32/Packunwan uses various obfuscation techniques to dodge detection. As its name implies, its files are packed, i.e. compressed and encrypted. The sample I reviewed encrypted data using RC4 PRGA. Additionally, it attempts to conceal itself by creating files in user directories with extensions that do not match the file type. At the same time, it disguises the payload as a part of the “driver updater” files.

For persistence, the program creates Windows services and adds entries to Registry Run keys and startup folders. While a rather widespread step, it remains effective, especially in poorly-protected systems. Packunwan also does not let you opt out of autostart from its interface – a common practice among unwanted programs.
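The autostart locations named above (Run/RunOnce keys, startup folders, services) are the places a defender checks first. The following PowerShell script is an added example, not code from Gridinsoft or from the sample: it enumerates those locations and flags entries whose executable lives in a user-writable directory (the post notes Packunwan drops its files there). The list of user-writable roots and the decision to treat anything outside the Windows directory as worth a look are my assumptions, not a detection rule from the post.

```powershell
# Added example (not from the Gridinsoft post): audit the autostart locations
# the post names and flag entries launched from user-writable paths.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users startup folder
)
# Assumption: directories a standard user can write to. An autostart entry that
# runs a binary from here is not necessarily bad, but deserves a closer look.
$userWritableRoots = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)

function Test-UserWritablePath {
    param([string]$CommandLine)
    # Strip surrounding quotes and arguments to isolate the executable path
    $exe = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split ' ')[0] }
    foreach ($root in $userWritableRoots) {
        if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = @()

# Run / RunOnce values: each value name is an entry, its data is the command line
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        $findings += [pscustomobject]@{
            Source  = $key
            Name    = $name
            Command = $cmd
            Suspect = Test-UserWritablePath -CommandLine $cmd
        }
    }
}

# Startup folders: every file in them is launched at logon
foreach ($folder in $startupFolders) {
    if (-not (Test-Path -Path $folder)) { continue }
    foreach ($f in Get-ChildItem -Path $folder -File) {
        $findings += [pscustomobject]@{
            Source  = $folder
            Name    = $f.Name
            Command = $f.FullName
            Suspect = Test-UserWritablePath -CommandLine $f.FullName
        }
    }
}

# Services: the post says Packunwan registers one. Services whose binary sits
# outside the Windows directory are listed so an analyst can eyeball them.
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $path = [string]$svc.PathName
    if ($path -and -not ($path -match '(?i)\\Windows\\')) {
        $findings += [pscustomobject]@{
            Source  = 'Service'
            Name    = $svc.Name
            Command = $path
            Suspect = Test-UserWritablePath -CommandLine $path
        }
    }
}

# Suspect entries first
$findings | Sort-Object -Property Suspect -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys and all services are readable. The output is a triage list, not a verdict: legitimate updaters and chat clients commonly autostart from AppData, so each flagged entry still needs to be checked against what is actually installed.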

Network Communications

I’ve mentioned that Packunwan is usually distinctive for its networking activity. Though, not every sample had as many strange things happening in the background as the one I had a deeper look at. Over a short period of time, it performs consecutive accesses to the remote server. You can see an example of one of these messages below:

One of the HTTP GET requests from Packunwan sample. Source: Tria.ge

Sure enough, driver updaters should get the drivers they are about to install somewhere. But as far as I’m aware, not even a single program creates that much chaos in networking logs. It is either a poor software design, or the attempt to conceal something by blending it into this mess.

How To Remove PUA:Win32/Packunwan

You will need an antimalware tool to remove PUA:Win32/Packunwan. I recommend GridinSoft Anti-Malware – it will be the optimal solution in such a case. You should run a full scan, whether it is an adware PUA or a dropper. It might take a little longer, but it will guarantee a more effective cleaning.

PUABundler:Win32/Rostpay
https://gridinsoft.com/blogs/puabundler-win32-rostpay/
Wed, 27 Mar 2024 15:56:37 +0000
PUABundler:Win32/Rostpay is an antivirus detection related to the software released by Rostpay LLC. Antivirus programs detect it because it contains a lot of additional unwanted programs (PUA). Although their applications are not malicious, the software that comes bundled along with it can bring unpredictable consequences.

As history shows, software developers like Rostpay have already made a name for themselves in the digital marketplace as builders of unwanted software. But due to the pursuit of free software, users are taking risks that expose the security of their systems and devices.


What is PUABundler:Win32/Rostpay?

PUABundler:Win32/Rostpay is the name for a potentially unwanted program detected by Microsoft Defender. This is complex software that is usually distributed bundled with other applications, often without the user’s explicit consent. Such programs may include various components such as adware, browser toolbars, pseudo-system optimizers, and so on.

Microsoft Defender detection

As I wrote above, Rostpay developers bundle their free programs with unknown and almost always unrelated software. On the Web, a lot of users complain that numerous unwanted programs are installed in parallel with the installation of programs developed by this company.

Another part complains about the troubles these programs create. In other words, Rostpay’s software is not particularly effective, creating just a pale resemblance of real work. Its removal can also be complicated and require additional software. This results in such software being considered an unwanted program.

PUABundler:Win32/Rostpay Analysis

Samples for analysis were not difficult to find – you just need to download programs from the developer Rostpay. I opted for Tesla Browser and Driver Hub for the analysis, downloaded and installed them.

Win32/Rostpay #1 – Driver Hub

Driver Hub is a software solution ostensibly designed to check and update outdated drivers on your system. But there are pitfalls here that spoil the overall picture. When we open the setup file, we see the following message:

PUA installation offer on the setup screen of Driver Hub

As I’ve mentioned above, PUABundler:Win32/Rostpay usually comes with bundled software, and this checks out in my test with Driver Hub. The offered programs (Yahoo in this case) may differ depending on the product you install and your location.

What did not happen to me, but was a frequent point of user complaints after Rostpay activity, is various system troubles. People particularly tell about Internet connectivity issues, keyboard input problems, and similar bugs. Most probably, they are the outcome of the installation of a faulty driver – at least, these symptoms sound like driver issues.

DriverHub interface

That is actually one major problem with any “driver updater” software – they barely have the most recent and correctly working drivers for all hardware. All attempts to create such a thing fail for one reason – there is too much hardware out there. And Driver Hub is no exception.

Win32/Rostpay #2 – Tesla Browser

Tesla Browser is yet another thing detected as PUABundler:Win32/Rostpay. According to the advertising promises, it is a web browser that offers an improved surfing experience on the Internet. However, not everything is as rosy as it seems at first glance. The first questionable thing pops up during the installation: the offer to install an unrelated program.

Tesla Browser installer with the offer to also install a shady password manager

Though, Tesla Browser itself can come in the very same bundle, hidden as “recommended software”. Such unwanted programs spread quite literally through budding: one contains 2 others, and each of them in turn installs another two. So yes, one unwanted program can make a mess that will be hard to ignore.

The biggest problem with the Tesla Browser is that it can act as adware or a browser hijacker. Forget about what they promise on the website – no “advanced security features” or “regular updates”. This browser can redirect your queries to a random search engine, and display modified search results, filled with promotions. And even when you do not use it, the pop-ups with offers to install plug-ins or other stuff will keep popping up in other browsers.

Removing Win32/Rostpay and other PUAs from PC

I recommend GridinSoft Anti-Malware, which will easily remove all remnants of Win32/Rostpay and all the garbage installed with it. And in general, the program will provide a decent real-time protection of your system.

Uninstalling Win32/Rostpay as well as other software that was installed together without your permission is possible in manual mode. However, there is a risk that you will not be able to clean all the elements that unwanted programs leave in the system. Their sheer volume can also make the removal process a rather time-consuming endeavour. High-quality antivirus software will facilitate this process and save you time.

Dragon Angel Malicious Browser Extension
https://gridinsoft.com/blogs/dragon-angel-extension/
Fri, 22 Mar 2024 11:21:00 +0000
Dragon Angel is a browser extension that functions as a hijacker malware. It redirects users to promoted search engines or websites. These redirects ruin the process of browsing and can lead to irrelevant or potentially harmful content or malware distribution.

Dragon Angel Overview

Dragon Angel is a malicious browser extension that can appear in Chrome browsers. It usually appears as a result of adware activity on the system. For example, unwanted programs like Chromstera or Chromnius after installation can offer this extension to the main browser. Users complain about it continuously appearing unless the source of the problem – the malignant browser – is removed.

Dragon Angel browser plugin

The purpose of such plugins is search query redirection. The fraudsters behind it force every single search request you make to go through their servers. By forming a digital fingerprint of their victims, they earn money by selling it to third parties. I did a comprehensive analysis of Dragon Angel, and found a couple of really interesting details – so read on.

Dragon Angel Detailed Analysis

Dragon Angel appears on your device due to the activity of unwanted software. It is often the result of potentially unwanted software that comes bundled with freeware or software cracks. Although most installers allow you to cancel installing additional software, unscrupulous developers may remove this option.

Search Redirects

Once installed, the extension changes the homepage and some browser settings. It also forcibly redirects all search queries through Dragonboss search engine. It eventually ends up on a legit search engine page, usually Yahoo or Bing, but during these redirections, the said search engine will collect the info about your request. Also, the search results after such a multi-step operation are different from what you would get after a direct request to the search systems.

Another malicious extension that Dragon Angel promotes in its redirections

What this means is that the victims will see promotions instead of relevant search results. These promos mostly contain sponsored websites – gambling, adult sites or marketplaces that paid for the ads. At the same time, this advertising can lead to phishing websites or malware downloading pages.

Difficulties With Removal

The biggest problem for the average user is that Dragon Angel uses self-defense measures. After installation, the malware modifies registry settings to disable the ability to remove extensions from the browser or change homepage settings. This eventually leads to the infamous “Managed by Your Organization” error in Chrome, and complete inability to remove the extension.

According to the feedback from users who have encountered this plugin, the severity of this problem forces users to reset their PCs. This is the ultimate solution, but it will result in data loss, and feels like hunting sparrows with a tank gun. Fortunately, I have a solution to that problem without data loss. We will discuss it next.

Not by Dragon Angel Alone

During the analysis, I found other extensions from this “developer” called Dragon Honey and Dragon Search. All of them share the same logo, and the same purpose – redirecting user queries through their own search engine. However, this is not the last finding of my research.

The exact same “developer” has another project called Chromnius Browser. It is a browser based on the Chromium core, obviously, and does not feature any remarkable qualities. Promotions say that Chromnius is a Web browser that provides better security while browsing online by blocking pop-ups and tracker cookies. Though a closer analysis clearly shows that Chromnius is just yet another adware that tries to look like a web browser. It can infect other browsers, send pop-up notifications without user consent and redirect search queries.

How To Remove Dragon Honey

First, I strongly recommend scanning your device for malware. This will neutralize software that modifies system settings. To do this, download GridinSoft Anti-Malware and run a full scan. This will find the malware that initiates browser manipulation. In addition, GridinSoft Anti-Malware allows you to reset your web browser settings entirely in one click. This is especially useful if previous methods have failed.

Next, if you see this “Managed by your organisation” message when opening the browser menu in Google Chrome, there are two ways to remove Dragon Honey; we will look at them now. The first one is automatic and will work for most users. To regain control of the browser, you must follow these instructions to download the file and run it as an administrator. This will remove the entry from the registry that otherwise prevents you from changing the browser settings.

The second method involves all the same, only in manual mode. To do this, press Windows + R on your keyboard, type “regedit”, and select the OK button.

regedit

Copy the following path and paste it into the address bar, and press Enter:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Chrome folder in the regedit

Select the Chrome key from the left pane of your Registry Editor. Right-click on the Chrome policy you want to remove and select Delete.
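The manual procedure above can be scripted so that you first see exactly which policies are enforced before deleting anything. The following PowerShell script is an added example and not code from Gridinsoft or the tool the post links to: it lists every value under the Chrome policy key the post names (HKLM\SOFTWARE\Policies\Google\Chrome) and under its per-user counterpart in HKCU, which Chrome also reads, and deletes the key only when run with -Remove. The domain-join warning is my own addition: on a managed corporate machine the same key is populated legitimately by Group Policy, and removing it there breaks real administration rather than a hijack.

```powershell
# Added example (not from the Gridinsoft post): inspect, and optionally delete,
# the registry-backed Chrome policies behind "Managed by your organization".
# Run from an elevated PowerShell prompt. Without -Remove it only reports.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# HKLM path is the one the post gives; HKCU is the per-user location Chrome also honours.
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

# Assumption: a domain-joined machine may carry Chrome policies pushed by its administrator.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
if ($domainJoined) {
    Write-Warning 'This machine is domain-joined; Chrome policies here may come from your administrator, not a hijacker.'
}

foreach ($path in $policyPaths) {
    if (-not (Test-Path -Path $path)) {
        Write-Host "No Chrome policy key at $path"
        continue
    }
    Write-Host "Policies enforced under ${path}:"

    # Scalar policies (e.g. a locked homepage or search URL) are values directly under the key
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        Write-Host ('  {0} = {1}' -f $name, ($key.GetValue($name) -join ', '))
    }

    # List policies (e.g. forced extension installs) are stored as numbered values in a subkey
    foreach ($sub in Get-ChildItem -Path $path -Recurse) {
        foreach ($name in $sub.GetValueNames()) {
            Write-Host ('  {0}\{1} = {2}' -f $sub.PSChildName, $name, ($sub.GetValue($name) -join ', '))
        }
    }

    # Same effect as right-clicking the Chrome key in regedit and choosing Delete
    if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Delete Chrome policy key')) {
        Remove-Item -Path $path -Recurse -Force
        Write-Host "Removed $path. Restart Chrome and check chrome://policy to confirm nothing is enforced."
    }
}
```

Run it once without -Remove and read the listing: a forced extension ID or a search URL you do not recognise is the hijack; a fleet of familiar settings on a work laptop is your IT department. Only then run it again with -Remove (add -WhatIf to rehearse the deletion first).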

PUA:Win32/Vigua.A
https://gridinsoft.com/blogs/pua-win32-vigua-a-detection/
Wed, 20 Mar 2024 20:48:39 +0000
PUA:Win32/Vigua.A is a universal detection name used by Microsoft Defender to detect potentially unwanted applications (PUAs). This is often associated with various system optimizers that have hidden functionality in addition to their stated functions.

PUA:Win32/Vigua.A Overview

PUA:Win32/Vigua.A is a generic detection associated with unwanted software positioned as a system optimizer. Usually, it falls under the scareware definition – an app that finds many issues in the system and requires purchasing the full software version to fix them. Alternatively, such apps offer to fine-tune the system “to get better performance”, asking payment for useless or dangerous functionality.

PUA:Win32/Vigua.A detection by Microsoft Defender

Despite the beautiful interface and convincing messages, the effectiveness of such software is very questionable. The fact is that often, all these “issues” or “improvements” do not exist, and all this is done to force the user to buy the full version of the program. Moreover, such applications can sometimes harm the system or even lead to BSoD. However, this is not the only harm that Vigua can cause.

I’ve performed my own analysis of several samples of unwanted programs that Microsoft detects as Vigua.A. The findings are, well, disturbing, but not particularly new. Let’s get into things one by one.

Vigua.A Analysis

The unwanted software that falls under this detection name is rather similar, so all the characteristics below are more or less applicable to the majority of Vigua.A samples out there. Moreover, a couple of samples I’ve picked up for this analysis are related to no-name tools, meaning that they barely have any online footprint.

Spreading

Although some PUAs have their “official websites”, users almost always get them unwillingly. Vigua.A often comes as “recommended software” with freeware or pirated programs, in a form of software bundle. This is already enough to call it unwanted software, as security vendors considered this distribution method dangerous long ago. Yet moving on uncovers even more interesting details.

Fake Issues and System Tuning

As I said above, PUA:Win32/Vigua.A just mimics the operation, without any real action. Before making changes to the system, legit system optimizers usually let you see each action and decide whether to perform it or not. Vigua shows only the number of errors found without details and offers to fix them in one click. It is impossible to find out what is going on “under the bonnet” of the program, as the source code is closed, and the entire course of action is unclear.

The interface of a “system fixing utility” that got the PUA:Win32/Vigua.A detection

Another type of PUAs that fall under this detection name is pseudo system optimizers. They promise to “improve” the user experience by removing alleged bloatware and disabling the non-needed functionality. The issue is that both samples of this category that I’ve tested did not say what exactly they change, same as the scareware from above.

Fake system optimization utility

And here is the main issue: when the program disables whatever it thinks is unnecessary, chances are – it will disable a thing you actually need. This will eventually lead to a selection of really unpleasant circumstances, both for your user experience and overall system stability. Once again – quite a few Vigua.A samples are not even publicly available; they are no-name software with no one responsible for possible issues.

Browser Data Collection & Exfiltration

Now, let’s discuss a part about PUA:Win32/Vigua.A that worries me more than futile functionality or no control over the changes. According to the analysis, PUA:Win32/Vigua.A collects information about the user’s network activity. This information includes browser activity, history, requests, etc. On top of that, unwanted programs collected basic system info, probably to fingerprint the system.

List of data collected by Vigua.A

  • OS version
  • Username
  • CPU/GPU
  • Display resolution
  • Installed programs
  • Browser activity hours
  • Default search engine
  • Search queries
  • IP addresses of the device
  • Browser configurations

Such information is still not comparable to what information-stealing malware will collect. Nonetheless, sharing information with untrustworthy software vendors is 100% a bad option. It is hard to predict how they will use this data, but most probably, it would be sold to an advertising network. Sure, these networks collect info about us anyway, though at least we consent to this – which is barely the case when it happens through Vigua.

Is PUA:Win32/Vigua.A False Positive?

In some cases PUA:Win32/Vigua.A can be a false positive. This is due to programs’ behavior, particularly their ability to change low-level system settings. For example, Microsoft Defender can falsely detect legitimate miners such as NiceHash. Another category of software that sometimes receives this detection as a false positive is torrent clients. Two particular examples of the latter are qBittorrent and Transmission – both open-source and totally safe.

Overall, programs that manage hardware settings or call hardware directly and do not have proper certificates can easily get the Vigua detection. If you’ve got something that fits this description, don’t rush to delete it. Perform a double check using our free Online Virus Scanner tool: it will give you a much-needed second opinion in this case.

How to Remove PUA:Win32/Vigua.A?

To remove unwanted software like PUA:Win32/Vigua.A, I’d recommend using GridinSoft Anti-Malware. Although seeing the Vigua detection is not a sign of severe malware running, I would not hesitate to remove it. As it often gets into the system in a software bundle, there is a chance that numerous other unwanted programs are present on your computer. Run a Standard scan and let it finish: this will remove any questionable element in the system.

Taskbarify Unwanted Application https://gridinsoft.com/blogs/taskbarify-explained-removal/ Tue, 19 Mar 2024 14:39:37 +0000

The post Taskbarify Unwanted Application appeared first on Gridinsoft Blog.
Taskbarify is unwanted software that claims it is a tiny little Windows tweaker. However, it also turns the device into a proxy server without the user’s knowledge. Let me show you what is so dangerous about this utility, and how to remove it.

What is Taskbarify?

Taskbarify is a Windows utility classified as a Potentially Unwanted Application (PUA). Officially, this program has a single function: changing the appearance of the taskbar. Taskbarify has an “official” website, but most users acquire it unintentionally. The main ways this app ends up on users’ systems are bundling with pirated software and promotion through suspicious banners. This creates one more risk: the appearance of this app may be a sign of numerous other unwanted apps running in the background.

The main reason for classifying Taskbarify as an unwanted program is its proxyware module. In other words, it can use the bandwidth of the victim’s Internet connection to provide proxy server services. This enables the app to intercept network requests, potentially compromising privacy and security. Together with the complicated uninstallation, all this creates a halo of ill fame around the program.

Why is Taskbarify unwanted?

Let’s take a closer look at how this thing works. The official website claims the app is clean as a tear, has no hidden functions, and does not load the system.

Screenshot: App description on the official website

However, the license agreement says otherwise. The text states that the program can act as a proxy and use your device’s resources via the Globalhop SDK mentioned there. Moreover, this SDK is included in the application installation by default, without a separate prompt that explicitly discloses its use and its impact on the user’s system.

Screenshot: The license agreement

The functionality of the app itself is questionable. Visually, Taskbarify adds transparency to the taskbar, which enhances its look, but that’s it. The promised “spyware uncovering” or “full control” are pretty hard to witness, to be honest. Also, the built-in description (see the screenshots below) lies about the program being available in all regions: by setting the VPN region to Moldova, I managed to make it return a “something went wrong” error.

Suspicious Behavior

The first problem is that the app does not obtain user consent for using traffic. Sharing Internet resources weakens the consumer’s security posture. Taskbarify reads system certificate settings, the security settings of web browsers, and Windows trust settings. The app does not display an explicit notification about the security risks of sharing the network connection when it is installed.

Aside from the privacy risks associated with proxyware, the activity of such a module itself may cause issues with bandwidth and system performance. For weak devices, a constant traffic flow may take quite a bit of CPU time, leading to the rest of the applications being laggy and unresponsive. Also, the sheer volume of traffic used by proxyware can turn into significant financial losses for the users of metered connections.

Impossible to Close

Another red flag is the pseudo-closing of the application. If the user finds the application icon in the tray, right-clicks it, and selects “Quit”, the icon disappears. However, by opening the Task Manager, you can see the application still running in the background without the tray shortcut. This means the application can stop modifying the taskbar (its “core functionality”) but continue running as a proxy server in the background.

Screenshot: Absent in tray, but still present in Task Manager

Difficulties With Removal

Unlike most programs, which are usually installed in “C:\Program Files\”, Taskbarify’s default installation folder is “%AppData%\Local\Programs\”. Since this directory is hidden by default, this virtually rules out manual removal by the average PC user. Moreover, some users report trouble uninstalling Taskbarify with the built-in uninstaller, which suggests that the application tries to resist removal or to reinstall itself.

Screenshot: Some difficulties with uninstalling Taskbarify
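The two behaviors described above (a tray “Quit” that leaves the process running, and an install folder under the user profile that the uninstaller does not reliably clean up) can be verified with a short PowerShell check. This is an added example, not Taskbarify’s or Gridinsoft’s code; it assumes the per-user folder the post refers to resolves to %LocalAppData%\Programs (C:\Users\<user>\AppData\Local\Programs) and uses only built-in cmdlets. Run it once before and once after choosing “Quit” in the tray: a process that survives the second run is the pseudo-closing the post describes, and a Run-key entry pointing into that folder explains why the program reappears after removal.

```powershell
# Added example (not from the Gridinsoft post): list processes started from the
# per-user Programs folder and any Run-key autostart entries that point into it.
# Assumption: the folder is %LocalAppData%\Programs; override with -Folder if needed.
function Get-UserProgramsActivity {
    param(
        [string]$Folder = (Join-Path $env:LOCALAPPDATA 'Programs')
    )

    # Win32_Process exposes the full executable path and command line, which
    # Task Manager's default view hides; a tray-only app has no main window,
    # so compare the list before and after "Quit" rather than trusting HasWindow alone.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath.StartsWith($Folder, 'OrdinalIgnoreCase') } |
        ForEach-Object {
            $p = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid         = $_.ProcessId
                ParentPid   = $_.ParentProcessId
                Path        = $_.ExecutablePath
                CommandLine = $_.CommandLine
                HasWindow   = [bool]($p -and $p.MainWindowHandle.ToInt64() -ne 0)
            }
        }

    # Per-user and machine-wide Run keys are the usual way a program comes back
    # at the next logon; any value whose command lives in the user folder is worth a look.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $autostarts = foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in $item.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $cmd = [string]$item.$name
            if ($cmd -like "*$Folder*") {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }

    [pscustomobject]@{
        Processes  = @($procs)
        Autostarts = @($autostarts)
    }
}

$result = Get-UserProgramsActivity
"Processes running from $env:LOCALAPPDATA\Programs:"
$result.Processes  | Format-Table Pid, ParentPid, HasWindow, Path -AutoSize
"Run-key entries pointing into that folder:"
$result.Autostarts | Format-Table Key, Name, Command -AutoSize
```

An empty Autostarts list does not prove there is no persistence (scheduled tasks and services are other common places), but a hit here is enough to explain the uninstall difficulties the post mentions, and the Pid/ParentPid pair tells you which process to end before retrying the uninstaller.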

How To Remove Taskbarify?

It is possible to uninstall Taskbarify manually, but tricky installers may cause problems and revert the uninstallation. Also, as I mentioned in the introduction, this app often comes as part of a software bundle and is installed along with numerous other unwanted programs. To get rid of all this in just a couple of clicks, I recommend using GridinSoft Anti-Malware.


A Standard scan will be enough. The GridinSoft program will check the entire system volume, which is where unwanted programs typically reside. Give it time to finish, and your system will be as good as new.

Win32/Wacapew.C!ml Detection Analysis & Recommendations https://gridinsoft.com/blogs/win32-wacapew-cml-detection-analysis/ Wed, 13 Mar 2024 09:28:19 +0000

The post Win32/Wacapew.C!ml Detection Analysis & Recommendations appeared first on Gridinsoft Blog.
Win32/Wacapew.C!ml is a detection that refers to programs with suspicious properties. It can be either a false positive or a detection of a program whose properties and functions border on those of a PUA. Let’s look into this and find out what this detection is.

What is Win32/Wacapew.C!ml?

Program:Win32/Wacapew.C!ml is a heuristic detection designed to detect a suspicious program. However, it is not a specific virus or malware. Microsoft Defender uses this type of detection to identify a wide range of questionable applications. All programs detected with this name typically exhibit suspicious properties. These include the ability to read and modify specific file properties, download data from remote servers, and rename themselves, which may indicate malicious behavior.

Screenshot: Win32/Wacapew.C!ml detection

While these functions are barely enough to be sure about a program’s intentions, when other detection systems can neither confirm nor reject the verdict, Defender falls back to showing the Wacapew.C!ml detection. It is more like “I don’t like this program” than “It is malicious”.

Typical examples of software detected as Wacapew are self-made applications or sketchy applets found on the Web. For instance, Microsoft Defender may flag a Python script converted into an EXE file as Wacapew because it requests admin privileges. Malware creators commonly use this conversion process, hence the suspicion.

Is It a False Positive?

Since a detection name ending in “ml” means an AI-based detection system was used, there is a possibility of it being a false positive. This adds to the blurry definition the Wacapew detection stands for. Normally, other detection systems should reject or confirm the verdict, leading to a different detection name or no detection at all. This, however, is not how it works in this case.

Screenshot: !ml detection false positive

If Microsoft Defender detects a legit program with this name, you can be sure you’re dealing with a false positive. But if you are not sure about the affected file’s origin and authenticity, consider scanning it with our Free Online Virus Scanner. It will analyze the file using its own detection systems and give you a verdict on whether the file is dangerous or not.

Win32/Wacapew.C!ml Examples

The most prominent example of the Wacapew detection is the Ollama AI model installer. Users online reckon that the reason is its similarity to Inno Setup-based installers. Inno Setup is a free installer for Windows programs that uses the eponymous scripting language and allows developers to fine-tune the installation process. Besides Inno Setup installers, antivirus software also detects installation files created with PyInstaller. In this case, the trigger is the lack of a file signature.

Screenshot: Ollama installer detection

Another striking example is users’ own files, such as architectural 3D models created with Enscape. GitHub also contains reports that downloaded files made in this program are detected as Win32/Wacapew.C!ml. In addition to all the above, such detections are not rare in pirated software. Since most of the latter is packaged with the aforementioned Inno Setup and may also have other questionable properties, Microsoft Defender starts showing the detection.

Screenshot: Users’ files detection

As you can see, any file without a proper signature, or with anything about it that may look questionable, may trigger the Wacapew detection. Nonetheless, I would not recommend ignoring the detection completely, as sometimes it can point at a genuinely dangerous app.
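Both this post and the PUA:Win32/Vigua.A post above point at the same first triage step: find out whether the flagged file carries a valid publisher signature, because an unsigned or tampered file is exactly what these heuristic verdicts key on. The following is an added PowerShell example, not Gridinsoft’s code and not Defender’s detection logic; it uses only built-in cmdlets, and the file path is a placeholder you replace with the flagged file. It also prints the SHA-256 hash, which is what you would paste into a second-opinion scanner.

```powershell
# Added example (not from the Gridinsoft post): check the Authenticode signature
# of a file that Defender flagged as Win32/Wacapew.C!ml or PUA:Win32/Vigua.A.
# The path passed in is a placeholder; point it at the actual flagged file.
function Test-FlaggedFile {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Get-AuthenticodeSignature validates the embedded signature against the
    # local trust store; Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $status = $sig.Status.ToString()
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # A valid signature from the expected vendor is the strongest false-positive
    # indicator the post describes; everything else deserves a second opinion.
    $verdict = switch ($status) {
        'Valid'        { 'Signed by a trusted publisher; if the signer is the expected vendor, a false positive is likely' }
        'NotSigned'    { 'Unsigned; matches the profile of files flagged heuristically, get a second opinion before running it' }
        'HashMismatch' { 'Signature present but the file was modified after signing; treat as suspicious' }
        'NotTrusted'   { 'Signed, but the certificate chain is not trusted on this machine; treat as suspicious' }
        default        { "Signature check inconclusive ($status); do not trust the file on this basis alone" }
    }

    [pscustomobject]@{
        File      = $Path
        SHA256    = $hash
        SigStatus = $status
        Signer    = $signer
        Verdict   = $verdict
    }
}

# Usage (placeholder path; replace with the file Defender reported):
Test-FlaggedFile -Path 'C:\path\to\flagged-file.exe' | Format-List
```

Note that a valid signature only tells you who signed the file, not that the program is harmless; the check is useful in the direction the post describes (confirming that a known vendor’s installer was flagged by mistake), while an unsigned result simply means the file needs the second-opinion scan rather than automatic deletion.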

How to Remove Win32/Wacapew.C!ml?

Unfortunately, some users have problems with Win32/Wacapew.C!ml removal. In some cases, Defender fails to remove the malware and keeps showing notifications for files no longer on the device. To make sure your device is clean, I recommend using GridinSoft Anti-Malware. It will detect and remove Wacapew and find other malware. It can also work alongside Windows Defender to create an additional line of defense.


PUABundler:Win32/uTorrent_BundleInstaller https://gridinsoft.com/blogs/puabundlerwin32-utorrent_bundleinstaller-explained/ Tue, 12 Mar 2024 23:03:59 +0000

The post PUABundler:Win32/uTorrent_BundleInstaller appeared first on Gridinsoft Blog.
PUABundler:Win32/uTorrent_BundleInstaller is a Microsoft Defender detection that is associated with the installer of the once popular uTorrent client. It is detected by antiviruses because it contains a fair amount of additional software that is unwanted (PUA). Such programs can pose a security threat to your system. Let’s find out what’s wrong with it.

Why is uTorrent detected as uTorrent_BundleInstaller?

While being totally legitimate in its original form, uTorrent has some pitfalls to avoid. The main issue here is that it comes bundled with other software that is considered adware or potentially unwanted programs. Let’s look at what I’ve found during my research.

When installing the software itself, the application contacts a third-party offer provider before getting the user’s consent:

Screenshot: uTorrent installer contacts a third-party provider

During the installation process, it offers to install several unrelated applications. Apart from being of dubious relevance, their banners do not offer a clear choice between installing and declining. This format is clearly intended to confuse the user and “soft-coerce” the installation. Furthermore, users repeatedly complain about software they never agreed to.

Screenshot: Unrelated software that is offered with the uTorrent installation

In addition to the problems mentioned, there is evidence that uTorrent additionally installed a program called EpicScale. It uses the idle time of your computer’s processor for its own needs. According to the company, the idle capacity is used for solving various mathematical calculations and even mining cryptocurrency.

Large amount of adware

Using uTorrent is often accompanied by a lot of annoying advertising windows and pop-ups. These ads appear not only in the client window but also elsewhere while using the PC. This is not only annoying for the user but can also become a source of malware risk.

Screenshot: Pop-ups distributed by uTorrent

Unwanted programs like those delivered by uTorrent_BundleInstaller can cause problems for users. They are especially known for changing browser settings, displaying advertisements, or collecting data without the user’s consent. In addition, users have reported that ads served by uTorrent used an exploit to install malware.

Security vulnerabilities

In 2018, researchers discovered a vulnerability in uTorrent’s web interface that allowed attackers to remotely execute code on a user’s computer. This could have been used to attack users who downloaded and ran the uTorrent client with open Internet access. The researchers’ own demonstration of the issue was a plain HTTP request to the local web interface:

$ curl -si http://localhost:19575/users.conf
HTTP/1.1 200 OK
Date: Wed, 31 Jan 2018 19:46:44 GMT
Last-Modified: Wed, 31 Jan 2018 19:37:50 GMT
Etag: "5a721b0e.92"
Content-Type: text/plain
Content-Length: 92
Connection: close
Accept-Ranges: bytes

localapi29c802274dc61fb4 bc676961df0f684b13adae450a57a91cd3d92c03 94bc897965398c8a07ff 2 1

Of course, after the wave of complaints from users, this vulnerability was fixed. But nobody guarantees that such an incident will not happen again, especially considering uTorrent’s already dubious reputation.

Three uTorrent Installers – Why and for What?

One interesting fact: on the uTorrent website you can download not one but three different installers, all of the same version. The difference between the web and desktop versions is obvious, but there are two desktop versions. They are downloaded from different links, and the only visible difference is the file size.

Screenshot: Different installers

Perhaps the difference between the three versions of the uTorrent installation file lies in which additional programs or changes are included in each of them. These changes may be minimal and may concern, for example, pre-installed settings or advertising modules included in the client. Considering that their build times differ by mere seconds, they are unlikely to come from different developers. However, even such a small change may allow bypassing detection by some antivirus vendors, or at least change the detection name.

How to remove PUABundler:Win32/uTorrent_BundleInstaller and unwanted programs?

If you have installed uTorrent and clicked through the installation without paying attention to what it offered to install, it is rather probable that you have a lot of unwanted software installed in your system. Consider checking the list of installed apps and browser extensions, and remove anything you do not remember installing. This stuff may be related to PUABundler:Win32/uTorrent_BundleInstaller.

But since the unwanted programs often aim at making manual removal harder, I recommend using GridinSoft Anti-Malware. This program can remove the unwanted software brought by PUABundler:Win32/uTorrent_BundleInstaller effortlessly. Just run a Standard scan and let it finish – it will take care of everything.


What to use instead?

In general, given the risks associated with torrents as a source of software and with uTorrent as an application, I would advise you to exercise caution when using it. Consider choosing from well-established alternatives that won’t monetize through intrusive ads and cryptocurrency mining. I particularly recommend sticking to free open-source programs, as their form allows for more transparency and community control.

  • Deluge is a minimalistic BitTorrent client. It supports many plugins that extend its functionality and has a rather big community that will help out should things go wrong.
  • Transmission is a BitTorrent client known for its ease of use on macOS and Linux. It has a simple interface and rather good performance.

PUA:Win32/Softcnapp Detection Analysis & Description https://gridinsoft.com/blogs/pua-win32-softcnapp/ Mon, 11 Mar 2024 12:20:43 +0000

The post PUA:Win32/Softcnapp Detection Analysis & Description appeared first on Gridinsoft Blog.
PUA:Win32/Softcnapp is a generic detection name of Microsoft Defender, assigned to an unwanted program. It sometimes appears as a false positive detection of a legit app, like the desktop Viber client, the NZXT CAM app, and others. But is it really dangerous? Let’s find out.

What is PUA:Win32/Softcnapp?

PUA:Win32/Softcnapp is a detection name for an unwanted program, coined by Microsoft Defender. It usually denotes a program with actual functionality that nonetheless has some issues that can make it unwanted. For instance, such issues could stem from promotions built into the app’s interface or from offers of additional software. Still, Microsoft does not disclose the exact meaning of its detections, leaving analysts with hypotheses only.

Screenshot: PUA:Win32/Softcnapp detection

Unwanted programs may be applications that have actual functionality but some of whose properties raise questions. Excessive telemetry and advertisements, bundled software installation, intrusions into other programs’ files: although not critical, these things can make the user experience unpleasant. And this is most likely what the Softcnapp detection is meant to notify users about.

PUA:Win32/Softcnapp Viber False Positive

On March 10, 2024, a massive wave of complaints from users appeared, stating that Microsoft Defender had started detecting the desktop Viber messenger client with the PUA:Win32/Softcnapp name. The messenger client had recently adopted a new installer, which is believed to be the culprit. It seems some functionality of the upgrade makes Defender suspicious.

Screenshot: Microsoft Defender detects Viber as Softcnapp

While the program itself is totally legit, a couple of things confused me and made me think the detection is not completely false. Thorough analysis on several different machines shows that Viber’s behavior is not 100% ideal and legit. In particular, the program now offers to install a VPN service without a word about whether this is required or not. Also, some of the frameworks used in the app are not listed correctly, but that is a lesser evil. And overall, this does not look like the reason for the Defender detection to appear.

There are several other legit programs known for being detected with the PUA:Win32/Softcnapp name. Like Viber, they are legitimate, but Microsoft Defender has another opinion. People complain that this detection appears on Miro, NZXT CAM, and even AnyDesk. Hence, more often than not, it is a false positive.

How to Remove Softcnapp detection?

Removing PUA:Win32/Softcnapp may require anti-malware software. When Microsoft Defender shows this detection on Viber or another legitimate app, all you need to do is add the affected program to the whitelist. Usually, Microsoft fixes the false detection in a matter of days. However, the actions are different when you’re not sure about the affected program.

In situations where you cannot tell whether the detected app is legit, I recommend running a scan with GridinSoft Anti-Malware. This effective and easy-to-use program will provide a second opinion and reveal whether you have anything to worry about.


PUABundler:Win32/FusionCore https://gridinsoft.com/blogs/puabundlerwin32-fusioncore-overview-removal/ Fri, 08 Mar 2024 14:44:15 +0000

The post PUABundler:Win32/FusionCore appeared first on Gridinsoft Blog.
PUABundler:Win32/FusionCore is a designation that Microsoft Defender Antivirus uses to detect and remove potentially unwanted programs (PUP) spread by bundling technology. FusionCore is not a stand-alone program; it is a piece of code that can install various unwanted elements such as adware, toolbars, or browser extensions on your computer. Let me show you why it is dangerous and how to remove it.

What is PUABundler:Win32/FusionCore?

PUABundler:Win32/FusionCore is the detection name for a tool used to bundle additional applications with the main one. Initially, it was used to make monetizing free software easier. Nowadays, however, it is mostly used for spreading unwanted software like adware, browser plug-ins, and pseudo-effective apps.

If you see the detection of PUABundler:Win32/FusionCore, it means that a software installer you’ve downloaded is infused with this bundler. Although it is not highly dangerous, having it running in the system is not desirable and can end with malware injection. Because of this, and also because information about such installation methods is hidden from the user, software bundling is considered an unwanted practice.

Is PUABundler:Win32/FusionCore a false detection?

There is always a possibility that an antivirus detection is false. Win32/FusionCore is no exception, and it is particularly known to pop up on Android emulators. One particular app users report problems with is Nox App Player.

Screenshot: Reddit post with complaints about the emulator software being detected as FusionCore

It is not clear whether the app is 100% trustworthy. Some users suppose that this detection is due to the way the emulator displays ads. However, the detection itself is attached to the program’s main executable, which can hardly contain any code matching the FusionCore description.

Win32/FusionCore Threat Analysis

Win32/FusionCore operates in a peculiar way, as it does not cause direct harm to the system. When executed, it installs additional software without the user’s consent, leading to unwanted changes in system settings or behavior. The symptoms of a PUABundler:Win32/FusionCore infection I’ve encountered during the research include:

  • A significant increase in the number of pop-ups and banners that appear when browsing the Internet. These ads began appearing on websites where they were previously absent, disrupting the experience. Such a change is typical of adware activity.
    Screenshot: Examples of unwanted pop-up advertisements
  • Unwanted software brought by Win32/FusionCore permanently changed the browser homepage and default search engine settings. We found that the browser now opens to a different homepage and that search queries are redirected through unfamiliar search engines.
  • The system’s performance and Internet connection bandwidth became noticeably worse due to the large number of junk apps running on it. This is to be expected on a test system that I set up to mirror a weak computer build.
  • Win32/FusionCore itself made unauthorized changes to system settings. In particular, it modified the Windows registry and changed security settings.

How to Remove PUABundler:Win32/FusionCore?

Removing PUABundler:Win32/FusionCore from an infected system requires a comprehensive approach. Here are the steps to effectively remove Bundler FusionCore:


  1. Run a full system scan with reliable antivirus software. We highly recommend GridinSoft Anti-Malware. It can easily detect and remove PUABundler:Win32/FusionCore and related threats.
  2. Reset your browser settings. You can either do this manually through your browser settings or use GridinSoft Anti-Malware to do it for you. With the program, you can reset all your web browsers in just a few clicks, saving you a significant amount of time.
  3. Use caution when downloading and installing programs from the Internet to prevent further infection. Always choose official or trusted sources and avoid unreliable or suspicious sites. In addition, choose the selective or advanced installation mode whenever possible and decline any additional or recommended components that could potentially contain PUPs.
