Gridinsoft Security Lab

Werfault.exe is a system process used to collect information about program errors, which helps diagnose and resolve issues to improve the user experience. In certain cases, it can repeatedly crash, displaying an error message, and also be used by malware. What is Werfault.exe? Werfault.exe is a Windows Error Reporting (WER) process. It is responsible for handling error reporting in Windows operating systems. WerFault.exe was first released on 11/08/2006 for Windows Vista and is still present in Windows 10 and 11.…

JsTimer is a malicious browser extension detected in various browsers, predominantly targeting users through dubious websites. This extension engages in peculiar behavior by blocking access to the Chrome Web Store, which, although seemingly trivial at first, raises significant concerns when paired with other similarly distributed extensions. Malicious browser extensions are not a novel threat; however, the year 2024 marks a notable resurgence in their use as effective tools in cybercrime arsenals. JsTimer, like the Funny Tool Redirect extension, is notorious…

PUA:Win32/GameHack is potentially unwanted software associated with tools used for hacking games or gaining unfair advantages over other players. This category typically includes cheats, trainers, and other software that injects itself into other processes. PUA:Win32/GameHack Overview PUA:Win32/GameHack is a generic Microsoft Defender detection for potentially unwanted programs (PUAs) associated with cheats or game hacking tools. While these programs are not always truly malicious, they can pose security risks or violate the terms of service of legitimate software. Also, the use…

Funny Tool Redirect is a malicious browser extension that you may see installed in your browser. It spreads through dodgy websites and does a rather unusual mischief: blocking access to the Chrome Web Store. While being not a big deal at a first glance, its unwanted appearance, along with other extensions (like JsTimer) that spread in that way makes the situation concerning. Malicious browser extensions are far from being a new type of threat. Nonetheless, 2024 seems to be the…

Win64/Reflo.HNS!MTB is a detection of a malware sample that aims at stealing confidential information. It usually spreads through game mods and works as quietly as possible. That virus may belong to any malware family, as it is a behavioral detection of a specific action that it does in the system. Win64/Reflo.HNS!MTB Overview Trojan:Win64/Reflo.HNS!MTB is a heuristic detection used by Microsoft Defender to detect a specific type of malware. This malware is a type of spyware and can actively collect sensitive…

Analysis shows a hike in the number of malicious pop-ups that come from Check-tl-ver websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop Check-tl-ver pop-ups. What are check-tl-version pop-up notifications? Pop-up notifications from Check-tl-version sites are a spam campaign that aims to earn money from pay-per-view and pay-per-click advertisements. There is an…

Trojan:PowerShell/CoinStealer.RP!MTB is a detection of Microsoft Defender, that normally flags malware that can steal cryptocurrency wallets. You may see it popping up after downloading a program from the Web or running a dodgy PowerShell script. More precisely, it collects credentials of different applications, and crypto wallets are among its primary targets. The Stealthiness of this malware makes it hard to delete manually, so in this post, I will show you how to remove it. Trojan:PowerShell/CoinStealer.RP!MTB Virus Detection Overview Trojan:PowerShell/CoinStealer.RP!MTB detection…

PUABundler:Win32/DriverPack is potentially unwanted software that claims to install or update drivers. In fact, it floods the system with unwanted software and changes browser settings without the user’s consent. In this post, I will explain the dangers behind this unwanted app and show the ways to remove it from the system. PUABundler:Win32/DriverPack Overview PUABundler:Win32/DriverPack is a detection from Microsoft Defender, associated with the eponymous DriverPack Solution program. Initially, it was a program developed by a Russian author for automatic driver…

“Virus Alert (05261)” is a scam pop-up message you can see on a website that looks like a Microsoft page, but with a strange URL. It tries convincing people about their system being in trouble. As proof of it, they show a banner saying about outdated apps, incorrect privacy settings, and more critical problems. The banner eventually demands calling a helpline, which appears to be a contact of fake tech support. Fake Microsoft support is a rather popular fraudulent scheme,…

Altisik Service is a malicious coin miner that usually installs and runs on the target system without the explicit consent of the PC owner. It disguises itself as a Windows service, which makes it difficult to stop or remove. Let’s have a closer look at how this malware operates and how to delete it from the system. Altisik Service Overview Altisik Service is a malicious coin miner masquerading as a legitimate Windows process. It is used for hidden illegal cryptocurrency…

Movidown is an Unwanted Application that initially mimics a utility for controlling fan speed. However, beneath this shell, it has the capabilities of a dropper malware, which it right away uses to deploy browser hijackers. This functionality, together with the deep access to the system, creates potential risks for much more severe malware to get into the system. Movidown Overview Movidown is a potentially unwanted program (PUA) that markets itself as a utility for controlling fan speeds. But when something…

“Managed by your organization” is a line that appears when the web browser is attacked by browser hijackers. This malware abuses a legitimate Chrome policy to make itself impossible to delete. And it turns out to be pretty effective – without a special approach, all browser plugins remain untouchable after this line appears. In this post, I will show you how to remove the “Managed by your organization” thing with a simple instruction. Managed by your organization – what is…