I Got Malware from Fiverr (Windows 10) — Complete Detection, Removal & Prevention Guide

3/28/2026

I Got Malware from Fiverr (Windows 10) — Complete Detection, Removal & Prevention Guide

Downloading files from freelance marketplaces is part of daily work — but it also comes with hidden risks. Recently, I encountered malware after downloading a file from Fiverr. What looked like a simple tool turned out to be a persistent info-stealer running from AppData.

This guide is a complete, real-world walkthrough: how I detected it, how I removed it safely on Windows 10, and how you can protect your accounts and systems going forward.

⚠️ Quick Summary (TL;DR)

  • Suspicious path:
C:\Users\samad\AppData\Local\24a9d781\unit-cotool
  • Malware added itself to startup (persistence)
  • Likely info-stealer (targets passwords, cookies, sessions)
  • Fully removable with manual cleanup + offline scan
  • Passwords must be changed after removal

🚨 How the Infection Happened

The infection came from a downloaded file (likely an .exe or bundled script). These often appear as:

  • “helper tools”
  • “optimized builds”
  • “cracked utilities”
  • zipped project files with hidden executables

Once executed, the malware:

  1. Extracted itself into a random AppData folder
  2. Created a startup entry
  3. Began running silently in the background

🔍 Key Signs of Malware (What to Look For)

1. Random Folder in AppData

C:\Users\YourName\AppData\Local\24a9d781\
  • Random string folder name = 🚩 red flag
  • Legit apps rarely use meaningless hashed folders like this

2. Suspicious Executable / Tool Name

unit-cotool
  • Not a known software
  • No publisher / no install record

3. Startup Persistence (Critical)

Registry location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder

Entry found:

unit-cotool.lnk

➡️ This ensures the malware runs every time Windows starts

🧠 What This Malware Likely Does

This pattern strongly matches info-stealer malware, which can:

  • Extract saved passwords from browsers
  • Steal session cookies (bypass login)
  • Access autofill data
  • Capture system info
  • Send data to remote servers silently

⚠️ No visible symptoms in most cases.

🧹 Step-by-Step Removal Guide (Windows 10)

Follow these steps carefully.

✅ Step 1: Disconnect Internet

Prevent further data transmission:

  • Turn off Wi-Fi or unplug LAN

✅ Step 2: Delete Malware Files

  1. Press Win + R
  2. Enter:
%localappdata%
  1. Locate and delete:
24a9d781

If deletion fails:

  • Restart in Safe Mode
  • Delete again

✅ Step 3: Remove Startup Persistence

🔹 Registry Cleanup

  1. Open regedit
  2. Navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
  1. Delete:
unit-cotool.lnk

🔹 Startup Folder

  1. Press Win + R
  2. Enter:
shell:startup
  1. Delete any suspicious shortcuts

🔹 Task Manager Startup

  • Open Task Manager → Startup tab
  • Disable unknown entries

🔹 Task Scheduler (Important)

  1. Run:
taskschd.msc
  1. Check for:
  • Random task names
  • Paths pointing to AppData
  1. Delete suspicious tasks

✅ Step 4: Run Microsoft Defender Offline Scan

This step is essential.

  • Open Windows Security
  • Go to Virus & threat protection
  • Click Scan options
  • Select Microsoft Defender Offline scan
  • Restart and scan

This detects hidden malware missed by normal scans.

✅ Step 5: Secondary Malware Scan

Use one additional scanner:

  • Malwarebytes (Free)
  • ESET Online Scanner

Run a full scan and remove all threats.

If your website has been affected or is running slow after cleanup, our SanganiWeb Technical Virtual Assistant service can help restore speed and fix underlying issues.

🔐 Why You Must Change Passwords

Even after removal, your credentials may already be stolen.

Info-stealers commonly access:

  • Email accounts
  • Fiverr / Upwork
  • GitHub repositories
  • Hosting panels (cPanel, Cloudflare, Vercel)

🔑 Priority Order:

  1. Email (most important)
  2. Fiverr / Upwork
  3. Google / Microsoft
  4. Developer tools (GitHub, servers)
  5. Banking (if used on that PC)

Also:

  • Enable 2FA
  • Log out of all sessions

🛡️ How to Prevent This in Future

❌ Never Run Unknown Executables

Avoid:

  • .exe, .bat, .cmd, .scr
  • especially from ZIP files

✅ Ask for Source Code

Instead of tools:

  • Request GitHub repo
  • Review code manually

🔍 Scan Before Opening

Use:

  • Windows Defender
  • Online tools (like VirusTotal)

🧠 Watch for Red Flags

  • Random folder names in AppData
  • No publisher info
  • No official website

💼 For Freelancers (Important)

Even trusted platforms can contain risky uploads.

Best practice:

Treat every downloaded file like it could be unsafe.

📊 Real Impact (If Ignored)

If left untreated, this type of malware can lead to:

  • Account takeovers
  • Unauthorized transactions
  • Website defacement
  • Client data leaks
  • Reputation damage

✅ Final Thoughts

This wasn’t ransomware or a full system compromise — but it was still serious.

The key lesson:

If something installs itself in AppData with a random name and adds a startup entry, treat it as malware immediately.

Acting quickly made the difference.

❓ Frequently Asked Questions

Is this a virus or trojan?

Most likely a trojan-based info-stealer.

Can antivirus remove it completely?

Yes — but only after:

  • Manual cleanup
  • Offline scan

Do I need to reinstall Windows?

Not necessary in this case, if all steps are followed.

Is Fiverr unsafe?

No — but files shared by users can be risky.

🔗 Final Advice

If you’re a developer or freelancer:

  • Stay cautious with downloads
  • Keep your system clean
  • Always verify before executing

Stay safe and keep building.

Comments