Adware Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Thu, 12 Sep 2024 18:45:03 +0000

Free-tl Pop-Up Virus
https://gridinsoft.com/blogs/free-tl-pop-up-virus/
Published: Thu, 12 Sep 2024 15:57:07 +0000

Analysis shows a hike in the number of malicious pop-ups that come from Free-tl websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop “Free tl” pop-ups.

What are Free-tl pop-up notifications?

Pop-up notifications from Free-tl sites are a spam campaign that aims to earn money from pay-per-view and pay-per-click advertisements. There is an entire chain of such sites, created by the same group of cybercriminals and existing for the same purpose. The fraudsters behind all this lure people into pressing the “Allow notifications” button that appears as soon as one enters the site. This demand may be framed as a form of captcha, DDoS protection, or the like.

List of domains involved in the scam

URL                   Registered   Scan report
Free-tl-100-a.buzz    2024-09-12   Report
Free-tl-100-b.buzz    2024-09-12   Report
Free-tl-100-c.buzz    2024-09-12   Report
Free-tl-100-d.buzz    2024-09-12   Report
Free-tl-100-e.buzz    2024-09-12   Report
You can conduct your own investigation using our Inspector API by performing a search with the key “Free-tl”.

One particular source of redirections to Free-tl sites is browsing sites with illegal or explicit content. On websites that host pirated movies or games, and on adult sites, clicking anything on the page may trigger a redirection to the scam site that asks you to allow notifications. That twisted form of cooperation is why I warn people against using such sources of software and movies.

Figure: Example of the “Allow notifications” page on a Free-tl site

An interesting thing about the pop-up spam sites is that they work only after the redirection. Simple checks show that opening the scam page requires the correct link: visiting the root domain without the additional URL parameters returns either a 404 error or a boilerplate page saying the domain is for sale.

How dangerous are Free-tl pop-ups?

Once the user allows notifications from one of the Free-tl websites, it bombards them with pop-ups. These notifications appear in the system tray, offering gambling, adult sites, or trying to scare the user by saying the system is infected. Clicking on a pop-up sends the user to a website with questionable content. It is also common to see phishing pages promoted in this way, which is the main concern with this pop-up spam.

Figure: Example of a fake antivirus warning that a “Free tl” site can send

Another angle of the problem is the offer to install questionable software to solve non-existent problems. You might encounter a so-called Microsoft tech support scam page, or a site that pretends to scan your PC and falsely reports hundreds of malicious programs running at the moment. To make it harder for the user to quit, scammers make these sites open in full-screen mode, so there is no visible way out, unless, of course, the user presses the Escape key.

But scams and phishing aside, the key issue with all this is the fact that constant pop-ups are extremely annoying. Because of the way Windows shows notifications, they will appear on top of any app that is currently running. It’s simply hard to concentrate on your task when you constantly hear and see banners popping up one after another. And, well, it will be quite an embarrassing moment when your boss walks by while there is a pop-up with hot girls around you on the screen.

How to remove Free-tl pop-ups?

It is possible to remove the pop-up source manually, through the browser interface. For this, go to your browser settings, find notification settings and remove all the sites that are listed as ones that can send notifications. Reload the browser to apply the changes.

There is also a second step: malware removal. It is possible that the appearance of Free-tl pop-ups is caused by the activity of adware or browser hijackers. These two malware types often cause redirections and may alter web browser settings to suit their needs. For that reason, I recommend scanning the system with GridinSoft Anti-Malware: it will make clear whether there is something malicious on your device or not. Download it, install it and run a Standard scan: this will check the places where such malware typically keeps its files.

Figure: GridinSoft Anti-Malware main screen

Download and install Anti-Malware. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Figure: Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Figure: Removal finished

The post Free-tl Pop-Up Virus appeared first on Gridinsoft Blog.

Check-tl-ver Pop-Up Virus
https://gridinsoft.com/blogs/check-tl-ver-pop-up-virus/
Published: Mon, 02 Sep 2024 15:51:02 +0000

Analysis shows a hike in the number of malicious pop-ups that come from Check-tl-ver websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop Check-tl-ver pop-ups.

What are check-tl-version pop-up notifications?

Pop-up notifications from Check-tl-version sites are a spam campaign that aims to earn money from pay-per-view and pay-per-click advertisements. There is an entire chain of such sites, created by the same group of cybercriminals and existing for the same purpose. The fraudsters behind all this lure people into pressing the “Allow notifications” button that appears as soon as one enters the site. This demand may be framed as a form of captcha, DDoS protection, or the like.

List of domains involved in the scam

URL                        Registered   Scan report
Check-tl-ver-u99-a.buzz    2024-10-09   Report
Check-tl-ver-u99-b.buzz    2024-10-09   Report
Check-tl-ver-u99-c.buzz    2024-10-09   Report
Check-tl-ver-u99-d.buzz    2024-10-09   Report
Check-tl-ver-u99-e.buzz    2024-10-09   Report
Check-tl-ver-u99-f.buzz    2024-10-09   Report
Check-tl-ver-u99-g.buzz    2024-10-09   Report

One particular source of redirections to check-tl-version sites is browsing sites with illegal or explicit content. On websites that host pirated movies or games, and on adult sites, clicking anything on the page may trigger a redirection to the scam site that asks you to allow notifications. That twisted form of cooperation is why I warn people against using such sources of software and movies.

Figure: Example of the “Allow notifications” page on a check-tl-ver site

An interesting thing about the pop-up spam sites is that they work only after the redirection. Simple checks show that opening the scam page requires the correct link: visiting the root domain without the additional URL parameters returns either a 404 error or a boilerplate page saying the domain is for sale.

How dangerous are Check-tl-version pop-ups?

Once the user allows notifications from one of the check-tl-version websites, it starts bombarding them with pop-ups. These notifications appear in the system tray, offering gambling, adult sites, or trying to scare the user by saying the system is infected. Clicking on a pop-up sends the user to a website with rather questionable content. It is also pretty common to see phishing pages promoted in this way, which is the main concern with this pop-up spam.

Figure: Example of a fake antivirus warning that a check-tl-ver site can send

Another angle of the problem is the offer to install questionable software to solve non-existent problems. You might encounter a so-called Microsoft tech support scam page, or a site that pretends to scan your PC and falsely reports hundreds of malicious programs running at the moment. To make it harder for the user to quit, scammers make these sites open in full-screen mode, so there is no visible way out, unless, of course, the user presses the Escape key.

But scams and phishing aside, the key issue with all this is the fact that constant pop-ups are extremely annoying. Because of the way Windows shows notifications, they will appear on top of any app that is currently running. It’s simply hard to concentrate on your task when you constantly hear and see banners popping up one after another. And, well, it will be quite an embarrassing moment when your boss walks by while there is a pop-up with hot girls around you on the screen.

How to remove Check-tl-version pop-ups?

It is possible to remove the pop-up source manually, through the browser interface. For this, go to your browser settings, find notification settings and remove all the sites that are listed as ones that can send notifications. Reload the browser to apply the changes.

There is also a second step: malware removal. It is possible that the appearance of check-tl-version pop-ups is caused by the activity of adware or browser hijackers. These two malware types often cause redirections and may alter web browser settings to suit their needs. For that reason, I recommend scanning the system with GridinSoft Anti-Malware: it will make clear whether there is something malicious on your device or not. Download it, install it and run a Standard scan: this will check the places where such malware typically keeps its files.

Figure: GridinSoft Anti-Malware main screen

Download and install Anti-Malware. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Figure: Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Figure: Removal finished

The post Check-tl-ver Pop-Up Virus appeared first on Gridinsoft Blog.

Movidown Unwanted Application
https://gridinsoft.com/blogs/movidown-pua/
Published: Tue, 20 Aug 2024 14:18:21 +0000

Movidown is an unwanted application that initially mimics a utility for controlling fan speed. Beneath this shell, however, it has the capabilities of a dropper, which it immediately uses to deploy browser hijackers. This functionality, together with its deep access to the system, creates the potential for much more severe malware to get into the system.

Movidown Overview

Movidown is a potentially unwanted application (PUA) that markets itself as a utility for controlling fan speeds. But when something gets 54/74 detections on VirusTotal, you know there is more to the story. In reality, this utility has a darker side: it primarily functions as a loader for browser hijackers and adware. Movidown typically gets onto the computer without the user’s explicit consent, often through deceptive methods such as installers with hidden add-ons, misleading ads, or links on dubious websites.

Figure: Movidown detections on VirusTotal

Once installed, Movidown does more than adjust fan speeds as advertised. It collects basic system information (fingerprinting) and alters browser settings. While it is not a virus in the traditional sense, it can and will disrupt the browsing experience and create phishing risks. Among other things, it leads to frequent redirects to dangerous or malicious sites, including phishing pages, which in turn may attempt to steal personal information or trick the user into downloading actual malware.

Technical Analysis

Let’s have a closer look at how Movidown behaves on a compromised system to better understand its nature. As mentioned earlier, it presents itself as a utility for controlling fan speeds, so some of its actions within the system might seem logical. For instance, the first thing it does after launching is check the system’s hardware for signs of a virtual environment. Malicious programs often perform this check, though it is also normal for hardware management utilities. Movidown checks the following system locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir

This is not an exhaustive list, and such checks can serve both legitimate and malicious purposes; the utility’s need for low-level hardware access would justify them. The further checks are more concerning, though, as the utility also inspects Microsoft Defender settings and files:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
C:\Program Files (x86)\Windows Defender\MpClient.dll
C:\Program Files (x86)\Windows Defender\MpOAV.dll
C:\Program Files (x86)\Windows Defender\MsMpLics.dll

Payload Delivery

Unlike a typical dropper, this unwanted app follows a slightly different scenario. Normally, a dropper connects to a command server, fetches the current configuration, and only then downloads the payload. Movidown, in turn, drops its payload immediately upon activation. It appears to have a configuration embedded in its structure, so all the malicious actions happen without additional steps. It writes a couple of randomly named files to different folders, including C:\ProgramData, a directory that is hidden by default.

C:\ProgramData\jewkkwnf\jewkkwnf.exe
%SAMPLEPATH%\66b9e7f54cf7b_pro.exe

In this case, ExtreamFanV6.exe is the utility itself, while jewkkwnf.exe is the unwanted software, which functions as a browser hijacker with adware components. Although this payload is not fully-fledged malware, technically Movidown could deliver any type of malicious software.

Establishing Persistence

The next step involves the unwanted software establishing persistence both for itself and for the payload it has dropped. For that purpose, it adds itself to startup through a registry Run key and registers the payload with Task Scheduler. It also places copies of its files in several directories across the disk.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6
schtasks /create /f /RU "" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
schtasks /create /f /RU "" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk

The registry key adds the utility to startup, while the two scheduled tasks ensure the payload is launched at every logon (ONLOGON) and every hour (HOURLY), with the highest privileges. It is important to note that while the utility is capable of reading keyboard input, this functionality is not inherently malicious: it is necessary for the operation of hotkeys.
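A defender-side check for the persistence pattern just described, added here as an example (it is not part of the original analysis): it parses schtasks /create lines like the two above, as they appear in a sandbox report or an EDR process-creation log, and scores each on the traits these tasks share. The user-writable directory list, the trigger list, the threshold and the benign comparison task are my own assumptions.

```python
from __future__ import annotations
import re

# Option/value pairs on a schtasks command line: a value is a double-quoted string
# (possibly empty) or a bare token that does not itself start with "/".
OPT_RE = re.compile(r'/(\w+)\s+("[^"]*"|[^\s/]\S*)')

# Directories an unprivileged user can write to (constructed, not exhaustive).
# A task whose binary lives here yet runs at the highest run level is unusual.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

# Triggers that fire very often or at every logon, as in the two tasks above.
AGGRESSIVE_TRIGGERS = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}

# Constructed sample: the two lines from the Movidown write-up plus one benign task.
SAMPLE_LINES = [
    'schtasks /create /f /RU "" /tr "C:\\ProgramData\\jewkkwnf\\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST',
    'schtasks /create /f /RU "" /tr "C:\\ProgramData\\jewkkwnf\\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST',
    'schtasks /create /tr "C:\\Program Files\\Vendor\\Updater.exe" /tn "VendorUpdateCheck" /sc DAILY /st 09:00',
]


def parse_schtasks(cmd: str) -> dict:
    """Map lowercase option names (tr, tn, sc, rl, ru, ...) to their values."""
    return {m.group(1).lower(): m.group(2).strip('"') for m in OPT_RE.finditer(cmd)}


def looks_random(name: str) -> bool:
    """Crude heuristic for generated names such as 'jewkkwnf': long, with very few vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.25


def assess_task(cmd: str) -> tuple[int, list[str]]:
    """Score one 'schtasks /create' line; every matched trait adds one point."""
    opts = parse_schtasks(cmd)
    reasons: list[str] = []
    if any(d in opts.get("tr", "").lower() for d in USER_WRITABLE):
        reasons.append("binary in user-writable directory: " + opts["tr"])
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests highest run level (/rl HIGHEST)")
    if opts.get("sc", "").upper() in AGGRESSIVE_TRIGGERS:
        reasons.append("aggressive trigger: /sc " + opts["sc"])
    if looks_random(opts.get("tn", "")):
        reasons.append("random-looking task name: " + opts["tn"])
    if opts.get("ru") == "":
        reasons.append("empty /RU account string")
    return len(reasons), reasons


def triage(lines, threshold: int = 3) -> list[tuple[str, list[str]]]:
    """Return (task name, reasons) for every line scoring at or above the threshold."""
    flagged = []
    for line in lines:
        score, reasons = assess_task(line)
        if score >= threshold:
            flagged.append((parse_schtasks(line).get("tn", "?"), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LINES):
        print(f"[!] {name}")
        for reason in reasons:
            print("    -", reason)
```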

C2 Connection

During execution, Movidown communicates with several command servers and tries to fetch what appear to be certificates. While this can serve a legitimate purpose, it may also be a way to provide the deployed malware with a certificate, so that it stays under the radar of security software.

TCP 204.79.197.203:443
TCP 77.105.164.24:50505
TCP 23.59.198.43:443
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200

It is also worth noting that this unwanted app contacts a server at 77.105.164.24, which is based in Russia. Neither the software itself nor any information about it on the Web explains this connection, so it is worth keeping in mind.

How to Remove Movidown

Removing the Movidown utility itself is straightforward: you can uninstall it through the standard Windows “Installed apps” menu. However, the unwanted software it installs alongside itself can be more challenging to remove. I recommend using GridinSoft Anti-Malware, as this solution will allow you to remove Movidown in just a few clicks. It will also provide long-term protection against any kind of malicious software, as well as network threats. To remove this unwanted software, follow the instructions below:

Figure: GridinSoft Anti-Malware main screen

Download and install Anti-Malware. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Figure: Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Figure: Removal finished

The post Movidown Unwanted Application appeared first on Gridinsoft Blog.

How To Stop McAfee Pop-ups
https://gridinsoft.com/blogs/mcafee-popups-chrome-stop/
Published: Sat, 29 Jun 2024 08:47:57 +0000

It is good practice to be concerned about safety on the Internet. It is normal when the antivirus software you have installed occasionally sends you a threat alert. However, getting notifications from an application you do not use or have never installed is a reason to think twice. For example, you may have heard of McAfee, which some programs offer to install as additional software, so many people are not confused by alerts from that application. Seeing such notifications too often can negatively affect your online experience. So, let’s review some tips and tricks that help you stop McAfee pop-ups on Chrome.

What are McAfee Pop-ups? Is It McAfee Scam?

Figure: This is what a fake McAfee notice looks like. A web address that differs from the official www.mcafee.com is a red flag

McAfee pop-up notifications can be divided into two types: legitimate ones, which are sent by a browser extension, and fake ones, which are sent by adware installed on the system. But how to stop them? Suppose you have deliberately installed a McAfee browser extension. In that case, it is expected that you will see pop-up notifications from it. On the other hand, if you have no McAfee installed as the app or the browser extensions in Chrome, these are probably fake McAfee pop-ups. Next, we’ll figure out how to disable unwanted pop-up notifications in Chrome and solve the problem of fake notifications.

Figure: “McAfee Subscription Has Expired” scam website
Figure: Fake virus alert from McAfee

How to Stop McAfee Pop-ups on Chrome?

You can use Incognito mode in Chrome, temporarily removing the pop-up notifications from McAfee. However, if you need to block them completely, you can do so in Chrome’s notification settings. Alternatively, you can restore Chrome’s default settings. However, if you need to keep all your saved data and browser settings, we have several other options listed below.

Block notifications from McAfee

First, you can block push notifications from any site in Chrome, including the McAfee site. This is the most straightforward action you can take to hide all pop-up notifications from McAfee.

  1. Click the three vertical dots, then “Settings”.
  2. Click “Privacy and security” ⇢ Site Settings.
  3. Select the “Notifications” option.
  4. Select “Don’t allow to send notifications”.
  5. Click the “Add” button next to the “Not Allowed to Send Notifications” section.
  6. In the “Add Site” window, enter the URL of the website from which you want to stop receiving notifications and click “Add”. In this case, it is the McAfee site.
     Alternatively, click the “Extra Actions” button (three vertical dots) next to the specific site and click “Remove”.
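The notification clean-up above (and the same browser-side step in the Free-tl and Check-tl-ver posts earlier on this page) can also be audited offline. This is an added example, not code from the original post: it reads the notification-permission map in Chrome’s Preferences file, lists the origins still allowed to notify, and flips entries matching the scam domain shapes from those two posts to “block”. It assumes the Preferences layout (profile.content_settings.exceptions.notifications, with setting 1 = allow and 2 = block) and works on a constructed excerpt in place of a real profile.

```python
import json
import re
from urllib.parse import urlsplit

ALLOW, BLOCK = 1, 2  # "setting" values in Chrome's content-settings exceptions (assumption)

# Constructed excerpt in the layout of Chrome's Preferences file; a real file lives in
# the profile directory and holds far more than this.
SAMPLE_PREFS = json.loads(r'''
{
  "profile": {
    "content_settings": {
      "exceptions": {
        "notifications": {
          "https://free-tl-100-a.buzz:443,*": {"last_modified": "13370000000000000", "setting": 1},
          "https://check-tl-ver-u99-c.buzz:443,*": {"last_modified": "13370000000000001", "setting": 1},
          "https://mail.example.com:443,*": {"last_modified": "13370000000000002", "setting": 1},
          "https://news.example.org:443,*": {"last_modified": "13370000000000003", "setting": 2}
        }
      }
    }
  }
}
''')

# Host shapes taken from the domain tables in the Free-tl and Check-tl-ver posts above.
SCAM_HOST_PATTERNS = [
    re.compile(r"^free-tl-\d+-[a-z]\.buzz$"),
    re.compile(r"^check-tl-ver-u\d+-[a-z]\.buzz$"),
]


def notification_exceptions(prefs: dict) -> dict:
    """The per-origin notification permission map, or {} if the profile has none."""
    return (prefs.get("profile", {}).get("content_settings", {})
            .get("exceptions", {}).get("notifications", {}))


def origin_host(key: str) -> str:
    """'https://host:443,*' -> 'host' (the part after the comma is the secondary pattern)."""
    return urlsplit(key.split(",", 1)[0]).hostname or ""


def allowed_hosts(prefs: dict) -> list:
    """Hosts that may currently push notifications into the system tray."""
    return sorted(origin_host(k) for k, v in notification_exceptions(prefs).items()
                  if v.get("setting") == ALLOW)


def matches_known_scam(host: str) -> bool:
    """True for hosts shaped like the domains listed in the two pop-up posts."""
    return any(p.match(host) for p in SCAM_HOST_PATTERNS)


def revoke_matching(prefs: dict, predicate) -> tuple:
    """Copy prefs, flip ALLOW -> BLOCK for hosts predicate() accepts; return (copy, revoked hosts)."""
    new = json.loads(json.dumps(prefs))  # deep copy; the caller's dict stays untouched
    revoked = []
    for key, entry in notification_exceptions(new).items():
        host = origin_host(key)
        if entry.get("setting") == ALLOW and predicate(host):
            entry["setting"] = BLOCK
            revoked.append(host)
    return new, sorted(revoked)


if __name__ == "__main__":
    print("allowed before:", allowed_hosts(SAMPLE_PREFS))
    cleaned, gone = revoke_matching(SAMPLE_PREFS, matches_known_scam)
    print("revoked:", gone)
    print("allowed after:", allowed_hosts(cleaned))
```

Chrome rewrites Preferences when it exits, so apply a change like this only with the browser fully closed and after taking a backup; for a single machine the settings UI steps above remain the simplest route.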

Remove the McAfee Chrome extension

If the first method didn’t work, and you still get the pop-up notifications from McAfee when you open Chrome, chances are that your system is infected by adware. However, to be sure, you can uninstall the McAfee Chrome extension. If necessary, you can always reinstall it later from the Chrome Web Store.

  1. Launch the Chrome app. Click the three dots in the top right corner.
  2. Then select More Tools ⇢ Extensions.
  3. Turn off the McAfee extension toggle.
  4. Restart the Chrome app and make sure the extension is not running. Or, click the “Remove” button on the McAfee extension to remove it from Chrome.

Scan Your System for Viruses

It is possible for malware to force the appearance of the McAfee pop-ups and the consequent Subscription Expired page. In particular, adware and browser hijackers are two malware types that pull this nasty trick particularly often. They bring profit to their masters by sending users of infected systems to unwanted websites, the fake McAfee sites being just one example. To get rid of the malware, an anti-malware scan is needed.

Figure: GridinSoft Anti-Malware main screen

Download and install Anti-Malware. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Figure: Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Figure: Removal finished

The post How To Stop McAfee Pop-ups appeared first on Gridinsoft Blog.

PUA:Win32/Presenoker
https://gridinsoft.com/blogs/pua-win32-presenoker-adware/
Published: Thu, 27 Jun 2024 11:09:30 +0000

PUA:Win32/Presenoker is adware designed to make money by showing intrusive advertisements and collecting data. This malware can take control of your web browser and send you to advertising pages, most of which are questionable and without even a hint of relevance.

It is often disguised as legitimate cracked software, driver finder, or tweaker. This malware can also steal some information.

PUA:Win32/Presenoker Overview

PUA:Win32/Presenoker is adware designed to generate revenue through intrusive advertisements. In addition to malvertising, it can steal users’ data, including search history, cookies, and other sensitive information. Although it collects basic system information, it is only about fingerprinting the system; it does not touch passwords or session tokens. Almost all instances of this malware are connected to websites that redirect users to advertising pages. While some pages it advertises are legitimate, others are questionable, significantly degrading the user experience.

Figure: PUA:Win32/Presenoker detection window

PUA:Win32/Presenoker often spreads under the guise of cracked legitimate software, tricking users and infiltrating their devices without their consent. The malware also masquerades as a laptop driver finder or tweaker. However, almost anything downloaded that is not from an official website can lead to Presenoker infection.

Presenoker Technical Analysis

Let’s break down its behavior based on the analysis of a PUA:Win32/Presenoker sample. As I said above, the malware infiltrates the system under the guise of legitimate software; in our case, it is a free Windows kernel research tool.

Once on the system, the malware seeks persistence. To do so, it performs standard actions: it creates driver files, adds the appropriate registry entries, and obtains the necessary permissions. Among the latter is the ability to modify the kernel to execute programs at system startup.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\bajejyicthbeby.sys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\bhrzxcfdwsfytp.sys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\boalxrinybzftbduk.sys

The malware creates multiple registry entries, one for each file, to ensure its drivers and services are loaded even in “Minimal Safe Mode”, a diagnostic mode of Windows that starts only essential components.
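As an added example (not from the original analysis), the following audits a reg export of the SafeBoot\Minimal key against a baseline, which is how the three random-named driver entries above would stand out. The .reg excerpt and the baseline set are constructed; a real baseline should be exported from a clean machine of the same Windows build.

```python
import re

# Key header of a .reg export for a SafeBoot entry, e.g.
# [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
SAFEBOOT_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\([^\]]+)\]$",
    re.IGNORECASE,
)
# Default value line under such a key, e.g. @="Driver" or @="Service"
DEFAULT_VALUE_RE = re.compile(r'^@="([^"]*)"$')

# Constructed .reg excerpt: a few entries a stock install is expected to carry plus
# the three driver names from the Presenoker analysis above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\bajejyicthbeby.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\bhrzxcfdwsfytp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\boalxrinybzftbduk.sys]
@="Driver"
'''

# Constructed baseline (lowercased entry names). In practice, export SafeBoot\Minimal
# from a known-good machine of the same Windows build and use that set instead.
BASELINE_MINIMAL = {"base", "vga.sys", "windefend"}


def parse_safeboot(reg_text: str) -> dict:
    """Return {(mode, entry_name): default_value} for every SafeBoot key in the export."""
    entries, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = SAFEBOOT_KEY_RE.match(line)
        if key:
            current = (key.group(1).capitalize(), key.group(2))
            entries[current] = ""
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if value and current is not None:
            entries[current] = value.group(1)
    return entries


def unexpected_entries(reg_text: str, baseline=BASELINE_MINIMAL) -> list:
    """Safe Mode (Minimal) entries absent from the baseline, with their declared type."""
    found = parse_safeboot(reg_text)
    return sorted(
        (name, kind) for (mode, name), kind in found.items()
        if mode == "Minimal" and name.lower() not in baseline
    )


if __name__ == "__main__":
    for name, kind in unexpected_entries(SAMPLE_REG):
        print(f"[!] SafeBoot\\Minimal\\{name} ({kind}) is not in the baseline")
```

reg export writes UTF-16 with a BOM, so open a real export with encoding="utf-16" before passing its text to parse_safeboot.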

C2 Communication

Presenoker makes multiple HTTP requests to various URLs, including ww1.epoolsoft[.]com and www.epoolsoft[.]com, suggesting communication with a command-and-control (C2) server. TCP connections are established to several IP addresses on ports 80 and 443, indicating communication with external servers.

TCP 63.143.32.86:80
TCP 64.190.63.136:80
UDP a83f:8110:0:0:6076:c7a:e801:0:53

The malware probably receives adverts through these channels: opening some of these addresses redirects to the advertised websites.

Malicious Advertising

As I said before, the primary purpose of this malware is advertising. These ads often promote online scams, unreliable or hazardous software, and malware. When clicked, some ads can execute scripts that install or download software without the user’s consent.

In rare cases, users will see what looks like a legitimate internet search website like Yahoo or Bing, but with changed results. The URLs below are the intermediary sites that appear in the URL bar during this redirection. It looks like they gather the information about the search queries and God knows what else.

http://www.epoolsoft.com/PCHunter_StandardV1.56=DE8D8650A2322F6FBD61DC24EA6CE9703EDC1C1ABBA4523E236D3DE26CFD2B49C08503DEEA5AEDF515739967BDA959FD
http://ww1.epoolsoft.com/?sub1=39aa0efd-0311-11ef-af09-729c7805264a
http://www.epoolsoft.com/pchunter/pchunter_free

This website contains links that, when clicked, redirect you through adsensecustomsearchads.com.

Figure: Redirect address

Defense Evasion

The malware may use IsDebuggerPresent and SetWindowsHookExW to evade detection and employ hooking techniques. The PE file has a section other than .text that very likely contains compressed code (its zlib compression ratio is below 0.011). It also checks for debuggers, including by window names, inspects unique hardware and firmware identifiers, and can detect virtual machines. Moreover, it may use evasive loops to hinder dynamic analysis and check whether the current process is being debugged.

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

As the name says, these keys contain BIOS information. That is enough data to understand whether the system is a virtual machine or some other modified environment.

How To Remove PUA:Win32/Presenoker?

To remove PUA:Win32/Presenoker you need to use a powerful antimalware solution. GridinSoft Anti-Malware will be an excellent choice to clean your system from unwanted software. In addition to cleaning, this solution will prevent future infections on your device.

Figure: GridinSoft Anti-Malware main screen

Download and install Anti-Malware. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Figure: Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Figure: Removal finished

Advanced Window Manager (https://gridinsoft.com/blogs/advanced-window-manager/, published Mon, 20 May 2024 15:57:49 +0000)

The post Advanced Window Manager appeared first on Gridinsoft Blog.
Advanced Window Manager is potentially unwanted software that floods the user’s system with advertisements. It pretends to be a tool that adds new functionality to Windows, but in fact redirects search queries, tracks the user’s Internet activity and shows advertisements. Typical distribution channels for this program are software bundling and malvertising.

Advanced Window Manager Overview

Advanced Window Manager is an unwanted, adware-like program. Despite positioning itself as a useful utility, its main task is to bombard the user with ads, and the things it advertises are most often fraudulent or malicious, putting the user at serious risk. Clicking on the promotions this Window Manager shows may redirect the user to a rogue website that silently downloads other potentially unwanted software.

Advanced Window Manager file screenshot
Advanced Window Manager file

Another undeclared feature is collecting information about a user’s Internet activity. This data includes search queries, entered URLs, geodata, and IP addresses, which will then be sold to third parties. Advanced Window Manager is usually distributed as add-on software in bundles of other programs. Since the software is not very stealthy, the user can see the process (or several) in the Task Manager.

Detailed Analysis

Let’s analyze how Advanced Window Manager behaves in the system to understand its true nature. It arrives through an installer that runs before the program the user actually wanted and does some basic system checks. During installation, the unwanted software extracts the following files to a temporary folder:

C:\Users\Admin\AppData\Local\Temp\7zS4E1438CD\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zS4E1438CD\libcurlpp.dll
C:\Users\Admin\AppData\Local\Temp\7zS4E1438CD\libstdc++-6.dll
C:\Users\Admin\AppData\Local\Temp\7zS4E1438CD\libcurl.dll

It also loads or writes the following files. The first two are legitimate Windows components the installer relies on; the last two are further stages it drops into a second temporary folder:

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll
%WINDIR%\System32\rundll32.exe
C:\Users\AppData\Local\Temp\7zSC8C4B203\metina_5.exe
C:\Users\AppData\Local\Temp\7zSC8C4B203\metina_6.exe

Installation

Once installed, Advanced Window Manager (sample on VirusTotal) starts performing its main task: flooding the user’s system with ads. It first reads the following registry values. The first one holds the Windows region setting (Geo\Nation), which it uses to pick “relevant” offers for the victim’s country; the other two are routine reads of the input-method and DNS client policy settings.

\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\Ime File
\Registry\Machine\Software\Policies\Microsoft\System\DNSclient

After that little check, the malware connects to its command server. In my case, one of the requests that followed the original connection installed an unwanted program called Ultra Media Burner. It most likely depends on the results of the aforementioned geolocation check.

GET http://limesfile.com
GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/UltraMediaBurner.exe
GET http://estrix.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139

Additional Checks & Persistence

Being a rather ordinary adware sample, Advanced Window Manager performs a series of checks to determine the system’s location. By reading several registry keys, it obtains DNS client and network policy information. It is unlikely to have any sort of geofence, so this data is mainly needed to target the advertisements correctly.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\InterfaceSpecificParameters\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

The sandbox log also shows writes to the following service keys. These are not the adware’s own persistence: MpKsl followed by eight hex digits is the naming pattern of Microsoft Defender’s kernel scan driver service (MpKslDrv.sys), which Defender creates on the fly while it scans and removes afterwards, so these entries are noise from the analysis host. The persistence that is actually observed is a scheduled task that relaunches the program, shown in the screenshot below.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKsl9a97d018\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKslcbc6775c\Parameters

Scheduler screenshot
Advanced Window Manager adds itself to the Scheduler
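
As an added example (not code from the Gridinsoft post), here is how to audit scheduled tasks after an infection like this one: it parses the CSV that schtasks /query /fo CSV /v prints and flags every non-Microsoft task whose action runs from a user-writable directory. The CSV embedded below is constructed, with invented task names and only the columns the check needs.

```python
# Added example, not code from the Gridinsoft post: audit scheduled tasks the
# way you would after an adware infection, flagging tasks whose action lives in
# a user-writable directory. Parses the CSV that `schtasks /query /fo CSV /v`
# prints on Windows; the sample CSV below is constructed for offline use.
import csv
import io
import re
import subprocess
import sys

# Directories legitimate software almost never runs from (heuristic).
SUSPICIOUS_DIRS = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|AppData\\Local|ProgramData|Users\\Public|Downloads)\\",
    re.IGNORECASE,
)
# Tasks in the \Microsoft\ namespace are Windows' own and are skipped.
SAFE_PREFIX = re.compile(r"^\\Microsoft\\", re.IGNORECASE)


def parse_schtasks_csv(text):
    """Turn `schtasks /query /fo CSV /v` output into a list of dict rows.
    The verbose output repeats the header line before each task folder,
    so rows that look like a header are dropped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") == "TaskName":
            continue
        rows.append(row)
    return rows


def suspicious_tasks(rows):
    """Return (task name, command) pairs whose action runs from a user-writable path."""
    hits = []
    for row in rows:
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "")
        if SAFE_PREFIX.match(name):
            continue
        if SUSPICIOUS_DIRS.search(action):
            hits.append((name, action))
    return hits


def audit_live_system():
    """Run schtasks on Windows and return the suspicious entries; None elsewhere."""
    if sys.platform != "win32":
        return None
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True, check=True).stdout
    return suspicious_tasks(parse_schtasks_csv(out))


# Constructed sample (real output has many more columns; DictReader copes with that):
# a Windows task, a vendor updater under Program Files, and an adware-style task
# launching the dropped installer from the user's Temp folder.
SAMPLE_CSV = '''"HostName","TaskName","Status","Author","Task To Run","Run As User"
"PC1","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"
"PC1","\\ExampleVendorUpdate","Ready","","C:\\Program Files (x86)\\ExampleVendor\\update.exe /check","SYSTEM"
"PC1","\\WindowManagerUpdate","Ready","Admin","C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS4E1438CD\\setup_install.exe /silent","Admin"
'''

if __name__ == "__main__":
    hits = audit_live_system()
    if hits is None:
        hits = suspicious_tasks(parse_schtasks_csv(SAMPLE_CSV))
    for name, action in hits:
        print(f"SUSPICIOUS {name}: {action}")
```

Anything it prints deserves a look with schtasks /query /tn "<name>" /xml, which shows the full trigger and action, before you delete the task with schtasks /delete /tn "<name>".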

Advertising, Search Redirects and Browser Hijacking

After all the preparations, Advanced Window Manager starts acting as adware or a browser hijacker. The most common scenario after installing this kind of software is browser hijacking: the PUA changes the homepage and default search engine to the one it is paid to promote (usually Bing or Yahoo), or to a no-name engine such as Chromstera. In this case, all queries go through that service, and the forced change holds until the first restart of the browser.

Suspicious ads in the browser screenshot
Suspicious ads in the browser

In addition to irrelevant search results, adware fills pages with ads and pop-ups, which makes it very difficult to use. The third aspect of a browser hijacker is collecting telemetry about the user. Although such software does not usually steal passwords or other sensitive information, it redirects all search queries through its server, thereby collecting general analytics about the user.

How To Remove Advanced Window Manager?

To remove Advanced Window Manager, you should use an advanced anti-malware tool. GridinSoft Anti-Malware is a great option. Run a Full scan, wait for it to finish, and follow the prompts.


You may also need to reset your web browsers. To do this, open the Tools tab and select Reset Browser Settings. In addition, I recommend that you enable the Internet security module, which protects against Internet threats. To do this, go to the Protect tab and activate the Internet Security checkbox.

Scareware: How to Identify, Prevent and Remove It (https://gridinsoft.com/blogs/what-is-scareware/, published Tue, 14 May 2024 18:50:38 +0000)

The post Scareware: How to Identify, Prevent and Remove It appeared first on Gridinsoft Blog.
Scareware is a widespread Internet fraud scheme that intimidates victims into buying unnecessary or harmful software, taking advantage of their ignorance. It usually exploits the fear of having a computer virus on the machine and persuades users to purchase fake security software. Here we’ll look at how this scam works and how not to get fooled by it. Among other things, we’ll touch on the threats associated with scareware.

What is Scareware?

Scareware is a scam that plays on the fears of inexperienced users. Although classic self-replicating computer viruses are largely a thing of the past, and you will hardly catch one nowadays even if you try, they remain a horror story for people. And the less you know about a threat, the easier it can scare you.

Both trustworthy and scam security products are promoted via advertising. An advertisement for a good solution will respect the customer and stress the qualities and features of the promoted program. At worst, it will explain that there are many threats out there on the Web and every endpoint needs protection. Scareware, on the contrary, will try to convince you that your computer is already infected with malware. Moreover, the pushy ads will insist on immediate installation of the program they represent, as if it were the last chance to cure your PC.

Scareware Banner
An example of a flashing scareware pop-up banner.

The profitability of the scheme is understandable. People get scared, buy the program and feel like the defenders of their computer system. Perhaps later, the apprehension will come that they just threw away their money, but they will no longer be able to get it back. There are usually many victims of such deception, and that is the very thing on which the scam relies.

Sadly, losing money is not the worst thing that can happen. Sometimes such malvertising is used as a filter: whoever fell for it definitely does not have a real antivirus. Accordingly, the people who make a business of distributing adware and malware can safely install a bunch of harmful programs on the victim’s device.

How Scareware Works

It all starts with a person suddenly seeing an advertising banner on some website. The banner itself looks like an automatic notification. Novice users may not even understand that they are dealing with an advertisement.

The message usually says that a scan of the user’s computer was carried out, which found infection with dangerous malware. Already here, a knowledgeable person could have laughed because not only is it impossible to scan the device so quickly, but it would also be problematic to do it remotely without preliminary procedures.

But the charlatans deal with inexperienced people and therefore continue their psychological attack. The banners usually include very serious-looking malware names, tables, codes, etc. The more serious the picture looks, the stronger the effect. In every respect, the message tries to look automatic. You may see, for example, the caption “threat level: high”, as if the same widget could ever show a reassuring “low”.

Scareware Fake Scan Results
Scareware often renders fake scan results with frightening namedropping.

Such schemes are generally built on a series of psychological techniques. Intimidation is only the first of them. The use of colors plays with the victim’s emotions. Red stands for anything related to threats. As soon as the “rescue” program enters the scene, a soothing blue or green color appears. This feeling of possible safety encourages the user to make a purchase. In addition, the price is low. Most scareware schemes rely on the possibility of quick payments combined with a vast number of buyers.

Alternative Scams

There are also more time-consuming schemes for the crooks. For example, they might launch a massive campaign offering free device scans. To get one, the user must first download the software, whose functionality will be limited until the program is purchased. To make sure that payment happens, the scan produces frightening results. This approach counts on more educated users.

By the way, the scope of scareware is not limited to the security sector. You can imagine other types of scareware, such as cleaners, that will scare users by saying: “look, a little more, and your system will get so clogged with the garbage that the device will start freezing.” The advertised program will be able to delete unused applications, temporary files, etc.

The programs in question can remain completely fake without an iota of the promised functionality. All “treatment” of the device, just like the initial intimidation, can be just a visual effect.

What are The Threats?

Theoretically, a scareware victim could get lucky, and the only problem would be the wasted money. But more often than not, a deceptive program leaves an unpleasant payload behind. Its severity varies and corresponds to the danger of the unwanted or overtly malicious software that scareware fetches onto the victim’s computer. In most cases, installing a scareware application will at least slow the PC down. We assume that scareware developers want a profit beyond the price of the application itself.

This goal implies infecting the device with either of the malware types:

  • Adware is a class of relatively harmless unwanted applications. They flood users with ad banners, modify browser settings, inject ad links into web pages, etc.
  • Spyware is a more significant threat. Hidden software collects information about the system and the user’s activity and sends it to people who can profit from it.
  • Miners are programs that steal the computing resources of the victim’s machine and throw them at mining cryptocurrency (for somebody else, of course). The victim will also be surprised by the electricity bill.
  • Cybercriminals can add the infected device to a botnet, a controlled network of machines used to perform certain activities on the web unbeknownst to the user.
  • Ransomware is probably the worst case. This malware encrypts all data files on the victim’s computer, and the only chance to get them back is to buy a key from the racketeers.

Criminals can drop many other types of malware into the unaware victim’s system. However, those are more suitable for targeted attacks and require hackers’ special attention. The malware mentioned above can work and bring profit automatically.


How not to be fooled by scareware?

  • Install modern antivirus software. GridinSoft Anti-Malware is one of the best solutions on the market due to its combination of technical efficiency and cost-effectiveness. Its detection databases are updated regularly, so whichever malware becomes known in the wild, Anti-Malware will know how to deal with it. The program can perform deep scanning, work in on-run protection mode, and guard your Internet browsing.
  • Know the scam before you meet it. Scareware schemes work only because of people’s ignorance. You don’t need to be a hacker or even an advanced user; a simple introduction to safe Internet use from someone more experienced is enough.
  • Don’t visit dubious websites and avoid clicking on ad banners altogether. You will hardly encounter malicious advertising, which scareware surely is, on trustworthy websites like Google, YouTube or Facebook. It’s not that you should limit your surfing to these three sites, but they can serve as an example of what a trustworthy website looks like. As soon as you see ad banners popping up all around you, flashing and glaring, proceed with great caution if you need to proceed at all.
  • Install ad-blocking software. It comes as a browser extension that stops advertising banners from rendering. It might save you a lot of nerve cells.
  • If you happen to buy a scareware product, make sure you remove it as you would remove any application. In Windows, open Start > Settings > Apps > Apps & Features, choose the app you want to remove, and select Uninstall. After removing the scareware, run an antivirus scan to get rid of any accompanying malware.

Pornographic Virus Alert From Microsoft (https://gridinsoft.com/blogs/pornographic-virus-alert-from-microsoft/, published Tue, 14 May 2024 13:11:10 +0000)

The post Pornographic Virus Alert From Microsoft appeared first on Gridinsoft Blog.
Microsoft shows you a banner stating that your PC is infected with a “Pornographic virus”? It seems that someone wants to involve you in a popular online tech support scam called “Pornographic virus alert from Microsoft”.

But how can they do it with a single banner? That article will show you the whole mechanism and will also explain why this notification appears so obsessively.

Pornographic virus alert from Microsoft: How it works and why is it malicious?

One day, after opening the browser, you may see a banner that says your PC is infected with awful viruses. As the name of this alert suggests, it also claims that the virus got onto your PC from pornographic websites. To eliminate this malware, “Microsoft” offers you to contact its support at the number specified in the text, and assures you that you cannot fix your computer without calling. Here is the first suspicious element: for a patched browser, the times when a virus could get onto the PC simply by opening a website are largely gone.

That was possible in the early 2000s, when browsers were immature and full of vulnerabilities, some of which allowed a page to start a file download and installation without the user’s consent. But hold on, there are more interesting moments.

Pornographic virus alert from Microsoft banner
The appearance of pornographic virus alert from Microsoft banner

Calling the support as a sign of the malevolency of this banner

The first thing is the phone number the banner presents as the official Microsoft helpline. It is completely different from the one published on the Microsoft website. When you call it, a “support agent” will offer to take remote access to your PC. Sometimes such access is genuinely needed, for example when some program component misbehaves on a specific PC configuration. But when the viruses have supposedly already been detected, as the banner says, the need for a remote connection to your PC is very questionable.

Finally, things get really ridiculous. The “support” checks your PC and then says that you really do have a lot of viruses. To remove them, you need to install the perfect solution they can offer you only today: an unknown (or low-trust) antivirus. They may send you a link or even install it themselves over the remote session. Installing unknown software is never a pleasant experience, and all these strange moments show that this thing cannot be trusted. Usually, the program this “support” offers is typical scareware: it mimics an antivirus app and shows you tons of false detections.

The total possible danger of pornographic virus alert from Microsoft

Let’s count. The first danger is remote access itself. Whoever gets the ability to manage your PC can do literally everything: delete your files, modify your settings, install any programs from any sources. Granting remote access must always be weighed carefully because of the risks it carries, yet a lot of users ignore that rule and give access to anyone who offers help.


Moving on. Scareware may look like a harmless but annoying app. But let it stay active in your system for about 30 minutes and you will no longer be able to use the PC as usual: this unwanted program randomly blocks elements of important applications. To remove these “malicious and vulnerable items”, you are asked to purchase the full version of the pseudo-antivirus. Moreover, you often can’t uninstall it the usual way through the application list; manual removal or an anti-malware tool is the only option.

Scareware blocked the Photoshop
Example of Scareware

Danger #0. Source malware.

And the last one, which should really be the first. I have not yet mentioned the initiator of the whole event: adware. The pornographic virus alert from Microsoft cannot appear on your PC by itself; on an untouched system the browser would not load that page on its own. So it is reasonable to conclude that something changed your browser configuration or networking settings to show you this banner every time you open the browser. Adware is the kind of unwanted program that usually does exactly that, which is why I assume it is present. The way it got onto your PC may vary, and you can read the removal guide in this post. Fortunately, adware is easily removed with anti-malware software.

The thing you can do to get rid of the banner right now is to close the browser window (through Task Manager if it refuses to close) or reboot the PC. Radical, but effective against this sort of scam. Usually the banner has no “close” button in the top right corner. Don’t worry: the notification that “Microsoft Locked This Computer” is a 100% lie; neither viruses nor companies can lock your computer through a web page in Chrome. To prevent the banner from appearing, avoid dubious sites. Torrent trackers and sites for downloading YouTube videos may redirect you to other pages, and this nasty thing is among them.

PUA:Win32/Conduit (https://gridinsoft.com/blogs/pua-win32-conduit/, published Mon, 06 May 2024 14:46:26 +0000)

The post PUA:Win32/Conduit appeared first on Gridinsoft Blog.
PUA:Win32/Conduit is a potentially unwanted application that performs suspicious activity with the browser. It changes the homepage and search engine and installs extensions. It is distributed through hacked software or under the “recommended software” guise.

PUA:Win32/Conduit Overview

PUA:Win32/Conduit (also goes by PUAAdvertising:Win32/Conduit) is a potentially unwanted application belonging to Conduit Search. One of Conduit’s characteristic features is unwanted activity on the user’s device. It installs additional software and changes current web browser settings without the user’s knowledge, which makes it a typical representative of a browser hijacker. At the same time, it is not easy to remove all this.

PUA:Win32/Conduit detection window screenshot
PUA:Win32/Conduit detection window

Conduit PUA usually changes the browser’s homepage and search engine to search.conduit[.]com without the user’s consent. It also installs a toolbar in some browsers, which can lead to unsolicited redirects to websites containing adverts or malware. In addition, Conduit often collects information about a user’s online activity, such as the history of websites visited, search queries entered, etc. As a result, this information may be used without the owner’s permission for fraudulent purposes or shared with third parties.

Technical Analysis

Let’s see how this infection behaves, using the example of a sample that masquerades as a ScreenHunter screen capture application.

The sample, %SAMPLEPATH%\19a6fab0b940ce5a1334a9ec80aeae1e1d585a15d9eccc5cbc75ec972edd1269.exe, accepts command line arguments that control its behavior. It resolves most of the Windows API functions it needs at runtime rather than through the import table, which leaves static analysis with little to go on.

Persistence And Privilege Escalation

Next, the malware creates the following registry key:

HKEY_CURRENT_USER\Software\Wisdom-soft\toolbar

This is not an autostart location but a configuration key, named after the legitimate publisher of ScreenHunter that the sample impersonates. Persistence comes from elsewhere: the malware places files in the Windows Startup folder so they run at every logon, and (see below) registers itself as an Internet Explorer extension. Attempts to load DLLs that are not present on the system can also be observed, which may be a fallback for optional functionality or an anti-analysis check. It dropped the following files into the %USERPROFILE%\AppData\Local\Temp\ folder:

~GLH0002.TMP
GLCAB3D.tmp
GLKAB48.tmp
GLH0007.TMP
GLC46CA.tmp

Conduit creates a process in suspended mode, suggesting code injection techniques for more stealthy execution. This tactic is often used by dropper malware.

Defense Evasion

As for evading detection, it is standard fare for unwanted apps: Conduit XOR-encodes its data to obfuscate strings and configuration, and it is packed, so the executable on disk is compressed and encrypted, which makes static analysis and signature detection harder.

Unwanted Activity

The sample installs an Internet Explorer URL search hook, which lets it see and rewrite what the user types into the address bar, so browsing habits or even sensitive input can be captured. It then registers a toolbar and a Browser Helper Object (BHO), which load its code inside every Internet Explorer process. Such modifications lead to unwanted browser behavior: redirections, intrusive advertisements, and exposure of user data.

Conduit toolbar and homepage screenshot
Conduit toolbar and homepage

Additionally, by modifying registry keys and values that belong to the web browser, Conduit malware adds one more layer of persistence and detection evasion. These tricks allow the unwanted program to keep working even if something deletes the files from autostart values/folders. To achieve this, malicious program plays with the following registry keys:

HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS
HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS

How To Remove PUA:Win32/Conduit?

To remove PUA:Win32/Conduit, it is best to use an advanced solution. GridinSoft Anti-Malware is the best option because, in addition to removing unwanted software, it will reset web browsers in a couple of clicks. Moreover, GridinSoft Anti-Malware will provide your device with proactive protection.


SMApps Virus (https://gridinsoft.com/blogs/smapps-virus/, published Tue, 09 Apr 2024 10:40:16 +0000)

The post SMApps Virus appeared first on Gridinsoft Blog.
SMApps is a malicious program that aims at spreading illegal promotions. It mainly attacks browsers by changing settings and redirecting search queries from Google to suspicious sites. Possible distribution methods are standard: malicious adverts and dodgy sites with hacked software.

This malware uses different detection evasion, anti-analysis, and persistence tactics. Although primarily positioned as adware, it can deliver other adware-like applications and log keystrokes.

Personal cybersecurity is more important than ever. GridinSoft Anti-Malware will remove present threats and shield your system against possible new ones. 👉🏼 Get yourself proper protection

SMApps Overview

SMApps is malware that falls under the designation of adware and browser hijackers. This malware mainly targets altering web browser settings, mainly ones around search engines and homepages. After typing a search query on Google.com, a redirect to Bangsearch[.]pro occurs instead of the expected search results.

Registry keys screenshot
Registry entries of SMApps

Aside from Bangsearch, SMApps can promote literally any other engine, depending on who pays. Even when it throws the user to Yahoo or Bing, the results appear to be altered and may contain harmful content. In addition, fake search systems often collect sensitive user data, to a much bigger extent than more usual search providers.

At first glance, it may appear to be just annoying, as the majority of adware viruses. However, this is different. Detailed analysis has shown that SMApps can steal sensitive information from the victim’s device and redirect search queries. It can capture keystrokes, collect process information, and install additional payload (usually other adware). This thing’s removal is tricky regardless of the infection path because the malware uses various tricks to avoid this. I’ve made my analysis of this threat, finding all the tricks it does in the infected system – you can see it below.

Pop-ups Smapps
Pop-up notification spam – one of the outcomes of SMApps

The key spreading places for the SMApps virus are websites that distribute hacked software, and malicious ads. Shady pages with add-ons or mods for popular games contribute to its spread as well. Moreover, this thing can spread by itself by copying its files to USB drives, effectively acting like a worm, so be careful with what you plug into your USB port.

Technical Analysis

It was not hard to retrieve a sample of SMApps; malware analysis platforms are full of them. This one was some kind of hack for Roblox, which matches what I’ve found about its spreading ways. Let’s peek into its internals and in-system activities.

Initial Access

Once running, SMApps fingerprints the system through Windows Management Instrumentation. Two queries stand out: one lists the video controller, whose name on a virtual machine gives the hypervisor away (VMware SVGA, VirtualBox Graphics Adapter and the like), and the other lists the antivirus products registered with Windows Security Center. Together they serve both as reconnaissance and as an analysis/VM evasion step:

IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

This is often done to detect virtual machines. It also queries the firmware table information and checks if the current process is being debugged. Additionally, it queries disk information to detect virtual machines. To hinder dynamic analysis, the program may contain medium and long sleep (>= 30 seconds and >= 3 minutes respectively) and use evasive loops.

Persistence & Privilege Escalation

SMApps gains persistence via creating or modifying Windows services, registry run keys, and startup folders.

It calls Windows Installer to arrange its further execution, hiding the installer window via command-line arguments:

"C:\Windows\system32\msiexec.exe" /I "C:\Users\\AppData\Local\Temp\tmphphvtapd" /qb ACCEPTEULA=1 LicenseAccepted=1

To strengthen persistence and gain additional privileges, the program invokes the Windows Error Reporting service. This trick is rather popular these days, as it abuses the ability to relaunch a process with elevated privileges without showing a UAC prompt.

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7280 -ip 7280
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3300 -ip 3300
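The three behaviours above (paired WMI fingerprinting queries, a quiet msiexec install from %Temp%, and WerFault.exe being pointed at the same process) are more convincing together than apart. The following is an added example of how a defender might correlate them over a process trace; it is not code from the original post or from Gridinsoft. The event rows, the pids, the username in the path and the benign inventory-agent events are all constructed for the example, and the trace format (pid, kind, detail) is an assumption standing in for whatever a sandbox or EDR actually emits.

```python
import re
from collections import defaultdict

# Constructed sample trace (not from the original post). One row per
# behaviour event, mimicking a sandbox or EDR process trace.
# Fields: pid, kind ("wmi" or "proc"), detail (query text or command line).
SAMPLE_EVENTS = [
    (7280, "wmi", r"ROOT\cimv2 : SELECT * FROM Win32_VideoController"),
    (7280, "wmi", r"ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct"),
    (7280, "proc", r'"C:\Windows\system32\msiexec.exe" /I "C:\Users\alice\AppData\Local\Temp\tmphphvtapd" /qb ACCEPTEULA=1 LicenseAccepted=1'),
    (7280, "proc", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7280 -ip 7280"),
    # Benign-looking activity from a hypothetical inventory agent, for contrast.
    (1000, "wmi", r"ROOT\cimv2 : SELECT * FROM Win32_OperatingSystem"),
    (1000, "proc", r'"C:\Windows\system32\msiexec.exe" /I "C:\Installers\app.msi"'),
]

# WMI classes commonly read together to fingerprint a host and spot a VM;
# the first two are the ones seen in the SMApps trace, the rest are the
# disk and firmware checks the post mentions.
FINGERPRINT_CLASSES = {
    "win32_videocontroller", "antivirusproduct", "win32_diskdrive", "win32_bios",
}

WMI_CLASS_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)
MSIEXEC_RE = re.compile(r'msiexec\.exe"?\s+.*?/i\s+"?([^"\s]+)', re.IGNORECASE)
QUIET_RE = re.compile(r"\s/q[bnr]?\b", re.IGNORECASE)
WERFAULT_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)", re.IGNORECASE)


def classify_wmi(detail):
    """Return the queried WMI class name in lower case, or None."""
    m = WMI_CLASS_RE.search(detail)
    return m.group(1).lower() if m else None


def is_temp_quiet_install(cmdline):
    """True for msiexec installing a package from %Temp% with a quiet UI flag."""
    m = MSIEXEC_RE.search(cmdline)
    if not m:
        return False
    package = m.group(1).lower()
    return "\\appdata\\local\\temp\\" in package and bool(QUIET_RE.search(cmdline))


def analyze(events):
    """Map pid -> list of findings, correlating the three behaviours."""
    wmi_by_pid = defaultdict(set)
    findings = defaultdict(list)
    werfault_targets = []

    for pid, kind, detail in events:
        if kind == "wmi":
            cls = classify_wmi(detail)
            if cls in FINGERPRINT_CLASSES:
                wmi_by_pid[pid].add(cls)
        elif kind == "proc":
            if is_temp_quiet_install(detail):
                findings[pid].append("quiet msiexec install from %Temp%")
            m = WERFAULT_RE.search(detail)
            if m:
                werfault_targets.append((pid, int(m.group(1))))

    # A single inventory query is normal; two or more VM/AV probes from the
    # same process is the fingerprinting pattern.
    for pid, classes in wmi_by_pid.items():
        if len(classes) >= 2:
            findings[pid].append(
                "host fingerprinting via WMI: " + ", ".join(sorted(classes)))

    # WerFault.exe itself is ubiquitous; it only matters when its -p target
    # is a process that was already flagged by the rules above.
    for _launcher, target in werfault_targets:
        if findings.get(target):
            findings[target].append(f"WerFault.exe launched for flagged pid {target}")

    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The correlation step is the point: each rule alone produces noise on a real fleet (installers legitimately use `/qb`, crash reporting legitimately spawns WerFault.exe), but a process that probes the video adapter and the AV registration, then runs a quiet installer out of %Temp% and gets a WerFault.exe launched against it, is the pattern the post describes.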

Command Server Connection, Additional Installations

For communication with its C2, SMApps uses the FTP protocol and a list of predetermined addresses to connect to. In my case, 162.250.124.82:21 was the primary server. The connection itself did not produce much of interest in the logs: the malware just sends information about the infected system. More interesting things surfaced, however, after letting the sample run in the background.

As I said above, SMApps can act as a dropper. It dropped two files after installation:

IdealWeightOperator.exe
IdealWeightService.exe

These two programs are nearly identical to SMApps itself in terms of functionality. On top of what the original does, they change browser settings, promoting questionable sites and spawning unwanted ads. Even though these additional threats are not especially severe, the fact that SMApps is capable of dropping them is concerning.
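Because the C2 channel is plain FTP, its control connection is fully readable on the wire, which is what makes it easy to spot the system-information upload the post mentions. Below is an added example of a small FTP control-channel parser that pulls out the login, the passive-mode data endpoint and every completed STOR/RETR from a session; it is not code from the original post or from Gridinsoft. The transcript is constructed for the example: only the server IP 162.250.124.82 comes from the post, while the user name, password, file names, server replies and the RETR download are made up to exercise the parser.

```python
import re

# Constructed FTP control-channel transcript (not captured from SMApps).
# ">" lines are client commands, "<" lines are server replies.
SAMPLE_SESSION = """\
< 220 FTP server ready.
> USER upload
< 331 Please specify the password.
> PASS hunter2
< 230 Login successful.
> TYPE I
< 200 Switching to Binary mode.
> PASV
< 227 Entering Passive Mode (162,250,124,82,195,80).
> STOR DESKTOP-1A2B3C_sysinfo.txt
< 150 Ok to send data.
< 226 Transfer complete.
> PASV
< 227 Entering Passive Mode (162,250,124,82,196,12).
> RETR stage2.bin
< 150 Opening BINARY mode data connection.
< 226 Transfer complete.
> QUIT
< 221 Goodbye.
"""

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_pasv(reply):
    """Turn a 227 reply's (h1,h2,h3,h4,p1,p2) tuple into (ip, port)."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def summarize_session(transcript):
    """Extract login, data endpoints and completed transfers from a session."""
    summary = {
        "user": None,
        "cleartext_password": False,
        "data_endpoints": [],
        "uploads": [],
        "downloads": [],
    }
    pending = None  # transfer awaiting a 226 completion reply
    for line in transcript.splitlines():
        if not line.strip():
            continue
        direction, _, rest = line.partition(" ")
        if direction == ">":
            verb, _, arg = rest.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                summary["user"] = arg
            elif verb == "PASS":
                summary["cleartext_password"] = True
            elif verb == "STOR":
                pending = ("uploads", arg)
            elif verb == "RETR":
                pending = ("downloads", arg)
        elif direction == "<":
            code = rest[:3]
            if code == "227":
                endpoint = decode_pasv(rest)
                if endpoint:
                    summary["data_endpoints"].append(endpoint)
            elif code == "226" and pending:
                # Only count transfers the server confirmed as complete.
                summary[pending[0]].append(pending[1])
                pending = None
            elif code[:1] in ("4", "5"):
                pending = None  # transfer was refused or failed
    return summary


def verdict(summary):
    """Human-readable reasons the session looks like malware C2 traffic."""
    reasons = []
    if summary["cleartext_password"]:
        reasons.append("credentials sent in cleartext")
    servers = sorted({ip for ip, _ in summary["data_endpoints"]})
    if summary["uploads"]:
        reasons.append(f"uploaded {summary['uploads']} to {servers}")
    if summary["downloads"]:
        reasons.append(f"downloaded {summary['downloads']} from {servers}")
    return reasons


if __name__ == "__main__":
    for reason in verdict(summarize_session(SAMPLE_SESSION)):
        print(reason)
```

Run against a real capture, the same parser gives an analyst the file names and data-channel endpoints to block and, because credentials travel in the clear, the login that the whole botnet shares.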

How To Remove SMApps?

To remove SMApps, you need an effective antivirus solution. I recommend GridinSoft Anti-Malware, as it will help remove this malware without much effort. Users report problems removing this malware manually, hence a specialized tool is required. The GridinSoft program will also allow you to reset your browser in two clicks, which is especially useful when the browser has been tampered with by adware.
