Windows Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Fri, 30 Aug 2024 17:02:25 +0000

Critical Windows TCP/IP Vulnerability Uncovered, Patch Now
https://gridinsoft.com/blogs/critical-windows-tcp-ip-vulnerability/
Thu, 15 Aug 2024 19:16:11 +0000

A critical vulnerability has been discovered in the Windows TCP/IP stack that allows unauthenticated remote code execution (RCE). This vulnerability can be exploited remotely by sending specially crafted IPv6 packets to the target system. Successful exploitation could allow an attacker to execute arbitrary code on the target system. The flaw affects all supported versions of Windows and Windows Server.

Windows TCP/IP RCE Vulnerability Impacts All Systems with IPv6 Enabled

Researcher XiaoWei from Kunlun Lab has reported the discovery of a critical remote code execution vulnerability in the Windows TCP/IP stack. The vulnerability, identified as CVE-2024-38063, carries a CVSS score of 9.8 and can be exploited without user interaction (zero-click). While details are scarce at the time of writing, it is known that an attacker can send IPv6 packets containing specially crafted payloads to the target system. CVE-2024-38063 affects all supported versions of Windows 10, 11, and Windows Server. It should be explicitly noted that the issue affects only IPv6 users, as it is impossible to send the said crafted v6 packets to an IPv4 address.

“Considering its harm, I will not disclose more details in the short term… The bug triggers before firewall handling the packet”.

Still, the research shows that CVE-2024-38063 leads to a buffer overflow. As a result, it allows an attacker to execute arbitrary code with SYSTEM privileges on the target system. This could potentially result in full control over the compromised system. I also expect to see more details as time goes on and the patch is installed on more systems, so that the researcher can release the information with less risk.

The impact of such a vulnerability could have been tremendous had Microsoft decided to ignore it or missed it altogether. These days, IPv6 is not that widespread, but experts around the world consider it to be the future of the Internet. Now imagine hackers being able to deploy malware to any device, at any time, without any user interaction. This is what could have happened had this flaw appeared a decade later, after the global IPv6 introduction.

Microsoft’s Response and Mitigation

Microsoft noted that this is not the first vulnerability of this kind, and attackers have actively exploited previous ones. The company anticipates that attackers will eventually develop exploits to take advantage of this vulnerability. Fortunately, Microsoft already offers a fix in the form of its latest, August 2024 Patch Tuesday update. Additionally, organizations are advised to monitor network activity and implement network segmentation. These measures are intended to limit lateral movement of the threat in the event of a system compromise.

Microsoft also suggested a temporary workaround involving the disabling of the IPv6 protocol. However, the issue lies in the fact that IPv6 is enabled by default on most systems, and some Windows components rely on it. Disabling IPv6 could, therefore, disrupt the functionality of other Windows components.

Shortcut Virus
https://gridinsoft.com/blogs/usb-shortcut-virus/
Wed, 03 Jul 2024 05:51:37 +0000

Shortcut Virus is a malicious program that tampers with files on disks. It is a rather old type of threat that aims to cause mischief for the user rather than to make a profit. There are several ways to solve the issue, both manual and with the use of specialized software.

What is Shortcut Virus?

Shortcut Virus is a type of malware that makes data look lost by turning all the files into shortcuts. The virus modifies the file structure on a USB drive, replacing real files and folders with shortcuts that have the same icons and names. This tricks the user and causes the virus to launch when they try to open the file. However, the original files are usually hidden or moved to a hidden partition.

Shortcut Virus Infection Chain

The virus spreads primarily through USB devices and automatically copies its executable file to the device. This file is usually saved in the root directory of the USB drive and disguised as a safe, familiar file using common icons and names such as “My Documents” or “Recycle Bin”. It also actively uses the autorun functionality via the Windows registry. This allows it to run malicious code as soon as the device is connected to the computer. The “.lnk” files are a key element of this process, as they can be executed automatically and mask the launch of the malicious executable.

Some users want to re-use old drives that potentially contain this malware. But for many, plugging such a drive into their current computer carries the risk of infecting it. That leaves the question: how to safely recover files or format a hard drive?

Question from a user on a Reddit forum.

How Is Shortcut Virus Dangerous?

Shortcut Virus poses a serious threat to users who regularly use removable media. The main dangers associated with this virus include:

  • The worst part is that the virus can also hide or delete the original files on the USB drive. This often results in the loss of important information that may be difficult or impossible to recover.
  • Shortcut Virus easily and stealthily spreads from one device to another, infecting all USB devices connected to the infected computer.
  • Shortcut Virus can function as a Trojan, collecting the user’s personal data such as passwords, financial information and other sensitive data.
  • Once on system disks, the virus can disable or compromise a computer’s security, making the system more vulnerable to other malicious attacks.

How to remove Shortcut Virus?

Shortcut Virus removal requires a careful approach to not only get rid of the virus but also to restore access to the original files.

Step 1: Disable USB device autorun

To prevent the virus from automatically starting when USB devices are connected, disable USB device autorun:

  1. Open “Registry Editor” (press Win + R, type regedit and press Enter).
  2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer path.
  3. Create or modify a DWORD value named NoDriveTypeAutoRun and set the value to 0xFF to disable autorun for all disk types.

Step 2: Clean up the registry

    Since the virus can create registry entries to run automatically, you need to clean the registry:

    1. Open “Registry Editor” (press Win + R, type regedit and press Enter).
    2. Navigate to:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    3. Remove any suspicious values that may run malicious files on system startup.

    Step 3: Manual Removal

    Several commands can be used to manually remove Shortcut Virus via Command Prompt, including cleaning malicious files:

    1. Open “Command Prompt”: type cmd in the search box and click “Run as administrator” to open an elevated Command Prompt.
    2. The virus often hides the original files and replaces them with shortcuts. To display them:
      attrib -h -r -s /s /d G:\*.*
      Here “G:\” is the drive letter of your USB device.
    3. First, remove any shortcuts that the virus has created. These shortcuts may be the source of the infection:
      del G:\*.lnk
    4. Next, remove malicious executable files that are usually hidden in the USB root or system folders:
      del G:\*.exe
    5. Check the C:\Windows\, C:\Windows\System32\, and C:\Users\[username]\AppData folders for malicious files and delete them.

    Be very careful when using the command line, especially when working with deletion commands and registry editing. Incorrect actions may cause damage to the system.
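
A read-only way to review what Steps 1 to 3 act on before deleting anything, as an added PowerShell example that is not part of the original article. The function names are illustrative; G: is the drive letter used in the article, and the registry paths are the ones listed in Steps 1 and 2.

```powershell
# Added example: read-only triage for the settings and files touched in Steps 1-3.
# Nothing is modified or deleted; function names are illustrative.
param(
    [string]$Drive = 'G:'   # drive letter of the USB device, as in the article
)

function Get-AutoRunPolicy {
    # Step 1: NoDriveTypeAutoRun = 0xFF disables autorun for all drive types.
    $path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        Key                = $path
        NoDriveTypeAutoRun = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
        AllDrivesDisabled  = ($value -eq 0xFF)
    }
}

function Get-RunEntry {
    # Step 2: list every value under both Run keys so each can be reviewed before removal.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-DriveShortcut {
    param([string]$Root)
    # Step 3: resolve each .lnk in the drive root to see what it would launch.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Root -Filter *.lnk -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # opens the existing shortcut for reading
            [pscustomobject]@{
                Shortcut  = $_.Name
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
}

function Get-HiddenItem {
    param([string]$Root)
    # Items with Hidden or System attributes: the files "attrib -h -r -s" would reveal.
    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band $mask } |
        Select-Object Name, Attributes, Length
}

function Get-RootExecutable {
    param([string]$Root)
    # Executables in the drive root, with a hash that can be checked before "del G:\*.exe".
    Get-ChildItem -LiteralPath $Root -Filter *.exe -Force -File -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}

$root = $Drive.TrimEnd('\') + '\'

Write-Host "== Autorun policy (Step 1) =="
Get-AutoRunPolicy | Format-List

Write-Host "== Run key entries (Step 2) =="
Get-RunEntry | Format-Table -AutoSize -Wrap

Write-Host "== Shortcuts in $root and their targets (Step 3) =="
Get-DriveShortcut -Root $root | Format-Table -AutoSize -Wrap

Write-Host "== Hidden or system items in $root =="
Get-HiddenItem -Root $root | Format-Table -AutoSize

Write-Host "== Executables in $root =="
Get-RootExecutable -Root $root | Format-Table -AutoSize -Wrap
```

A shortcut whose target or arguments point at a script host or at an executable in the drive root, rather than at a document or folder, is the kind of entry Step 3 is meant to remove.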

    Shortcut Virus Remover

    To remove Shortcut Virus, one of the most effective approaches is to use specialized antivirus software that can detect and remove complex malware. One of the recommended tools for this task is Gridinsoft Anti-Malware.

    Gridinsoft Anti-Malware features fast scanning speeds and the ability to detect various types of malware, including Shortcut Virus. It also provides in-depth system and USB device scanning. This allows you to detect and remove hidden and standalone viruses that may not be noticed by standard antiviruses.

    Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

    After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

    Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

    Windows Defender Security Warning
    https://gridinsoft.com/blogs/windows-defender-security-warning-scam-how-to-remove/
    Tue, 02 Jul 2024 09:14:36 +0000

    Have you ever encountered a Windows Defender security warning pop-up while browsing? This type of malicious activity is designed to trick you into contacting scammers. Fortunately, you can quickly get rid of it. Here, we will explain how to remove this scam and protect yourself from other viruses.

    What is the Windows Defender Security Warning?

    This warning is the result of scareware or a phishing scam. Its purpose is to redirect you to a webpage that visually resembles the official Microsoft website. However, the URL does not match the official site. The page may display a message claiming that your computer is infected with malware and that you need to contact a support agent by phone to fix the problem.

    Windows Defender Security Warning scam example. Red flags are highlighted in the picture.

    Unfortunately, the notification looks like a legitimate Windows message, making it especially dangerous – many users may not even attempt to verify it on Google. Scammers commonly make the pop-up as convincing as possible so that people don’t suspect anything is wrong. The provided phone number will likely connect you to a fraudulent call center. The agent may try to get you to install malware to infect your computer, steal your personal information, or demand money for fake services.

    Why is the Windows Defender Security Warning False?

    At first glance, you might mistake this for a legitimate warning from Windows Defender. However, if you’re familiar with Windows Defender, you’ll notice differences from a genuine notification. Therefore, please do not call the phone number provided in the window because it is not a real alert. Here’s why:

    • It’s not the Windows Defender interface. Windows Defender, also known as Windows Security, is a built-in Windows application with a different interface. It will never display a browser pop-up or webpage; it uses system notifications instead.
    • Strange text and typos. A banner or page showing a Microsoft Defender alert often contains strange text designs and grammatical and stylistic errors, which sharply contrast with the short and informative Defender notifications.
    • Microsoft never provides contact numbers for users. Users can contact Microsoft support through the “Get Help” application if they encounter problems.

    This Windows Defender security alert is flawed in both format and content. It’s often a low-level phishing scam aiming to sell a rogue antivirus service, which can harm your computer. In some cases, you might not be able to close the alert or switch to other applications.

    Causes of the Windows Defender Security Warning

    There are several reasons why you might see a Windows Defender security warning. Here are the most common ones:

    • You clicked on an ad that redirected you to a fake site.
    • You visited a hacked website that redirected you to a fraudulent page.
    • You have a malicious program installed on your device, often a result of adware activity.

    There are also many other ways you could be exposed to fraud, depending on various factors, such as the external devices you share with others. Simply closing the window may not solve the problem, especially if adware is causing it. The pop-up message may appear every time you open your browser.

    How to Remove the Windows Defender Security Warning

    Since the Windows Defender security warning appears in your browser, most actions to get rid of it are related to your browser. These steps can help resolve the issue of Windows Defender security warning pop-ups:

    • Force close and reopen your browser.
    • If the problem with redirecting to a fraudulent page persists, reset your browser (instructions below) or reinstall the browser completely.
    • If this continues, you may have adware or a PUP (potentially unwanted program) installed on your computer, and you need to remove it.

    If you’re unsure which installed application is causing the pop-up notifications, install antivirus software to detect and remove the infection from your computer.

    How to Clear the Browser from the Windows Defender Security Warning

    Resetting your browser settings is one of the first steps to eliminate the Windows Defender security warning scam. Here are the instructions for different browsers:

    Remove the Windows Defender Scam from Chrome

    1. Click on the three vertical dots in the top right corner and select Settings.
    2. Select Reset and clean up, then Restore settings to their original defaults.
    3. Click Reset settings.

    Remove the Windows Defender Scam from Firefox

    1. Click the three-line icon in the upper right corner and select Help.
    2. Select More Troubleshooting Information.
    3. Select Refresh Firefox… then Refresh Firefox.

    Remove the Windows Defender Scam from Microsoft Edge

    1. Press the three dots.
    2. Select Settings.
    3. Click Reset Settings, then click Restore settings to their default values.

    Remove the Windows Defender Scam from Safari

      1. Open the terminal (press ⌘ Command + Spacebar to open Spotlight, type “terminal” and press “Enter”).
      2. Enter these commands one at a time. Execute each command by pressing “Enter” after copying it into the terminal:

        rm -Rf ~/Library/Caches/Metadata/Safari;
        rm -Rf ~/Library/Caches/com.apple.Safari;
        rm -Rf ~/Library/Caches/com.apple.WebKit.PluginProcess;
        rm -Rf ~/Library/Preferences/Apple\ -\ Safari\ -\ Safari\ Extensions\ Gallery;
        rm -Rf ~/Library/Preferences/com.apple.Safari.LSSharedFileList.plist;
        rm -Rf ~/Library/Preferences/com.apple.Safari.RSS.plist;
        rm -Rf ~/Library/Preferences/com.apple.Safari.plist;
        rm -Rf ~/Library/Preferences/com.apple.WebFoundation.plist;
        rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginHost.plist;
        rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginProcess.plist;
        rm -Rf ~/Library/PubSub/Database;
        rm -Rf ~/Library/Safari/*;
        rm -Rf ~/Library/Safari/Bookmarks.plist;
        rm -Rf ~/Library/Saved\ Application\ State/com.apple.Safari.savedState;

      What to Do if the Problem Persists?

      If you have followed all the steps above and still see this warning every time you use a web browser, it is a clear sign that malware is still on your computer. You can use professional antimalware software such as GridinSoft Anti-Malware to scan your computer and remove any viruses or malware found. After taking such drastic measures, the antimalware software will remove and neutralize more dangerous cyber threats that could cause severe damage to your files.

      How to Avoid Scams like the Windows Defender Security Warning

      As mentioned earlier, the Windows Defender security warning scam is not the only threat you may encounter on your computer. There is much more severe malware on the Internet, and as a prudent user, you should take every precaution to avoid them. Here are some basic tips:

      • Ensure your OS and apps are up to date
      • Only download apps from official websites
      • Avoid clicking on random links without knowing where they will take you
      • Don’t download suspicious apps
      • Do not open attachments in suspicious emails
      • Use an ad blocker to block malicious ads
      • Use advanced antivirus software

      Your computer should now be clean and free of Windows Defender scams. To prevent this from happening again, practice good online hygiene to protect yourself from fraud. Perform regular scans and use malware protection to stop threats before they happen.

      5 Methods to Fix Computer Keeps Freezing
      https://gridinsoft.com/blogs/how-to-prevent-my-computer-keep-freezing/
      Thu, 20 Jun 2024 15:20:10 +0000

      Have you ever been in the middle of a project when your computer suddenly freezes? Maybe the cursor stops moving, or you get the dreaded blue screen of death, forcing you to restart. If this sounds familiar, don’t worry! While it’s frustrating, you can often fix these issues yourself. The key is to understand why your PC might be freezing and then take steps to prevent it.

      This article will show you what to do if your computer keeps freezing for no obvious reason.

      Why does my computer keep freezing?

      There are several reasons why your computer keeps freezing or works poorly. Usually, it is a software problem, or too many apps are running on your computer simultaneously, which causes it to hang. We will not consider the case of weak hardware, where the system ran slowly from the start. However, additional problems, such as a lack of hard disk space or issues with drivers, can also prevent it from working correctly.

      So, what to do when you encounter the problem that a Windows PC freezes randomly?

      Check if your computer is entirely dead-locked

      To understand if your computer is completely frozen, you can try to move the mouse cursor over the screen. If it doesn’t move, your PC is locked and requires a forced reboot. You can also try pressing the “Caps Lock” key on your keyboard as another check. If the Caps Lock indicator lights up, it’s probably a software problem and can be solved with the Windows Task Manager.

      To do this, press Ctrl+Alt+Del, select the frozen program, then press End Task. However, if the Caps Lock indicator doesn’t work, your computer is dead-locked, and you need to restart it. Desktop computers may be rebooted with the button on the system unit; perhaps this will resolve the freeze. If you have a laptop, press the power button for ~10 seconds, forcing your PC to shut down.

      Software Issues When the Computer Keeps Freezing

      Software issues are the most common cause of a PC freezing randomly. At some point, the software loses control of the application or tries to run the application in a way that the Windows operating system does not recognize. This often happens when trying to run old programs in new versions of Windows or vice versa. Updating the software and the OS usually corrects the PC freezing problem. However, in some cases, reinstalling the application is the most effective way to deal with occasional software-related hangs.

      Sometimes errors in running programs cause memory leaks. This happens when objects in a heap are no longer used. However, the garbage collector cannot remove them from memory; thus, they remain there unnecessarily. A memory leak is not good because it blocks memory resources and reduces system performance over time.

      Check for Running Resource-Intensive Software

      Sometimes, programs will remain running in the background even after you finish working with them. This is particularly true for various kinds of virtual machines: they can stay in the background, showing no activity, while taking a significant amount of your CPU and memory. Particular names to look for in Task Manager are “Vmmem” (or “VmmemWSL”), “VirtualBox”, “Vmware-vmx” or the like. Stopping them will give a huge relief to your hardware.

      Check for Malware and Viruses

      Computer freezes and crashes can be signs that your computer is infected. In some cases, malware loads your system by running dozens of processes in the background, consuming your computer’s RAM and causing it to freeze. This is often the work of coin miners, whose typical behavior is overloading the system and leaving no resources for other applications. In contrast, viruses can corrupt system files, without which the system cannot work correctly. As a result, this can cause blue screens of death. If your PC keeps freezing after rebooting, we recommend checking it for viruses with our security solution.

      Processor overheating

      Because computers are susceptible to heat, a room without air conditioning on a 90-degree day can negatively affect your computer’s performance. You can tell if your PC is overheating by listening to your laptop or desktop computer’s internal fans. If the cooling is running too loud or louder than usual, you should dust your PC and replace the thermal paste on the processor.

      However, there is the opposite situation, when the processor is overheating and the cooling does not work, i.e. the fans are silent. In this case, you should carefully inspect the coolers: they may be faulty or may have lost contact. Keep watching whether your computer still locks up randomly. At best, the processor will start to throttle, and at worst, overheating can lead to a complete shutdown. Next, get some air circulation in the room and ensure the CPU vents are not clogged with dust. If the PC stops freezing after that, overheating was the reason for the issue.

      Multitasking Issues

      Each program on your computer requires some internal and external (hardware) resources to run. If you run multiple programs simultaneously, your computer may need more memory or processing power. Therefore, run programs only as required to reduce the chance of being short on resources.

      We also recommend checking the program autorun settings and disabling the autorun of unnecessary applications. This will significantly speed up the startup of your laptop. To do this, run the task manager, go to the “startup applications” tab, and disable unnecessary applications.

      Some programs can write themselves into the autorun without your knowledge. You can now control this.

      Driver Issues

      Drivers directly affect the performance of your PC and can cause the computer to constantly freeze. If application drivers are corrupt or outdated, applications cannot appropriately interact with your hardware. Most modern operating systems get drivers from the Windows Update Center after installation, but drivers are rarely updated there. This is especially true for drivers for graphics adapters. For example, suppose your PC has powerful hardware but works slowly in graphics applications. In this case, we recommend downloading and installing the latest video driver from the manufacturer’s website. In most cases, this will solve the problem of poor performance in applications and of the PC freezing for a few seconds.

      Computer Keep Freezing? Lack of RAM!

      Lack of memory is often the cause of occasional freezes. Unfortunately, you cannot solve this issue programmatically. However, you can try increasing the memory dump. The easiest way to check for insufficient RAM is to run a Windows memory diagnostic. Below are the steps to check your RAM:

      1. Open the Start menu and type Windows Memory Diagnostic Tool in the search box.
      2. Click on it. This will reboot your system and check your memory. It will also notify you if it finds any problems.

      If no errors are found, there is probably nothing wrong with the memory. Most likely, your system and applications don’t have enough RAM. Consider upgrading your PC. At the very least, try adding RAM to fix the problem. You can find out if your system has enough RAM by running Task Manager and opening the Performance tab. If your device’s RAM is more than 70% used, you should add RAM to your device.

      If you have a desktop PC, everything is as simple as possible. You just need to find out what type of memory you have installed. To do this, open Task Manager, go to the Performance tab, and click on Memory.

      Usually, the type of memory installed is displayed here, but sometimes it is not.

      If your memory type is not displayed there, use special utilities, such as AIDA64.

      AIDA64 interface.

      If you have a laptop, google your model to find out what RAM it uses. However, not all laptops allow you to expand RAM because, in compact models, this memory is soldered onto the motherboard and is physically impossible to replace.

      Hardware issues that lead to the computer freezing

      A more severe problem is a hardware issue, where a particular computer component is not working correctly or is malfunctioning. This can happen for some reasons, such as overheating or excessive dust buildup on components inside the computer. For example, as trivial as it sounds, a mouse or keyboard cord can become damaged over time, and a wireless device can have a dead battery. For the past few years, all computers have been equipped with high-speed SSD drives, but older machines have obsolete hard disk drives.

      If your device has an older hard drive, we recommend replacing it with a faster SSD. This is guaranteed to give a significant performance boost to your PC. SSDs, if used correctly, can last quite a long time without problems, but when an SSD fails, it stops working completely.

      How to Fix Computer Keeps Freezing

      Are you facing the problem that “computer keeps freezing randomly”? In addition to the tips above, you can apply some of the following valuable techniques to minimize the risk of your computer freezing frequently:

      Method #1. Clean up Windows Temporary Files

      Microsoft Windows uses a cache to store temporary files so it can access them quickly. In addition to taking up extra space, these files can also interfere with Windows, causing performance issues. If you clear the cache folder, you can remove all unneeded files that may have been created in the past and may have caused your OS to hang. To clear the Windows cache files, follow these steps:

      1. Press Win+R and type or paste “%temp%” in the Run window to open the temporary cache folder.
      2. Select all the files with the Ctrl+A key combination and then permanently delete them. You can also use the Disk Cleanup tool by clicking Start and typing “disk cleanup” in the search box.
      3. In the window that opens, select the drive where the OS is installed (by default, it’s the C drive). Then, choose the types of data you want to delete in the next window. If you have very little space, you can select all of them.

      Method #2. Check The Disk For Malfunctions

      If the hard drive’s response speed is not up to standard, Windows may not be able to access it at the necessary rate, and this causes the hard drive to freeze between access intervals. In addition, fragmentation errors may occur on the hard drive due to a PC crash or abnormal termination. Windows has a built-in tool to help you identify and fix disk problems. Running it is another step that can help if your computer hangs again and again. To do this, follow these steps:

      1. Right-click Start and select Terminal (Administrator).
      2. Type or paste “chkdsk” at the command prompt and press Enter.

      This will start checking your hard drive for malfunctions using the Windows command line. Sometimes Windows will need to reboot to complete the check. When the utility finishes, it will notify you of any disk errors.

      Method #3. Run Defragmentation

      Defragmentation is reorganizing the data stored on your hard drive so that pieces of data line up continuously. It picks up all the parts of data that are scattered across your HDD and puts them back together in an orderly, neat, and clean fashion. To do so:

      1. Open My Computer.
      2. Right-click on the desired drive and choose Properties.
      3. Click the Tools tab.
      4. Click Optimize.
      5. When the window appears, click Optimize.

      As a result, defragmentation increases your computer’s performance by reducing the time it takes to access data and allows you to use your storage more efficiently.

      Method #4. Run Memory Check

      If you suspect your computer has memory problems, you can run the Windows Memory Diagnostics utility by completing the following steps:

      1. Press Windows + R key combinations and type mdsched.exe in the input box. Then press Enter.
      2. Click Restart now and check for problems (recommended) to check for problems immediately (If you want to check later, click “Check for problems the next time I start my computer”).
      3. Windows will restart and you will get the following window showing the progress of the check and the number of passes it will run on memory. It might take several minutes for the tool to finish.

      Method #5. Run System File Checker

      Sometimes a computer keeps freezing randomly due to corrupted or missing system files. Fortunately, the OS has a system file checker that should help you restore the original files. With any luck, it will automatically fix your problem. To use this tool, run the command line as administrator and type or paste the following command:

      sfc /scannow

      Command prompt search

      Windows will scan its files, and if it finds a corrupt or missing file, Windows will try to fix it automatically.

      Command prompt sfc scannow

      No matter how well you maintain your PC, all systems hang at some point. This can happen due to issues with operating system updates, as seen with some of the recent updates for Windows 10. For example, the October 2023 update, known as KB5031356, experienced significant installation issues due to the 0x8007000d error, which prevented successful update completions and led to other operational challenges like slow performance and reboot loops.

      However, understanding what causes your computer to hang can help you prevent and troubleshoot problems in the future. We hope that the methods described above have helped you to solve the Windows freeze problem so that you can get back to using your device comfortably. If none of the above solutions helped and the computer keeps freezing, your PC likely has a hardware problem that requires further investigation. In this case, you can turn to a service center, where qualified specialists will be able to find and fix the problem.

      RegAsm.exe
      https://gridinsoft.com/blogs/regasm-exe/
      Thu, 13 Jun 2024 20:40:23 +0000

      The post RegAsm.exe appeared first on Gridinsoft Blog.
      The RegAsm.exe process is an important component of the Windows operating system associated with the .NET Framework. This utility is designed to register .NET assemblies in the Windows registry, allowing COM clients to call managed applications. Let’s analyze its functionality and see whether malware can abuse it.

      What is RegAsm.exe?

      RegAsm.exe (Assembly Registration Tool) is a command line utility that provides users and developers with the ability to register CLR (Common Language Runtime) assemblies in the Windows Registry. The main function of this utility is to create registry entries that link COM class identifiers and interfaces to the corresponding .NET classes. Thanks to this process, it is possible to use functionality written in .NET languages (e.g., C# or VB.NET) in applications developed in unmanaged languages (e.g., C++). This expands the possibilities of integrating different software.

      How does it work?

      The tool is run from the Visual Studio Developer Command Prompt or Visual Studio Developer PowerShell using the following syntax:

      RegAsm.exe assembly_name.dll [options]

      Here “assembly_name” is the file name of the assembly to be registered.

      Possible “options” include:

      • /codebase – adds information about the assembly location to the registry, which allows CLR to find the assembly by its path;
      • /tlb – creates a type library (TLB file) for the assembly, which is necessary to use it as a COM object;
      • /registered – uses only versions of types already registered in the registry;
      • /unregister – removes information about the assembly from the registry.

      Can RegAsm.exe be a Virus?

      Although RegAsm.exe itself is a legitimate Microsoft utility for registering .NET assemblies, its name can be used by malware to disguise its activity. Naming themselves after legitimate system files is a common method used by viruses and other types of malware. This is done in order to confuse users and antivirus programs.

      Finding this process in Task Manager is not so easy. RegAsm.exe is launched only to perform assembly registration and terminates immediately afterwards. Therefore, its presence in Task Manager will be very brief, and the user may simply not notice the process unless they look at Task Manager exactly at the moment of its execution.

      Malware may create or download a file named RegAsm.exe (not original, obviously) in an inappropriate location (such as in a user’s folder or temporary folders) and run it from there to avoid detection. To figure out if RegAsm.exe process is legitimate or malware, there are a few steps you can take:

      1. Checking the location of the file:

      The default location of the RegAsm.exe file on Windows 10/11 systems depends on the version number of the Microsoft .NET Framework.

      Default is:
      C:\Windows\Microsoft.NET\Framework64\[version]\RegAsm.exe
      (“version” – is the version of the .NET Framework, for example, v4.0.30319 for .NET Framework 4.5 and above.)

      location of RegAsm.exe
      File location in Windows 11

      To verify the presence and exact location of RegAsm.exe on your computer, you can use the search function in Windows Explorer or run the following command at the command line (CMD):

      dir C:\ /s /b | findstr /i "RegAsm.exe"

      This command searches for the RegAsm.exe file across the entire C drive, regardless of letter case, and shows full paths to the files that match. If the file that you’ve encountered in the Task Manager has a different location from the default one, this may be a sign of malicious activity.

      2. Digital signature verification:

      Legitimate Microsoft files usually have a digital signature indicating their origin. Checking the file signature in the properties can show whether the file is edited or not.

      RegAsm.exe Signature
      Properties of RegAsm.exe file

      RegAsm.exe can also be used by attackers to register malicious assemblies on the system. Malicious code registered as a COM server can be invoked by other applications, potentially compromising the system. It is especially dangerous if an attacker gains access to an account with administrative privileges.

      Can I remove RegAsm.exe from my PC?

      Uninstalling RegAsm.exe is not a recommended action, as it is a standard and important component of Microsoft .NET Framework in Windows. This action may disrupt the functionality of applications that depend on this utility and may cause software errors on the computer.

      But if you are absolutely sure that RegAsm.exe has been modified or replaced by a malicious program, then you can remove the malicious copy of the file. However, you should not remove the legitimate utility itself.

      The best way to remove malware is to use antivirus software, which can also scan for and remove other threats. GridinSoft Anti-Malware is such software. It will easily find the suspicious file and remove it.

      GridinSoft Anti-Malware main screen

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

      Scan results screen

      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

      Removal finished

      AcroTray.exe
      https://gridinsoft.com/blogs/acrotray-exe/
      Thu, 13 Jun 2024 05:56:07 +0000

      The post AcroTray.exe appeared first on Gridinsoft Blog.
      The Acrotray.exe process is one of the important components provided by Adobe Systems. This process is associated with Adobe Acrobat software and often starts automatically when the Windows operating system starts. However, not every user knows what this process is, what it is for and whether it is safe. Let’s do a complete technical analysis of this process, its functionality, and security.

      AcroTray.exe – What is it?

      AcroTray.exe is an executable file that is part of the Adobe Acrobat software. This process supports PDF-related functions such as document conversion, creation, and editing directly from the desktop without having to open the Adobe Acrobat program itself. In addition, AcroTray.exe helps manage licenses and updates for Adobe products. This function is critical for enterprise users who must keep all of these products up to date.

      AcroTray.exe in system startup
      Windows start-up configuration

      The Acrotray.exe process usually starts at system startup and runs in the background, providing quick access to Adobe features. This may include integration with various applications such as Microsoft Office, where Acrotray.exe acts as an intermediate layer that facilitates the export and import of PDF documents. Technically, the process is a safe and important element for users of Adobe products, but its constant presence among active processes may raise questions about the appropriateness of its use.

      Main Functionalities:

      • The ability to convert documents to PDF format from various applications such as Microsoft Office (Word, Excel, and others) without opening Adobe Acrobat.
      • Help with managing the printing of PDF documents. Participates in setting up print options and selecting options right before printing. This improves the quality and accuracy of printed documents.
      • Automated update checks for Adobe Acrobat and other Adobe components.
      • Management for various plug-ins and add-ons for Adobe Acrobat, ensuring that they work properly and interact with the main program.
      • Informer functions, providing notifications of new features, offers, or changes to Adobe services.

      Acrotray.exe is Missing – Fixing Guide

      A missing Acrotray.exe file can be a major nuisance for Adobe Acrobat and Adobe Reader users. The absence of this file can cause the program to work improperly, with errors during startup or while performing certain functions such as viewing PDF documents or printing them. Here are a few steps you can take to resolve this issue:

      Program recovery via Control Panel can help you recover missing files, including Acrotray.exe.

      1. Close the Adobe Acrobat program and all Acrobat processes from Task Manager.
      2. Then open “Control Panel” → “Programs” → “Programs and Features” → “Uninstall a program” and click “Adobe Acrobat DC”.
      3. Press “Change” and choose “Repair” in the dialog box.
      4. After the program repair is complete, restart your PC.

      In case repair did not help, reinstall the program. For this, uninstall the program in the same Control Panel and restart the computer. Install Adobe Acrobat downloaded from the official website.

      AcroTray.exe – Is it a Virus?

      As I wrote above, AcroTray.exe is a completely legitimate file. Still, like with any other executable file, its name may be taken by a virus or other malware. To make sure that AcroTray.exe is safe, you should check its location. The correct path to the file should be in the folder:

      C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroTray.exe
      – for modern versions of Adobe Acrobat

      C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\AcroTray.exe
      – for older versions of Adobe Acrobat (11 and under)

      Another way to understand whether the Acrotray process is legit is checking the location and digital signature of the file.

      To authenticate AcroTray.exe, you can use Task Manager:

      • To do this, press the key combination: Ctrl+Shift+Esc

      Opening Task Manager

      • In the list of processes, find the process with the name AcroTray.exe. Right-click on the process of interest in the list. Select “Open file location“. This action will automatically open the folder where the process executable is located.

      AcroTray.exe location

      • Right-click on the AcroTray.exe file and select “Properties“.

      AcroTray.exe Properties

      • Click the “Details” tab and check the file information such as description, file size and digital signature. Legitimate Adobe files are usually digitally signed by Adobe Systems Incorporated.

      Details

      Attackers may use the name AcroTray to disguise their malware – a common trick for backdoors and coin miner malware. If you find the AcroTray.exe file in an unusual location, such as AppData\Roaming or AppData\Temp folder, or its behavior is suspicious (such as excessive use of system resources), it may be a sign of infection.
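
      The location and signature checks described in the RegAsm.exe and AcroTray.exe articles can be scripted instead of done by hand. The PowerShell below is an added example, not code from the original posts: the expected paths are the ones the articles list, while the 32-bit Framework folder, the signer-name patterns and the function names are assumptions.

```powershell
# Added example: compare a binary's path and Authenticode signer with a baseline.
$Baseline = @{
    'RegAsm.exe'   = @{
        # Framework64 path is from the article; the 32-bit "Framework" folder is an assumption.
        PathPattern = '^C:\\Windows\\Microsoft\.NET\\Framework(64)?\\v[0-9.]+\\RegAsm\.exe$'
        SignerLike  = '*O=Microsoft Corporation*'   # assumed certificate subject fragment
    }
    'AcroTray.exe' = @{
        # Both Acrobat paths are the ones listed in the article.
        PathPattern = '^C:\\Program Files \(x86\)\\Adobe\\Acrobat (DC|11\.0)\\Acrobat\\AcroTray\.exe$'
        SignerLike  = '*O=Adobe*'                   # assumed; matches "Adobe Systems Incorporated"
    }
}

function Test-BinaryIdentity {
    # Returns one object per file with the result of the path and signature checks.
    param([Parameter(Mandatory)] [string] $Path)

    $name = Split-Path -Leaf $Path
    $rule = $Baseline[$name]            # hashtable lookup is case-insensitive
    if (-not $rule) { throw "No baseline entry for $name" }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path            = $Path
        PathOk          = $Path -match $rule.PathPattern      # -match ignores case
        SignatureStatus = $sig.Status
        Signer          = $subject
        # A copy with no signature, a broken signature or another publisher fails here.
        SignerOk        = ($sig.Status -eq 'Valid') -and ($subject -like $rule.SignerLike)
    }
}

function Get-RunningCopy {
    # Checks processes that are running right now under one of the baseline names.
    $filter = ($Baseline.Keys | ForEach-Object { "Name='$_'" }) -join ' OR '
    Get-CimInstance -ClassName Win32_Process -Filter $filter |
        Where-Object { $_.ExecutablePath } |
        ForEach-Object { Test-BinaryIdentity -Path $_.ExecutablePath }
}

function Find-NameLookalike {
    # RegAsm.exe exits quickly, so also look for same-named files on disk in
    # user-writable locations (user profile and temp folders, as the article suggests).
    param([string[]] $Roots = @($env:USERPROFILE, "$env:SystemRoot\Temp"))

    foreach ($name in $Baseline.Keys) {
        Get-ChildItem -Path $Roots -Filter $name -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Test-BinaryIdentity -Path $_.FullName }
    }
}

# Show only the copies that fail either check.
@(Get-RunningCopy) + @(Find-NameLookalike) |
    Where-Object { -not ($_.PathOk -and $_.SignerOk) } |
    Format-Table -AutoSize -Wrap
```

      An empty table means every copy that was found sits in an expected folder and carries a valid signature from the expected publisher; any row that does appear is a file worth a closer look.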

      Scan your system for viruses

      On the other hand, if you want to completely uninstall AcroTray.exe, you can uninstall the entire Adobe Acrobat package if you don’t need it. To do this, open “Control Panel” → “Programs and Features“, find Adobe Acrobat and select “Uninstall“.

      Nevertheless, to make sure that AcroTray.exe file is safe, it is recommended to perform an antivirus scan. One reliable tool for this purpose is Gridinsoft Anti-Malware. This antivirus specializes in detecting and eliminating various types of malware, including those that can hide under the guise of legitimate system files.

      GridinSoft Anti-Malware main screen

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

      Scan results screen

      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

      Removal finished

      Microsoft Patches Critical MSMQ Vulnerability
      https://gridinsoft.com/blogs/critical-msmq-vulnerability-fixed/
      Wed, 12 Jun 2024 15:23:57 +0000

      The post Microsoft Patches Critical MSMQ Vulnerability appeared first on Gridinsoft Blog.
      In the latest Patch Tuesday, on June 11, 2024, Microsoft disclosed fixing a substantial number of flaws, including a remote code execution vulnerability in Microsoft Message Queuing (MSMQ). It affects a wide selection of Windows and Windows Server versions, including ones that have already reached end of life. At the time, no exploitation had been detected, though it is always a matter of time for this to happen after the official disclosure.

      Critical MSMQ RCE Vulnerability Fixed

      In the second Patch Tuesday of July 2024, Microsoft reported fixing 51 vulnerabilities. Among them, one particular flaw draws attention, mainly due to its exceptionally high CVSS rating of 9.8. The flaw in MSMQ affects a huge selection of Windows and Windows Server versions, starting from Windows Server 2008.

      The vulnerability, tracked as CVE-2024-30080, sits in the way the MSMQ server handles messages. Due to improper behavior of the memory used in request handling, it is possible to make the server run code from the message. The Message Queuing system is a built-in Windows messaging protocol that allows communication between applications that are running on different machines in the same network. A hacker can send a specially crafted message that will force MSMQ on the receiving end to execute code embedded in the message.

      Remote code execution flaws are among the most severe vulnerabilities, due to the variety of effects they can lead to. This one, however, is even more severe because of how easily it can be exploited. Adversaries do not need any authentication, so CVE-2024-30080 may easily become an entry point. Even though there are no known exploitation cases, as I’ve said in the introduction, they will likely appear, and even Microsoft acknowledges this.

      Microsoft Releases Fixes for CVE-2024-30080

      As the vulnerability was disclosed within the course of a Patch Tuesday, it immediately got a fix. Microsoft offers an update to all affected Windows versions, even ones that have already reached end of life. For consumer versions, they start from Windows 10 1607 – one of the earliest major updates to W10.

      Updates where MSMQ flaw fixed
      List of updates for consumer Windows editions that contain a fix for MSMQ vulnerability

      How dangerous is it for home users? Not really. MSMQ is an optional feature that system administrators will activate during the setup of the messaging system. It is not likely for home users to have this thing present in the system in any way. However, this may not be true for someone who moved their office workstation home, keeping all the settings unchanged. In any case, installing security updates for Windows as they appear is a good practice.

      Program:Win32/Uwamson.A!ml
      https://gridinsoft.com/blogs/program-win32-uwamson-aml/
      Thu, 16 May 2024 20:27:49 +0000

      The post Program:Win32/Uwamson.A!ml appeared first on Gridinsoft Blog.
      Win32/Uwamson.A!ml is a specific name of a Microsoft Defender detection. This designation indicates that the suspicious program or file scanned by the antivirus has characteristics that are typical of viruses and other malware. Moreover, it can often be a false positive detection. Let’s look at it in more detail.

      What is Win32/Uwamson.A!ml?

      Program:Win32/Uwamson.A!ml is a generic detection name assigned by Microsoft Defender to suspicious programs running on your system. This detection appears because the affected program or file may be associated with a malicious program. It is often distributed with software that is designed to repair the system. Installed in the background, this virus can gain remote access to the computer and sensitive information. Its activity may include attempts to change system settings, stealthy code execution, or attempts to contact remote servers without the user’s permission.

      Win32/Uwamson.A!ml detection Defender

      Win32/Uwamson.A!ml is often found in legitimate miners such as NiceHash because they utilize your computer’s high performance to mine cryptocurrency. Some of them may be compromised or used without the user’s consent – that may be the reason why Defender is not happy about them. However, it is worth remembering that not all miners are safe and some of them may contain hidden malicious components.

      Is Win32/Uwamson.A!ml False positive Detection?

      It is possible that antivirus software mistakenly detects programs as Win32/Uwamson.A!ml. In fact, they may be completely safe and do not pose a threat. This can happen, for example, if a program has some characteristics similar to malware, but is actually legitimate and safe.

      !ml detection false positive

      Also, this specific detection may be false due to the presence of the “!ml” tag at the end. This tag indicates that the file was detected by the AI module, which uses machine learning to analyze it. Although this is a modern and effective way to combat new and unknown threats, it can sometimes generate false positives if the detections are not confirmed by static signatures.

      How to remove Win32/Uwamson.A!ml from my PC?

      To remove Win32/Uwamson.A!ml, I recommend using GridinSoft Anti-malware. Malware of this type can cause unobtainable processes on your PC. Therefore, it is best to use advanced software to remove it. GridinSoft Anti-Malware is able to thoroughly scan every part of your system and even destroy the most stealthy malware.

      Broom Cleaner App (Virus Removal)
      https://gridinsoft.com/blogs/broom-cleaner-virus/
      Tue, 23 Apr 2024 10:16:27 +0000

      The post Broom Cleaner App (Virus Removal) appeared first on Gridinsoft Blog.
      Broom Cleaner is an unwanted program that at first glance seems to be a safe tool for cleaning and optimizing your computer. However, in reality, once installed, it performs unwanted changes to system settings, shows ads, or even installs additional unwanted programs. This can cause significant disruption to your computer and leak confidential information. Let’s see in practice whether this is the case.

      What is Broom Cleaner?

      Broom Cleaner is a potentially unwanted program (PUP) that is often distributed under the guise of a computer system cleaning and optimization utility. It can get on the user’s computer through a bundled installation with other free programs that are downloaded from the Internet. Often, such programs, including Broom Cleaner, are advertised as tools that can supposedly improve your PC’s performance by speeding it up by removing old and unnecessary files or registry errors.

      Broom Cleaner App

      In reality, once installed, Broom Cleaner starts aggressively displaying ads. It can also install additional potentially unwanted programs (PUPs) and change browser settings without the user’s knowledge. Also, collecting sensitive information is a significant problem. Broom Cleaner can record information about user activities, including browsing history, activity hours, location, search queries, etc.

      An alternative way for this program to get into the system is to be installed along with another app, as part of a software bundle. In fact, this route prevails over installation from the official website. The majority of users report being unaware that the program even has a site. This is yet another factor that makes GridinSoft define it as unwanted.

      Testing

      To make my conclusions regarding Broom Cleaner more relevant, I’ve done some testing on my Windows 10 virtual machine. I downloaded the program’s installation file from the official website, which seemed quite professional and convincing.

      Broom Cleaner Web Page
      Broom Cleaner main web page

      But I was interested in the fact that the site offers other software from the same developer. However, all links go to the same download link. In the end, it spreads the very same Broom Cleaner installer file.

      Setup File
      Broom Setup file

      The downloaded file is not an installation file and when you open it, the program starts immediately and offers different modes of pseudo-scanning the system.

      Interface: Broom Modes

      Upon completion of the “scan”, Broom Cleaner offered to remove the errors and “garbage” it found. However, this required purchasing the full version of the program. The results seemed far-fetched and unreasonable. Also, the program seems to be bugged: it does not always complete the scan, getting stuck at some random point. Possibly, this was due to the use of a virtual machine, but a well-designed program should be agnostic to the environment in any case.

      Broom Cleaner Scan

      I decided to check some of the “registry errors” specified by the program manually using Windows Registry Editor and found that most of them either do not exist or are normal, non-affecting values. In addition, after installing Broom Cleaner, I started noticing more frequent ads and pop-ups in my browser, as well as changes to my search engine and homepage settings that I had not seen before.

      So, the conclusion. The program acts as a typical PUP, using pseudo-scanning methods to mislead the user and then offer paid services. The results of the scan and the proposed “solutions” to the problems did not correspond to the real state of my system.

      Is Broom Cleaner a Virus?

      Technically, Broom Cleaner is not a virus in the common sense of the word. On the other hand, its functionality indicates that it is a potentially unwanted program. Such programs can seriously disrupt system operation, reduce computer performance, and even cause data loss.

      Broom Cleaner cannot copy itself or spread from one computer to another. But its “infection” occurs as a result of installation of other programs or user clicking on malicious ads. Aside from that, its actions may include many malicious operations that interfere with normal computer operation and personal data protection.

      How to Remove Broom Cleaner?

      Manual removal of Broom Cleaner and similar potentially unwanted programs is possible, yet rather tedious. The process includes not only removing the program itself through the Control Panel, but also carefully examining and terminating related processes in Task Manager. As it often comes together with other unwanted programs, cleaning the system will involve performing the same actions for them, too. All this is not only time-consuming but also risky, as improper deletion of system files can lead to further malfunctions in the operating system.

      For regular users who do not have in-depth knowledge of information security, it may be more appropriate to use specialized malware removal software. One effective antivirus tool is GridinSoft Anti-Malware. It has deep scanning capabilities and can effectively remove programs that regular antivirus software may not notice.

      PC Accelerate https://gridinsoft.com/blogs/pc-accelerate/ Wed, 17 Apr 2024 09:14:23 +0000

      PC Accelerate is questionable software presented as a useful utility designed to optimize your computer’s performance. In reality, though, this software can do more harm than good. Installing such applications often leads to unintended consequences, from system slowdowns to serious security threats.


      What is PC Accelerate?

      PC Accelerate is a potentially unwanted program that mimics a legitimate PC tuning utility. The program is presented as a useful tool for system optimization, but in reality it often leads to the opposite result. This application can be installed on the user’s computer without their explicit consent, for example as part of a hidden batch installer of other software. Once in the system, the program starts aggressively displaying advertising notifications and suggestions to “improve system performance”, which may mislead the user.

      PC Accelerate interface
      PC Accelerate suggests improving the system

      On paper, this program offers to analyze your system and clean unnecessary files. However, the results of such “analysis” are often exaggerated or falsified to create the need to purchase the full version of the program. Even after purchase, the program may offer various “optimizations” such as changing registry settings or disabling unused Windows services. Users have noted that in some cases such changes may actually degrade system performance or stability.

      PC Accelerate may be installed on the user’s computer together with other software, especially free applications and utilities downloaded from the Internet. During installation of the main program, the user may accidentally agree to install PC Accelerate without noticing the fine print in the installation terms and conditions. On some forums, users note that such software is sometimes installed without their consent or any warning.

      Testing

      The ordinary case from the user’s perspective is to see PC Accelerate spontaneously start and immediately switch to “scanning”. It looks like the developers did not care much about optimizing the program, as this scanning made my virtual machine extremely sluggish.

      PC Accelerate displays a lot of problems

      After that process, the program typically displays a bunch of problems. Not in my case though – now this app shows that everything is fine. To get more relevant screenshots, I was forced to give it a go on a live machine instead of the VM. Further analysis showed that this unwanted program runs several check-ups upon startup, including a virtualization check. I suspect this is related to the “clean” result in my tests.

      PC Accelerate activation
      When the user clicks on the “Fix Issues Now” button, the program simply throws them to a purchase page on the dev’s website

      When it does find problems, the most interesting part kicks in. It obtrusively asks you to buy the full version of the app in order to fix these issues. Skipping or rebooting barely helps – the thing begins to appear again shortly after. After a click on the “Fix” button, the program opens the website with the license purchase page.

      Shady Distribution Policy

      The business model of this program raises serious ethical and legal questions. On one hand, the official website of the company offers only the paid version of the program. On the other hand, there is also a “free version” of PC Accelerate that continues to be distributed through various unofficial sources. These are the bundled installers I’ve mentioned above.

      The developer seems to be aware of the existence of this free version, but makes no explicit move to officially recognize or support it. This opens the door to various abuses, with the main one being the said intrusive promotion of a license. Considering the questionable functionality, I suppose this all is arranged exclusively to confuse the users. Also, it will require quite an effort from authorities to prove this fraud, as in all the free version cases the fraudsters can just say “it’s not us”.

      Is PC Accelerate a Virus?

      PC Accelerate is not a virus, but its actions can cause significant harm. It is a potentially unwanted program that uses methods similar to those of viruses, such as replication and masquerading as other programs. The main problem is that this software can be installed on computers without users’ explicit consent and use deceptive methods to spread itself. This poses certain risks to data privacy and system stability.

      How to Remove PC Accelerate?

      Uninstalling PC Accelerate can be a difficult task due to how deeply this program ingrains itself in the system. In most cases, manual removal does not solve the problems that the unwanted program brought to your device. This application may also change your browser settings, so you will need to check them and reset them if necessary.

      To make sure that all PC Accelerate components and other possible malware have been removed, it is recommended to run a full system scan with reliable antivirus software. In this case, GridinSoft Anti-Malware will help: it can effectively detect and remove threats such as PC Accelerate and perform a browser reset.

      Note! If uninstalling or cleaning fails, you can try restoring the system to the restore point created before installing PC Accelerate.
