windows Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/windows/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Taskbarify Unwanted Application
https://gridinsoft.com/blogs/taskbarify-explained-removal/
Tue, 19 Mar 2024 14:39:37 +0000

Taskbarify is unwanted software that claims it is a tiny little Windows tweaker. However, it also turns the device into a proxy server without the user’s knowledge. Let me show you what is so dangerous about this utility, and how to remove it.

What is Taskbarify?

Taskbarify is a Windows utility classified as a Potentially Unwanted Application (PUA). As for functionality, officially, this program has one function – changing the appearance of the taskbar. Taskbarify has an “official” website, but most users acquire it unintentionally. The main sources of this app on users’ systems are bundling it with pirated software or displaying it through suspicious banners. This creates one more risk: the appearance of this app may be a sign of numerous other unwanted apps running in the background.

The main reason Taskbarify is categorized as an unwanted program is its proxyware module. In other words, it can use the bandwidth of the victim’s Internet connection to provide proxy server services. This enables the app to intercept network requests, potentially compromising privacy and security. Together with the complicated uninstallation, this all creates a halo of ill fame around the program.

Why is Taskbarify unwanted?

Let’s take a closer look at how this thing works. The official website claims the app is clean as a tear, has no hidden functions, and does not load the system.

App description on the official website

However, the license agreement says otherwise. The text states that the program can be a proxy and use your device’s resources, under the said Globalhop SDK. Moreover, this SDK is included in the application installation by default without explicitly disclosing its usage and impacts on the user’s system on a separate prompt.

The license agreement

The functionality of the exact app is… questionable. Visually, Taskbarify adds transparency to the taskbar, which enhances its look, but that’s it. Promised “spyware uncovering” or “full control” are pretty hard to witness, to be honest. Also, the built-in description (see the screenshots below) lies about the program being available in all regions: by setting the VPN region to Moldova, I’ve managed to make it return a “something went wrong” error.

Suspicious Behavior

The first problem is that the app does not obtain user consent to use their traffic. Sharing internet resources this way weakens the user’s security posture. Taskbarify reads system certificate settings, security settings of web browsers, and Windows trust settings. When installed, the app does not display any explicit notification about the security risks of sharing the network connection.

Aside from the privacy risks associated with proxyware, the activity of such a module itself may cause issues with bandwidth and system performance. For weak devices, a constant traffic flow may take quite a bit of CPU time, leading to the rest of the applications being laggy and unresponsive. Also, the sheer volume of traffic used by proxyware can turn into significant financial losses for the users of metered connections.

Impossible to Close

Another red flag is the pseudo-closing of the application. If the user finds the application icon in the tray, right-clicks it, and selects “Quit”, the application will disappear. However, by opening the Task Manager, you can see it running in the background without the tray shortcut. This means the application can stop its “core functionality” of modifying the taskbar but continue running as a proxy server in the background.

Absent in tray, but still present in Task Manager

Difficulties With Removal

Unlike most programs usually installed at “C:\Program Files\”, Taskbarify’s default installation folder is “%AppData%\Local\Programs\”. Since this directory is hidden by default, it virtually eliminates manual removal by the average PC user. Moreover, some users are having trouble uninstalling Taskbarify with the built-in uninstaller, which indicates that the application is trying to avoid removal or recover the app.

Some difficulties with uninstalling Taskbarify

How To Remove Taskbarify?

It is possible to uninstall Taskbarify manually, but tricky installers may cause problems and revert the uninstallation. Also, as I’ve mentioned in the introduction, this app often comes as a part of a software bundle, and is installed along with numerous other unwanted programs. To get rid of all this in just a couple of clicks, I recommend using GridinSoft Anti-Malware.

A Standard scan will be enough. GridinSoft program will check the entirety of the system volume – this is where all the unwanted programs typically reside. Give it time to finish, and your system will be as good as new.

DLL Search Order Hijacking Technique Bypasses Protection
https://gridinsoft.com/blogs/dll-search-order-hijacking/
Tue, 02 Jan 2024 20:04:10 +0000

A new DLL (Dynamic Link Library) Search Order Hijacking variant has emerged. This method capitalizes on executables in the trusted WinSxS folder of Windows 10 and 11, allowing threat actors to execute malicious code without needing high privileges.

How Does DLL Search Order Hijacking Work?

Researchers have detected a novel DLL search order hijacking variant. It leverages the way Windows loads DLLs and executables. The technique exploits applications that don’t specify the full path of required DLLs and rely on a predefined search order instead. Attackers, in turn, manipulate this feature by placing malicious DLLs in prioritized directories. The underlying technique is not new, and some threat actors are known to have used it during cyberattacks. There were quite a few of them:

  • APT41
  • Aquatic Panda
  • BackdoorDiplomacy
  • Evilnum
  • menuPass
  • RTM
  • Threat Group-3390
  • Tonto Team
  • Whitefly

By forcing trusted apps to execute malicious DLLs, threat actors can achieve unauthorized access and execute arbitrary code. At the same time, their activities remain concealed by legitimate processes.

Proof of Concept

Security experts conducted a Proof of Concept (PoC) to demonstrate this. The team used Process Monitor to identify potential vulnerabilities. They set filters for outcomes like “PATH NOT FOUND” and “NAME NOT FOUND,” specifically targeting the “NOT_A_SYSTEM_FOLDER_MS” directory, a custom folder on the desktop used for research purposes.

Execution flow of the DLL Search Order Hijacking targeting WinSxS applications. (source: Security Joes)

Next, they placed a custom DLL to be injected using the hijacking technique alongside an executable designed to execute and monitor binaries in the WinSxS folder. By running their custom tool, researchers identified binaries like “ngentask.exe” and “aspnet_wp.exe” in the WinSxS folder that attempted to search for their respective DLLs in the “NOT_A_SYSTEM_FOLDER_MS” directory.

The PoC involved launching a command line from a shell using “NOT_A_SYSTEM_FOLDER_MS” as the current directory. This action led the targeted binary to execute the researchers’ custom DLL instead of the legitimate one. The team renamed their custom DLL to match the expected name of the legitimate DLL file. They confirmed the successful injection of their custom DLL into the “ngentask.exe” process using Process Explorer.

Windows SxS, DLL Loading – What Are They?

The Windows WinSxS folder (short for Windows Side by Side) is a critical component of Windows. It is located at C:\Windows\WinSxS, and its primary function is to store multiple versions of important system files and Dynamic Link Libraries (DLLs). This capability is essential for maintaining system compatibility and integrity, mainly when updating Windows.

However, this trust is what the new DLL hijacking technique exploits by targeting files within the WinSxS folder to execute malicious code, thus bypassing traditional security measures. In normal operations, applications use a predefined search order to locate and load the necessary DLLs. However, this process becomes vulnerable when applications do not specify the full path to these DLLs. Attackers exploit this by placing malicious DLLs in directories that are searched before the legitimate ones, leading the application to load and execute malicious code inadvertently.

Detection Opportunities and Recommendations

To address this exploitation method, experts suggest focusing on parent process analysis. This includes looking for unusual processes invoking binaries from the WinSxS folder and monitoring the activities of these binaries, especially their network communications and file operations. This approach can help identify any abnormal behavior indicative of an ongoing attack.
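
One way to turn the parent-process and binary-activity checks above into triage logic, as an added example (not code from the researchers or from Gridinsoft): it reads Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and correlates them per process. The expected-parent baseline, the GUIDs, the WinSxS subfolder name and placeholder.dll are constructed assumptions.

```python
"""Triage Sysmon-style events for WinSxS binaries abused via DLL search order hijacking."""
import ntpath

WINSXS = (r"c:\windows\winsxs",)
# Locations a WinSxS binary is normally started in and loads DLLs from.
SYSTEM_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# ASSUMPTION: baseline of parents expected to start WinSxS binaries; tune per estate.
EXPECTED_PARENTS = {"svchost.exe", "services.exe", "tiworker.exe",
                    "trustedinstaller.exe", "msiexec.exe"}


def _norm(path):
    # Collapse "..", unify separators and case so prefix checks cannot be dodged.
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, roots):
    p = _norm(path)
    return any(p == r or p.startswith(r + "\\") for r in roots)


def check_event(ev):
    """Return finding tags for one event; only WinSxS images are examined."""
    image = ev.get("Image", "")
    if not image or not _under(image, WINSXS):
        return []
    findings = []
    if ev.get("EventID") == 1:  # process creation
        parent = ntpath.basename(_norm(ev.get("ParentImage", "")))
        if parent not in EXPECTED_PARENTS:
            findings.append("unusual-parent")
        cwd = ev.get("CurrentDirectory", "")
        if cwd and not _under(cwd, SYSTEM_DIRS):
            findings.append("cwd-outside-system-dirs")
    elif ev.get("EventID") == 7:  # image (DLL) load
        dll = ev.get("ImageLoaded", "")
        if dll and not _under(dll, SYSTEM_DIRS):
            findings.append("dll-outside-system-dirs")
    return findings


def scan(events):
    """Group findings by ProcessGuid; a foreign DLL plus a launch anomaly is 'high'."""
    per_proc = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            entry = per_proc.setdefault(
                ev["ProcessGuid"], {"image": ev["Image"], "findings": set()})
            entry["findings"].update(hits)
    report = {}
    for guid, entry in per_proc.items():
        tags = entry["findings"]
        correlated = "dll-outside-system-dirs" in tags and len(tags) > 1
        report[guid] = {"image": entry["image"],
                        "findings": sorted(tags),
                        "severity": "high" if correlated else "medium"}
    return report


# Constructed sample events (not real telemetry). Field names follow Sysmon.
LAB = r"C:\Users\analyst\Desktop\NOT_A_SYSTEM_FOLDER_MS"
SXS = r"C:\Windows\WinSxS\CONSTRUCTED_COMPONENT_DIR"
SAMPLE_EVENTS = [
    # WinSxS binary started from a shell whose current directory is the lab folder
    {"EventID": 1, "ProcessGuid": "{A}", "Image": SXS + r"\ngentask.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": LAB + "\\"},
    # ...and the same process loading a DLL from that folder
    {"EventID": 7, "ProcessGuid": "{A}", "Image": SXS + r"\ngentask.exe",
     "ImageLoaded": LAB + r"\placeholder.dll"},
    # Servicing activity: expected parent, system cwd, system DLL
    {"EventID": 1, "ProcessGuid": "{B}", "Image": SXS + r"\TiWorker.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CurrentDirectory": "C:\\Windows\\System32\\"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": SXS + r"\TiWorker.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # Not a WinSxS image: out of scope for this rule
    {"EventID": 1, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\analyst"},
    # Path that only looks like it sits under C:\Windows
    {"EventID": 7, "ProcessGuid": "{D}", "Image": SXS + r"\aspnet_wp.exe",
     "ImageLoaded": r"C:\Windows\..\Users\Public\placeholder.dll"},
]

if __name__ == "__main__":
    for guid, info in scan(SAMPLE_EVENTS).items():
        print(guid, info["severity"], info["image"], ", ".join(info["findings"]))
```

Network connections and file writes by the flagged processes, which the recommendation also mentions, would be joined on the same ProcessGuid.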

In addition, it’s crucial to use comprehensive security measures like anti-malware solutions and firewalls. Antivirus software can detect and neutralize many types of malware, including those that might be introduced via DLL hijacking. On the other hand, firewalls help monitor and control incoming and outgoing network traffic.

PoolParty Injection Techniques Circumvent EDR Solutions
https://gridinsoft.com/blogs/poolparty-injection-techniques/
Mon, 11 Dec 2023 14:37:33 +0000

A set of process injection techniques, named PoolParty, was presented at the Black Hat Europe 2023 conference. The set of 8 tricks makes it possible to force the execution of any malicious code, and circumvents the protection of top-notch EDR solutions.

PoolParty Process Injection Exploits Windows Mechanisms

The initial presentation of the techniques, along with further analysis, reveals a chain of simple yet genius tricks. As the name suggests, PoolParty plays with the Windows thread pool. It is an internal mechanism that orchestrates the execution of system functions during the application runtime. Let’s dig into the details a little bit.

There is an object in Windows called “worker factory” – a thing responsible for managing the number of worker threads. The latter, as I’ve said above, are used to execute system functions needed for the programs to operate. Each process running in the system eventually gets its own worker factory, with a set of worker threads needed to run it.

The system itself offers the ability to dump the info of a chosen worker factory, including the start routine value. It is possible to simply substitute this value with the one needed to run the malware, for example – a malicious shellcode. Through the same worker factory calls, it is possible to speed up the process by initiating the start routine execution when needed rather than waiting for the system to run it.

WorkerFactory StartupRoutine call

Thread Pool Attacks

Another edge of the attack targets not the workers and worker factories, but thread pools. Those are, essentially, strings of tasks the system should perform; a to-do list for the workers, one may say. Through playing with specific properties of work item types, it is possible to feed a malicious task to the task list for workers.

Work Items in Windows

As there are separate types of queue for regular, timer and asynchronous jobs, devs can fine-tune the execution flow of the program. Or, in the case of malicious exploitation, the fine-tuning is applied to malware execution. Depending on the type of job, the way of injection differs, becoming the most complicated on timer jobs. But nonetheless, all three types of jobs remain the attack surface – and there is not much EDR solutions can do about it.

Are PoolParty Injects Dangerous?

Indeed, they are. Process injection is the bread and butter of pretty much every malware launching procedure. A malicious program in the form of an executable file is nowadays a rare sight: they mostly come as DLLs or portable executable files. But by now, all the techniques used to launch such malware have been researched to the last tiny bit. Hollowing, duplicating, thread hijacking – we know not only their mechanisms, but also the ways to counteract them.

That, however, is not the case with PoolParty injection methods. This vile eight has been researched, yet still goes undetected even by top-rated EDR solutions. And those are the security solutions meant to protect enterprises, with the biggest protective capabilities – let alone the effectiveness of user-oriented antivirus programs.

Hence, it is extremely important to follow preventive techniques against malware injection. Giving malware zero chances to even appear in your system means it cannot pull off tricks like PoolParty. Among such techniques are effective network protection, content disarming utilities, firewalls, and email protection solutions. However, security essentials like privilege limitation or access control will work as well. Even with a way to detect such threats, it is better to avoid their appearance in the first place.

Information Security Experts Published a PoC Exploit for a Vulnerability in Win32k
https://gridinsoft.com/blogs/poc-exploit-for-a-vulnerability-in-win32k/
Wed, 14 Jun 2023 10:05:17 +0000

Information security experts have published a PoC exploit for a privilege escalation vulnerability in the Win32k driver that was fixed in May.

Let me remind you that this bug received the identifier CVE-2023-29336 (7.8 points on the CVSS scale) and was discovered by Avast researchers. CVE-2023-29336 has been reported to affect systems running Windows 10 and Windows Server 2008, 2012, and 2016.

“An attacker who successfully exploited this vulnerability could gain SYSTEM-level privileges,” Microsoft said in a statement.

Back in May, Avast specialists warned that they had already recorded attacks on CVE-2023-29336, but nothing concrete was reported about them.

We also wrote that Exploits for Vulnerabilities in Three Popular WordPress Plugins Appeared on the Network, and also that Thousands of GitHub Repositories Spread Malware That Is Disguised as Exploits.

Also the information security specialists pointed out that A PoC Exploit Is Already Available for a Critical RCE Problem in Fortinet Products.

In turn, the US Cybersecurity and Infrastructure Security Agency (CISA) added this issue to its catalog of known exploitable vulnerabilities (KEV), and urged organizations to install patches by May 30, 2023.

Now, a month after the release of the patch, analysts from Numen have published full technical information about the vulnerability, as well as a PoC exploit for Windows Server 2016.

Experts say that although the vulnerability is not suitable for attacks on Windows 11, it poses a significant risk to older versions of the OS, including older versions of Windows 10, Windows Server and Windows 8.

In their report, the researchers explain that they experimented with various memory manipulation techniques, exploit triggers, and memory read/write functions, which ultimately helped them create a working exploit that provides reliable privilege escalation to the SYSTEM level.

Overall, the researchers concluded that exploiting CVE-2023-29336 does not appear to be particularly difficult and is likely to remain a security risk to older systems.

Numen engineers advise system administrators to watch for anomalous offset read/write operations or related window objects, which may indicate active exploitation of CVE-2023-29336 for local privilege escalation.

What is “Windows Key Code Is Not Valid And Seems Pirated”?
https://gridinsoft.com/blogs/windows-key-code-is-not-valid-and-seems-pirated-remove/
Wed, 07 Jun 2023 15:24:43 +0000

Windows Key Code Is Not Valid And Seems Pirated appears to be a new scary scam approach used to trick Windows users. Banners with this prompt may appear out of nowhere, and can really scare inexperienced users. Let me explain to you what’s the matter with this banner, if you really have any issues, and how to avoid such notifications in future.

Windows Key Code Is Not Valid And Seems Pirated – Is that true?

First and foremost – no. The banner with this statement is a scam – the one which aims to make you call the fake tech support. Notifications about the invalid licence key are accompanied by even stranger notices about malware detection and accounts ban. Though, let me explain all things in their order.

Scam page that says that Windows Key Code Is Not Valid

Despite having a pretty straightforward licence control system, Microsoft does not have any licence warnings in the web browser. This, however, is not that clear for people who never had to deal with the licence in Windows. As you can see on the screenshot above, hackers mimic the Microsoft official website, setting it as the background. However, the key accent is made on a banner which states strange (to say the least) things. Somehow they conjoined the “Windows key is invalid”, “Banking trojan detected” and “accounts may be banned” prompts on the same frame. And, as it usually happens in such scams, there is a phone number you should call to receive “tech support”. To force your interaction with the page, hackers open this page in the fullscreen mode, making it impossible to switch to another tab.

The banners on the background you can interact with also contain similar claims. Though, their contents are as questionable as on the “main” message.

Text of scam banners

Windows Key Code Is Not Valid And Seems Pirated
Trojan Spyware Alert – Error Code: #0x268d3
Access to this PC has been blocked for security reasons.
Contact Windows Support:
Threat Detected – Trojan Spyware
App: Ads.financetrack(1).exe
Run Anyway Back to Safety
Windows Defender – Security Warning
** ACCESS TO THIS PC HAS BEEN BLOCKED FOR SECURITY REASONS **
Windows Key Code Is Not Valid And Seems Pirated. The following data has been compromised.
> Email Credentials
> Banking Passwords
> Facebook Login
> Pictures & Documents
Windows Defender Scan has found potentially unwanted Adware on this device that can steal your passwords, online identity, financial information, personal files, pictures or documents.
You must contact us immediately so that our engineers can walk you through the removal process over the phone.
Call Microsoft Support immediately to report this threat, prevent identity theft and unlock access to this device.
Closing this window will put your personal information at risk and lead to a suspension of your Windows Registration.

A lot of users are not aware of how Windows licences work, even though this OS is dominant on the market. Most often, they purchase the device with pre-installed Windows – and never open the licence activation tab. Though some people activate it using third-party utilities that actually hack the Windows Key Management Service. Such an activation approach is illegal, as you may suppose, and the keys used for that trick are getting banned by Microsoft from time to time. These two things are two bearing points of the Windows Key Code Is Not Valid And Seems Pirated scam.

Is it dangerous?

As any other tech support scam, it is at best threatening to your personal information. In the phone call, pseudo tech support managers will ask you about email, name, surname, phone number, or even home address. Such data is invaluable for further phishing attempts or doxxing. Though, it is not the worst case scenario.

Typical appearance of tech support scam pages

In some situations, fake support will ask you to give them remote access to your system. Crooks may ask you to install specific software for that purpose, even when you already have one. Then, this “support team” may perform whatever gnarly thing they want – but most often it is an installation of a rogue antivirus or some other questionable program. Further, this program(s) will likely start demanding you to pay.

Remember what I’ve told you about a third-party remote access tool? Such a disguise is perfect for malware that aims at remote access, particularly backdoors and remote-access trojans. Threat actors may also offer a spoofed downloading link, which gives out a malicious copy instead of a genuine program. Following any of such links is pretty risky, especially considering that fake support managers never disdained spreading malware in their campaigns.

How did the Windows Key Code Is Not Valid scam appear?

The main way this page appears in your web browser is related to adware activity. This malware type is exceptionally widespread, as it brings money to its masters by showing unwanted ads in the infected systems. In this case, it operates with an entire scam scheme. By opening the website with Windows Key Code Is Not Valid And Seems Pirated scam, malware tries to bait the victim to catch the rascals on the phone. These crooks will do the rest – and kindly reward guys who lead adware for “good” jobs.

What should I do?

1. Close the Windows Key Code Is Not Valid page

Malware tries to make the scam page look like an overlaying banner. However, it isn’t – in fact, you see just a website opened in a fullscreen mode. Quit to the normal view using the Esc button and close the tab as usual. In the cases when the website blocks the input keys (it happens sometimes), it is possible to use Task Manager to close up the tab. Call for the latter using Ctrl+Shift+Esc key combination – the site cannot intercept it. Then, find the task that corresponds to the browser where the banner appeared and kill the process.

Stop Chrome from Task Manager

2. Run anti-malware software scan

As I’ve said above, the Windows Key Code Is Not Valid scam site cannot appear without outside interference. Most probably, you have adware or a browser hijacker running in the system. Aside from this exact page, you may also have noticed excessive ads appearing on all websites you visit, strange browser behaviour and a changed search engine. All these things are definite symptoms of adware activity. I’d recommend GridinSoft Anti-Malware as a superior software for solving such issues. Use it to scan your system and remove all the intruders.

3. Reset browser settings

Even though adware is not a very complicated malware, it still applies a lot of changes to your system to provide sustainability. Living with these changes in place is not the best option, as they will most likely affect your browser performance and experience. There is a manual way to reset browser settings, but I’d recommend using GridinSoft Anti-Malware for that purpose: it can reset all browsers together in one click.

How to Remove Windows Defender Security Warning Scam
https://gridinsoft.com/blogs/windows-defender-security-warning-scam-how-to-remove/
Tue, 03 Jan 2023 09:14:36 +0000

Have you ever had a Windows Defender security warning pop up randomly while browsing? This type of malicious activity wants you to get in touch with scammers. Fortunately, you can quickly get rid of it. Next, we will tell you how to remove the Windows Defender security warning scam and protect yourself from other viruses.

What is the Windows Defender security warning?

The Windows Defender security warning is the result of a scareware or phishing scam. Its task is to redirect you to a page that looks visually like the official Microsoft website. However, its URL does not correspond to the original. The page can display a message saying that your computer is infected with malware and that you need to contact a support agent by phone to fix the problem.

Windows Defender Security warning scam example. Red flags are highlighted in the picture.

Unfortunately, the notification looks like a legitimate Windows message, and that’s why it’s so dangerous – many users may not even try to verify it on Google. A common tactic of scammers is to make the pop-up as convincing as possible so that people don’t suspect anything wrong. Either way, the phone number will likely direct you to a fraudulent call center. The agent will either try to get you to install malware to infect your computer, steal your personal information, or demand money for fake services.

Why is the Windows Defender security warning false?

At first glance, you might mistake this for a warning from Windows Defender. However, if you use Windows Defender, you know it differs from a genuine notification. Therefore, please don’t call the phone number in the window because it is not a real alert. Why?

  • It’s not the Windows Defender interface. Windows Defender, also known as Windows Security, is a built-in Windows application with a different interface. It will never show you a browser pop-up or page; it uses system pop-ups instead.
  • Strange text and typos. A banner or page that shows you a Microsoft Defender alert commonly contains strange text design and grammatical and stylistic errors. It sharply contrasts with the short and informative Defender notifications.
  • Microsoft never leaves contact numbers for users. Instead, users can contact Microsoft support using the “Get Help” application if they encounter problems.

This Windows Defender security alert is flawed in both format and content. It’s often a low-level phishing scam that aims to sell a rogue antivirus service, which, in turn, can harm your computer. In some cases, though, you will not be able to close the alert or switch to other applications.

Causes of the Windows Defender security warning

There are several reasons why you see a Windows Defender security warning. Here are the most obvious ones:

  • You clicked on an ad that redirected you to a fake site.
  • You visited a hacked website that redirected you to a fraudulent page.
  • The presence of a malicious program installed on your device. Most often, this thing is an effect of adware activity.

There are also many other ways you could be exposed to fraud, depending on various things, such as the external devices you share with someone. Simply closing the window may not solve the problem, especially when adware is guilty of this. The pop-up message may appear every time you open your browser.

How to remove Windows Defender security warning

Since Windows Defender security warning appears in your browser, most of the actions you must take to get rid of it are related to your browser. These actions can solve the problem of Windows Defender security warning pop-ups.

  • Forcibly close and reopen your browser.
  • If the problem with redirecting to a fraudulent page persists, reset your browser (more instructions below) or reinstall the browser completely.
  • If this is still happening, you may have adware or some PUP (potentially unwanted program) installed on your computer, and you need to remove it.

Suppose you do not know which of the installed applications is causing the pop-up notifications. Then, you can install antivirus software to detect the infection’s source and remove it from your computer.

How to clear the browser from the Windows Defender security warning

Resetting your browser settings is one of the first things you should do to eliminate the Windows Defender security warning scam. The following instructions tell you how to do this in different browsers:

Remove the Windows Defender pop-up from Chrome

1. Click on the three vertical dots in the top right corner and select Settings.

How to open Chrome settings

2. Select Reset and clean up, then Restore settings to their original defaults.

Restore settings button

3. Click Reset settings.

Reset settings button

Remove the Windows Defender pop-up from Firefox

1. Click the three-line icon in the upper right corner and select Help

How to find Firefox reset settings

2. Select More Troubleshooting Information

Next step to Firefox reset

3. Select Refresh Firefox… then Refresh Firefox

How to reset Firefox

Remove the Windows Defender pop-up from Microsoft Edge

1. Press the three dots

How to reset Edge settings. Step 1

2. Select Settings

How to reset Edge settings. Step 2

3. Click Reset Settings, then click Restore settings to their default values.

How to reset Edge settings. Step 3

Remove the Windows Defender pop-up from Safari

1. Open the terminal (press ⌘ Command + Spacebar to open the spotlight, type “terminal” and press “Enter”)
Open the terminal in Safari

2. Enter these commands one at a time. Execute each command by pressing “Enter” after copying it into the terminal:


rm -Rf ~/Library/Caches/Metadata/Safari;
rm -Rf ~/Library/Caches/com.apple.Safari;
rm -Rf ~/Library/Caches/com.apple.WebKit.PluginProcess;
rm -Rf ~/Library/Preferences/Apple\ -\ Safari\ -\ Safari\ Extensions\ Gallery;
rm -Rf ~/Library/Preferences/com.apple.Safari.LSSharedFileList.plist;
rm -Rf ~/Library/Preferences/com.apple.Safari.RSS.plist;
rm -Rf ~/Library/Preferences/com.apple.Safari.plist;
rm -Rf ~/Library/Preferences/com.apple.WebFoundation.plist;
rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginHost.plist;
rm -Rf ~/Library/Preferences/com.apple.WebKit.PluginProcess.plist;
rm -Rf ~/Library/PubSub/Database;
rm -Rf ~/Library/Safari/*;
rm -Rf ~/Library/Safari/Bookmarks.plist;
rm -Rf ~/Library/Saved\ Application\ State/com.apple.Safari.savedState;

What to do if the problem persists?

If you have done all the above steps and still see this warning every time you use a web browser, it is a clear sign that malware is still on your computer. You can use professional antimalware software such as GridinSoft Anti-Malware to scan your computer and remove any viruses and malware it finds. Such a scan will also remove and disarm much more dangerous cyber threats that could cause severe damage to your files.

How to avoid scams like Windows Defender Security Warning

As mentioned earlier, the Windows Defender security warning scam is not the only threat you may encounter on your computer. There is much more severe malware on the Internet, and you, as a prudent user, should take every precaution to avoid them. Here are the basic ones:

  • Ensure your OS and apps are up to date
  • Only download apps from official websites
  • Please don’t click on random links without knowing where they will take you
  • Don’t download suspect apps
  • Do not open attachments in suspicious emails
  • Use an ad blocker to block malicious ads
  • Use an advanced antivirus solution

Your computer should now be clean and free of Windows Defender scams. To prevent this from happening again, follow online hygiene to protect yourself from fraud. Perform frequent scans and use malware protection to stop it before it happens.

Why Does My PC Keep Freezing and How to Fix It
https://gridinsoft.com/blogs/how-to-prevent-my-computer-keep-freezing/
Mon, 14 Nov 2022 15:20:10 +0000

You have probably, at least once, had your PC suddenly freeze while you were working on a project, whether it was a cursor hanging in place or a blue screen of death that required a manual reboot to fix. If so, don’t worry. Although it can be a rather frustrating problem, you can often solve it independently. The best option is to understand the possible causes of laptop freezes and then take steps to prevent them. This article explains what to do if your computer keeps freezing for no obvious reason.

Why does my computer keep freezing?

There are several reasons why your computer keeps freezing or works poorly. Usually, it is a software problem, or too many apps are running on your computer simultaneously, which causes it to hang. We will not consider the case of weak hardware, where the system ran slowly from the start. However, additional problems, such as a lack of hard disk space or issues with drivers, can also prevent it from working correctly. In this article, we give step-by-step instructions on what to do when Windows freezes randomly.

Check if your computer is entirely dead-locked

To understand if your computer is completely frozen, try moving the mouse cursor over the screen. If it doesn’t move, your PC is locked and requires a forced reboot. You can also try pressing the “Caps Lock” key on your keyboard. If the Caps Lock indicator lights up, it’s probably a software problem that can be solved with the Windows Task Manager. To do this, press Ctrl+Alt+Del and select the frozen program, then press End Task. However, if the Caps Lock indicator doesn’t work, your computer is dead-locked, and you need to restart it. Desktop computers can be rebooted with the button on the system unit. If you have a laptop, hold the power button for ~10 seconds to force your PC to shut down.

Software issues that make your computer keep freezing

Software issues are the most common cause of a PC freezing randomly. At some point, the software loses control of the application or tries to run the application in a way that the Windows operating system does not recognize. This often happens when trying to run old programs in new versions of Windows or vice versa. Updating the software and the OS usually corrects the PC freezing problem. However, in some cases, reinstalling the application is the most effective way to deal with occasional software-related hangs.

Sometimes errors in running programs cause memory leaks. This happens when objects in a heap are no longer used, but the garbage collector cannot remove them from memory, so they remain there unnecessarily. A memory leak is harmful because it ties up memory resources and reduces system performance over time.

Check for Malware and Viruses

Computer freezes and crashes can be signs that your computer is infected. In some cases, malware loads your system by running dozens of processes in the background, consuming your computer’s RAM and causing it to freeze. It is often coin miners’ work, as it is their typical behavior – overloading the system, leaving no resources for other applications. In contrast, viruses can corrupt system files, without which the system cannot work correctly. As a result, this can cause blue screens of death. If your PC keeps freezing after rebooting, we recommend checking it for viruses with a reliable security solution.


Processor overheating

Because computers are susceptible to heat, a room without air conditioning on a 90-degree day can negatively affect your computer’s performance. You can tell if your PC is overheating by listening to your laptop or desktop computer’s internal fans. If the cooling is running too loud or louder than usual, you should dust your PC and replace the thermal paste on the processor.

However, there is the opposite situation, when the processor is warm and the cooling does not work, i.e. the fans are silent. In this case, you should carefully inspect the coolers: they may be faulty or may have lost contact. At best, the processor will start to throttle, and at worst, overheating can lead to a complete shutdown. Next, get some air circulation in the room and ensure the CPU vents are not clogged with dust. If the freezing stops after that, overheating was the reason for the issue.

Multitasking

Each program on your computer requires some internal and external (hardware) resources to run. If you run multiple programs simultaneously, your computer may need more memory or processing power. Therefore, run programs only as required to reduce the chance of being short on resources. We also recommend checking the program autorun settings and disabling the autorun of unnecessary applications. This will significantly speed up the startup of your laptop. To do this, run the task manager, go to the “startup applications” tab, and disable unnecessary applications.

Disable useless processes
Some programs can write themselves into the autorun without your knowledge. You can now control this.

Driver issues

Drivers directly affect the performance of your PC and can cause the computer to freeze constantly. If drivers are corrupt or outdated, applications cannot interact with your hardware properly. Most modern operating systems get drivers from the Windows Update Center after installation, but drivers are rarely updated there. This is especially true for drivers for graphics adapters. For example, if your PC has powerful hardware but works slowly in graphics applications, we recommend downloading and installing the latest video driver from the manufacturer’s website. In most cases, this will solve the problem of poor performance in applications and of the PC freezing for a few seconds.

Lack of RAM

Lack of memory is often the cause of occasional freezes. Unfortunately, you cannot solve this issue programmatically. However, you can try increasing the memory dump. The easiest way to check for insufficient RAM is to run a Windows memory diagnostic. Below are the steps to check your RAM:

1. Open the Start menu and type in Windows Memory Diagnostic Tool in the search box.

Windows memdiag

2. Click on it. This will reboot your system and check out your memory. It will also notify you if it finds any problems.

Memdiag restart PC

If no errors are found, there is probably nothing wrong with the memory. Most likely, your system and applications don’t have enough RAM. Consider upgrading your PC. At the very least, try adding RAM to fix the problem. You can find out if your system has enough RAM by running Task Manager and opening the Performance tab. If your device’s RAM is more than 70% used, you should add RAM to your device.

If you have a desktop PC, everything is as simple as possible. You just need to find out what type of memory you have installed. To do this, open Task Manager, go to the Performance tab, and click Memory.

Task Manager RAM type
Usually, the type of memory installed is displayed here, but sometimes it is not.

If your memory type is not displayed there, use special utilities, such as AIDA64.

AIDA64 RAM info
AIDA64 interface.

If you have a laptop, google your model to find out what RAM it uses. However, not all laptops allow you to expand RAM because, in compact models, this memory is soldered onto the motherboard and is physically impossible to replace.

Hardware issues that lead to the computer freezing

A more severe problem is a hardware issue, where a particular computer component is not working correctly or is malfunctioning. This can happen for several reasons, such as overheating or excessive dust buildup on components inside the computer. For example, as trivial as it sounds, a mouse or keyboard cord can become damaged over time, and a wireless device can have a dead battery. For the past few years, all computers have been equipped with high-speed SSD drives, but older machines have obsolete hard disk drives. If your device has an older hard drive, we recommend replacing it with a faster SSD. This is guaranteed to give a significant performance boost to your PC. SSDs, if used correctly, can last quite a long time without problems, but when an SSD fails, it stops working completely.


Tips to Prevent Random PC Freezes

Does your PC freeze randomly? In addition to the tips above, you can apply some of the following techniques to minimize the risk of your computer freezing frequently:

Clean up Windows temporary files

Microsoft Windows uses a cache to store temporary files so it can access them quickly. Besides taking up extra space, these files can also interfere with Windows, causing performance issues. Clearing the cache folder removes all the unneeded files that were created in the past and that may have caused your OS to hang. To clear the Windows cache files, follow these steps:

1. Press Win+R and type or paste “%temp%” in the Run window to open the temporary cache folder.

Temp folder opening

2. Please select all the files with the CTRL+A key combination and then permanently delete them.

You can use the disk cleanup tool by clicking start and typing “disk cleanup” in the search box.

Disk cleanup search Computer keep freezing

In the window that opens, select the drive where the OS is installed (by default, it’s the C drive). Then, choose the types of data you want to delete in the next window. If you have very little space, you can select all of them.

Clean garbage files if my computer keep freezing

Check the hard disk for malfunctions that can make your computer keep freezing

If the hard drive’s response speed is not up to standard, Windows may not be able to access it at the necessary rate, and this causes the hard drive to freeze between access intervals. In addition, fragmentation errors may occur on the hard drive due to a PC crash or abnormal termination. Windows has a built-in tool to help you identify and fix disk problems, and running it is another step that can help when the computer hangs again and again. To do this, follow these steps:

1. Right-click Start and select Terminal (Administrator).

CMD admin if computer keep freezing

2. Type or paste “chkdsk” at the command prompt and press Enter.

Chkdisk command prompt

This will start checking your hard drive for malfunctions using the Windows command line. Sometimes Windows will need to reboot to complete the check. When the utility finishes, it will notify you of any disk errors.

Run Defragmentation

Defragmentation is reorganizing the data stored on your hard drive so that pieces of data line up continuously. It picks up all the parts of data that are scattered across your HDD and puts them back together in an orderly, neat, and clean fashion. To do so:

  1. Open My Computer
  2. Right-click on the desired drive and choose Properties.
    Disk drives list
  3. Click the Tools tab.
  4. Click Optimize
    Disk defrag
  5. When the window appears, click Optimize.
    Defrag disks computer keep freezing

As a result, defragmentation increases your computer’s performance by reducing the time it takes to access data and allows you to use your storage more efficiently.

Run the system file checker

Sometimes Windows keeps freezing randomly due to corrupted or missing system files. Fortunately, the OS has a system file checker that should help you restore the original files. With any luck, it will automatically fix your problem. To use this tool, run the command line as administrator and type or paste the following command:

sfc /scannow

Command prompt search

Windows will scan its files, and if it finds a corrupt or missing file, Windows will try to fix it automatically.

Command prompt sfc scannow

No matter how well you maintain your PC, all systems hang at some point. It could simply be a problem with the operating system, as happened with the 2017 Windows 10 update. However, understanding what causes your computer to hang can help you prevent and troubleshoot problems in the future. We hope that the methods described above have helped you to solve the Windows freeze problem so that you can get back to using your device comfortably. If none of the above solutions helped with your PC freezing, your computer likely has a hardware problem that requires further investigation. In this case, you can contact a service center, where qualified specialists will be able to find and fix the problem.

Hack Group Witchetty Hides Malware in the Windows Logo
https://gridinsoft.com/blogs/malware-in-the-windows-logo/
Mon, 03 Oct 2022 09:09:52 +0000

Symantec researchers have discovered a malicious campaign by the hacker group Witchetty, which uses steganography to hide malware in an image with the Windows logo.

Let me remind you that we also wrote that Hackers hide MageCart skimmers in social media buttons.

Experts note that the Witchetty hack group is associated with the Chinese group APT10 (aka Cicada). One of the group’s latest cyber-espionage campaigns began in February 2022 and targets governments in the Middle East, as well as the stock exchange in Africa. This campaign is still ongoing.

Experts noticed that this time the hackers have expanded their malicious toolkit and begun to use steganography in attacks: they hide an XOR-encrypted backdoor in an old bitmap of the Windows logo.

Malware in the Windows logo
Image in which hackers hid malware

Thanks to this disguise, the file with the backdoor is placed in an unnamed cloud service, and not on the group’s control server, since security solutions do not detect a malicious payload in it.

“Downloads from trusted hosts such as GitHub are much less likely to cause alarms than downloads from a C&C server controlled by an attacker,” experts say.

Witchetty attacks begin with attackers gaining access to the victim’s network using the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities, which are used to inject web shells on vulnerable servers.

The attackers then download and extract the backdoor hidden in the image file, which allows them to:

  1. perform actions on files and directories;
  2. start, enumerate or kill processes;
  3. modify the Windows registry;
  4. download additional payloads;
  5. steal files.

Witchetty also uses a special proxy utility that forces the infected computer to act “as a server and connects to the C&C server acting as a client, and not vice versa.”

Other tools used by the group include a custom port scanner and a custom persistence utility that adds itself to the registry under the guise of an NVIDIA display core component.

Unofficial fixes released for 0-day issue in Windows Mobile Device Management Service
https://gridinsoft.com/blogs/unofficial-fixes-released-for-0-day-issue-in-windows/
Tue, 30 Nov 2021 21:42:50 +0000

Unofficial fixes have been released for a 0-day issue in the Windows Mobile Device Management Service (Access to Work or School). The problem is present on devices running Windows 10, version 1809 (and later).

The bug is related to a bypass of the information disclosure patch (CVE-2021-24084) released by Microsoft engineers in February this year. This month, cybersecurity researcher Abdelhamid Naceri, who initially discovered the problem, noticed that the vulnerability was not fully fixed and can be used to gain administrator rights.

“As we learn from HiveNightmare and SeriousSAM, arbitrary file expansion can be improved to a local vulnerability if you know what files to take and what to do with them,” 0patch co-founder Mitja Kolsek explains.

0patch confirms that by using the method described in the blog of researcher Raj Chandel, combined with the bug discovered by Abdelhamid Naceri, it is possible to run code as a local administrator.

While Microsoft has likely already taken notice of the researchers’ reports, the company has yet to fix the bug, meaning that systems running Windows 10, even with the latest security updates from November 2021, are still vulnerable to attacks.

Fortunately, two specific conditions must be met for the vulnerability to be exploited. First, system protection must be enabled on drive C and at least one restore point must be created. Second, at least one local administrator account must be activated on the computer, or the credentials of at least one member of the Administrators group must be cached.
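
A triage check for the two conditions listed above, as an added example (not code from the article or from 0patch). It assumes an elevated Windows PowerShell 5.1 session; the function name and the build-number range (17763 for version 1809 through 19044 for 21H2) are this example's assumptions, and cached credentials of Administrators group members are not inspected.

```powershell
# Added example: reports whether this host matches the conditions the article lists.
# Run in an elevated Windows PowerShell 5.1 session (Get-ComputerRestorePoint is
# not available in PowerShell 7).
function Get-MdmBypassExposure {   # hypothetical name, not a built-in cmdlet
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # ProductType 1 = workstation. The article says Windows Server is not affected.
    $isClient = ($os.ProductType -eq 1)

    # Assumption of this example: build 17763 = Windows 10 1809, 19044 = 21H2.
    # The article says 1803 and earlier are not affected.
    $inRange = $isClient -and ($build -ge 17763) -and ($build -le 19044)

    # Condition 1: at least one restore point exists. A restore point implies
    # System Protection has been enabled; confirm the setting for drive C in the
    # System Protection tab if this count is non-zero.
    $restorePoints = @()
    try {
        $restorePoints = @(Get-ComputerRestorePoint -ErrorAction Stop)
    } catch {
        Write-Warning "Could not list restore points: $($_.Exception.Message)"
    }

    # Condition 2: at least one enabled local account in the built-in
    # Administrators group (well-known SID S-1-5-32-544).
    $enabledAdmins = @()
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
        $enabledAdmins = @(
            $members |
                Where-Object { $_.ObjectClass -eq 'User' } |
                ForEach-Object {
                    # Domain members do not resolve as local users and are skipped.
                    Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue
                } |
                Where-Object { $_.Enabled }
        )
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = $build
        IsClientOS          = $isClient
        InListedBuildRange  = $inRange
        RestorePointCount   = $restorePoints.Count
        EnabledLocalAdmins  = ($enabledAdmins | ForEach-Object { $_.Name }) -join ', '
        # True only when the OS range and both listed conditions are met.
        MatchesConditions   = $inRange -and
                              ($restorePoints.Count -gt 0) -and
                              ($enabledAdmins.Count -gt 0)
    }
}

Get-MdmBypassExposure | Format-List
```

A result of MatchesConditions = False does not rule out the cached-credentials case, which this check does not cover.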

While Microsoft prepares patches, 0patch has already released unofficial free updates for all vulnerable versions of Windows 10 (Windows 10 21H2 is also supported by 0patch). Let me remind you that 0patch is a platform designed for such situations: it provides fixes for zero-days and other unpatched vulnerabilities, and supports products that are no longer supported by manufacturers, custom software, and so on.

The fixes are already available and apply to the following Windows versions:

  • Windows 10 v21H1 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v20H2 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v2004 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1909 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1903 (32-bit and 64-bit) with updates for November 2021;
  • Windows 10 v1809 (32-bit and 64-bit) with May 2021 updates.

Experts point out that the bug does not apply to Windows Server, since the problematic functions are simply absent (there is no Access to Work or School there), and that it does not apply to Windows 10 version 1803 and earlier versions, where Access to Work or School works in a different way.

Cybersecurity researchers published an exploit for Windows that allows escalating privileges
https://gridinsoft.com/blogs/cybersecurity-researcher-published-an-exploit-for-windows/
Tue, 23 Nov 2021 18:11:21 +0000

Bleeping Computer reported that a cybersecurity researcher has published an exploit for a new zero-day vulnerability that can be used to escalate local privileges in all supported versions of Windows, including Windows 10, Windows 11 and Windows Server 2022.

The journalists write that they have already tried the exploit in action and were able to open the command line with SYSTEM privileges using an account with Standard privileges.

“BleepingComputer tested Naceri’s ‘InstallerFileTakeOver’ exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with ‘Standard’ privileges, as demonstrated in the video below. The test was performed on a fully up-to-date Windows 10 21H1 build 19043.1348 install,” Bleeping Computer journalists reported.

And posted a video demonstration:

This month, as part of Patch Tuesday, Microsoft patched the Windows Installer privilege escalation vulnerability CVE-2021-41379. This problem was discovered by cybersecurity researcher Abdelhamid Naceri, who has now reported that the patch can be bypassed, and the vulnerability then transforms into a more serious problem.

Naceri has already posted a PoC exploit for the new 0-day issue on GitHub, highlighting that the bug is dangerous for all supported OS versions. Naceri explains that while it is possible to configure Group Policy to prevent Standard users from performing MSI installer operations, the new vulnerability can bypass this policy.

“This variant [of the vulnerability] was discovered during the analysis of the patch for CVE-2021-41379: the bug was fixed incorrectly and, on the contrary, provided a workaround [fix]. Any attempt to patch the binary directly will break the Windows Installer. So, you better wait and see how Microsoft will screw the patch again,” the expert writes.

When reporters asked Naceri why he publicly disclosed information about a serious 0-day vulnerability, he replied that he was disappointed with the decrease in the size of rewards in Microsoft’s bug bounty program.

“Microsoft’s bug bounty went bad in April 2020. I really would not have done this if MSFT had not made the decision to lower payments,” the specialist explained.

Let me remind you that recently we also wrote about another vulnerability in Windows 10 that could allow gaining administrator privileges.
