GraceWire is yet another highly risky Trojan threat that targets Windows Users. This malicious program acts as a info-stealer, once successfully invaded any system. However, the threat is not newly detected and hence been used by various groups to run malicious campaigns.
For instance, the info-stealer has been used by cyber-criminals in various surveillance acts. Even a malicious group named “Evil Corp”, also known as “Dridex” used this threat as a hacking tool. Now a threat group named CHIMBORAZO is using a novel tactics to send out phishing excel document.
|Description||GraceWire is an info-stealer that steals logins credentials, crypto wallets data and more sensitive details of the target system.|
|Occurrence||Freeware downloads via unofficial websites, infected external devices, spam email attachments, software cracking tools, or other Trojan droppers.|
|Symptoms||Drained CPU performance, unknown processes running, strange browser activities, or anti-virus detecting some threats but not able to locate them.|
Run The Scan tool Now– To eliminate GraceWire virus from your computer.
The Distribution campaign
In the recent campaign, the Microsoft has identified a new Excel malware campaign that spread the GraceWire Trojan. The campaign is known as Dudear, that uses a “novel” tactics to skip traditional antivirus scans and other security solutions installed on the system.
As per Microsoft’s statement, CHIMBORAZO, a cyber-criminal group, is behind the distribution of an infected Excel document. The malware infects the victim’s computer with GraceWire, a password-stealing Trojan.
To make it look legit, the malware asks the user to fill out a CAPTCHA form. Often CAPTCHA is used to confirm is the user is human or not. However, the hackers in the current campaign conceals the malware behind the CAPTCHA form. This makes it essential for the user to click on it and further download it manually.
The group has distributed the infected Excel file using phishing campaigns and embedded web links.
In many scenarios, the phishing emails link out to redirect sites. In some cases, it contains malicious HTML codes or attachments.
GraceWire Attack Motives
Once the system is infected with GraceWire-info stealer, it may show no early sign of infection. As such these malware run in the background and execute various malicious operations. Being a data-stealer program, it aims to steal various sensitive information stored in the host machine.
- Steals login credentials like usernames and passwords) of online banking accounts;
- May use key-loggers to record users online and offline activity;
- Targets data and other information stored in the browsers, social networking sites, file-sharing apps and so on;
- Extract cryptocurrency wallets information to make fraudulent transactions.
The collected information can be shared with authors of the threat via establishing communication to C2 servers. These information are later used by cyber-criminals for fraudulent transactions, identity frauds, more phishing scams, crypto-currency wallet transaction and so on. Although, it is not possible to suspect the presence of such threat on the system.
However, if you have recently opened such phishing emails then you may have GraceWire Trojan active on the system. Thus, you should quickly remove GraceWire virus from your computer.
How to Remove GraceWire
The removal process of GraceWire is tough like any other virus. It can leave you puzzled as it does too many modifications to the system internal settings. This may take enough time and patience to do it manually. That even may not ensure you complete removal.
Thus, it is advised to scan the infected computer with reputable anti-malware program to detect and remove GraceWire Virus.
“Windows OS: Use Anti-Malware To Scan And Remove GraceWire (Recommended)”
SpyHunter is a giant among the security programs that use advanced threat detection technology to remove any sort of Adware/PUPs, Browser hijacker, Trojans, Rootkits, Fake system optimization tools, worms, and rootkits. It not only remove threats but provides rigorous 24/7 protection from any unsolicited programs, vulnerability or rootkits attacks.
Steps To Perform System Scan with SpyHunter
- Once the program is installed successfully, the SpyHunter 5 Anti-malware program will launch automatically. If it does not then locate the SpyHunter icon on the desktop or click on “Start” ? “Programs” ? Select “SpyHunter”.
- Now, To start the scan click on the “Home” tab and select “Start Scan Now” button. The program will now start scanning for GraceWire and other associated programs.
- The scan will report will all the details of the result about GraceWire along with system errors, vulnerabilities and malware found.
- Once you have found GraceWire as shown in the screenshot below:
- To select an object for removal, just select the checkbox at the left of the object and click on “Next“. You can select or deselect any objects displayed in the “Malware,” “PUPs” or “Privacy” tabs. We have included a convenient “Select All” feature that will allow you to select or deselect all objects displayed in a specific tab. To utilize this feature, simply select the checkbox at the left in the specific tab (9).
- Once you have selected which objects you would like to remove, click the “Next” button.
If you want to know more about it, you are welcomed to check out the full review of SpyHunter 5.
How To Remove GraceWire Manually From Windows OS
To Remove GraceWire, follow these steps:
For our readers to understand, we have put our best possible solution that can help to remove this threat. But we suggest you to only try this if you are familiar with system configurations, registries keys and its subkeys values and also boot settings.
While performing the manual solution, be enough cautious and if you get confused at any point of time, them leave it and take the help of powerful anti-malware program to detect and remove the virus. This will not only ensure safe removal of GraceWire but also restore default system settings.
Method 2: Remove GraceWire Virus Using System Restore Procedure. (Advanced option)
Method 1: Remove GraceWire Manually From Windows OS (Safe Mode)
For Windows XP and 7:
- Click on the “Start menu“, then on click the arrow next to “Shut Down.” Select Restart. (Just as you normally Restart your PC).
- Once the computer screen is powered on, immediately start tapping “F8” key till you see “Advanced Boot Options” screen. if you don’t enter to the boot screen, then restart the process again and press F8 while the PC is restarting.
- Here, you need to choose “Safe Mode with Networking“ option and press “enter” key to troubleshooting windows. As later on, you need to access the internet.
- And you will now see the login screen. Now log in with your Administrator Account.
NOTE: To get back to your normal windows configuration, you need to repeat steps 1-3 and select Start Windows Normally.
- For Windows 10: Click Start –> Power and then hold the Shift key on your keyboard and click Restart.
- For Windows 8/8.1: Press the “Windows key + C“, and then click “Settings“. Click “Power“, hold down the Shift key on your keyboard and then click “Restart“.
- From here steps are same for Windows 10 and 8.
- Click Troubleshoot.
- Click Advanced options.
- Click Startup Settings.
- Click Restart.
- After your computer restarts, select Safe Mode with Networking.
- Enter your Administrative username and password to start Windows in Safe Mode with Networking.
NOTE: To get back to normal Windows configuration you need to Click Start –> Power and then click Restart.
Kill GraceWire Process From Task Manager
- Press “Window key+ R” and type “taskmgr”.
- Now once the task manager window opens, perform these steps:
- Under the process tab, check for the suspicious program still running;
- If you find it, right click on the name and select “Open file location”;
- Then click on “End Task”;
- Now go to the file location window opened and select the program and delete that file.
Disable GraceWire suspicious program from startup.
It is very important to remove GraceWire program, from auto-launch when the system boots. As if not removed, then it will not allow you to remove the malicious programs completely from the infected system. And there is very much chances that it will again repair its files and be active on your system.
Disabling this will allow you to completely get rid of any unwanted program.
To Disable Auto-Startup For GraceWire Program:
For Windows Xp and older version:
- Press “Windows key+R” that will open the run box. Within the search field type “msconfig” and hit enter that will launch “System Configuration” window.
- Next, click on the “Startup” tab to see the list of programs which are set to auto-launch with the computer boot.
- Now browse the list to locate the programs related to GraceWire. To disable it, un-check the boxes next to the program names, you want to remove from start up. And choose “Disable All” click “Apply” and “OK.”
For Windows 8, 10 and newer versions:
This feature is available within the Task manager window. So open it and switch to “Start Up Tab.”
- Click on the GraceWire or other harmful program, then click “Disable” button appearing at the bottom of the window.
Remove GraceWire And Other Harmful Program From Computer
- In the taskbar, click on the “Search” icon. And Type “Apps And Features;”
- When the “Apps And Features” window opens, you can see the list of applications installed;
- Go through it carefully and search for Presearch.org or other apps that looks suspicious to you. If you don’t remember to install yourself;
- If you find such, click on it to expand; And click on “Uninstall”.
- Repeat for all such apps.
If the program does not allow you to remove it, or says the program is running in the background. Then you need to first finish the task from the task manager.
Remove GraceWire using HitmanPro.Alert
HitmanPro.Alert is an advanced anti-malware program that takes on proactive approach towards threat behavior and its activities. Its cloud-based scanning technique is deeply scans the system to the possible locations where threats mostly resides.
Running HitmanPro.Alert on your computer will provide your real-time status, checks the browser integrity and alerts or any suspicious activity. So that you can have a safe browsing and online transactions. Read the full review of HitmanPro.Alert here.
Steps To Install And Run HitmanPro.Alert
- Click on the provided link to download HitmanPro.Alert anti-malware;
- Now, open the download folder or where your program is downloaded to locate “hmpalert3”;
- Click on it, to begin the installation;
- It will ask your User Account control, if prompted click on “yes”;
- The download should begin shortly. HitmanPro.Alert window will appear, where you need to choose the options:
Choose Protection level as Maximum
And tick the other boxes and finally click on “Install”.
HitmanPro.Alert only takes 5MB of your memory and is very quick to install.
- After the installation is complete, the scan will start. First scan may take up some minutes, as it will scan the whole computer.
- The scan results are displayed. Carefully look down the list. You can here, the scan has found 1 Riskware and thousands of traces which can be risky.
- You can select the threat to delete, quranantize, ignore or, mark as safe. If you want to remove all the threats, then simply click on the “Next” button below.
- HitmanPro.Alert first creates a restore point and then starts the removal process. This helps to recover from any damage.
So, now you are done, with the removal process with HitmanPro.Alert.
Method 2: Remove GraceWire Virus Using System Restore Procedure. (Advanced option)
Another method is a manual way to get rid of GraceWire which is through System Restore. If you don’t know much about this process, then read here. Click here to perform System Restore in Windows OS.
Safe Mode with Command Prompt (Follow the above steps and choose Safe Mode with Command Prompt option from boot setting.)
To Reboot your computer to “Safe Mode with Command Prompt”
Windows 7 / Vista / XP
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
- Now select Troubleshoot –> Advanced options –> Startup Settings and finally press Restart.
- Once your computer becomes active, select “Enable Safe Mode with Command Prompt” in Startup Settings window.
Windows 10 / Windows 8
- Click Start –> Restart –> OK.
- When your computer becomes active, start pressing “F8″ multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
To Restore your system to default settings as it was prior to the attack of GraceWire Virus
- Once the Command Prompt window appears, type “cd restore” and press Enter.
- Now again type “rstrui.exe” and hit Enter button;
- It will show up a new window, now click on “Next” and select your restore point that should be prior to the attack of GraceWire threat or any other point you want. Click on “Next”.
- Now click on “Yes” to confirm the system restore.
Once the system restore to your selected date is done, then you need to restart your computer normally.
You should Download effective anti-virus program and scan your computer to ensure successful removal of any threat.
Best Practices To avoid Such Infections
- Keep a secure firewall for the system. This will help block any unwanted internet connections to your device.
- Do not open spam mail attachments from unknown sender. This is the common way through which malicious programs intrude inside. Thus, we should be cautious while getting mails from non-trusted sources.
- Keep the software program updates, so that it does not have any security patches.
- Be very cautious while downloading any freeware from third-party websites. Always download software programs from official websites. Thus avoiding any accidental download of Adware/PUPs.
- Do not use public wi-fi for online transactions, as they are not fully secure and can infect the device.
- Use a powerful anti-virus program that will keep track of the security.
By following the above tips, you can avoid viruses or unwanted programs entering on your computer. Hope this article is helpful to you.