
Sunday, May 24, 2015

How to Remove Locker Virus and Restore Encrypted Files

Locker is a file-encrypting ransom virus (ransomware) that encrypts your files using the RSA-2048 encryption algorithm so that they cannot be accessed or repaired without the unique encryption key. I've seen a few different versions of this ransomware so far: Locker v5.52, Locker v3.30, Locker v4.55, Locker v4.81 and Locker v2.60. Basically, it's the same ransomware only with different version numbers. I bet there are even more versions out there but I'm not quite sure why cyber criminals decided to do this. Anyway, no matter which version you have installed on your computer, it's the same ransomware. It does encrypt your files, it's not a joke. If you don't have backups you might be in trouble. This vicious malware is most definitely something that you would be well advised to find out more about so that you are better able to protect yourself from an attack. It is also extremely useful to know why you shouldn't give in to ransomware's demands and what to do if you have been infected.


Locker virus payment page:


It demands to pay 0.1 BTC and gives information on how to buy Bitcoins. There's also a payment address which is unique for every victim.

What does Locker ransomware do?

You have probably already guessed that the clue to unlocking the way ransomware works is in its name. Locker has been created to kidnap your files or data, freeze them and make them inaccessible or unusable. After doing this the program will send you an updated version of the old fashioned ransom note, demanding that you pay 0.1 BTC (about $25) for your files to be released or unlocked. Once you've paid (which, by the way, you shouldn't – more of that in a minute) you will be sent a code that allows you to unlock your encrypted files. But when we say 'you will be sent' don't take that at face value as many cyber criminals using Locker ransomware will not bother to send you anything, simply taking your money and disappearing, never to be heard of again. And don't think you'll be able to negotiate with them either – these types of people don't tend to have a customer care helpline.

And that's not all...

So that they can ensure you will be more likely to pay, the criminals behind Locker will turn the fear factor up to eleven. You're already wondering if you're ever going to see your files and the data they contain again, but to pile even more stress upon you, many of these so-called ransom notes will either tell you that they have been sent by a law enforcement agency, such as the FBI or CIA, or tell you that the unlock code will become invalid and your files destroyed if you don't pay by a certain date. In this case, cyber criminals give you 3 days to pay the ransom. The Locker ransom program says:

All your personal files on this computer are locked and encrypted by Locker [ver]. The encrypting has been done by professional software and your files such as: photos, videos, and cryptocurrency wallets are not damaged but just not readable for now. You can find the complete list with all your encrypted files in the files tab.

The encrypted files can only be unlocked by a unique 2048-bit RSA private key that is safely stored on our server till [date]. If the key is not obtained before that moment it will be destroyed and you will not be able to open your files ever again.

Obtaining your private unique key is easy and can be done clicking on the payment tab and pay a small amount of 0.1 BTC to the wallet address that was created for you. If the payment is confirmed the decryption key will be sent to your computer and the Locker software will automatically start the decrypting process. We have absolutely not interest in keeping your files encrypted forever.

You can still safely use your computer, no new files will be encrypted and no malware will be installed. When the files are encrypted Locker [ver] will automatically uninstall itself.

It's very similar to BitCryptor ransomware. It shows the time remaining, lists all the encrypted files and gives you a personal Bitcoin wallet address.

What do I do? Pay the fine and make the problem go away?

It's not a good idea, but if you really, really care about the files, you can pay the ransom, although there is no guarantee that you'll get the files back. Besides, by paying you'll be perpetuating cyber crime. Instead, follow the removal guide below on how to salvage your data and clean your computer ASAP. There are a few tools that can help you to restore at least some of your files without paying a ransom. Even though there's no guarantee that these tools will help you, there's also no reason not to try them out. Who knows, maybe you will be the lucky one. Good luck and be safe online!


Written by Michael Kaur, http://deletemalware.blogspot.com

IMPORTANT! Before running anti-malware software and trying to restore your files, COPY the encrypted files, your Bitcoin wallet address (see under the Payment tab) and the %PROGRAMDATA%\rkcl, %PROGRAMDATA%\tor, %PROGRAMDATA%\steg or %PROGRAMDATA%\Digger folder (with files) to an external hard drive, CD/DVD or a USB flash key. You should have these in case you decide to pay the ransom or someone creates a decryption tool.
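One way to script the folder copy described above, as an added example rather than code from the original post. It assumes PowerShell 4.0 or later (for Get-FileHash); the destination E:\LockerEvidence and the manifest.csv file name are hypothetical, and the encrypted files and the Bitcoin wallet address still have to be saved by hand.

```powershell
# Added example (not from the original post): preserve the Locker working
# folders named in this guide before any cleanup tool touches them.
# Assumptions: PowerShell 4.0+, and E:\LockerEvidence is on external media.
param(
    [string]$Destination = 'E:\LockerEvidence'
)

# Folder names exactly as listed in the guide, under %PROGRAMDATA%.
$folders = 'rkcl', 'tor', 'steg', 'Digger' |
    ForEach-Object { Join-Path $env:ProgramData $_ }

# One timestamped subfolder per run so repeated runs never overwrite each other.
$target = Join-Path $Destination (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $target -Force | Out-Null

$manifest = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Not present on this machine: $folder"
        continue
    }

    # -Force makes Copy-Item include hidden and system files.
    Copy-Item -LiteralPath $folder -Destination $target -Recurse -Force

    # Hash the originals so the copies can be verified later.
    Get-ChildItem -LiteralPath $folder -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path          = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
                SHA256        = if ($hash) { $hash.Hash } else { 'unreadable (file in use?)' }
            }
        }
}

if ($manifest) {
    $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    "Recorded {0} files; the copy is in {1}" -f @($manifest).Count, $target
} else {
    Write-Warning 'None of the listed folders were found.'
}
```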



The ransomware is also known to disable certain system features like system restore, delete shadow copies, and prevent the uninstalling of software. This makes it incredibly difficult to remove it or roll back to solve the issue.


Step 1: Removing Locker and related malware:


Before restoring your files from shadow copies, make sure Locker virus is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove detected malware.





IMPORTANT! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. Also, try to disable bclock.exe using Process Explorer.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by Locker virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Try to recover at least some of your files with Recuva software. It's a free file recovery tool.

Method 4: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.
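Because this ransomware is known to delete shadow copies, it is worth confirming that any still exist before relying on Method 4. The following check is an added example, not part of the original guide; it assumes an elevated PowerShell 3.0+ prompt and uses the standard Win32_ShadowCopy and Win32_Volume WMI classes.

```powershell
# Added example: summarise the Volume Shadow Copies still on this machine.
# Run from an elevated (administrator) PowerShell prompt.

# Map volume GUID paths (\\?\Volume{...}\) to drive letters.
$driveOf = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    $driveOf[$_.DeviceID] = if ($_.DriveLetter) { $_.DriveLetter } else { '(no letter)' }
}

$copies = @(Get-CimInstance -ClassName Win32_ShadowCopy)

if ($copies.Count -eq 0) {
    Write-Warning 'No shadow copies found; Method 4 cannot help on this machine.'
    return
}

# One row per volume. Only copies created before the files were encrypted
# are useful, so compare the dates with when the ransom screen first appeared.
$copies |
    Group-Object -Property VolumeName |
    ForEach-Object {
        $dates = $_.Group | Sort-Object InstallDate |
            Select-Object -ExpandProperty InstallDate
        [pscustomobject]@{
            Drive  = $driveOf[$_.Name]
            Copies = $_.Count
            Oldest = $dates | Select-Object -First 1
            Newest = $dates | Select-Object -Last 1
        }
    } | Format-Table -AutoSize
```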


Thursday, May 21, 2015

Delta-homes Removal Guide

Delta-homes is a browser hijacker that modifies your web browser settings and changes your home page and default search engine to http://www.delta-homes.com. It can seem like it's getting harder and harder to spend any amount of time online and not put yourself in harm's way of being infected by malware or a virus. With online attacks now big business for the thousands of phishers, scammers and other cyber criminals, it's harder than ever before to stay safe. And unlike before when avoiding infection meant simply avoiding illegal downloads, pirated software and adult content websites, now anything, everything and everyone is fair game in an attacker's eyes.

Browser hijackers

Delta-homes and similar browser hijackers are just one more thing designed to irritate us when we're browsing the internet: search engines that will, without warning, take the place of your existing ones. You'll log on to your computer only to find that delta-homes.com has got rid of your existing home page for you and replaced it. That'd be fine if the replacement home page was better than your original - or at least equal to it in functionality – but that won't be the case. After all, the major search engines and operating systems know what they're doing when it comes to giving you search capabilities – more so, I'm willing to bet, than some bedroom programmer/spammer. Unlike most browser hijackers, it displays different home pages for users from different regions; in other words, it has a pretty decent localization module. However, that's not really useful and probably won't convince you to use it instead of Google or Bing. Besides, it's actually a pseudo search engine because it redirects users to govome.inspsearch.com and other websites that simply grab search results from Yahoo or Google.


If you've had a new delta-homes home page foisted upon you, chances are you're wondering how to stop it from happening again in the future. Well unfortunately there is no great catch all answer to the problem but, of course, there are a number of practical steps you can take; exercising more caution when you're using the internet being just one of them.

Of course, installing a good anti-malware program on your PC is your first line of defense in the war against online parasites and this will stand you in far better stead for staying safe when you're connected to the World Wide Web. However, the problem is that when it comes to browser hijackers, the fact that they are designated potentially unwanted can lead many anti-malware solutions to be fooled by them and view them as potentially wanted instead. It's two sides of the same coin.

What does delta-homes do?

It has quite a few unappealing features. Delta-homes might download adware onto your PC so that you'll be subjected to non-stop pop-up adverts. It generally makes your computer run more slowly and it can cause your internet connection to slow down or keep crashing too. And of course, as mentioned a moment ago, one of its very favorite things to do is to hijack your browser and change your home page to delta-homes. And in the majority of cases, these browser hijackers are merely a means for manipulating your web searches and redirecting them to websites that the browser hijacker's programmers want you to visit instead of the destination you were aiming for.

How does delta-homes end up on your PC?

Delta-homes is normally packaged with other programs, meaning when you download Program A you could also be downloading a browser hijacker! The solution: read license agreements properly and check or uncheck boxes mentioning add-ons.

How do I remove delta-homes?

Delta-homes removal can be a tedious task. It modifies browser settings and also makes modifications to Windows registry. Hopefully, the removal guide below will help you to remove this browser hijacker from your computer. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Delta-homes Removal Guide:


1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this browser hijacker from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this infection. Hopefully you won't have to do that.





2. Uninstall delta-homes related programs from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove eSave Security Control, GoPlayer, Desk 365 and any other recently installed application. It won't be listed as delta-homes.com in the currently installed programs list. So, either look for applications mentioned here or try to remember what software you installed recently. It's probably the culprit.



Simply select the application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove delta-homes from Google Chrome:

1. Click on Customize and control Google Chrome icon. Select Settings.




2. Click Set pages under On startup.


Remove delta-homes.com by clicking the "X" mark as shown in the image below.



3. Click Show Home button under Appearance. Then click Change.



Select Use the New Tab page and click OK to save changes.



4. Click the Manage search engines button under Search.



Select Google or any other search engine you like from the list and make it your default search engine provider.



Select delta-homes.com from the list and remove it by clicking the "X" mark as shown in the image below.



5. Right-click the Google Chrome shortcut you are using to open your web browser and select Properties.

6. Select Shortcut tab and remove "http://www.delta-homes.com...." from the Target field and click OK to save changes. Basically, there should be only the path to Chrome executable file. Nothing more.




Remove delta-homes from Mozilla Firefox:

1. In the URL address bar, type about:config and hit Enter.



Click I'll be careful, I promise! to continue.



In the search filter at the top, type: delta-homes



Now, you should see all the preferences that were changed by delta-homes. Right-click on the preference and select Reset to restore default value. Reset all found preferences!




4. Right-click the Mozilla Firefox shortcut you are using to open your web browser and select Properties.

5. Select Shortcut tab and remove "http://www.delta-homes.com...." from the Target field and click OK to save changes. Basically, there should be only the path to Firefox executable file.




Remove delta-homes in Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons.



2. Select Search Providers. First of all, choose Live Search search engine and make it your default web search provider (Set as default).

3. Select delta-homes.com and click Remove to remove it. Close the window.

4. Right-click the Internet Explorer shortcut you are using to open your web browser and select Properties.

5. Select Shortcut tab and remove "http://www.delta-homes.com...." from the Target field and click OK to save changes. Basically, there should be only the path to Internet Explorer executable file.



6. Finally, go to Tools → Internet Options and restore your home page to default. That's it!
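The shortcut check in the Chrome, Firefox and Internet Explorer steps above can be done for every shortcut at once. This is an added example, not part of the original guide: it only reports and changes nothing, it assumes PowerShell 3.0 or later, and the list of folders it searches is an assumption about where browser shortcuts usually live.

```powershell
# Added example: report browser shortcuts whose Target field carries a URL,
# such as the "http://www.delta-homes.com...." entry described in this guide.
# Read-only: no shortcut is modified.

$browserExes = 'chrome.exe', 'firefox.exe', 'iexplore.exe'

# Assumed default locations for desktop, Start Menu and pinned shortcuts.
$searchRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:PUBLIC 'Desktop'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# WScript.Shell can load an existing .lnk and expose its Target and Arguments.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($root in $searchRoots) {
    Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $exe = [IO.Path]::GetFileName($lnk.TargetPath)

            # A clean browser shortcut has only the path to the executable;
            # a URL after it forces that page open on every launch.
            if ($browserExes -contains $exe -and $lnk.Arguments -match 'https?://\S+') {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Url       = $Matches[0]
                }
            }
        }
}

if ($findings) {
    $findings | Format-List
} else {
    'No browser shortcut carries a URL in its Target field.'
}
```

Any shortcut it lists can then be cleaned through Properties → Shortcut → Target, as in the steps above.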

Wednesday, May 20, 2015

Remove isp-survey.com pop-up (Uninstall Guide)

I'm going to take a shot in the dark and guess that you want to learn a little bit more about isp-survey.com pop-ups or phishing scam. Well you've come to the right place as I'll tell you how it winds its way on to your computer and most importantly how to get rid of it.

If you're constantly getting isp-survey.com pop-ups then your computer is infected with adware and probably some other potentially unwanted programs. Most adware and potentially unwanted programs come bundled with free programs, files and apps – and as most of us don't really give more than a second thought to downloading things online, that means that we are all putting ourselves at risk of an adware infection, as well as even more serious types of malware and viruses. Adware that displays isp-survey.com pop-ups can be packaged as an add-on to almost anything, including TV series, music, games, and software, not to mention the myriad of apps that we are all addicted to! If you've noticed that after downloading some tempting freebie, you have then been subjected to isp-survey.com then you have already been infected by adware.


Why does adware exist?

Adware usually comes with freeware and shareware – i.e. programs that are given away or files that are shared for no cost. The programmer or owner of the program or file is looking for a way to make the effort of creating the program, or even sharing the file, worth their while – financially. For people who create free software or apps for a living, they need to find a way to recoup their production costs – and they do this by creating and selling or using adware. Adware can be used in different ways. Isp-survey.com pop-up survey is just one of them. The problem is that such pop-ups are very often misleading and promote questionable products or services. The domain name itself is misleading enough. What is more, scammers tend to trick users into revealing certain information that is usually valuable to them or can be sold to third-party companies. For example, scammers can ask you to answer a few quick questions and then ask for your phone number.

Are there any other ways adware can be installed?

I'm afraid so. Adware that displays isp-survey.com and similar popups might also end up installed on your PC if you visit a website that has been compromised by an adware program due to lax security. Simply being unfortunate enough to have been in the wrong place at the wrong time can enable adware to be automatically installed.

Can I remove adware myself and stop annoying pop-ups?

The good news is that most adware programs are fairly easy to remove, even with a very basic knowledge of how your computer works. You can actually find programs online that will help you uncover and remove adware from your machine. Do be careful though as hackers and cyber criminals are not averse to creating fake removal or anti-malware programs that will simply infect your computer with something even nastier than adware once installed. Therefore make sure you know the names of a couple of reputable tools by reading relevant internet forums or asking a technically minded friend or co-worker.

How can I protect myself from adware?

For a start you need to make sure your anti-malware software is fully up to date and has the newest patches. Malware – and adware – are big business and programmers are constantly finding new ways in which to infect us. That means that your anti-malware program needs to be equipped to handle the latest threats as they hit the internet. If it's already too late and you just want to stop annoying isp-survey.com pop-ups and remove adware from your computer, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Isp-survey.com Pop-ups Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.





2. Remove isp-survey.com pop-ups related programs from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • Glass Bottle
  • GoSave
  • Active Discount
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.

Remove isp-survey.com pop-ups related extensions from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove Glass Bottle, Active Discount, MediaPlayerV1, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.




Remove isp-survey.com pop-ups related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Click Remove button to remove Glass Bottle, Active Discount, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.

Remove isp-survey.com pop-ups related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.



2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Tuesday, May 19, 2015

Remove 1-844-534-8203 Debug Malware Error Pop-up (Uninstall Guide)

The 1-844-534-8203 phone number is being used by "tech support" scammers. Such fake pop-up messages are very common and they are all trying to achieve the same goal - to scare you into thinking that your computer is infected with malware. If you keep getting the 1-844-534-8203 pop-up warning from microsoftsecurities.info and similar websites then your computer is indeed infected, not with the "debug malware error 895-system 32.exe" virus as the scammers would say, but with adware and probably some other potentially unwanted programs. Adware and potentially unwanted programs come packed with freeware and popular software downloads that did not adequately disclose that other software would be installed along with them. Once installed, adware or a PUP adds a few browser extensions and add-ons which wait for commands from command and control servers and then begin to display misleading ads and 1-844-534-8203 pop-ups that usually say:

There is a .net frame work file missing due to some harmful virus.
debug malware error 895-system 32.exe failure
Please contact Microsoft technicians to rectify this issue.
Please do not open internet browser for your security issue to avoid data corruption on your registry of your operating system. Please contact Microsoft technicians at
Tollfree Helpline at 1-844-534-8203.


How did I get a Potentially Unwanted Program or adware on my computer?

Most PUPs find their way on to your computer by the art of deception, or more accurately by being sneakily bundled with another program, tool, application, or file. The publisher of this software or download might be fully aware that a Potentially Unwanted Program is packaged with their product, but oftentimes they are just as unwitting a party to the scourge of the PUP as the rest of us.

The programmers who create and disseminate PUPs are well aware that most of us wouldn't willingly install an add-on that displays 1-844-534-8203 pop-ups, so they have to use these underhand installation methods instead.

Are Potentially Unwanted Programs dangerous?

PUPs, despite their surreptitious ways and means of installing themselves, are not usually thought to cause you any great harm. Having said that, though, they can be extremely annoying! Especially the 1-844-534-8203 pop-ups saying that your computer is infected. PUPs are not malware or viruses, but when you take into consideration the fact that you don't want to see misleading adverts on your computer, the fact that the PUP doesn't give you a choice in the matter is seen by many as almost as bad.

How to defend yourself from 1-844-534-8203 pop-ups

But what of those annoying traits we just mentioned? Well Potentially Unwanted Programs can cause your computer to run more slowly, make your internet connection crash, harass you with pop up adverts, and redirect your searches to websites that the programmer wants you to visit – which is the main reason for the PUP being created in the first place. How to defend yourself? Follow the simple steps below:

  • Don't use random sites to download software – always use the owner's site or a well known reputable provider.
  • Want to view a video clip but it's telling you that you need a new media player? Don't download it – these are prime PUP stomping grounds.
  • Ensure your computer's security patches are the latest versions and that you have the most up-to-date versions of all software and programs that you're running on your PC installed.

If it's already too late and your computer has been infected by adware, then please follow the steps in the removal guide below. If you have questions, please leave a comment down below. I will be more than happy to help you. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



1-844-534-8203 Pop-ups Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.





2. Remove 1-844-534-8203 pop-up related programs from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • CrazyScore
  • LyricsSay-1
  • Websteroids
  • BlocckkTheAds
  • HD-Plus 3.5
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove 1-844-534-8203 pop-ups from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove CrazyScore, LyricsSay-1, Websteroids, Quiknowledge, HD-Plus 3.5 and other extensions that you do not recognize.



If the removal option is grayed out then read how to remove extensions installed by enterprise policy.
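When the removal option is grayed out, here and in the isp-survey.com guide above, the extension is being force-installed by a policy entry in the registry. The following added example (not part of the original guides) lists those entries using Chrome's documented ExtensionInstallForcelist policy key; it assumes PowerShell 3.0 or later and Chrome's default user-data folder, and it only reads.

```powershell
# Added example: list Chrome extensions that are force-installed by policy,
# which is why Chrome shows their removal option as grayed out.
# Read-only: nothing is deleted.

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

# Default Chrome profile location (assumed); used only to look up a display name.
$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

function Get-ExtensionName([string]$Id) {
    $pattern  = Join-Path $userData "*\Extensions\$Id\*\manifest.json"
    $manifest = Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $manifest) { return '(not installed in any profile)' }
    # Names starting with __MSG_ are localisation placeholders, not the real title.
    (Get-Content -LiteralPath $manifest.FullName -Raw | ConvertFrom-Json).name
}

$forced = foreach ($key in $policyKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($valueName in $regKey.GetValueNames()) {
        # Each value holds "<extension id>;<update URL>".
        $id, $updateUrl = ([string]$regKey.GetValue($valueName)) -split ';', 2
        [pscustomobject]@{
            PolicyKey   = $key
            ExtensionId = $id
            UpdateUrl   = $updateUrl
            Name        = Get-ExtensionName $id
        }
    }
}

if ($forced) {
    $forced | Format-List
} else {
    'No force-installed Chrome extensions are configured by policy.'
}
```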




Remove 1-844-534-8203 pop-ups from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Click Remove button to remove CrazyScore, LyricsSay-1, Websteroids, Quiknowledge, HD-Plus 3.5 and other extensions that you do not recognize.




Remove 1-844-534-8203 pop-ups from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.



2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.
