
Tuesday, September 1, 2015

Remove SAPE.Heur.9BDD4 Malware (Uninstall Guide)

SAPE.Heur.9BDD4 is a heuristic detection designed to generically detect newly released malicious files. It belongs to the W32.SAPE.Heur.2 malware family. If you have spotted multiple randomly named DLL files on your computer that you have no recollection of installing, you may, quite justifiably, be wondering what on earth is going on and where they came from. After all, if YOU didn't install them, then who did? Well, I'm going to break it to you, not very gently, that you were in fact responsible for these unidentified files! This is something known as malware. I'm talking about every computer user's potential enemy. SAPE.Heur.9BDD4 normally stealth-installs itself on your computer by piggybacking on another program, something that you are intentionally downloading or upgrading. However, the worst part is that this malware can actually allow cyber criminals to access your computer.

Other ways that this malware can infect you

As well as the aforementioned piggybacking, such malicious programs have a couple of other tricks up their sleeve: some are installed by what is known in techy circles as a 'drive-by installation', which happens when you visit a website that has been compromised by the W32.SAPE.Heur.9BDD4 malware and the site then passes the infection on to you. That's why you should always make sure that you have the latest version of Windows installed on your computer and that your anti-virus program is fully updated.

These installation methods are dealt with in different ways. Obviously, if you have just bought a used desktop or laptop, you should check what is pre-installed before you start using it; that way you can uninstall anything you don't like the look of. In the case of malicious programs that come bundled with other software, mostly Trojan horses, the trick to avoiding them is to carefully read End User License Agreements when installing or upgrading programs. Make sure you know exactly what you are installing by checking the small print and making sure that agreement boxes are not already checked or unchecked in favor of an add-on. Unfortunately there is not a lot you can do about being hit at random by a drive-by installation. If you are not sure whether a file you are about to run is malicious, upload it to VirusTotal and see if it comes up with anything suspicious.

How to spot SAPE.Heur.9BDD4

On the plus side, if you do have this malware installed on your machine, it is fairly obvious: your %Temp% folder will be full of randomly named DLL files. Your anti-virus program may pick them up, but because it's a pretty new threat it may fail to permanently remove them. Luckily, there are a few tools specifically designed to remove such malware.
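The check above (randomly named DLL files piling up in %Temp%) can be done systematically before anything is deleted. The following PowerShell script is an added example, not code from the original post or its author: it inventories DLL files written to the current user's %TEMP% folder in the last 7 days (the 7-day window is an assumption), records whether each one carries a valid Authenticode signature, flags names that look random, and computes the SHA256 hash so the file can be looked up on VirusTotal as the post suggests. It only reads and reports; it removes nothing.

```powershell
# Added example (not from the original post): inventory recent DLL files in the
# user's %TEMP% folder and hash them for a VirusTotal lookup. Read-only.

$tempDir = $env:TEMP
$cutoff  = (Get-Date).AddDays(-7)   # assumption: "recent" means the last 7 days

$report = Get-ChildItem -Path $tempDir -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Name       = $_.Name
            Folder     = $_.DirectoryName
            SizeKB     = [math]::Round($_.Length / 1KB, 1)
            Modified   = $_.LastWriteTime
            Signature  = $sig.Status          # Valid / NotSigned / HashMismatch ...
            # Heuristic, not a verdict: a base name made only of 8+ letters and
            # digits is what "randomly named" usually looks like in practice.
            RandomName = [bool]($_.BaseName -match '^[A-Za-z0-9]{8,}$')
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Newest first; unsigned + random-looking entries are the ones worth checking.
$report | Sort-Object Modified -Descending |
    Format-Table Name, SizeKB, Modified, Signature, RandomName, SHA256 -AutoSize

# Keep a copy of the inventory so the hashes can be checked or shared later.
$report | Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\temp-dll-inventory.csv') -NoTypeInformation
```

Look up the SHA256 values rather than uploading the files themselves where possible; a hash lookup reveals nothing about your machine, and a file that is already known to VirusTotal needs no upload. A valid signature is not proof of innocence, and an unsigned DLL is not proof of guilt, so treat the RandomName and Signature columns as a triage order, not a verdict.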

What does it actually do?

Malicious programs such as SAPE.Heur.9BDD4 are not only seriously harmful but also cause a number of Windows problems. Some will bombard you with pop-up adverts, but the majority of them will install a new toolbar and make using your computer unfamiliar. These toolbars are rarely as advanced as the ones we are used to using and have scant capabilities. They also have an extremely irritating habit of sending you to websites that you don't want to visit. As you can see, this malware can allow remote access to your computer and even hijack your web browser and display adverts. Needless to say, you should get rid of it immediately.

How do I remove SAPE.Heur.9BDD4?

If your computer is already infected and you can't seem to get rid of this high risk malware, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



SAPE.Heur.9BDD4 Malware Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






NOTE: If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Download and run TDSSKiller. Press the button Start scan for the utility to start scanning.



3. Wait for the scan and disinfection process to be over. Then click Continue. Please reboot your computer after the disinfection is over.




Monday, August 31, 2015

Remove 02037002205 Scam Pop-up Message (Uninstall Guide)

The 02037002205 phone number usually appears in a hoax virus alert supposedly from Norton, accompanied by a very loud warning noise, claiming that your computer is infected with Trojan.DealPly and SpyWare.bot. Scammers use the rsc.cdn77.org website to display such scam pop-up alerts. It says: WARNING: Your Chrome browser and your PC may have critical security vulnerabilities. Call 02037002205 now for immediate assistance. If you keep getting this hoax virus message every ten minutes or so, even after you reset your web browser settings, then your computer is probably infected with browser hijackers and likely some other potentially unwanted programs, but definitely not a Trojan horse, as this fake virus warning wants you to believe. Most users would think it's not a big deal and simply close the window. However, it can actually cause serious trouble on your computer, especially when it comes packed with other malware. We all need to know how to protect our computers from all of the online nuisances (even fake security alerts) and dangers that are out there, and if you're like us and are getting sick and tired of constantly being on the lookout for the next big scary piece of malicious software, computer virus or unwanted program, then you need to take real steps to look after your best interests. And if you've already fallen prey to one of the aforementioned internet nasties then you'll certainly be well aware of just how annoying and disruptive, not to mention dangerous, they can be.


You would be right in thinking that there are differing levels of seriousness when it comes to malware and viruses. Some are merely irritating, like the 020-3700-2205 scam pop-up window, while others can raid your bank accounts or destroy your personal data. However, we can probably all agree on one thing: we really do not want to waste our time and energy dealing with them, especially when we don't really know what a certain program's intention is and what harm it could cause.

What are browser hijackers?

At the lower end of the malware scale is something called a browser hijacker. And although it is true that browser hijackers and potentially unwanted programs that display fake virus alerts are not as menacing as something like ransomware, spyware or a Trojan Horse, that doesn't mean you should ignore them if you have one installed on your computer.

Many people get duped by the word 'potentially' in the title; however, don't forget that on the flip side of every potentially unwanted program there is also the chance that it is 'actually' unwanted by some people. And that will pretty much include everyone who runs into a potentially unwanted program or a browser hijacker!

What do browser hijackers do?

The truth is, however, that your computer is infected with a browser hijacker. Or, if it's a stand-alone window, then your computer is infected with a potentially unwanted program that displays the 02037002205 tech support number and suggests you call for help. Don't call the number: the scammers just want money from you and will install a program that will make a mess of your system. Some variants can stake their claim on your computer by hijacking your browser and installing their own toolbar as a replacement for your existing one. They may also replace your homepage or search engine with one of their own. If you're thinking that browser hijackers are an invasion of our privacy, then you wouldn't be far from the truth.

Why do Potentially Unwanted Programs change your toolbar?

The reason that such fake pop-up windows exist is to convert calls to sales. This 02037002205 phone number may belong to the person who developed the browser hijacker or it could be owned by a third party. Therefore, if you've found this fake security alert pop-up, I suggest you close it right away before you go nuts! And of course, scan your computer for malware because you certainly have one installed on your computer - a browser hijacker. If your computer has been infected by this malware, please follow the steps in the removal guide below. If you have questions, please leave a comment down below. I will be more than happy to help you. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



02037002205 Scam Pop-up Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






2. Remove browser hijacker related programs from your computer using the Uninstall a program control panel (Windows 7). Go to the Start Menu. Select Control Panel > Uninstall a Program.

If you are using Windows 8 or 10, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • Magical Find
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove 02037002205 pop-up ads related extensions from Google Chrome:

1. Click on the Chrome menu button. Go to More Tools > Extensions.




2. Click on the trashcan icon to remove Magical Find, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!


Remove 02037002205 pop-up ads related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu > Add-ons.




2. Select Extensions. Click Remove button to remove Magical Find, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove 02037002205 pop-up ads related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools > Manage Add-ons. If you have the latest version, simply click on the Settings button.




2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Sunday, August 30, 2015

Remove Inline hook win32k.sys (Uninstall Guide)

Inline hook win32k.sys is a rootkit that can pose a serious threat to your PC and the data stored on it. If you have it installed on your computer you will certainly know about it as it wastes no time in corrupting your data, writing over your hard drive, rendering files useless or inaccessible and creating instability in your operating system. In order to stay up to date and current with the world of malware, we are going to take a closer look at this rootkit infection. This is a thoroughly unpleasant piece of malware that rubs salt into the wound by appearing to be harmless, convincing you of its innocence, and then in reality, doing you untold damage.

But just how does Inline hook win32k.sys rootkit infect your PC, what does it do once it is up and running, and how can you protect yourself from it?


Like most of us, you probably don't think you put yourself at risk unwittingly and you may even consider yourself somewhat impenetrable or not easily fooled. The passwords that you choose are the right combination of letters and numbers, your top notch anti-virus software is always bang up to date, and you wouldn't dream of opening an email or instant message attachment if you don't know the sender. And that is all very good stuff indeed, however, the sad fact is that rootkits are very, very good at playing on even the most cynical of natures and even worse, they force you into playing a part in their execution too. Such malicious software usually arrives in the form of an unwanted download or as code illegally injected into a legitimate website without the webmaster's knowledge. It can also be received as an email attachment or an instant message from an untrusted source. It can also come packed with Trojan horses, mostly Trojan downloaders.

An Inline hook win32k.sys detection indicates that there is a hidden program on your computer with potentially malicious behaviors. Otherwise, why would someone want to hide it deep inside your operating system? The answer is pretty obvious: cyber criminals want to gather personal information or even gain remote access to your computer without your consent. This rootkit installs itself to auto-run at Windows startup. It even creates an alternate data stream and injects code into system files. Then it performs some HTTP requests, mostly to look up the external IP address and to send PC information, as well as to receive further commands from a command and control server. When such a rootkit is installed on your computer you can expect anything to be downloaded and installed onto your PC: spyware, Trojan horses or even adware. Certain variants of the Inline hook win32k.sys infection try to change the proxy and DNS servers and redirect all your traffic through web servers controlled by cyber criminals. As a result, they can see what websites you visit and what search queries you make. Such information is very useful and can be used for ad injection or simply sold to third parties.
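The proxy and DNS tampering described above leaves settings you can inspect directly. The PowerShell script below is an added example, not part of the original post: it prints the WinINet proxy configuration (the one Internet Explorer and most Windows programs honour) and the DNS servers on each adapter, and warns when a proxy or PAC script is set or a DNS server sits outside the private address ranges. The "private ranges" rule is an assumption that your resolver is your router or an internal server; a public resolver you chose yourself will also be flagged, so read the output rather than act on it blindly. The DNS cmdlet needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): report the two settings the post
# says some variants tamper with, the system proxy and the DNS servers. Read-only.

# 1) WinINet proxy used by Internet Explorer and most Windows programs
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[PSCustomObject]@{
    ProxyEnable   = $inet.ProxyEnable       # 1 = a fixed proxy is in use
    ProxyServer   = $inet.ProxyServer       # e.g. host:port
    AutoConfigURL = $inet.AutoConfigURL     # a PAC script can redirect selected sites only
} | Format-List

if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning 'A proxy or PAC script is configured. If you did not set it yourself, this is where traffic redirection can happen.'
}

# 2) DNS servers on every adapter that has any configured (Windows 8+ cmdlet)
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, @{ Name = 'Servers'; Expression = { $_.ServerAddresses -join ', ' } }
$dns | Format-Table -AutoSize

# Assumption: resolvers normally live on the local network. Anything else is
# worth a second look, including public resolvers you did not configure.
$private = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'
foreach ($entry in $dns) {
    foreach ($srv in ($entry.Servers -split ', ')) {
        if ($srv -notmatch $private) {
            Write-Warning "$($entry.InterfaceAlias): DNS server $srv is not on a private network"
        }
    }
}
```

A clean result here does not rule out the rootkit, since the post describes other behaviours (startup persistence, code injection) that this check does not cover; it only tells you whether the redirection variant has touched these two settings.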

Inline hook win32k.sys removal can be complicated as you can't simply locate the malicious file and delete it. As a matter of fact, your anti-virus program may not be able to remove it either. To do so, you will have to use a few tools designed to remove rootkits and other deeply embedded malware. If your computer is already infected and you can't seem to get rid of this dangerous rootkit, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Inline hook win32k.sys Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






NOTE: If you are using Internet Explorer and can't download anti-malware software because "Your current security settings do not allow this file to be downloaded" then please reset IE security settings and try again.

2. Download and run TDSSKiller. Press the button Start scan for the utility to start scanning.



3. Wait for the scan and disinfection process to be over. Then click Continue. Please reboot your computer after the disinfection is over.




Friday, August 28, 2015

Remove LaSuperba Ads Malware (Uninstall Guide)

LaSuperba is a malicious software program that has been created to display adverts labeled "Ads by LaSuperba" and "Powered/optimized by LaSuperba". These adverts aim to generate a high click through rate in order to increase sales and drive traffic to the website belonging to the advert's owner. Naturally, it is also a source of income for the adware's programmer too.

You've no doubt heard of adware already, as let's face it; it's pretty hard to escape from its blatant form of online marketing. But what is advertising supported software in reality, and more importantly, can it have any unpleasant side effects on your PC?

The dark side of adware

The main thing that many people have against adware is that it collects data about your internet browsing habits. At the point of installation, the adware also installs a component on your computer which monitors which websites you visit. It tracks which products or services you look at within any given site and then uses this information to display adverts related to the products you have been looking at. Sometimes you'll even see ads for the exact same items.


Other problems and issues that LaSuperba can have on your PC

There are a few other issues connected with, and caused by, our friend adware. One of the most downright irritating is the software's propensity for displaying LaSuperba pop-up and pop-under adverts. Unlike the targeted adverts you are seeing, these often bear no similarity to products or services that you are genuinely interested in; in fact they are often quite the opposite and are usually for websites that encourage gambling or other distasteful, unwanted, or downright illegal content.

Another big problem is that thanks to the adware constantly tracking what you are looking at on the internet and transmitting the data back to the programmer, it is gobbling up your PC's resources, including memory and storage space. And that's not all, because, outrageously, it uses your internet connection to relay this information, which can cause your internet speed to slow down, even to the point where pages won't open or your browser keeps crashing.

Is that enough problems to be going on with? Well, we have one more for you: adware can also cause conflict between the other programs you have installed on your computer which makes them – and subsequently your computer's security – unstable.

Okay, I've heard enough - how do I protect myself from LaSuperba installing itself on my PC?

It normally comes packaged as a bundle with another software program or application, which is why, to stop it at its source, you should be careful what you download and where you download it from. When you do install something, make sure you read the small print and check for any add-ons; adware will normally be mentioned. In addition, installing an anti-adware program is always a good idea, to be on the safe side.

How to get rid of LaSuperba ads?

To remove this adware from your computer and stop LaSuperba ads, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



LaSuperba Ads Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






2. Remove LaSuperba related programs from your computer using the Uninstall a program control panel (Windows 7). Go to the Start Menu. Select Control Panel > Uninstall a Program.

If you are using Windows 8 or 10, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • LaSuperba
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove LaSuperba related extensions from Google Chrome:

1. Click on the Chrome menu button. Go to More Tools > Extensions.




2. Click on the trashcan icon to remove LaSuperba, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!
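The Chrome steps above, in this post and in the 02037002205 post before it, both mention the case where the trashcan icon is grayed out because the extension was installed by enterprise policy. The PowerShell script below is an added example, not from either post or from Google: it lists the extension IDs forced by Chrome's ExtensionInstallForcelist policy (a real Chrome policy registry key, checked under both HKLM and HKCU) and then reads the name and version out of each installed extension's manifest so that the opaque IDs can be matched to names like the ones listed in step 2. The profile path assumes Chrome's Default profile. It changes nothing.

```powershell
# Added example (not from the original post): show which Chrome extensions are
# enforced by policy and map installed extension IDs to names. Read-only.

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    "Forced extensions in ${key}:"
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell metadata members
        "  $($p.Name) = $($p.Value)"                 # value is "<extension id>;<update url>"
    }
}

# Installed extensions live at <profile>\Extensions\<id>\<version>\manifest.json
# Assumption: the Default profile; change 'Default' for other profiles.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path $extRoot) {
    Get-ChildItem -Path $extRoot -Directory | ForEach-Object {
        $id = $_.Name
        $manifest = Get-ChildItem -Path $_.FullName -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($manifest) {
            $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
            # Localised extensions report a "__MSG_...__" placeholder as the name;
            # the ID is still the stable handle to compare with the policy list.
            [PSCustomObject]@{ Id = $id; Name = $m.name; Version = $m.version }
        }
    } | Format-Table -AutoSize
}
```

If an ID from the forced list matches one of the extensions you want gone, the policy entry is what keeps the button grayed out; a policy you did not set on a home machine is itself a sign that a hijacker wrote it, and removing the policy value and restarting Chrome is what lets the normal removal step work again.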


Remove LaSuperba related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu > Add-ons.




2. Select Extensions. Click Remove button to remove LaSuperba, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove LaSuperba related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools > Manage Add-ons. If you have the latest version, simply click on the Settings button.




2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Thursday, August 27, 2015

Restore_files.txt and .abc Extension Ransomware Removal Guide

As you are reading this, it is probably safe to assume that you are aware of the myriad of malicious software programs that are hell bent on penetrating every corner of our PCs' operating systems in their attempt to scam us out of money, trick us into handing over our personal details and sometimes even just scare us for the fun of it.

There are so many scams, cons, tricks and attacks out there that it can feel like just the simple act of logging onto your computer could trigger a nightmare scenario. And the sad fact is that it actually can. With that in mind, we're going to take a look at one of those malware programs that use scare tactics to get you to hand over your hard earned cash: TeslaCrypt ransomware. Although not quite as widely discussed as some other types of malware, ransomware is a particularly unpleasant program and one that you shouldn't be tempted to ignore, just because it is not as well known. Once you read what it can do, we think you will agree!

Restore_files.bmp content:


What is TeslaCrypt?

It's a crypto-virus that encrypts your files and appends the .abc extension to the file name of each encrypted file. It also drops a restore_files.txt ransom note in each folder, with the same information in an HTML file and even a BMP file. The ransom note says:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

You may not have heard of ransomware, but have you heard of cryptoviruses or cryptotrojans? These are all names for the same thing, all equally frightening sounding too. And if you're wondering just what it is that TeslaCrypt ransomware can do, the name will probably give it away. It 'kidnaps' the files or data that you have stored on your computer and holds them to ransom; in other words it encrypts them so that you cannot open them, and then tells you that you will need to pay a ransom in order to regain access to your files. Allegedly you will be sent a code to unlock the files once you have made the payment. But here's the truth: many ransomware programmers will happily accept the payment, or ransom, and leave you high and dry without bothering to send you the code.

Ransomware's scare tactics

To increase the chances of you making payment, the ransom note that you receive is often designed to look official, and they can be very convincing. The 'kidnapper' knows that you are far more likely to be scared into paying if their notification comes not from some shadowy third party but from a law enforcement agency (the FBI or MI5, for example), depending on where your IP address shows you are. However, not all variants of this ransomware use scare tactics. Your ransom note can be slightly different, but it's still the same TeslaCrypt ransomware. Certain variants add a few random letters to the restore_files.txt file name, for example restore_files_fgrtl.txt, but that really doesn't change anything. It's still the same crypto-virus.

The wording will tell you that you are under investigation for downloading pirated software or files, or for visiting an illegal website and if you pay the fine you’ll be off the hook. It's utter nonsense of course and whatever you do, do not pay a penny.

Ways that TeslaCrypt can infect your computer

There are a few ways that ransomware can infect you, so you do need to be careful. It can be embedded within the code of a compromised website, it may be disseminated by email or chat apps, or it can come bundled with another program or download: all everyday things that we take for granted when we are online. Once installed, it modifies the Internet Explorer Zone Settings to stop you from downloading anti-malware software. It sets the security level to High, which means you can't download any executable files. Luckily, this can easily be fixed by resetting the security settings. What is more, it terminates Windows Task Manager, Registry Editor and some other Windows tools that are usually very helpful when dealing with malware. For this reason, you may have to restart your computer in Safe Mode with Networking or plain Safe Mode and try to download anti-malware software from there. Or, if you know how to remove Windows registry values, you can delete these:

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{installation ID} = "%Application Data%\svc{random letters}.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
{installation ID} = "%Application Data%\svc{random letters}.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnabledLinkConnections = 1
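Before deleting anything by hand, it is worth confirming that the values listed above are actually present and that their command lines really point at an svc{random letters}.exe under the Application Data folder. The PowerShell script below is an added example, not from the original post: it walks the HKLM Run and RunOnce keys the post names, and additionally the current user's HKCU Run key (a generalisation: the post lists only HKLM), and reports any value whose command matches the svc<random>.exe pattern or launches something from %APPDATA%. It also checks the policies\system value. The post spells that value EnabledLinkConnections; the Windows policy value is spelled EnableLinkedConnections, so the script checks both names. It reports only and deletes nothing; remove the entries yourself once the scanner has finished and you have confirmed what they are.

```powershell
# Added example (not from the original post): audit the autorun keys listed in
# the post for a TeslaCrypt-style svc<random>.exe entry. Read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'     # added beyond the post's list
)
# Pattern for the command the post describes: "%Application Data%\svc{random letters}.exe"
$suspectCmd = '(?i)\\svc[a-z]+\.exe'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell metadata members
        $cmd      = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd).Trim('"')
        $fromAppData = $expanded.StartsWith($env:APPDATA, [StringComparison]::OrdinalIgnoreCase)
        if ($cmd -match $suspectCmd -or $fromAppData) {
            $reason = if ($cmd -match $suspectCmd) { 'svc<random>.exe pattern' } else { 'autorun from %APPDATA%' }
            [PSCustomObject]@{
                Key     = $key
                Value   = $p.Name                         # the post's "{installation ID}"
                Command = $cmd
                Exists  = Test-Path -LiteralPath $expanded  # False if the scanner already removed the file
                Reason  = $reason
            }
        }
    }
}

# The policy value the post lists (checked under both spellings).
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'EnabledLinkConnections', 'EnableLinkedConnections') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 1) { Write-Warning "$policy\$name = 1, as the post says the ransomware sets it" }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious Run/RunOnce entries found.' }
```

An entry whose Exists column is False but which is still in the registry is the "leftover trace" the removal guide talks about: the scanner deleted the executable, and the autorun value can now be removed safely with Remove-ItemProperty or Registry Editor. Note the Value name, not just the command, because that is what you must delete.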

How to get my files back?

If you have a recent backup, wipe your hard disk and restore your files from it. If you don't, try the Shadow Explorer program or search your computer for previous versions of files. If you are lucky, you may find files that were not encrypted and renamed to .abc. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing TeslaCrypt (restore_files.txt) ransomware and related malware:


Before restoring your files from shadow copies, make sure TeslaCrypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by TeslaCrypt (restore_files.txt) virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.
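Whether Method 3 can work at all depends on shadow copies still existing for the affected volume, and knowing which folders hold the most .abc files tells you where to start. The PowerShell script below is an added example, not from the original post or from the Shadow Explorer project: it counts the .abc files and restore_files*.txt notes under a root folder (the user's profile is assumed; change it to C:\ for the whole drive), lists the ten folders with the most encrypted files, and then enumerates the Volume Shadow Copies per drive letter, which is the same data Shadow Explorer and "Previous Versions" read from. Listing shadow copies needs an elevated prompt. Nothing is deleted or restored.

```powershell
# Added example (not from the original post): take stock before restoring.
# Counts TeslaCrypt's .abc files and restore_files*.txt notes, then lists the
# shadow copies available per drive. Run elevated. Read-only.

$root = $env:USERPROFILE   # assumption: scan the user's profile; use 'C:\' for the whole drive

$encrypted = @(Get-ChildItem -Path $root -Filter '*.abc' -File -Recurse -ErrorAction SilentlyContinue)
$notes     = @(Get-ChildItem -Path $root -Filter 'restore_files*.txt' -File -Recurse -ErrorAction SilentlyContinue)

"Encrypted (.abc) files under ${root}: $($encrypted.Count)"
"Ransom notes (restore_files*.txt):   $($notes.Count)"

# Folders with the most encrypted files first: the places to restore first.
$encrypted | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Map volume GUID paths (\\?\Volume{...}\) to drive letters, then list shadow copies.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    if ($_.DriveLetter) { $volumes[$_.DeviceID] = $_.DriveLetter }
}

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
    [PSCustomObject]@{
        Drive   = $volumes[$_.VolumeName]
        Created = $_.InstallDate
        ID      = $_.ID
    }
} | Sort-Object Drive, Created -Descending

if ($shadows) {
    'Shadow copies available (pick the newest one dated before the infection):'
    $shadows | Format-Table -AutoSize
} else {
    Write-Warning 'No shadow copies found: Method 3 will not work on this machine; fall back to a backup.'
}
```

The Created column is what to compare with the time of the first ransom note: a shadow copy taken after encryption contains the .abc files, not your originals. If the listing is empty, the ransomware or a later clean-up has already removed the copies and only Method 1 or Method 2 remain.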


Wednesday, August 26, 2015

Remove MW_ IN FILES and KK_ IN YOUR DOCUMENTS Ransomware and Restore Encrypted Files

A new variant of the Trojan-Ransom.NSIS.ONION.air ransomware has been detected which encrypts your files and leaves MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt ransom notes in each folder. All the encrypted files have MW_ or KK_ prefixes, for example MW_report.docx or KK_mysongg.mp3. Cyber criminals claim that in order to obtain a program which will decrypt your files you need to pay 3 or 4 bitcoins to a unique bitcoin wallet address. Unlike CryptoWall or CTB-Locker, this ransomware targets companies rather than home users. Cyber criminals search for vulnerable network shares or try to trick users into opening malicious email attachments. They usually use Backdoor.Win32.Hlux and HEUR:Trojan.Win32.Generic malware to infect computers and then install the ransomware. It's not rocket science to understand that the more time we spend online, whether for work or for leisure, the higher the chances of being infected by malicious software or a virus, or of falling prey to a scam or phishing attack. It is no longer enough to simply install an anti-virus program and then expect it to keep you safe; nowadays we need to educate ourselves on how to use the internet safely and securely. The problems are compounded by the fact that, just as anti-viruses and other types of security software are in a constant cycle of upgrading, so too are all the different types of malware.


After all, business is booming in the world of cyber crime and the people that create, distribute and profit from malware and other scams or threats are constantly on top of their game to conjure up even more ways to get us to part with our money.

Understanding ransomware

The problem is, learning about all of the numerous threats out there can feel like information overload, and it can be tricky knowing what may affect you. It might not be fun learning about the latest cyber threats, but it is most definitely important to take the time to do so if you want to adequately protect yourself, your data and your bank account.

With that in mind we are now going to take a look at the malware known as MW_ IN FILES ransomware. This is something you certainly should inform yourself about as it is particularly nasty – and that's saying something! Read on and give yourself a fighting chance of defending yourself in the event of a ransomware attack.

What is ransomware?

Put simply, ransomware is a software program that has been created to 'kidnap' the files or data on your PC and hold them hostage by encrypting them until you pay a ransom to get them back. In this case the clue really is in the name. It leaves a ransom note with the following information:

Good day. Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately "lost" all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain MW_
Your number: [edited]
To obtain the program for this computer, which will decrypt all files, you need to pay
3 bitcoins on our bitcoin address [edited] (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.
You can check bitcoin balanse here - https://www.blockchain.info/address/[edited]
After payment send us your number on our mail ttk@ruggedinbox.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file
We dont know who are you. All what we need - it's some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.

In your case the prefix can be different, for example "All encrypted files contain KK_", and the email address may be nown@ruggedinbox.com instead of ttk@ruggedinbox.com. They even vary the ransom notes, probably to make this ransomware campaign less uniform and avoid pattern-based detection. Either way, the whole idea remains the same: they encrypt your files, you pay 3 or 4 bitcoins and then email them your unique encryption number.
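As an added example (not part of the original post), here is a small Python triage script that walks a folder tree and tallies the ransom notes and MW_/KK_-prefixed files per folder, so you can see how far the encryption reached before restoring from backup or shadow copies. The folder names and sample files are constructed for the demonstration; run it only after the malware itself has been removed.

```python
import os
import tempfile

# Added example, not part of the original post. The note names and file
# prefixes are the ones the post describes; the sample tree is constructed.
RANSOM_NOTES = {"MW_ IN FILES.txt", "KK_ IN YOUR DOCUMENTS.txt"}
PREFIXES = ("MW_", "KK_")


def classify(name):
    """Return 'note', 'encrypted' or None for one file name. Notes are
    checked first because the note itself also starts with MW_/KK_."""
    if name in RANSOM_NOTES:
        return "note"
    if name.startswith(PREFIXES):
        return "encrypted"
    return None


def original_name(name):
    """Strip the MW_/KK_ prefix to recover the name the file had before."""
    for prefix in PREFIXES:
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def triage(root):
    """Walk root; return {relative folder: counts} for each folder holding a
    ransom note or a prefixed file. Folders with neither are omitted."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        counts = {"notes": 0, "encrypted": 0, "untouched": 0}
        for name in files:
            kind = classify(name)
            if kind == "note":
                counts["notes"] += 1
            elif kind == "encrypted":
                counts["encrypted"] += 1
            else:
                counts["untouched"] += 1
        if counts["notes"] or counts["encrypted"]:
            report[os.path.relpath(dirpath, root)] = counts
    return report


def build_sample_tree():
    """Constructed sample: a hit folder (note plus two renamed files) and a
    folder the ransomware never reached. Returns the temp root path."""
    root = tempfile.mkdtemp(prefix="mw_triage_")
    docs, pics = os.path.join(root, "Documents"), os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for name in ("MW_ IN FILES.txt", "MW_report.docx", "MW_budget.xlsx"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(pics, "holiday.jpg"), "w").close()
    return root

if __name__ == "__main__":
    for folder, c in triage(build_sample_tree()).items():
        print(f"{folder}: {c['encrypted']} encrypted, {c['notes']} note(s)")
```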

So I pay the ransom and my files will be returned to me?

This is one of those maddening questions that there is no straight answer to. After all, we are dealing with cyber criminals here and there is absolutely no guarantee that by handing over your credit card details you are going to get your files back. In theory, once you've made the payment, you will be sent a code that enables you to unlock, or decrypt, your inaccessible files but there have been numerous examples of this not being the case and the 'kidnappers' simply taking the money and running, so to speak.

What steps should I take if I've been infected by ransomware?

First and foremost, do not hand over any money. As I said, chances are you'll be paying for a big fat nothing. If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try the Shadow Explorer program or search your computer for previous versions of files. If you are lucky you may find files that were not encrypted. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing Trojan-Ransom.NSIS.ONION.air ransomware and related malware:


Before restoring your files from shadow copies, make sure Trojan-Ransom.NSIS.ONION.air is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove detected malware.


Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure no other malware is running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by Trojan-Ransom.NSIS.ONION.air virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note: this tool works with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.


Tuesday, August 25, 2015

Remove Enhanced Shopping Assistant Ads Malware (Uninstall Guide)

Just like 'real life' traditional advertising, some of the Enhanced Shopping Assistant adverts that you see when you're online are advertising something you may be interested in, while others hold no appeal for you whatsoever. But the chances are that a good deal of the adverts that you see on web pages, are closely related to a product or service that you are genuinely interested in. But why is this and why are such a high proportion of these adverts seemingly appealing directly to you? In fact, once you start noticing this you will see that, uncannily, many of these adverts are in actual fact the very same goods or services that you have recently been looking at. And no, your PC hasn't suddenly developed mind reading abilities – the truth is that you are being closely monitored by adware.

Enhanced Shopping Assistant: a mind reader or just clever software?

Let's say you're seeing "Ads by Enhanced Shopping Assistant" adverts for the new smart watch all of a sudden. Have you recently been looking at the watch on a retailer's website? Maybe you've been looking at cheap flights for a last minute getaway to San Francisco – and what do you know, now you're seeing ads for budget airlines, flights to the West Coast and hotels in that very location. This is what adware does: it installs a component on your PC which is designed to monitor the websites that you visit and make a note of which products or services you are looking at on that site. The Enhanced Shopping Assistant adware is then able to show you adverts that are related to your search – thus increasing the chances of you clicking on them.


Surely that's not a bad thing?

While seeing adverts and pop-ups for products that you may be considering buying might not be the worst thing to happen, after all, you can just ignore them if you're not ready to part with your cash, the fact is that somebody is spying on you. Just because you're not looking at anything illegal or shady, doesn't mean that you should have to surrender your online privacy in such a fashion.

However, it's a fine line, because a lot of people can forgive adware for its nosiness: without it we wouldn't have access to as many free apps or files as we currently do. That's because, as mentioned earlier, adware is a way of generating revenue for its programmer, who packages it with apps or other software that they give away for free. The adware is used as a way to recoup some of the costs of developing their freebie, and often for making a tidy profit too.

The problem is that when it turns nasty it can really cause you some issues: pop-up and pop-under windows that refuse to go away are just one of the annoyances. In addition to this, the component that tracks your internet usage will also slow your operating system right down. Needless to say, it can make your web browser unusable. The answer? Install a good anti-malware program on your PC and avoid the nuisance altogether.

How to get rid of Enhanced Shopping Assistant ads?

To remove this adware from your computer and stop Enhanced Shopping Assistant ads, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Enhanced Shopping Assistant Ads Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.


2. Remove Enhanced Shopping Assistant related programs from your computer using the Uninstall a program control panel (Windows 7). Go to the Start Menu. Select Control Panel → Uninstall a Program.

If you are using Windows 8 or 10, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • Enhanced Shopping Assistant
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove Enhanced Shopping Assistant related extensions from Google Chrome:

1. Click on the Chrome menu button. Go to More Tools → Extensions.

2. Click on the trashcan icon to remove Enhanced Shopping Assistant, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!


Remove Enhanced Shopping Assistant related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu → Add-ons.

2. Select Extensions. Click Remove button to remove Enhanced Shopping Assistant, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove Enhanced Shopping Assistant related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.

2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Monday, August 24, 2015

Remove 1-855-484-3589 Fake BSOD Pop-up Malware (Uninstall Guide)

The 1-855-484-3589 phone number appears on a fake Windows Blue Screen Of Death (BSOD) message. It's a scam in which the scammers request payment to fix your computer. Microsoft does not put phone numbers on any of its error messages, not even genuine ones. If you're reading this article expecting to find out how to remove this fake error message and the associated malware from your computer, then you are in the right place. In this article I am going to tell you how to defend yourself from tech support scams.

This fake BSOD error message with the 1-855-484-3589 phone number that appeared on your computer screen was installed by a potentially unwanted program or adware. It most likely came with a software download from a sketchy website. I've read some reports saying that users got it after installing a driver for a printer. So what actually is a PUP, and how do you defend yourself against attack? PUP is an acronym for Potentially Unwanted Program which, as the name suggests, is a piece of software that you probably don't want installed on your PC. But how do you know if you have been 'bitten' by a PUP? What does one look like and how does it behave?


PUPs and similar malware are normally associated with rogue toolbars, although they sometimes appear as search engines or home pages. But whatever they look like, they normally have one end goal in common, which is to redirect the searches you make on the internet so that you are unable to visit the websites you want to go to, instead being sent directly to one of their own choice. In this case, it hijacks your web browser and creates a proxy server, but instead of redirecting you to dodgy websites or displaying advertisements, it displays this fake BSOD error message and says that you need to call 1-855-484-3589 for technical support.

The fake blue screen says:

A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any bios updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

For technical support to this problem, call Windows helpline: +1-855-484-3589.
Technical Information:
*** STOP: 0x0000001E (0xFFFFFFFFC00000094,0xFFFFFF8000C074D1E,0x000000000,0xFFFFFFFFFFD)
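The quoted screen gives a defender two things to check automatically. The Python below is an added example, not from the original post: it flags a support phone number in the screen text and a STOP line whose four parameters are not uniformly padded to 8 or 16 hex digits. That width check is an added heuristic based on the standard bug check layout, and the well-formed comparison line is constructed.

```python
import re

# Added example, not from the original post. Two red flags for a "blue screen"
# drawn by a browser or pop-up: a support phone number (Microsoft puts none on
# stop screens) and a malformed STOP line. Real bug checks list four parameters
# padded to 8 hex digits (32-bit) or 16 (64-bit); that width check is an added
# heuristic, not something the post states.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[-.\s])?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}(?!\d)")
STOP_RE = re.compile(r"STOP:\s*0x[0-9A-Fa-f]+\s*\(([^)]*)\)")


def find_phone_numbers(text):
    """Return every phone-number-looking token in the screen text."""
    return [m.group(0) for m in PHONE_RE.finditer(text)]


def stop_params_well_formed(text):
    """True if the STOP line has four 0x-parameters of one width (8 or 16 hex
    digits), False if a STOP line breaks that shape, None if there is none."""
    m = STOP_RE.search(text)
    if m is None:
        return None
    params = [p.strip() for p in m.group(1).split(",")]
    if len(params) != 4:
        return False
    widths = set()
    for p in params:
        if not re.fullmatch(r"0x[0-9A-Fa-f]+", p):
            return False
        widths.add(len(p) - 2)
    return len(widths) == 1 and widths.pop() in (8, 16)


def assess(text):
    """Return the list of red flags found; an empty list means none."""
    reasons = []
    phones = find_phone_numbers(text)
    if phones:
        reasons.append("support phone number on an error screen: " + ", ".join(phones))
    if stop_params_well_formed(text) is False:
        reasons.append("STOP parameters are not four uniformly padded hex values")
    return reasons


# The screen text quoted in the post, and a constructed well-formed STOP line
# (made-up values) for comparison.
FAKE_SCREEN = """For technical support to this problem, call Windows helpline: +1-855-484-3589.
Technical Information:
*** STOP: 0x0000001E (0xFFFFFFFFC00000094,0xFFFFFF8000C074D1E,0x000000000,0xFFFFFFFFFFD)"""
WELL_FORMED = "*** STOP: 0x0000001E (0xFFFFFFFFC0000005,0xFFFFF80002C074D1,0x0000000000000000,0xFFFFFFFFFFFFFFFF)"

if __name__ == "__main__":
    for label, text in (("quoted screen", FAKE_SCREEN), ("well-formed", WELL_FORMED)):
        print(label, "->", assess(text) or "no red flags")
```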

And while you could argue that this is not dangerous and won't do you any harm, the fact is that it is not only incredibly annoying but a real waste of your time too. Imagine being infected by a PUP at work – how much would your (or your employees') productivity drop if you spent half your day trying to get rid of it? It's not always easy, trust me.

So now let's take a look at how you defend yourself from such fake Blue Screens Of Death. It's a good idea, as with any malware, to know a little bit more about how they operate so that you can be better prepared to face them. First of all, it will install itself on your PC surreptitiously, usually by being bundled with another software download. It will piggyback on an installation so that when you download an app or software program, it will sneakily install itself along with it.

So that begs the question, how do you make sure you are not also installing it alongside your definitely wanted program? The good news is that because malware programmers don't consider their product to be malware, they will mention that they are packaged with the main program in the End User License Agreement that belongs to that download.

Therefore the trick to NOT installing this malware too is to make sure that you read this license agreement carefully and double check whether any additional programs are mentioned. If you spot wording related to an add-on either abort the installation or make sure the check boxes are configured so that you don't also install the malware that will display fake error messages in your computer.

To remove the fake BSOD caused by malware and other threats that may have been installed on your computer, please follow the removal guide below. If you have questions, leave a comment down below. I will be more than happy to help you. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Fake BSOD 1-855-484-3589 Pop-up Removal Guide:


1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer.


NOTE: If you can't download it, the problem can be resolved by finding and ending the associated malware program in the Task Manager. Open the Processes tab, end the process (Tuejet64.exe or similar) and then delete the program. Or restart your computer in Safe Mode with Networking and download the anti-malware software.

2. Download and run TDSSKiller. Press the Start scan button for the utility to start scanning.



3. Wait for the scan and disinfection process to be over. Then click Continue. Please reboot your computer after the disinfection is over.


