
Friday, September 4, 2015

Stop pop-up ads and adware in Edge Browser

How do you stop annoying adverts from taking over the new Microsoft Edge browser? I get this question a lot, especially now that so many users have upgraded to Windows 10. It becomes even more frustrating when people realize that they can't use ad blockers because Microsoft Edge doesn't support add-ons and extensions. As you may know, most pop-up ads are caused by adware. That's why you might need to remove adware first before blaming Edge for not doing enough to protect you from intrusive adverts. Adware, or Advertising Supported Software to give it its full name, is something you should be aware of even if you use Microsoft Edge. This is the name given to software programs that have been designed to display, or download, pop-up adverts onto your computer screen. Of course, advertising is a form of marketing – we all know that – and the reason for adware's existence is to generate a source of income for its programmer or owner. And while this is good news for programmers, advertisers and brands that use adware, where does that leave the likes of you and me? Can adware actually do us harm like so many of the other types of malicious software that are out there?

The way that adware works

Adware works in one of two ways: the adverts will either appear as a pop-up window or they will be embedded in Edge's interface. Adverts can be fairly discreet and sit neatly at the edges of a web page, or they can be in-your-face, thoroughly garish pop-up windows.


There's probably no one who will argue that pop-up windows aren't the bane of a computer user's life – they can be annoying to the point of distraction! But is adware something other than just a nuisance and could it actually be doing you any damage?

The issues with adware

Many people take umbrage at adware thanks to the way it monitors which websites you are looking at. At the point of installation, adware also installs a component which enables the programmer to track which websites you visit and which pages or products you look at on those sites. They are then able to customize the type of adverts they show you based on what they perceive to be your tastes, needs or interests.

It goes without saying that targeted adverts have a higher chance of tempting you to click on them to discover more, rather than adverts for completely random goods that you have no interest in whatsoever.

Who makes adware and why?

Well, aside from the obvious reason anyone creates any form of advertising, adware is also used by the software developers who make it to recover the costs they incurred when developing another app or program. You download their latest must-have app, or a program that enables you to work smarter, but unbeknown to you the adware is bundled with that program.

Is adware dangerous?

There are two sides to this ongoing argument. Many people don't worry too much about the existence of adware, as they see it as a necessary evil if they want to be able to download free apps, files or programs. Other people, however, find the fact that it tracks your usage extremely intrusive and argue that because the adware was packaged surreptitiously with another program to spy on you, it is potentially dangerous.

How do I stop pop-up adverts in Microsoft Edge?

First of all, scan your computer with anti-malware software, especially if you are still not familiar with Windows 10. Adware's programmers are smart and try to hide malicious files on your computer, making it difficult to find and remove each one. To remove adware from your computer and stop the annoying ads, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com




Stop pop-up ads and adware in Edge Browser:


1. End Edge browser task in Task Manager.

2. Disconnect your computer from the Internet.

3. Start Edge browser and just before the offending pop-up appears, press Ctrl+T (several times if necessary). This will allow you to get into Edge settings and clear cookies, etc. Next time you start all should be well. If you are still getting the annoying ads, do the following:

a. Close Edge browser again.

b. Navigate to

C:\Users\[your-user-name]\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxxx\AC\MicrosoftEdge\User\Default\Recovery\Active

c. Delete everything in that directory and open Edge browser.

4. Download anti-malware software and run a full system scan. It will detect and remove adware from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this adware. Hopefully you won't have to do that.






5. Remove adware related programs from your computer using the Uninstall a program control panel. Simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



6. When the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • PlayGEM
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select a suspicious application and click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.
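Steps 3 and 6 of this guide as a PowerShell script, added here as an example and not part of the original post: it resolves the variable package folder name from step 3b, only empties Recovery\Active when run with -Delete, and then lists programs installed in the last 30 days so you can spot the ones step 6 asks you to uninstall. The legacy Edge process names (MicrosoftEdge, MicrosoftEdgeCP) and the 30-day window are my assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on Windows 10.
param(
    [int]$Days = 30,   # how far back "recently installed" reaches
    [switch]$Delete    # without this switch the script only shows what it would remove
)

# Step 1: end the Edge tasks so the recovery files are not locked or rewritten
Get-Process -Name MicrosoftEdge, MicrosoftEdgeCP -ErrorAction SilentlyContinue |
    Stop-Process -Force

# Step 3b: the package folder ends in a suffix that differs per machine,
# so resolve it with a wildcard instead of hard-coding it
$active = Get-ChildItem -Path "$env:LOCALAPPDATA\Packages" -Directory -Filter 'Microsoft.MicrosoftEdge_*' |
    ForEach-Object { Join-Path $_.FullName 'AC\MicrosoftEdge\User\Default\Recovery\Active' } |
    Where-Object { Test-Path $_ }

foreach ($dir in $active) {
    $items = @(Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue)
    Write-Host "Recovery folder: $dir ($($items.Count) item(s))"
    if ($Delete) {
        # Step 3c: delete everything in that directory
        $items | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    } else {
        $items | Select-Object Name, LastWriteTime | Format-Table -AutoSize
    }
}

# Step 6: programs installed in the last $Days days, from the Uninstall keys
# (64-bit view, 32-bit view and the per-user hive). InstallDate is stored as yyyyMMdd.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$cutoff = (Get-Date).AddDays(-$Days).ToString('yyyyMMdd')

Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate -and $_.InstallDate -ge $cutoff } |
    Sort-Object InstallDate -Descending |
    Select-Object DisplayName, Publisher, InstallDate, UninstallString |
    Format-Table -AutoSize
```

Entries without an InstallDate value are skipped, so still scroll the Uninstall a Program list by hand as step 6 says.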


Wednesday, September 2, 2015

Remove DNS-Keeper Ads Malware (Uninstall Guide)

DNS-Keeper is adware from the same family as CloudScout and DNS Unlocker. Most of us have heard of adware – or advertising supported software - but if you're not one hundred percent sure what this type of malware actually is and what it can do, then continue reading and I will hopefully be able to unlock the mystery for you!

DNS-Keeper is a computer software program that has been designed to download or display adverts on your screen when you are online. The DNS-Keeper adverts may not all look alike – some simply sit at the edge of your screen waiting for you to click on them, while others show up in the guise of pop-up windows or banners. Whatever they look like, however, the curious thing you may soon discover is that the adverts often show you goods, services or websites that you have recently been looking at on the internet.

How does DNS-Keeper adware know what I've been browsing online?

Tailoring advert content to match your perceived requirements is something that adware excels at – and is in fact designed to do. It is not a coincidence: if you keep stumbling across the same old products time and time again, you are right in thinking that somebody has their eye on you and knows just what you are looking at online.


DNS-Keeper has been specifically designed to monitor the way you use the internet. It tracks which websites you visit, saves that data and relays it back to the adware's developer. They, of course, now know what you've been searching for and looking at and are able to show you targeted advertising.

This might not seem like the biggest deal in the grand scheme of things – in fact it might even come across as quite helpful – but when you stop and think about it, not only is adware an invasion of your privacy, it's also pretty creepy. What is more, it modifies your DNS settings, which means that you no longer use your ISP's default DNS server to access the internet. Instead, all your HTTP requests go through a third-party server, and that is not the way it should be, to say the least.
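A way to check for the DNS change described above, added here as an example and not taken from the original post: Windows keeps a hand-entered DNS list in the NameServer value of each adapter's TCP/IP interface key, separate from the DHCP-supplied DhcpNameServer value, so a NameServer entry you never typed in is the trace this adware leaves. The -Fix switch and the "adapter is Up" filter are my assumptions; a DNS server you configured on purpose will of course be flagged too.

```powershell
# Added example, not from the original post. Needs Windows 8/10 (Get-NetAdapter).
param([switch]$Fix)   # -Fix puts flagged adapters back on DHCP DNS; run elevated for that

$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

$report = foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    # Each adapter has a key named after its interface GUID (braces included)
    $cfg = Get-ItemProperty -Path (Join-Path $ifRoot $nic.InterfaceGuid) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Adapter    = $nic.Name
        StaticDns  = $cfg.NameServer        # non-empty only when DNS was set by hand (or by software)
        DhcpDns    = $cfg.DhcpNameServer    # what the network's DHCP server handed out
        Suspicious = [bool]$cfg.NameServer  # a static list you did not enter is the signal
    }
}
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($r in $report | Where-Object Suspicious) {
        # Clears the static list so the adapter returns to the DHCP-supplied servers
        Set-DnsClientServerAddress -InterfaceAlias $r.Adapter -ResetServerAddresses
        Write-Host "Reset DNS on '$($r.Adapter)' to DHCP"
    }
    # Drop any answers the rogue server already handed out
    Clear-DnsClientCache
}
```

Run it once before and once after the removal guide below; the StaticDns column should be empty afterwards on every adapter you did not configure yourself.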

How does DNS-Keeper get on to a computer?

Most of the time it is bundled with a program, application or other piece of software that you have downloaded. This can be anything from a free peer-to-peer file to a lifestyle app or even a paid-for software program. It doesn't matter: there is no guarantee that anything you download from the internet will be adware free. Or malware free, for that matter. The biggest problem with this adware is that most users don't even realize that they are installing it, and when they later start seeing DNS-Keeper ads on their computers they don't know what is going on.

Why do developers create adware?

Of course, as with any form of marketing, it's all about the money. Adverts are created not just to drive sales (they also drive web traffic); they are also a means for the developer to recoup the expense incurred in developing some original software that they give away for free.

How can I protect myself from adware?

Alongside the reputable anti-virus software that you already have installed (I hope!) download one of the many anti-malware programs too.

How to get rid of DNS-Keeper ads?

To remove this adware from your computer and stop DNS-Keeper ads, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



DNS-Keeper Ads Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






2. Remove DNS-Keeper related programs from your computer using the Uninstall a program control panel (Windows 7). Go to the Start Menu. Select Control Panel → Uninstall a Program.

If you are using Windows 8 or 10, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • DNS-Keeper
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove DNS-Keeper related extensions from Google Chrome:

1. Click on Chrome menu button. Go to More Tools → Extensions.




2. Click on the trashcan icon to remove DNS-Keeper, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!


Remove DNS-Keeper related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu → Add-ons.




2. Select Extensions. Click Remove button to remove DNS-Keeper, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove DNS-Keeper related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.




2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Tuesday, September 1, 2015

Remove SAPE.Heur.9BDD4 Malware (Uninstall Guide)

SAPE.Heur.9BDD4 is a heuristic detection designed to generically detect newly released malicious files. It belongs to the W32.SAPE.Heur.2 malware family. If you have spotted multiple randomly named DLL files on your computer that you have no recollection of installing you may, quite justifiably, be wondering what on earth is going on, and where they came from. After all, if YOU didn't install them, then who did? Well, I'm going to break it to you, not very gently: you were in fact responsible for these unidentified files! This is something known as malware – every computer user's potential enemy. SAPE.Heur.9BDD4 normally stealth-installs itself on your computer by piggybacking on another program – something that you are intentionally downloading or upgrading. However, the worst part is that this malware can actually allow cyber criminals to access your computer.

Other ways that this malware can infect you

As well as the aforementioned piggybacking, such malicious programs have a couple of other tricks up their sleeve: some are installed by what is known in techy circles as a 'drive-by installation', which is when you visit a website that has been compromised by the W32.SAPE.Heur.9BDD4 malware and it then passes the infection on to you. That's why you should always make sure that you have the latest version of Windows installed on your computer and that your anti-virus program is fully updated.

These installation methods are dealt with in different ways. Obviously, if you have just bought a used desktop or laptop, you should check what is pre-installed before you start using it. That way you can uninstall anything you don't like the look of. In the case of malicious programs that come bundled with other software, mostly Trojan horses, the trick to avoiding them is to carefully read End User License Agreements when installing or upgrading programs. Make sure you know exactly what you are installing by checking the small print and making sure that agreement boxes are not already checked or unchecked in favor of an add-on. Unfortunately there is not a lot you can do about being hit at random by a drive-by installation. If you are not sure whether the file you are going to run is malicious, upload it to VirusTotal and see if it comes up with anything suspicious.

How to spot SAPE.Heur.9BDD4

On the plus side, if you do have this malware installed on your machine, it is fairly obvious: your %Temp% folder will be full of randomly named DLL files. Your anti-virus program may pick them up, but because it's a pretty new threat it may fail to permanently remove them. Luckily, there are a few tools specifically designed to remove such malware.
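An inventory script for the %Temp% symptom described above, added here as an example and not part of the original post: it lists every DLL under the Temp folder with its signature status and SHA-256 (the hash is what you would look up on VirusTotal, as the post suggests), scores how random each file name looks, and reports which running processes have a DLL from Temp loaded. The name-randomness score is a rough heuristic, and using LOCALAPPDATA\Temp as the %Temp% path is my assumption.

```powershell
# Added example, not from the original post. Windows PowerShell 4 or later (Get-FileHash).
param([int]$Days = 14)   # how far back a DLL's write time still counts as "recent"

# LOCALAPPDATA\Temp is the usual %Temp%; $env:TEMP can be an 8.3 short name
# that would not match the full paths reported for loaded modules below.
$tmp = Join-Path $env:LOCALAPPDATA 'Temp'

function Get-NameEntropy {
    # Shannon entropy of the characters in a name, in bits per character.
    # Random strings score near the maximum for their length; real product
    # names repeat letters and score lower. A rough heuristic, not proof.
    param([string]$Name)
    $chars = $Name.ToLower().ToCharArray()
    $h = 0.0
    foreach ($g in ($chars | Group-Object)) {
        $p = $g.Count / $chars.Count
        $h -= $p * [math]::Log($p, 2)
    }
    [math]::Round($h, 2)
}

$cutoff = (Get-Date).AddDays(-$Days)
$report = foreach ($f in Get-ChildItem -Path $tmp -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File      = $f.Name
        Recent    = $f.LastWriteTime -ge $cutoff
        Entropy   = Get-NameEntropy ([IO.Path]::GetFileNameWithoutExtension($f.Name))
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Sort-Object Recent, Entropy -Descending | Format-Table -AutoSize

# A DLL in Temp that a live process has mapped is the one to look at first
$loaded = foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.FileName -like "$tmp\*") {
                [pscustomobject]@{ Process = $p.ProcessName; PID = $p.Id; Module = $m.FileName }
            }
        }
    } catch { }   # access denied on protected or system processes is normal
}
$loaded | Format-Table -AutoSize
```

Unsigned, recently written DLLs with a high entropy score that a process has loaded are the ones worth hashing against VirusTotal; a signed DLL from a known vendor in Temp is usually an installer's leftover.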

What does it actually do?

Malicious programs such as SAPE.Heur.9BDD4 are not only seriously harmful but also cause a number of Windows problems. Some will bombard you with pop-up adverts, but the majority of them will install a new toolbar and make using your computer unfamiliar. These toolbars are rarely as advanced as the ones we are used to using and will have scant capabilities. They also have an extremely irritating habit of sending you to websites that you don't want to visit. As you can see, this malware can allow remote access to your computer and even hijack your web browser and display adverts. Needless to say, you should get rid of it immediately.

How do I remove SAPE.Heur.9BDD4?

If your computer is already infected and you can't seem to get rid of this high risk malware, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



SAPE.Heur.9BDD4 Malware Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






NOTE: If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Download and run TDSSKiller. Press the button Start scan for the utility to start scanning.



3. Wait for the scan and disinfection process to be over. Then click Continue. Please reboot your computer after the disinfection is over.




Monday, August 31, 2015

Remove 02037002205 Scam Pop-up Message (Uninstall Guide)

The 02037002205 phone number usually appears in a hoax virus alert supposedly from Norton, together with a very loud warning noise, claiming that your computer is infected with Trojan.DealPly and SpyWare.bot. Scammers use the rsc.cdn77.org website to display such scam pop-up alerts. It says: "WARNING: Your Chrome browser and your PC may have critical security vulnerabilities. Call 02037002205 now for immediate assistance." If you keep getting this hoax virus message every ten minutes or so, even after you reset your web browser settings, then your computer is probably infected with browser hijackers and likely some other potentially unwanted programs. But definitely not a Trojan horse, as this fake virus warning wants you to believe. Most users would think that it's not a big deal and simply close the window. However, it can actually cause some serious trouble for your computer, especially when it comes packed with other malware. We all need to know how to protect our computers from all of the online nuisances (even fake security alerts) and dangers that are out there, and if you're like us and you are getting sick and tired of constantly being on the lookout for the next big scary malicious software, computer virus or unwanted program, then you need to take real steps to look after your best interests. And if you've already fallen prey to one of the aforementioned internet nasties, then you'll certainly be well aware of just how annoying and disruptive – not to mention dangerous – they can be.


You would be right in thinking that there are differing levels of seriousness when it comes to malware and viruses: some are merely irritating, like the 020-3700-2205 scam pop-up window, while others can raid your bank accounts or destroy your personal data. However, we can probably all agree on one thing, and that is that we really do not want to waste our time and energy dealing with them, especially when we don't really know what a certain program's intention is and what harm it could cause.

What are browser hijackers?

At the lower end of the malware scale is something called a browser hijacker. And although it is true that browser hijackers and potentially unwanted programs that display fake virus alerts are not as menacing as something like ransomware, spyware or a Trojan Horse, that doesn't mean you should ignore them if you have one installed on your computer.

Many people get duped by the mention of 'potentially' in the title; however, don't forget that on the flip side of every potentially unwanted program there is also the chance that it is 'actually' unwanted by some people. And that will pretty much include everyone who runs into a potentially unwanted program or a browser hijacker!

What do browser hijackers do?

The truth is that if this alert appears inside your web browser, your computer is infected with a browser hijacker. If it's a stand-alone window, your computer is infected with a potentially unwanted program that displays the 02037002205 tech support number and suggests you call for help. Don't call the number: scammers just want money from you and will put on a program that will make a mess of your system. Some variants stake their claim on your computer by hijacking your browser and installing their own toolbar as a replacement for your existing one. They may also replace your homepage or search engine with one of their own. If you're thinking that browser hijackers are an invasion of your privacy, then you wouldn't be far from the truth.

Why do Potentially Unwanted Programs change your toolbar?

The reason such fake pop-up windows exist is to convert calls into sales. The 02037002205 phone number may belong to the person who developed the browser hijacker or it could be owned by a third party. Therefore, if you've seen this fake security alert pop-up, I suggest you close it right away before you go nuts! And of course, scan your computer for malware, because you certainly have some installed – a browser hijacker. If your computer has been infected by this malware, please follow the steps in the removal guide below. If you have questions, please leave a comment down below. I will be more than happy to help you. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



02037002205 Scam Pop-up Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






2. Remove browser hijacker related programs from your computer using the Uninstall a program control panel (Windows 7). Go to the Start Menu. Select Control Panel → Uninstall a Program.

If you are using Windows 8 or 10, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • Magical Find
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove 02037002205 pop-up ads related extensions from Google Chrome:

1. Click on Chrome menu button. Go to More Tools → Extensions.




2. Click on the trashcan icon to remove Magical Find, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!


Remove 02037002205 pop-up ads related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu → Add-ons.




2. Select Extensions. Click Remove button to remove Magical Find, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove 02037002205 pop-up ads related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.




2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Sunday, August 30, 2015

Remove Inline hook win32k.sys (Uninstall Guide)

Inline hook win32k.sys is a rootkit that can pose a serious threat to your PC and the data stored on it. If you have it installed on your computer you will certainly know about it as it wastes no time in corrupting your data, writing over your hard drive, rendering files useless or inaccessible and creating instability in your operating system. In order to stay up to date and current with the world of malware, we are going to take a closer look at this rootkit infection. This is a thoroughly unpleasant piece of malware that rubs salt into the wound by appearing to be harmless, convincing you of its innocence, and then in reality, doing you untold damage.

But just how does Inline hook win32k.sys rootkit infect your PC, what does it do once it is up and running, and how can you protect yourself from it?


Like most of us, you probably don't think you put yourself at risk unwittingly and you may even consider yourself somewhat impenetrable or not easily fooled. The passwords that you choose are the right combination of letters and numbers, your top notch anti-virus software is always bang up to date, and you wouldn't dream of opening an email or instant message attachment if you don't know the sender. And that is all very good stuff indeed, however, the sad fact is that rootkits are very, very good at playing on even the most cynical of natures and even worse, they force you into playing a part in their execution too. Such malicious software usually arrives in the form of an unwanted download or as code illegally injected into a legitimate website without the webmaster's knowledge. It can also be received as an email attachment or an instant message from an untrusted source. It can also come packed with Trojan horses, mostly Trojan downloaders.

An Inline hook win32k.sys detection indicates that there is a hidden program on your computer with potentially malicious behaviors. Otherwise, why would someone want to hide it deep inside your operating system? The answer is pretty obvious: cyber criminals want to gather personal information or even gain remote access to your computer without your consent. This rootkit installs itself to run automatically at Windows startup. It also creates an alternate data stream and injects code into system files. Then it performs HTTP requests, mostly to look up the external IP address, send PC information and receive further commands from a command and control server. When such a rootkit is installed on your computer you can expect anything to be downloaded and installed onto your PC. It can be spyware, Trojan horses or even adware. Certain variants of the Inline hook win32k.sys infection try to change the proxy and DNS servers and redirect all your traffic through web servers controlled by cyber criminals. As a result, they can see what websites you visit and what search queries you make. Such information is very useful and can be used for ad injection or simply sold to third parties.
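A review script for three of the traces listed above (a startup entry, an alternate data stream on a system file, and a proxy change), added here as an example and not part of the original post. It only reports; scanning System32, the file cap, and filtering out the ordinary Zone.Identifier stream are my assumptions, and a true rootkit may hide its files from these APIs, which is exactly why the guide below reaches for TDSSKiller.

```powershell
# Added example, not from the original post. Run elevated; nothing is modified.
param(
    [string]$ScanDir  = "$env:SystemRoot\System32",   # where to look for alternate data streams
    [int]$MaxFiles    = 2000                          # cap so the scan finishes quickly
)

# 1. Auto-run at Windows startup: the Run/RunOnce keys for the machine and the current user.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
Write-Host "== Startup entries =="
foreach ($k in $runKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) {
        # Skip the PS* bookkeeping properties Get-ItemProperty adds
        $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "{0,-6} {1,-25} {2}" -f ($k -split '\\')[0], $_.Name, $_.Value }
    }
}

# 2. Alternate data streams: any stream other than the default :$DATA on files in $ScanDir.
# Zone.Identifier is the normal "downloaded from the internet" marker and is filtered out.
Write-Host "`n== Alternate data streams under $ScanDir =="
Get-ChildItem -Path $ScanDir -File -ErrorAction SilentlyContinue |
    Select-Object -First $MaxFiles |
    ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
    } | Select-Object FileName, Stream, Length | Format-Table -AutoSize

# 3. Proxy: a ProxyServer or AutoConfigURL you never set means traffic is being relayed.
Write-Host "`n== Proxy settings =="
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"User proxy: ProxyEnable={0} ProxyServer={1} AutoConfigURL={2}" -f $ie.ProxyEnable, $ie.ProxyServer, $ie.AutoConfigURL
# WinHTTP has its own proxy used by services, separate from the per-user setting above
netsh winhttp show proxy
```

Compare the startup and proxy output with what you configured yourself; anything you do not recognise is what the removal guide below is for.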

Inline hook win32k.sys removal can be complicated as you can't simply locate the malicious file and delete it. As a matter of fact, your anti-virus program may not be able to remove it either. To do so, you will have to use a few tools designed to remove rootkits and other deeply embedded malware. If your computer is already infected and you can't seem to get rid of this dangerous rootkit, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Inline hook win32k.sys Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






NOTE: If you are using Internet Explorer and can't download anti-malware software because "Your current security settings do not allow this file to be downloaded" then please reset IE security settings and try again.

2. Download and run TDSSKiller. Press the button Start scan for the utility to start scanning.



3. Wait for the scan and disinfection process to be over. Then click Continue. Please reboot your computer after the disinfection is over.




Friday, August 28, 2015

Remove LaSuperba Ads Malware (Uninstall Guide)

LaSuperba is a malicious software program that has been created to display adverts labeled "Ads by LaSuperba" and "Powered/optimized by LaSuperba". These adverts aim to generate a high click through rate in order to increase sales and drive traffic to the website belonging to the advert's owner. Naturally, it is also a source of income for the adware's programmer too.

You've no doubt heard of adware already, as, let's face it, it's pretty hard to escape from its blatant form of online marketing. But what is advertising supported software in reality, and more importantly, can it have any unpleasant side effects on your PC?

The dark side of adware

The main thing that many people have against adware is that it collects data about your internet browsing habits. At the point of installation, the adware also installs a component on your computer which monitors which websites you visit. It tracks which products or services you look at within any given site and then uses this information to display adverts related to the products you have been looking at. Sometimes you'll even see ads for the exact same items.


Other problems and issues that LaSuperba can have on your PC

There are a few other issues connected with, and caused by, our friend adware. One of the most downright irritating is the software's propensity for displaying LaSuperba pop-up and pop-under adverts. Unlike the targeted adverts you are seeing, these often bear no similarity to products or services that you are genuinely interested in – in fact they are often quite the opposite and are usually for websites that encourage gambling or other distasteful, unwanted, or downright illegal content.

Another big problem is that thanks to the adware constantly tracking what you are looking at on the internet and transmitting the data back to the programmer, it is gobbling up your PC's resources, including memory and storage space. And that's not all, because, outrageously, it uses your internet connection to relay this information, which can cause your internet speed to slow down, even to the point where pages won't open or your browser keeps crashing.

Is that enough problems to be going on with? Well, we have one more for you: adware can also cause conflict between the other programs you have installed on your computer which makes them – and subsequently your computer's security – unstable.

Okay, I've heard enough - how do I protect myself from LaSuperba installing itself on my PC?

It normally comes packaged as a bundle with another software program or application, which is why, to stop it at its source, you should be careful what you download and where you download it from. When you do install something, make sure you read the small print and check for any add-ons – adware will normally be mentioned. In addition to this, downloading an anti-adware program is always a good idea to be on the safe side.

How to get rid of LaSuperba ads?

To remove this adware from your computer and stop LaSuperba ads, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



LaSuperba Ads Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






2. Remove LaSuperba related programs from your computer using the Uninstall a program control panel (Windows 7). Go to the Start Menu. Select Control Panel → Uninstall a Program.

If you are using Windows 8 or 10, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • LaSuperba
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove LaSuperba related extensions from Google Chrome:

1. Click on Chrome menu button. Go to More Tools → Extensions.




2. Click on the trashcan icon to remove LaSuperba, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!


Remove LaSuperba related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu → Add-ons.




2. Select Extensions. Click Remove button to remove LaSuperba, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove LaSuperba related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.




2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Thursday, August 27, 2015

Restore_files.txt and .abc Extension Ransomware Removal Guide

As you are reading this, it is probably safe to assume that you are aware of the myriad of malicious software programs that are hell-bent on penetrating every corner of our PCs' operating systems in their attempt to scam us out of money, trick us into handing over our personal details and sometimes even just scare us for the fun of it.

There are so many scams, cons, tricks and attacks out there that it can feel like just the simple act of logging onto your computer could trigger a nightmare scenario. And the sad fact is that it actually can. With that in mind, we're going to take a look at one of those malware programs that use scare tactics to get you to hand over your hard-earned cash: TeslaCrypt ransomware. Although not quite as widely discussed as some other types of malware, ransomware is a particularly unpleasant program and one that you shouldn't be tempted to ignore just because it is not as well known. Once you read what it can do, we think you will agree!

Restore_files.bmp content:


What is TeslaCrypt?

It's a crypto-virus that encrypts your files and appends the .abc extension to the names of the encrypted files. It also drops a restore_files.txt ransom note in each folder, with the same text in an HTML file and even a BMP image. The ransom note says:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

You may not have heard of ransomware, but have you heard of cryptoviruses or cryptotrojans? These are all names for the same thing – and all equally frightening-sounding too. And if you're wondering just what it is that TeslaCrypt ransomware can do, the name will probably give it away. It 'kidnaps' the files or data that you have stored on your computer and holds them to ransom – in other words it encrypts them so that you cannot open them – and then tells you that you will need to pay a ransom in order to regain access to your files. Allegedly you will be sent a code to unlock the files once you have made the payment. But here's the truth: many ransomware programmers will happily accept the payment, or ransom, and leave you high and dry without bothering to send you the code.

Ransomware's scare tactics

To increase the chances of you making payment, the ransom note that you receive is often designed to look official – and they can be very convincing. The 'kidnapper' knows that you are far more likely to be scared into paying if their notification comes, not from some shadowy third party, but from a law enforcement agency – the FBI or MI5 for example – depending on where your IP address shows you are. However, not all variants of this ransomware use scare tactics. Your ransom note can be slightly different, but it's still the same TeslaCrypt ransomware. Certain variants add a few random letters to the restore_files.txt file name, for example restore_files_fgrtl.txt, but that really doesn't change anything. It's still the same crypto-virus.

The wording will tell you that you are under investigation for downloading pirated software or files, or for visiting an illegal website and if you pay the fine you’ll be off the hook. It's utter nonsense of course and whatever you do, do not pay a penny.

Ways that TeslaCrypt can infect your computer

There are a few ways that ransomware can infect you, so you do need to be careful. It can be embedded within the code of a compromised website, it may be disseminated by email or chat apps, or it can come bundled with another program or download. All everyday things that we take for granted when we are online. Once installed, it modifies the Internet Explorer Zone Settings to stop you from downloading anti-malware software. It sets the security level to High, which means you can't download any executable files. Luckily, this can easily be fixed by resetting the security settings. What is more, it terminates Windows Task Manager, Registry Editor and some other Windows tools that are usually very helpful when dealing with malware. For this reason, you may have to restart your computer in Safe Mode with Networking (or plain Safe Mode) and try to download anti-malware software from there. Or, if you know how to remove Windows registry values, you can delete these:

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{installation ID} = "%Application Data%\svc{random letters}.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
{installation ID} = "%Application Data%\svc{random letters}.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnabledLinkConnections = 1
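As an added example (not the blog's own code), here is a Python script that checks an exported copy of those three keys for the persistence pattern listed above, so that an analyst can confirm the infection from a .reg dump before touching the live registry. The export text, the GUID value name, the user name and the svcqwlk.exe file name are constructed for the demonstration. The autorun value is matched by its data (an svc{random letters}.exe under the roaming profile, or the %Application Data% placeholder exactly as written above) rather than by its name, because the value name is the per-machine installation ID. The policy value is checked under both the spelling given above (EnabledLinkConnections) and the documented policy name EnableLinkedConnections, which makes mapped network drives visible to elevated processes.

```python
import re

# Added example (not from the blog). Constructed .reg-style export of the three
# keys named in the guide. The GUID value name, user name and svcqwlk.exe file
# name are made up to match the pattern {installation ID} = svc{random letters}.exe.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"{3F2A1C77-6B8D-4E19-9C2B-0D5E7A1F4B60}"="C:\\Users\\alice\\AppData\\Roaming\\svcqwlk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"{3F2A1C77-6B8D-4E19-9C2B-0D5E7A1F4B60}"="C:\\Users\\alice\\AppData\\Roaming\\svcqwlk.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLinkedConnections"=dword:00000001
"EnableLUA"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# svc{random letters}.exe in the roaming profile, or the %Application Data%
# placeholder exactly as the guide writes it.
SVC_PATH_RE = re.compile(r"(?:\\appdata\\roaming\\|%application data%\\)svc[a-z]+\.exe$",
                         re.IGNORECASE)
# Spelling used in the guide plus the documented policy name.
LINKED_CONN_NAMES = {"enabledlinkconnections", "enablelinkedconnections"}
AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}.

    String data is unescaped (doubled backslashes collapsed), dword data
    becomes an int; other value types are kept as their raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group("name"), m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            keys[current][name] = data
    return keys


def find_teslacrypt_persistence(text):
    """Return (key, value_name, data, reason) for each indicator found."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        for name, data in values.items():
            if k.endswith(AUTORUN_SUFFIXES) and isinstance(data, str) \
                    and SVC_PATH_RE.search(data):
                findings.append((key, name, data,
                                 "autorun of svc{random}.exe from the roaming profile"))
            elif k.endswith("\\policies\\system") and name.lower() in LINKED_CONN_NAMES \
                    and data == 1:
                findings.append((key, name, data,
                                 "mapped network drives made visible to elevated processes"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_teslacrypt_persistence(SAMPLE_REG_EXPORT):
        print(f"{key}\n    {name} = {data!r}  <- {reason}")
```

On a live machine the same export is produced with `reg export` for each key; feeding that text to find_teslacrypt_persistence lists exactly the values the guide says to delete, and an empty result after cleanup is a quick confirmation that the autorun entries are gone.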

How to get my files back?

If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer program or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted and renamed to .abc. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing TeslaCrypt (restore_files.txt) ransomware and related malware:


Before restoring your files from shadow copies, make sure the TeslaCrypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by TeslaCrypt (restore_files.txt) virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note that this tool works with Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.


Wednesday, August 26, 2015

Remove MW_ IN FILES and KK_ IN YOUR DOCUMENTS Ransomware and Restore Encrypted Files

A new variant of Trojan-Ransom.NSIS.ONION.air ransomware has been detected which encrypts your files and leaves MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt ransom notes in each folder. All the encrypted files have MW_ or KK_ prefixes, for example MW_report.docx or KK_mysongg.mp3. Cyber criminals claim that in order to obtain a program which will decrypt your files you need to pay 3 or 4 bitcoins to a unique bitcoin wallet address. Unlike CryptoWall or CTB-Locker, this ransomware targets companies rather than home users. Cyber criminals search for vulnerable network shares or try to trick users into opening malicious email attachments. They usually use Backdoor.Win32.Hlux and HEUR:Trojan.Win32.Generic malware to infect computers and then install the ransomware.

It's not rocket science to understand that the more time we spend online – whether for work or for leisure – the higher the chances are of being infected by malicious software or a virus, or of falling prey to a scam or phishing attack. It is no longer enough to simply install an anti-virus program and then expect it to keep you safe – nowadays we need to educate ourselves on how to use the internet safely and securely. The problems are compounded by the fact that just as anti-viruses and other types of security software are in a constant cycle of upgrading, so too are all the different types of malware.


After all, business is booming in the world of cyber crime and the people that create, distribute and profit from malware and other scams or threats are constantly on top of their game to conjure up even more ways to get us to part with our money.

Understanding ransomware

The problem is, learning about all of the numerous threats out there can feel like information overload and it can be tricky knowing what may affect you. It might not be fun learning about the latest cyber threats but it is most definitely important to take the time to if you want to adequately protect yourself, your data and your bank account.

With that in mind we are now going to take a look at the malware known as MW_ IN FILES ransomware. This is something you certainly should inform yourself about as it is particularly nasty – and that's saying something! Read on and give yourself a fighting chance of defending yourself in the event of a ransomware attack.

What is ransomware?

Put simply, ransomware is a software program that has been created to 'kidnap' the files or data on your PC and hold them hostage by encrypting them until you pay a ransom to get them back. In this case the clue really is in the name. It leaves a ransom note with the following text:

Good day. Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately "lost" all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain MW_
Your number: [edited]
To obtain the program for this computer, which will decrypt all files, you need to pay
3 bitcoins on our bitcoin address [edited] (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.
You can check bitcoin balanse here - https://www.blockchain.info/address/[edited]
After payment send us your number on our mail ttk@ruggedinbox.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file
We dont know who are you. All what we need - it's some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.

In your case the prefix can be different, for example "All encrypted files contain KK_", and the email address nown@ruggedinbox.com instead of ttk@ruggedinbox.com. They even vary the ransom notes, probably to make this ransomware campaign look more random and avoid pattern-based detection. Anyway, the whole idea remains the same: they encrypt your files, you pay 3 or 4 bitcoins and then email them your unique encryption number.
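The file-name markers described in this post (MW_ and KK_ prefixes, the MW_ IN FILES.txt and KK_ IN YOUR DOCUMENTS.txt notes) and in the TeslaCrypt post above (the .abc extension and the restore_files*.txt notes, with BMP and HTML copies assumed to share the restore_files base name) are enough to tell the two families apart during triage. The following Python script is an added example, not code from this blog: it walks a directory tree, counts encrypted files and ransom notes per family, and records which folders received notes. The sample tree it builds in a temporary directory is constructed for the demonstration; on a real machine you would point triage_tree at the affected drive or share.

```python
import os
import re
import tempfile
from collections import Counter

# Added example (not from the blog). Markers are taken from the two posts:
#   TeslaCrypt variant: ".abc" appended to encrypted files; restore_files.txt or
#   restore_files_<random>.txt notes, plus HTML/BMP copies (names assumed).
#   Trojan-Ransom.NSIS.ONION.air: "MW_" / "KK_" prefixed files; notes named
#   "MW_ IN FILES.txt" / "KK_ IN YOUR DOCUMENTS.txt".
TESLACRYPT_NOTE_RE = re.compile(r"^restore_files(?:_[a-z]+)?\.(?:txt|html?|bmp)$",
                                re.IGNORECASE)
ONION_NOTES = {"MW_ IN FILES.txt", "KK_ IN YOUR DOCUMENTS.txt"}
ONION_PREFIX_RE = re.compile(r"^(MW_|KK_)")


def triage_tree(root):
    """Walk `root` and count ransomware artefacts per family.

    Returns a dict keyed by family; each entry holds the number of files that
    carry the family's rename marker, the number of ransom notes, the set of
    folders (relative to root) containing notes and, for the ONION family,
    a breakdown by prefix.
    """
    result = {
        "teslacrypt_abc": {"encrypted_files": 0, "ransom_notes": 0, "note_dirs": set()},
        "nsis_onion": {"encrypted_files": 0, "ransom_notes": 0, "note_dirs": set(),
                       "prefixes": Counter()},
    }
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for fname in files:
            if TESLACRYPT_NOTE_RE.match(fname):
                fam = result["teslacrypt_abc"]
                fam["ransom_notes"] += 1
                fam["note_dirs"].add(rel_dir)
            elif fname in ONION_NOTES:          # checked before the prefix test,
                fam = result["nsis_onion"]      # since the notes start with MW_/KK_ too
                fam["ransom_notes"] += 1
                fam["note_dirs"].add(rel_dir)
            elif fname.lower().endswith(".abc"):
                result["teslacrypt_abc"]["encrypted_files"] += 1
            else:
                m = ONION_PREFIX_RE.match(fname)
                if m:
                    result["nsis_onion"]["encrypted_files"] += 1
                    result["nsis_onion"]["prefixes"][m.group(1)] += 1
    return result


def families_present(result):
    """Names of families with at least one artefact, in the order triaged."""
    return [name for name, info in result.items()
            if info["encrypted_files"] or info["ransom_notes"]]


def build_sample_tree():
    """Create a constructed directory tree mimicking both infections."""
    root = tempfile.mkdtemp(prefix="ransom_triage_")
    docs = os.path.join(root, "Documents")
    share = os.path.join(root, "Shares", "Finance")
    os.makedirs(docs)
    os.makedirs(share)
    for name in ("report.docx.abc", "photo.jpg.abc", "restore_files.txt",
                 "restore_files.html", "restore_files.bmp", "notes.txt"):
        open(os.path.join(docs, name), "w").close()
    for name in ("MW_report.docx", "MW_ IN FILES.txt", "KK_mysong.mp3",
                 "KK_ IN YOUR DOCUMENTS.txt", "budget.xlsx"):
        open(os.path.join(share, name), "w").close()
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    summary = triage_tree(sample_root)
    for family in families_present(summary):
        info = summary[family]
        print(f"{family}: {info['encrypted_files']} encrypted files, "
              f"{info['ransom_notes']} notes in {sorted(info['note_dirs'])}")
```

The note_dirs set is the useful part for a company-scale incident like this one: the folders that received notes show how far the ransomware reached across network shares, which tells you which shares to take offline and which to restore in Step 2.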

So I pay the ransom and my files will be returned to me?

This is one of those maddening questions that there is no straight answer to. After all, we are dealing with cyber criminals here and there is absolutely no guarantee that by handing over your credit card details you are going to get your files back. In theory, once you've made the payment, you will be sent a code that enables you to unlock, or decrypt, your inaccessible files but there have been numerous examples of this not being the case and the 'kidnappers' simply taking the money and running, so to speak.

What steps should I take if I've been infected by ransomware?

First and foremost do not hand over any money. As I said, chances are you'll be paying for a big fat nothing. If you have a recent backup, wipe your hard disk and reinstall your files. If you don't, try Shadow Explorer program or search your computer for previous versions of files. If you are lucky enough you may find files that were not encrypted. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing Trojan-Ransom.NSIS.ONION.air ransomware and related malware:


Before restoring your files from shadow copies, make sure the Trojan-Ransom.NSIS.ONION.air is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by Trojan-Ransom.NSIS.ONION.air virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.
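Method 3 above, in both this post and the TeslaCrypt guide, goes through the Shadow Explorer GUI. The same point-in-time copies that Shadow Explorer lists can be enumerated with the built-in vssadmin list shadows command (run from an elevated prompt) and read directly through the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN device path. The following Python script is an added example, not the blog's or Shadow Explorer's code: it parses a constructed sample of vssadmin output (the IDs, volume GUID, machine name and dates are made up) and maps an original file path to its location inside a chosen shadow copy. It assumes vssadmin lists copies oldest first, so the last entry for a drive is the most recent; check the creation-time string before relying on that.

```python
import ntpath  # Windows path rules, so the example also runs on a non-Windows analysis host
import re

# Added example (not from the blog). Constructed sample of `vssadmin list shadows`
# output; the set/copy IDs, volume GUID, machine name and dates are made up.
SAMPLE_VSSADMIN_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {8e9f1b2a-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 8/20/2015 10:12:03 PM
      Shadow Copy ID: {2c4d6e8f-0000-4000-8000-00000000000a}
         Original Volume: (C:)\\?\Volume{11111111-2222-3333-4444-555555555555}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {8e9f1b2a-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 8/26/2015 9:01:44 AM
      Shadow Copy ID: {2c4d6e8f-0000-4000-8000-00000000000b}
         Original Volume: (C:)\\?\Volume{11111111-2222-3333-4444-555555555555}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

CREATED_RE = re.compile(r"creation time:\s*(?P<when>.+?)\s*$")
ORIGINAL_RE = re.compile(r"^Original Volume:\s*\((?P<drive>[A-Za-z]:)\)")
SHADOW_RE = re.compile(
    r"^Shadow Copy Volume:\s*(?P<device>\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)\s*$")


def parse_vssadmin(text):
    """Return [{'drive', 'device', 'created'}, ...] in the order vssadmin lists them."""
    copies, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATED_RE.search(line)
        if m:
            current = {"created": m.group("when")}
            continue
        m = ORIGINAL_RE.match(line)
        if m:
            current["drive"] = m.group("drive").upper()
            continue
        m = SHADOW_RE.match(line)
        if m:
            copies.append({"drive": current.get("drive"),
                           "device": m.group("device"),
                           "created": current.get("created")})
    return copies


def latest_copy(copies, drive):
    """Most recent copy of `drive`. Assumes vssadmin lists sets oldest first,
    so the last matching entry is the newest; confirm with the 'created' text."""
    matching = [c for c in copies if c["drive"] == drive.upper()]
    if not matching:
        raise LookupError(f"no shadow copies for {drive}")
    return matching[-1]


def shadow_path(copy, original_path):
    """Map a path such as C:\\Users\\... to the same path inside the shadow copy
    device. Reading that path (for example with shutil.copyfile) yields the
    pre-encryption version of the file."""
    drive, rest = ntpath.splitdrive(original_path)
    if drive.upper() != copy["drive"]:
        raise ValueError(f"{original_path} is not on {copy['drive']}")
    return copy["device"] + rest


if __name__ == "__main__":
    copies = parse_vssadmin(SAMPLE_VSSADMIN_OUTPUT)
    for c in copies:
        print(f"{c['drive']}  {c['created']:<22} {c['device']}")
    newest = latest_copy(copies, "C:")
    print(shadow_path(newest, r"C:\Users\alice\Documents\report.docx"))
```

Pick a copy created before the ransom notes appeared, not simply the newest one, and, as Step 1 says, only read from the shadow copies once the malware has been removed; otherwise the restored files can be encrypted again.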
