Your computer is infected with malicious software? Do you have pop-ups on your PC?
If so, search this blog for removal instructions or browse computer threats by category.

Thursday, August 27, 2015

Restore_files.txt and .abc Extension Ransomware Removal Guide

As you are reading this, it is probably safe to assume that you are aware of the myriad of malicious software programs that are hell bent on penetrating every corner of our PCs' operating systems in their attempt to scam us out of money, trick us into handing over our personal details and sometimes even just scare us for the fun of it.

There are so many scams, cons, tricks and attacks out there that it can feel like just the simple act of logging onto your computer could trigger a nightmare scenario. And the sad fact is that it actually can. With that in mind, we're going to take a look at one of those malware programs that use scare tactics to get you to hand over your hard earned cash: TeslaCrypt ransomware. Although not quite as widely discussed as some other types of malware, ransomware is a particularly unpleasant program and one that you shouldn't be tempted to ignore, just because it is not as well known. Once you read what it can do, we think you will agree!

Restore_files.bmp content:


What is TeslaCrypt?

It's a crypto-virus that encrypts your files and appends the .abc extension to the name of every encrypted file. It also drops a restore_files.txt ransom note in each folder it touches, and the same text in an HTML file and even a BMP file. The ransom note says:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them,
it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

You may not have heard of ransomware but have you heard of cryptoviruses or cryptotrojans? These are all names for the same thing – all equally frightening sounding too. And if you're wondering just what it is that TeslaCrypt ransomware can do, the name will probably give it away. It 'kidnaps' the files or data that you have stored on your computer and holds them to ransom – in other words it encrypts them so that you cannot open them – and then tells you that you will need to pay a ransom in order to regain access to your files. Allegedly you will be sent a code to unlock the files once you have made the payment. But here's the truth: many ransomware programmers will happily accept the payment, or ransom, and leave you high and dry without bothering to send you the code.

Ransomware's scare tactics

To increase the chances of you making payment, the ransom note that you receive is often designed to look official – and they can be very convincing. The 'kidnapper' knows that you are far more likely to be scared into paying if their notification comes, not from some shadowy third party, but from a law enforcement agency – the FBI or MI5 for example – depending on where your IP address shows you are. However, not all variants of this ransomware use scare tactics. Your ransom note can be slightly different, but it's still the same TeslaCrypt ransomware. Certain variants add a few random letters to the restore_files.txt file name, for example restore_files_fgrtl.txt, but that doesn't change anything. It's still the same crypto-virus.

The wording will tell you that you are under investigation for downloading pirated software or files, or for visiting an illegal website and if you pay the fine you’ll be off the hook. It's utter nonsense of course and whatever you do, do not pay a penny.

Ways that TeslaCrypt can infect your computer

There are a few ways that ransomware can infect you, so you do need to be careful. It can be embedded in the code of a compromised website, it may be spread by email or chat apps, or it can come bundled with another program or download: all everyday things that we take for granted when we are online. Once installed, it modifies the Internet Explorer zone settings to stop you from downloading anti-malware software. It sets the Internet zone's security level to High, which means you can't download any executable files. Luckily, this is easily fixed by resetting the security settings (Internet Options > Security > Reset all zones to default level). What is more, it terminates Windows Task Manager, Registry Editor and some other Windows tools that are usually very helpful when dealing with malware. For this reason, you may have to restart your computer in Safe Mode with Networking (or plain Safe Mode) and try to download anti-malware software from there. Or, if you know how to remove Windows registry values, you can delete these:

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{installation ID} = "%Application Data%\svc{random letters}.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
{installation ID} = "%Application Data%\svc{random letters}.exe"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLinkedConnections = 1

The last one is a legitimate Windows setting, not a malware file: with UAC enabled it makes the network drives mapped in your normal session visible to elevated processes as well. The ransomware turns it on so its encryptor can reach your mapped shares too. Deleting the value restores the default.
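The following script is an added example and not code from the original post: it audits the persistence entries listed above, the UAC drive-mapping value and the Internet Explorer zone lockdown, and undoes them only when you pass -Remove. The svc<random>.exe pattern is an assumption based on the post's description, as are the IE zone numeric values (taken from IE's documented zone layout), so read every reported hit before removing anything. Run it from an elevated PowerShell; Safe Mode is fine.

```powershell
# Added example (not code from the original post): audit the TeslaCrypt persistence entries
# listed above, the UAC drive-mapping value and the Internet Explorer zone lockdown, and undo
# them only when -Remove is given. Run from an elevated PowerShell (Safe Mode is fine).
# The svc<random>.exe pattern is an assumption based on the post's description, so read
# every reported hit before you pass -Remove.
function Find-TeslaCryptPersistence {
    param([switch]$Remove)

    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',      # also check the user hive
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # "%AppData%\svc<random letters>.exe", optionally quoted (the post writes the folder as
    # %Application Data%; the real value holds either %APPDATA% or the expanded path)
    $suspect = '(?i)\\svc[a-z0-9]+\.exe"?\s*$'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($p in $entries.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are provider metadata, not values
            $value = [string]$p.Value
            if ($value -notmatch $suspect) { continue }
            Write-Host "SUSPECT $key\$($p.Name) = $value"
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name $p.Name -Verbose
                $exe = [Environment]::ExpandEnvironmentVariables($value.Trim('"'))
                if (Test-Path -LiteralPath $exe) { Remove-Item -LiteralPath $exe -Force -Verbose }
            }
        }
    }

    # EnableLinkedConnections=1 lets an elevated process see the network drives mapped in the
    # user's normal session, which is how the encryptor reaches mapped shares. Default: absent/0.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $elc = (Get-ItemProperty -Path $sys -Name EnableLinkedConnections -ErrorAction SilentlyContinue).EnableLinkedConnections
    if ($elc -eq 1) {
        Write-Host "SUSPECT $sys\EnableLinkedConnections = 1 (mapped drives exposed to elevated processes)"
        if ($Remove) { Remove-ItemProperty -Path $sys -Name EnableLinkedConnections -Verbose }
    }

    # IE zone 3 is the Internet zone. CurrentLevel 0x12000 is the "High" template and URL action
    # 1803 is "File download" (3 = disable). These numbers follow IE's documented zone layout;
    # "Reset all zones to default level" in Internet Options does the same job by hand.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $z = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
    if ($z -and ($z.CurrentLevel -eq 0x12000 -or $z.'1803' -eq 3)) {
        Write-Host ("SUSPECT Internet zone locked: CurrentLevel=0x{0:X} 1803={1}" -f $z.CurrentLevel, $z.'1803')
        if ($Remove) {
            Set-ItemProperty -Path $zone -Name CurrentLevel -Value 0x11500 -Type DWord   # Medium-high, IE's default
            Set-ItemProperty -Path $zone -Name '1803' -Value 0 -Type DWord               # file download enabled
        }
    }
}

Find-TeslaCryptPersistence            # report only
# Find-TeslaCryptPersistence -Remove  # report and remove
```

Run it once without -Remove, confirm the reported executable really lives under your AppData folder and is not something you installed, and only then run it again with -Remove. The script deliberately checks HKCU as well as the HKLM keys the post lists, because a variant that was not running elevated can only write to the user hive.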

How to get my files back?

If you have a recent backup, wipe your hard disk and restore your files from it. If you don't, try the Shadow Explorer program or search your computer for previous versions of files. If you are lucky you may find copies that were not encrypted and renamed to .abc. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing TeslaCrypt (restore_files.txt) ransomware and related malware:


Before restoring your files from shadow copies, make sure the TeslaCrypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again. If you don't know how to do that, please watch this video.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by TeslaCrypt (restore_files.txt) virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note: this tool relies on the Volume Shadow Copy service, which is available on Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8. It can only help if shadow copies were being made and the ransomware did not delete them.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for the location where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.


Wednesday, August 26, 2015

Remove MW_ IN FILES and KK_ IN YOUR DOCUMENTS Ransomware and Restore Encrypted Files

A new variant of the Trojan-Ransom.NSIS.ONION.air ransomware has been detected which encrypts your files and leaves a MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt ransom note in each folder. All the encrypted files get a MW_ or KK_ prefix, for example MW_report.docx or KK_mysongg.mp3. The cyber criminals claim that in order to obtain a program which will decrypt your files you need to pay 3 or 4 bitcoins to a unique bitcoin wallet address. Unlike CryptoWall or CTB-Locker, this ransomware targets companies rather than home users. The criminals search for vulnerable network shares or try to trick users into opening malicious email attachments. They usually use Backdoor.Win32.Hlux and HEUR:Trojan.Win32.Generic malware (Kaspersky detection names) to infect computers first and then install the ransomware.

It's not rocket science to understand that the more time we spend online, whether for work or for leisure, the higher the chances of being infected by malicious software or a virus, or of falling prey to a scam or phishing attack. It is no longer enough to simply install an anti-virus program and then expect it to keep you safe; nowadays we need to educate ourselves on how to use the internet safely and securely. The problems are compounded by the fact that just as anti-virus and other types of security software are in a constant cycle of upgrading, so too are all the different types of malware.


After all, business is booming in the world of cyber crime and the people that create, distribute and profit from malware and other scams or threats are constantly on top of their game to conjure up even more ways to get us to part with our money.

Understanding ransomware

The problem is, learning about all of the numerous threats out there can feel like information overload and it can be tricky knowing what may affect you. It might not be fun learning about the latest cyber threats but it is most definitely important to take the time to if you want to adequately protect yourself, your data and your bank account.

With that in mind we are now going to take a look at the malware known as MW_ IN FILES ransomware. This is something you certainly should inform yourself about as it is particularly nasty – and that's saying something! Read on and give yourself a fighting chance of defending yourself in the event of a ransomware attack.

What is ransomware?

Put simply, ransomware is a software program that has been created to 'kidnap' the files or data on your PC and hold them hostage by encrypting them until you pay a ransom to get them back. In this case the clue really is in the name. It leaves a ransom with the following information:

Good day. Your computer has been locked by ransomware, your personal files are encrypted and you have unfortunately "lost" all your pictures,
files and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contain MW_
Your number: [edited]
To obtain the program for this computer, which will decrypt all files, you need to pay
3 bitcoins on our bitcoin address [edited] (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.
You can check bitcoin balanse here - https://www.blockchain.info/address/[edited]
After payment send us your number on our mail ttk@ruggedinbox.com and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file
We dont know who are you. All what we need - it's some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)
You can use one of that bitcoin exchangers for transfering bitcoin.

In your case the prefix can be different, for example "All encrypted files contain KK_", and the email address can be nown@ruggedinbox.com instead of ttk@ruggedinbox.com. They even vary the ransom notes, probably to make the campaign look more random and avoid pattern-based detection. Anyway, the whole idea remains the same: they encrypt your files, you pay 3 or 4 bitcoins and then email them the unique number from your note.

So I pay the ransom and my files will be returned to me?

This is one of those maddening questions that there is no straight answer to. After all, we are dealing with cyber criminals here and there is absolutely no guarantee that by handing over your money you are going to get your files back. In theory, once you've made the payment, you will be sent a tool that enables you to unlock, or decrypt, your inaccessible files, but there have been numerous examples of this not being the case and the 'kidnappers' simply taking the money and running, so to speak.

What steps should I take if I've been infected by ransomware?

First and foremost, do not hand over any money. As I said, chances are you'll be paying for a big fat nothing. If you have a recent backup, wipe your hard disk and restore your files from it. If you don't, try the Shadow Explorer program or search your computer for previous versions of files. If you are lucky you may find files that were not encrypted. But before restoring your files, please remove the ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing Trojan-Ransom.NSIS.ONION.air ransomware and related malware:


Before restoring your files from shadow copies, make sure the Trojan-Ransom.NSIS.ONION.air is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by Trojan-Ransom.NSIS.ONION.air virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note: this tool relies on the Volume Shadow Copy service, which is available on Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8. It can only help if shadow copies were being made and the ransomware did not delete them.

2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted for the location where you would like to restore the contents of the folder to.



Hopefully, this will help you to restore all encrypted files or at least some of them.
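Before you open Shadow Explorer it helps to know two things: which files and folders the ransomware actually touched, and whether any shadow copies exist that predate the attack. The script below is an added example and not part of either removal guide above; it serves both this post (the MW_/KK_ prefixes and note names) and the TeslaCrypt post (the .abc extension and restore_files*.* notes). It is read-only. The root folders, file patterns and the assumption that the newest ransom note marks the end of the encryption run are mine. Run it elevated, because querying shadow copies needs administrator rights, on PowerShell 3.0 or later.

```powershell
# Added example, not part of either post above: inventory what the ransomware touched and
# confirm that shadow copies still exist before reaching for Shadow Explorer. Read-only.
# .abc is the TeslaCrypt extension; MW_/KK_ and the note names come from the second post.
# Run elevated: querying shadow copies needs administrator rights (PowerShell 3.0+).
function Get-RansomwareInventory {
    param(
        [string[]]$Roots        = @($env:USERPROFILE),      # add mapped drives / shares as needed
        [string[]]$Extensions   = @('.abc'),
        [string[]]$Prefixes     = @('MW_', 'KK_'),
        [string[]]$NotePatterns = @('restore_files*.txt', 'restore_files*.html', 'restore_files*.bmp',
                                    'MW_ IN FILES.txt', 'KK_ IN YOUR DOCUMENTS.txt')
    )
    $encrypted = New-Object 'System.Collections.Generic.List[System.IO.FileInfo]'
    $notes     = New-Object 'System.Collections.Generic.List[System.IO.FileInfo]'

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $f = $_
            # notes first: "MW_ IN FILES.txt" would otherwise be counted as an encrypted file
            foreach ($n in $NotePatterns) { if ($f.Name -like $n) { $notes.Add($f); return } }
            if ($Extensions -contains $f.Extension) { $encrypted.Add($f); return }
            foreach ($p in $Prefixes) { if ($f.Name.StartsWith($p)) { $encrypted.Add($f); return } }
        }
    }

    # The newest note is roughly when the encryptor finished (assumption); only snapshots
    # created before that moment still hold clean copies.
    $lastNote    = $notes | Sort-Object LastWriteTime | Select-Object -Last 1
    $lastWritten = $null
    if ($lastNote) { $lastWritten = $lastNote.LastWriteTime }

    [pscustomobject]@{
        EncryptedFiles  = $encrypted
        RansomNotes     = $notes
        LastNoteWritten = $lastWritten
    }
}

function Get-ShadowCopySummary {
    # Same data as "vssadmin list shadows"; InstallDate is a WMI datetime string
    Get-WmiObject -Class Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id      = $_.ID
            Volume  = $_.VolumeName
            Created = $_.ConvertToDateTime($_.InstallDate)
        }
    } | Sort-Object Created
}

$inv = Get-RansomwareInventory
'{0} encrypted files, {1} ransom notes, newest note written {2}' -f $inv.EncryptedFiles.Count, $inv.RansomNotes.Count, $inv.LastNoteWritten
# Pick a snapshot created BEFORE the newest note; later snapshots already contain the encrypted files.
Get-ShadowCopySummary | Format-Table -AutoSize
# Where the encryptor ran, folder by folder:
$inv.RansomNotes | Select-Object -ExpandProperty DirectoryName -Unique
```

If Get-ShadowCopySummary prints nothing, there is no point installing Shadow Explorer: either shadow copies were never enabled on that volume or the malware removed them, and you are down to backups and the "previous versions" check in Method 2.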


Tuesday, August 25, 2015

Remove Enhanced Shopping Assistant Ads Malware (Uninstall Guide)

Just like 'real life' traditional advertising, some of the Enhanced Shopping Assistant adverts that you see when you're online are advertising something you may be interested in, while others hold no appeal for you whatsoever. But the chances are that a good deal of the adverts that you see on web pages are closely related to a product or service that you are genuinely interested in. Why is this, and why are such a high proportion of these adverts seemingly appealing directly to you? In fact, once you start noticing this you will see that, uncannily, many of these adverts are for the very same goods or services that you have recently been looking at. And no, your PC hasn't suddenly developed mind reading abilities – the truth is that you are being closely monitored by adware.

Enhanced Shopping Assistant: a mind reader or just clever software?

Let's say you're seeing "Ads by Enhanced Shopping Assistant" adverts for the new smart watch all of a sudden. Have you recently been looking at the watch on a retailer's website? Maybe you've been looking at cheap flights for a last minute getaway to San Francisco – and what do you know, now you're seeing ads for budget airlines, flights to the West Coast and hotels in that very location. This is what adware does: it installs a component on your PC which is designed to monitor the websites that you visit and make a note of which products or services you are looking at on that site. The Enhanced Shopping Assistant adware is then able to show you adverts that are related to your search – thus increasing the chances of you clicking on them.


Surely that's not a bad thing?

While seeing adverts and pop-ups for products that you may be considering buying might not be the worst thing to happen, after all, you can just ignore them if you're not ready to part with your cash, the fact is that somebody is spying on you. Just because you're not looking at anything illegal or shady, doesn't mean that you should have to surrender your online privacy in such a fashion.

However, it's a thin line, because a lot of people can forgive adware for its nosiness: without it we wouldn't have access to as many free apps or files as we currently do. That's because adware is a way of generating revenue for its programmer, who packages it with apps or other software that they give away for free. The adware is used as a way to recoup some of the costs of developing their freebie, and often for making a tidy profit too.

The problem is that when it turns nasty it can really cause you some issues: pop-up and pop-under windows that refuse to go away are just one of the annoyances. In addition, the component that tracks your internet usage will slow your operating system right down and can make your web browser unusable. The answer? Install a good anti-malware program on your PC and avoid the nuisance altogether.

How to get rid of Enhanced Shopping Assistant ads?

To remove this adware from your computer and stop Enhanced Shopping Assistant ads, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Enhanced Shopping Assistant Ads Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






2. Remove Enhanced Shopping Assistant related programs from your computer using the Uninstall a program control panel (Windows 7). Go to the Start Menu. Select Control Panel > Uninstall a Program.

If you are using Windows 8 or 10, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • Enhanced Shopping Assistant
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove Enhanced Shopping Assistant related extensions from Google Chrome:

1. Click on the Chrome menu button. Go to More Tools > Extensions.




2. Click on the trashcan icon to remove Enhanced Shopping Assistant, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!


Remove Enhanced Shopping Assistant related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu > Add-ons.




2. Select Extensions. Click Remove button to remove Enhanced Shopping Assistant, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove Enhanced Shopping Assistant related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools > Manage Add-ons. If you have the latest version, simply click on the Settings (gear) button.




2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Monday, August 24, 2015

Remove 1-855-484-3589 Fake BSOD Pop-up Malware (Uninstall Guide)

1-855-484-3589 phone number appears on a fake Windows Blue Screen Of Death message (BSOD). It's a scam where scammers request payment to fix your computer. Microsoft does not put their phone numbers on any error messages even if they are genuine. If you're reading this article with expectations of finding out how to remove this fake error message and associated malware from your computer then you are in the right place. In this article I am going to tell you how to defend yourself from being attacked by tech support scams.

This fake BSOD error message with the 1-855-484-3589 phone number that appeared on your computer screen was produced by a potentially unwanted program (PUP) or adware. It most likely came with a software download from a sketchy website; I've read some reports saying that users got it after installing a driver for a printer. So what actually is a PUP and how do you defend yourself against attack? PUP is an acronym for Potentially Unwanted Program which, as the name suggests, is a piece of software that you probably don't want installed on your PC. But how do you know if you have been 'bitten' by a PUP: what does one look like and how does it behave?


PUPs and similar malware are normally associated with rogue toolbars, although they sometimes appear as search engines or home pages. But whatever they look like, they normally have one end goal in common, which is to redirect the searches you make on the internet so that you are unable to visit the websites you want to go to, instead being sent directly to one of their own choice. In this case, it hijacks your web browser and sets up a proxy server, but instead of redirecting you to dodgy websites or displaying advertisements, it serves this fake BSOD error message and says that you need to call 1-855-484-3589 for technical support.

The fake blue screen says:

A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any bios updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

For technical support to this problem, call Windows helpline: +1-855-484-3589.
Technical Information:
*** STOP: 0x0000001E (0xFFFFFFFFC00000094,0xFFFFFF8000C074D1E,0x000000000,0xFFFFFFFFFFD)

And while you could argue this is not dangerous and won't do you any harm, the fact is that it is not only incredibly annoying but a real waste of your time too. Imagine being infected by a PUP at work – how much would your (or your employees') productivity drop if you spent half your day trying to get rid of it? It's not always easy, trust me.
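Because the page is served through a proxy the PUP configures, the quickest way to confirm the infection and find the responsible process is to look at the proxy setting and at what is listening on that port. The script below is an added example, not code from the original post: it reports the Internet Explorer proxy state (which most browsers on Windows inherit), maps a local proxy port to the process that owns it, and offers functions to stop that process and put the proxy back. Tuejet64 is the process name the removal guide below mentions; it is only an example, not a definitive indicator, so pass whatever Task Manager actually shows you. Get-NetTCPConnection needs Windows 8 / Server 2012 or later; on Windows 7 use "netstat -ano" instead.

```powershell
# Added example, not from the original post: check for the two changes the post attributes to
# this PUP, a rogue process and a proxy server, find the process that owns the proxy port, and
# undo the proxy. "Tuejet64" is the example process name from the post, not a firm indicator.
$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyState {
    $p = Get-ItemProperty -Path $IeSettings
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL   # a PAC script hijacks traffic even when ProxyEnable is 0
        IsLocalProxy  = [bool]($p.ProxyServer -match '(127\.0\.0\.1|localhost):\d+')   # proxy on this PC = local interception
    }
}

function Get-LocalProxyOwner {
    # Map the configured proxy port to the listening process that is serving the fake BSOD page
    $state = Get-ProxyState
    if (-not $state.IsLocalProxy) { return }
    $port = [int]($state.ProxyServer -replace '^.*:(\d+)$', '$1')
    Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue } |
        Select-Object Id, Name, Path
}

function Reset-ProxyState {
    Set-ItemProperty -Path $IeSettings -Name ProxyEnable -Value 0 -Type DWord
    foreach ($n in 'ProxyServer', 'AutoConfigURL', 'ProxyOverride') {
        Remove-ItemProperty -Path $IeSettings -Name $n -ErrorAction SilentlyContinue
    }
}

function Stop-SuspectProcess {
    param([string[]]$Names = @('Tuejet64'))
    foreach ($n in $Names) {
        Get-Process -Name $n -ErrorAction SilentlyContinue | ForEach-Object {
            $path = $_.Path
            Write-Host "Stopping $($_.Name) (PID $($_.Id)) at $path"
            Stop-Process -Id $_.Id -Force
            # delete the binary as well, otherwise it is back after the next reboot
            if ($path -and (Test-Path -LiteralPath $path)) { Remove-Item -LiteralPath $path -Force -Verbose }
        }
    }
}

Get-ProxyState
Get-LocalProxyOwner          # whatever shows up here is the process to stop
# Stop-SuspectProcess -Names 'Tuejet64'
# Reset-ProxyState
```

Stop the process before resetting the proxy: if you only clear the registry values, the running PUP can simply write them back. After both steps, reopen the browser and confirm that Get-ProxyState shows ProxyEnable 0 and no AutoConfigURL.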

So now let's take a look at how you defend yourself from such fake Blue Screens Of Death. It's a good idea, as with any malware, to know a little bit more about how they operate so that you can be better prepared to face them. First of all, it will install itself on your PC surreptitiously. This is usually by being bundled with another software download. It will piggyback on an installation so that when you download an app or software program, it will sneakily install itself along with it.

So that begs the question, how do you make sure you are not also installing it alongside your definitely wanted program? The good news is that because malware programmers don't consider their product to be malware, they will mention that they are packaged with the main program in the End User License Agreement that belongs to that download.

Therefore the trick to NOT installing this malware too is to make sure that you read this license agreement carefully and double check whether any additional programs are mentioned. If you spot wording related to an add-on either abort the installation or make sure the check boxes are configured so that you don't also install the malware that will display fake error messages in your computer.

To remove the fake BSOD caused by malware and other threats that may have been installed on your computer, please follow the removal guide below. If you have questions, leave a comment down below. I will be more than happy to help you. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Fake BSOD 1-855-484-3589 Pop-up Removal Guide:


1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer.






NOTE: If you can't download it, the problem can often be resolved by finding and ending the associated malware program in Task Manager: open the Processes tab, end the process (Tuejet64.exe or similar) and then delete the program file. Or restart your computer in Safe Mode with Networking and download anti-malware software from there.

2. Download and run TDSSKiller. Press the button Start scan for the utility to start scanning.



3. Wait for the scan and disinfection process to be over. Then click Continue. Please reboot your computer after the disinfection is over.




Sunday, August 23, 2015

Remove 1-844-329-3153 "Immediate PC Scan Recommended" Pop-up Ads (Uninstall Guide)

If you are one of the many PC users who have opened their web browsers only to be faced with a fake virus pop-up warning supposedly from your cable company saying that you must call 1-844-329-3153 for tech support, then you may be well acquainted with browser hijackers and potentially unwanted programs. These are software programs that download themselves onto your PC without making their intention to do so particularly obvious.

When this happens users usually ask (1) is my web browser infected? and (2) is my computer infected? The good news is that your web browser isn't infected but rather hijacked by a malicious browser extension that displays fake pop-ups warnings about possible data theft and other threats. The bad news is that your computer is infected with a browser hijacker and very likely adware as well. But what we also need to realize, and a frightening amount of personal and professional users don't, is that we need to take steps to protect ourselves from the myriad of different threats, including such fake pop-ups and adverts. And this doesn't mean simply 'setting and forgetting' a security software solution, it also means educating ourselves about the threats that we face every time we connect to the internet.


On that note, this article is going to take a closer look at browser hijackers that promote 1-844-329-3153 scam tech support services.

What are browser hijackers?

Whilst browser hijackers are not as dangerous as many types of malware, they still have a negative effect on your computer's functions. But why, in that case, are they only 'potentially' unwanted, if they have not been created to do us any real good?

The name browser hijacker was coined by online security experts and is used to categorize software that is mostly undesired by the average end user – i.e. you and me. While they may purport to have some use, browser hijackers generally have more in common with their malware cousins than they are often given credit for.

The prime function of a browser hijacker is to redirect you to a website that they want you to visit, instead of sending your search query to a relevant website. Even if you type in the URL (website address) of your chosen site they will still send you in whichever direction they choose. As you already know, among various misleading and even malicious websites scammers also use fake tech support web pages to scare you into thinking that your computer is infected. Then they immediately offer tech support by calling 1-844-329-3153. However, I wouldn't recommend calling this number because scammers will ask you to pay $200 or even more for a 'fix' and may even install remote control software on your computer. That's not a good idea at all.

Other problems caused by browser hijackers

Because browser hijackers install tool bars and search engines that replace your existing ones, not only will your searches be manipulated, but you'll suddenly find that using your computer's browser is now an unfamiliar chore. If it's already too late and your computer has been infected by a browser hijacker then please follow the steps in the removal guide below. If you have questions, please leave a comment down below. I will be more than happy to help you. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com




1-844-329-3153 Pop-up Ads Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this malware. Hopefully you won't have to do that.






2. Remove browser hijacker related programs from your computer using the Uninstall a program control panel (Windows 7). Go to the Start Menu. Select Control Panel > Uninstall a Program.

If you are using Windows 8 or 10, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • Magical Find
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove 1-844-329-3153 pop-up ads related extensions from Google Chrome:

1. Click on the Chrome menu button. Go to More Tools → Extensions.




2. Click on the trashcan icon to remove Magical Find, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!


Remove 1-844-329-3153 pop-up ads related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu → Add-ons.




2. Select Extensions. Click Remove button to remove Magical Find, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove 1-844-329-3153 pop-up ads related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.




2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Saturday, August 22, 2015

Remove Windows 10 Browser Ads (Uninstall Guide)

The list of new security features in Windows 10 is both long and significant, but unfortunately this OS is still vulnerable to various threats, including adware. You might not be particularly worried about adware that can infect Windows 10 and display annoying web browser ads, and I admit that it is probably not the worst type of malicious software out there, especially when compared to real internet nasties such as Trojan horses, spyware or ransomware. But that doesn't mean you should write it off completely as something that won't do you any harm, and you would definitely be advised to look into the ways you can protect yourself from an adware infection even if you're using the latest Windows 10 and a fully updated web browser.


Like most online scams, malware programs and viruses, the whole reason for adware's existence is to make money – and make no mistake, business is booming when it comes to nefarious online commerce. Adware can generate a decent income for those who use it, which is why the programmers who create it put in a not inconsiderable effort to ensure that you are captivated by their browser adverts and very tempted to click on them and spend some of your hard earned money. Since most users switched to Windows 10, scammers had to make certain adjustments as well. And I'm afraid they did this very successfully, because Windows 10 browser adverts and pop-ups appear all over the screen just as on Windows 8 and 7, no matter what browser you use. Yes, even Microsoft Edge can be affected and display ads.

This also means that if you have been infected by adware, it can be difficult to find and delete it from your PC, but that's not to say that you should simply ignore it because adware has some disruptive traits that will soon start to have a negative effect on your user experience.

Adware is everywhere

There was a time, in the not too distant past, when adware was only really a problem if you visited websites of a 'certain nature' – i.e. adult, illicit or illegal content. That is no longer the case: adware can now be found on the websites of even the most reputable brands or businesses. So what that means for you and me is that we have a far greater chance of being infected by adware, especially if we happen to stumble across a website that has been compromised to serve adware – something known as a drive-by download.

What can adware do?

Adware has a number of side effects – none of them particularly desirable. It can make your computer run slowly, it can cause it to keep crashing, and it can send you insane with its incessant pop-up and pop-under windows. Some adware will even go as far as deleting your toolbar and installing a new one so that it can manipulate your internet searches and redirect you to websites that the adware's programmer wants you to visit. And let's not forget that all of this unwanted activity taking place on your PC can cause instabilities and weaken your PC's security.

How to protect yourself from an adware infection on Windows 10

Aside from drive-by installations, adware is normally installed as a package bundled with another file or program. That means you need to be a lot more discerning when you are downloading something. Steer clear of third party download websites and only download from the publisher. You should also always read the End User License Agreement carefully and watch for check boxes that tell you an optional extra is included in the installation, unchecking them where needed.

How do I make Windows 10 browser ads disappear?

First of all, scan your computer with anti-malware software, especially if you are still not familiar with Windows 10. Adware's programmers are smart and try to hide malicious files on your computer, making it difficult to find and remove each malicious file. To remove adware from your computer and stop the absolutely annoying ads, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com




Windows 10 Browser Ads Removal Guide:


1. First of all, download anti-malware software and run a full system scan. It will detect and remove adware from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this adware. Hopefully you won't have to do that.






2. Remove adware related programs from your computer using the Uninstall a program control panel. Simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • TwistGrips
  • GoSave
  • Extag
  • SaveNewaAppz
  • and any other recently installed application


Simply select a suspicious application and click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove Windows 10 adware related extensions from Google Chrome:

1. Click on the Chrome menu button. Go to More Tools → Extensions.




2. Click on the trashcan icon to remove TwistGrips, Extag, Gosave, HD-Plus 3.5 and other extensions that you do not recognize.

If the removal option is grayed out then read how to remove extensions installed by enterprise policy.



3. Then select Settings. Scroll down the page and click Show advanced settings.


4. Find the Reset browser settings section and click Reset browser settings button.


5. In the dialog that appears, click Reset. That's it!


Remove Windows 10 adware related extensions from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools Menu → Add-ons.




2. Select Extensions. Click Remove button to remove TwistGrips, Extag, Gosave, MediaPlayerV1, HD-Plus 3.5 and other extensions that you do not recognize.


Remove Windows 10 adware related add-ons from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.




2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.


Friday, August 21, 2015

What is ExtTag.exe and how to remove it?


ExtTag.exe - by AgentMainService


What is ExtTag.exe?


ExtTag.exe is a browser hijacker that will redirect your web browser to dodgy and spammy websites. In a worst-case scenario you may be redirected to a malicious website and infect your computer. It's usually detected as RDN/Generic.dx, PUP.Optional.Linkury.PrxySvrRST, Generic6.BUEW or a variant of the MSIL/Toolbar.Linkury.S potentially unwanted program. The detection ratio is 18 / 57. Needless to say, such a detection ratio is pretty low and must be improved to ensure proper protection against this malware. As a savvy internet user you don't need me to tell you that there is a plethora of weird and (not so) wonderful things hiding in plain view on the internet, waiting to do us harm. Malicious software is big business and there is no end of different, innovative (and not in a good way) methods being used to con us out of our hard earned cash, corrupt our precious files and data and render our PCs virtually unusable. Browser hijackers can be as dangerous as spyware and Trojans. ExtTag.exe cannot delete your files or steal sensitive information. However, it can modify proxy settings and redirect you to malicious websites. What is more, it runs multiple processes on your computer in order to download updates and install more malware. It goes without saying that it's not essential for Windows and can cause serious problems. It's not digitally signed either. I recommend removing ExtTag.exe and related malware from your computer. To do so, please run a full system scan with anti-malware software.






File name: ExtTag.exe
Publisher: AgentMainService
File Location Windows XP: C:\Program Files\ExtTag\
File Location Windows 7/8: C:\ProgramData\ExtTag\
Startup file: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → ExtTag.exe
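As an added example (not from the original post), this PowerShell audits the Run keys listed above and flags autostart entries with the traits the post describes for ExtTag.exe: a binary dropped under ProgramData (or a per-user AppData folder), a known hijacker file name, or no valid Authenticode signature. The path heuristics and the name list are assumptions for illustration.

```powershell
# Added example (not from the original post): audit the Run keys for entries
# with the traits the post describes for ExtTag.exe: a binary dropped under
# ProgramData (or a per-user AppData folder), a known hijacker file name, or no
# valid Authenticode signature. Heuristics and the name list are assumptions.
function Get-SuspiciousRunEntries {
    param(
        [string[]]$RunKeys = @(
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # used by ExtTag.exe
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        ),
        [string[]]$KnownBad = @('ExtTag.exe')                         # file names from the post
    )
    foreach ($key in $RunKeys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        # Every non-PS* property of the key object is one autostart value.
        $values = $item.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
        foreach ($v in $values) {
            $cmd = [string]$v.Value
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
            # Heuristic: a quoted path, otherwise the first whitespace-delimited token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^\s*(\S+)') { $Matches[1] }
                   else { $cmd }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if (Test-Path -LiteralPath $exe -PathType Leaf) {
                       (Get-AuthenticodeSignature -FilePath $exe).Status
                   } else { 'FileMissing' }
            $reasons = @()
            if ((Split-Path -Path $exe -Leaf) -in $KnownBad) { $reasons += 'known hijacker file name' }
            if ($exe -match '\\ProgramData\\|\\AppData\\')    { $reasons += 'runs from a data directory' }
            if ("$sig" -ne 'Valid')                           { $reasons += "signature: $sig" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key        = $key
                    Name       = $v.Name
                    Command    = $cmd
                    Executable = $exe
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Flagged entries are triage leads, not verdicts: legitimate unsigned software
# will appear too. Verify each path before removing anything.
Get-SuspiciousRunEntries | Format-Table -AutoSize -Wrap
```

An ExtTag.exe entry on Windows 7/8 would be reported with both "known hijacker file name" and "runs from a data directory", since the post places the binary under C:\ProgramData\ExtTag\.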


Remove help-file-decrypt.enc Virus and Restore Encrypted Files

Help-file-decrypt.enc and pronk.txt files belong to the Trojan.Cryptolocker.X ransomware. I wrote about it a few years ago. I was surprised to see that it's still active, although slightly modified. Anyway, if you got these files in every folder on your computer and you noticed that most of your files are encrypted, then your computer is infected with this encryption virus. It also renames encrypted files by adding either safefiles32@mail.ru or filesdecrypt@india.com at the end of each file name. The cyber criminals who created this ransomware use these email addresses to communicate with victims and send further information on how to decrypt files and, of course, how to pay the ransom. Basically, they expect you to contact them through safefiles32@mail.ru for more information.

It's a rather new variant, first detected about a week ago. However, it doesn't bring anything new and instead uses a well known encryption and extortion scheme. If you're a savvy internet user, you are well aware that there are numerous threats to your online safety. Whether you are a home user who uses the web for sending emails, shopping and reading the news, or you're a small business owner or manager, protecting the data that is rightfully yours is more crucial than ever before. And if you are the owner of a company, data security is often a matter of law and you will need to be compliant to avoid risking fines or other penalties.

It may appear that cyber criminals, hackers, phishers, spammers, call them what you will, only target big corporations, but the fact is you and your home PC or small business computer network are a far easier target. These people exploit our vulnerabilities and our lesser degree of technical expertise to make big bucks. And one of the ways they do this is through the use of a malicious software program called ransomware.

What is help-file-decrypt.enc ransomware?

It is a program which has been designed to 'kidnap' your files or data by making them inaccessible to you. The files will be encrypted – i.e. held hostage – and only released back to you once you have paid the ransom. The ransom note pronk.txt will either be created in each folder with at least one encrypted file or displayed in a pop-up window or full screen message – pretty panic inducing for most of us. The message will tell you that once you have paid the kidnapper's demands, you will be sent a code so that you can decrypt your files. The malware also allocates virtual memory in foreign processes and creates even more malicious files on your computer. It can also modify proxy settings and communicate with C&C servers. Not to mention that it can control your CPU usage and send sensitive information to cyber criminals.

Ransomware's method of attack

Like most malware, it is disseminated either by email, by being embedded on a compromised or malicious website, or included as an add-on with a download. And of course, as we all use email and the web every day, and download apps, software and files on a frequent basis, we are all at risk of potentially losing, not only our files, but a large sum of money too.

The trick is to stay vigilant

Just because you're not a world famous pop star or a global leader it doesn't mean you are not at risk of kidnapping – at least not this form of online cyber kidnapping anyway. Your data is just as prone to being kidnapped and held to ransom as that belonging to the most beloved film stars and loathed politicians! And that means that you need to be careful when downloading and installing things, and be very cautious when dealing with emails or chat messages from unknown senders.

You should also try to avoid visiting websites that may potentially be disreputable, and don't let yourself be suckered into downloading freebie games and apps that don't have any reviews or recommendations or are not offered via one of the big download websites.

Of course, installing a good anti-malware program on your PC is crucial too, as is making sure it is always up to date.

How to get my files back?

If you have a recent backup, wipe your hard disk and restore your files from it. If you don't, try the Shadow Explorer program or search your computer for previous versions of files. If you are lucky, you may find files that were not encrypted. But before restoring your files, please remove the help-file-decrypt.enc ransomware and related malware files from your computer. To do so, please follow the steps in the removal guide below. If you have any questions, please leave a comment down below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Step 1: Removing help-file-decrypt.enc (Trojan.Cryptolocker.X) virus and related malware:


Before restoring your files from shadow copies, make sure Trojan.Cryptolocker.X is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.






Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.


Step 2: Restoring files encrypted by help-file-decrypt.enc (Trojan.Cryptolocker.X) virus:


Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.



3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.
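Method 3 relies on Volume Shadow Copies. As an added example (not part of the original guide or of Shadow Explorer), this PowerShell lists the same snapshots Shadow Explorer browses, with drive letter and creation time, and exposes a chosen one through a directory symbolic link so files can be copied out of it. It needs an elevated session; the link path C:\ShadowCopyView is an assumption.

```powershell
# Added example (not from the original guide): list the Volume Shadow Copies
# that Shadow Explorer browses and expose one through a directory symbolic link,
# so files can be copied out of the snapshot with Explorer or Copy-Item.
# Requires an elevated PowerShell session. The link path is an assumption.
function Get-ShadowCopyInventory {
    # Win32_ShadowCopy stores the volume GUID path; Win32_Volume maps it back
    # to a drive letter so the listing is readable.
    $letters = @{}
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter } |
        ForEach-Object { $letters[$_.DeviceID] = $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object -Property InstallDate -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Drive        = $letters[$_.VolumeName]
                Created      = $_.InstallDate
                Id           = $_.ID
                DeviceObject = $_.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
            }
        }
}

function Mount-ShadowCopyLink {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [string]$LinkPath = 'C:\ShadowCopyView'      # assumed mount point
    )
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
    # mklink needs the trailing backslash on the device path. The snapshot is
    # read-only, so browsing it cannot touch the live (encrypted) volume.
    cmd.exe /c mklink /d "$LinkPath" "$DeviceObject\" | Out-Null
    Get-Item -LiteralPath $LinkPath
}

$copies = Get-ShadowCopyInventory
if (-not $copies) {
    # Ransomware commonly deletes shadow copies; an empty list means Method 3 cannot help.
    Write-Warning 'No shadow copies found.'
} else {
    $copies | Format-Table -AutoSize
    # Mount the newest snapshot of C: and copy a folder out of it, e.g.:
    #   $newest = $copies | Where-Object { $_.Drive -eq 'C:' } | Select-Object -First 1
    #   Mount-ShadowCopyLink -DeviceObject $newest.DeviceObject
    #   Copy-Item 'C:\ShadowCopyView\Users\<name>\Documents' 'D:\Recovered' -Recurse
    # Remove only the link afterwards:  cmd.exe /c rmdir C:\ShadowCopyView
}
```

Copy recovered files to a different, clean drive rather than back over the encrypted originals, and only after Step 1 has confirmed the ransomware is gone.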



Hopefully, this will help you to restore all encrypted files or at least some of them.
