Friday, 31 August 2012

Remove United States Cyber Security Ransomware (Uninstall Guide)

In this post we will discuss a new variant of Reveton ransomware, specifically the United States Cyber Security MoneyPak online extortion scam. Reveton-related ransomware scams are hardly new. The crooks behind this ransomware have been targeting European users for years. Not all of Europe, of course, only the wealthiest countries, including Germany, France, Sweden, Spain, Italy and probably five or six more.

But things started to change recently when cyber crooks released new variants of Reveton ransomware targeting U.S. and Canadian users. First there was the FBI ransomware, then the United States Department of Justice scam, followed by other scams mimicking official notices from national police agencies in Canada. So what we have now is the latest variant, which mimics a United States Cyber Security notice and frightens people into paying a fine to avoid prosecution for supposedly downloading and distributing pirated and illegal content. Needless to say, the police would knock on your front door rather than send you a warning asking you to pay a fine via MoneyPak. Cyber crooks very often use strong language to scare victims into paying the fine, usually $100 or $200. It can be as low as $50, but we have never seen more than $200.



United States Cyber Security MoneyPak and related scams can be very successful. A ransom Trojan is in fact very similar to a rogue antivirus program: it hijacks your computer and displays fake warnings until you pay or find a way to remove the malicious application. Don't pay the fine, because you almost certainly won't be able to get your money back. This scam does not rely on credit card payments, so there can't be any chargebacks. Cyber crooks use alternative payment systems, mostly MoneyPak, Ukash and Paysafecard. Paying the fine via MoneyPak is rather easy: MoneyPak cards are sold at Wal-Mart, Kmart and other retailers. The victim stays anonymous, but at the same time gives up any realistic chance of getting the money back. That's an unenviable situation.

Manual United States Cyber Security ransomware removal is a risky and sometimes rather confusing process because it involves Windows registry editing and removing hidden or system-protected files. Most users seek professional technical assistance. However, the United States Cyber Security MoneyPak malware scam can be removed manually, and we will show you how. Please follow the removal instructions below.

There's one more thing about this ransomware that you should be aware of: United States Cyber Security ransomware and other variants of Reveton malware are being distributed together with password-stealing and banking Trojans, mostly Zeus. The most popular exploit kit used to plant malicious code on victims' computers remains the same: Blackhole. Cyber criminals fine-tune exploit kits and payloads at the same time. For example, the fake threatening messages are now served over an encrypted connection, and only when the victim's PC returns a special request. This way the crooks know their malware infected the right person in the targeted location, someone who may pay the ransom, and not a malware researcher's PC, where it would quickly be analysed and users warned about the new threat. Recently, crooks started to exploit CVE-2012-4681, the latest Java vulnerability. Most likely this vulnerability was discovered in China, and it wasn't even sold; someone leaked it, saving at least $100,000 for the cyber crooks who develop exploit packs. Obviously, they rushed to add the new exploit to all major exploit packs, and as a result infection rates almost doubled. They should consider themselves lucky, but not for long: Oracle made an announcement yesterday and released patches for the affected Java versions. So hurry up and update Java!

OK, so now you know the basics of the schemes Reveton authors use to steal money from not-so-computer-savvy users. When it comes to United States Cyber Security malware removal, there are at least two possible ways: manual removal, and a partly automated removal using a rescue disk. Manual removal may not be possible if you cannot reboot your computer into Safe Mode. Last but not least, once your PC is clean, please change all your passwords and make sure they are strong enough. As we said, this ransomware very often comes bundled with spyware. Finally, to eliminate the threat posed by the current version of this ransomware, you should run a full system scan with recommended anti-malware software.

If you have any further questions, please feel free to comment. If you want to share the removal method that worked for you, please do. Good luck and be safe online!

http://deletemalware.blogspot.com


Quick United States Cyber Security MoneyPak removal instructions (System Restore; may not work for all users):

1. Unplug your network cable and manually turn your computer off. Reboot your computer into Safe Mode with Command Prompt: as the computer is booting, tap the F8 key continuously, which should bring up the Windows Advanced Options Menu as shown below. Use your arrow keys to move to Safe Mode with Command Prompt and press the Enter key.



2. Make sure you log in to an account with administrative privileges (log in as an administrator).

3. Once the Command Prompt appears you have a few seconds to type explorer and hit Enter. If you don't do it within 2-3 seconds, the United States Cyber Security ransomware will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer, browse to the System Restore executable and run it:
  • Win XP: C:\windows\system32\restore\rstrui.exe
  • Win Vista/Seven: C:\windows\system32\rstrui.exe
5. Follow the steps to restore your computer to an earlier date, from before the infection.

6. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove the remnants of United States Cyber Security ransomware.


United States Cyber Security ransomware removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large download, so please be patient.

2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD record software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.



Click on the small Browse for file icon as shown in the image. Browse to your download folder and select kav_rescue_10.iso as your source file.



OK, so now we are ready to burn the .iso file. Simply click the Write image file to disc button below, and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.



3. Configure your computer to boot from CD/DVD. Use the Delete, F2 or F11 key to load the BIOS menu. Normally, information on how to enter the BIOS menu is displayed on the screen at the start of the boot.



The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.



Set CD/DVD-ROM as your 1st Boot Device. Save changes and exit the BIOS menu.



4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.



5. Select your language and press Enter to continue.



6. Press 1 to accept the End User License Agreement.



7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method and press Enter. The rescue operating system then starts.



8. Click on the Start button in the bottom left corner of the screen. Run Kaspersky WindowsUnlocker to undo the Windows system and registry changes made by United States Cyber Security ransomware. It won't take very long.



9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.



10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.



11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.



12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.



13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove the remnants of United States Cyber Security ransomware and spyware modules.


Associated United States Cyber Security ransomware files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"

Remove search.sweetim.com and SweetIM toolbar (Uninstall Guide)

I'm sure you've been frustrated when you installed a certain application (mostly freeware or shareware) only to find that it dropped additional toolbars and changed your default search engine provider. Rajesh Moganti, who authors the Geeks Desk Technology Blog, has shared some interesting thoughts about the SweetIM toolbar and the ongoing concern about web browser modifications.



Important note: SweetIM toolbar and associated components are safe and contain no malicious or dangerous software whatsoever. We know that software developers take this kind of publication very seriously, claiming that we are slandering their good reputation. However, that's not true. Even though this site deals with malware, we DO NOT refer to SweetIM as a malicious product. This post provides detailed instructions on how the SweetIM products, including SweetIM toolbar, search.sweetim.com and home.sweetim.com, can be removed by end users. Why? Because you guys made it so freaking confusing that most users don't even know where to start and how to remove all the components of SweetIM products. We know that our readers are smart enough to tell the difference between a potentially unwanted web toolbar and a malicious application. Don't worry about that.

SweetIM toolbar is all about fun. The SweetPacks team provides a high quality product with loads of fun features. That's probably why more than 150 million users across the globe are using this toolbar.
  • Animated Smileys. SweetIM toolbar gives you an exclusive free set of animated smileys. These smileys can be sent through different instant messengers, Facebook, email etc. Using smileys reflects your mood while chatting; sometimes chatting can be boring, but this boredom can be wiped out with cute and funky smileys that bring freshness to chatting.

  • Online Games. You can select any of the cool and fun games listed in the toolbar or on the website and enjoy your time to the fullest. You can also invite your friends to participate in multi-player games.

  • Sneak Peek. Before sharing an animation, emoticon, smiley, etc., you can preview it and choose the best one before actually sending it.

  • Search bar. SweetIM toolbar comes with a default search bar and search engine provider. Some people find it useful; others say it's a nightmare, mostly because SweetIM toolbar changes the way people search, displaying entirely different search results.

  • SweetIM default Home Page. During installation, SweetIM asks whether you want to set home.sweetim.com as your default home page and search.sweetim.com as your default web search provider. This is true when you run the official SweetIM installer. However, quite the opposite happens when the toolbar comes bundled with other software, for example freeware players, codecs and screen savers.
But not everything about this product is great, especially when it comes to removing the default search engine provider called SweetIM Search, which redirects users to search.sweetim.com instead of Google when searching directly from the address bar in Mozilla Firefox, Google Chrome and Internet Explorer. Of course, there's an official removal guide that covers the most frequently asked questions, but for some odd reason SweetIM's authors forgot to mention that certain web browser settings can only be restored manually. For instance, in Mozilla Firefox you have to change the default search engine provider and the keyword.URL preference value yourself. Why's that? We bet you know that most users do not want to deal with advanced web browser settings. Some of them don't know how to do that in the first place, and that's not their fault. Such remnants are very annoying: users cannot surf the web as they did before installing SweetIM. Forcing users to use your web search engine in such an unethical manner won't add credibility to your products. It might increase revenue, but not reputation.

To remove search.sweetim.com and SweetIM toolbar from your computer, please follow the removal instructions below. If you have any questions or valuable remarks, please leave a comment below. Good luck and be safe online!

Source: http://deletemalware.blogspot.com


Search.sweetim.com and SweetIM toolbar removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



3. Search for SweetIM for Messenger, SweetPacks Toolbar for Internet Explorer and Update Manager for SweetPacks in the list. Select each program and click the Remove button. Remove all components!

If you are using Windows Vista/7, click Uninstall up near the top of that window.




Remove search.sweetim.com in Internet Explorer:

1. Go to Tools → Internet Options. Select the General tab and click the Use default button, or enter your own website, e.g. google.com, instead of http://home.sweetim.com. Click OK to save the changes.



If your search results are being redirected to search.sweetim.com, go to Tools → Manage Add-ons and select Search Providers. Choose Bing or Live Search as your default search engine provider and then remove SweetIM Search. Usually, the SweetIM Search engine is removed together with the core components of SweetIM toolbar in Internet Explorer.


Remove search.sweetim.com and SweetIM toolbar in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Remove the SweetPacks Toolbar for Firefox extension. Close the window.



3. Click on the magnifying glass search icon as shown in the image below and select Manage Search Engines....



4. Choose SweetIM Search from the list and click Remove to remove it. Click OK to save changes.




5. Go to Tools → Options. Under the General tab reset the startup home page, or change it to google.com, etc.



6. In the URL address bar, type about:config and hit Enter.



Click I'll be careful, I promise! to continue.



In the filter at the top, type: sweetim



Now you should see all the preferences that were changed by SweetIM toolbar. Right-click on each preference and select Reset to restore its default value. Reset all preferences found!



That's it!
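The about:config step above (filter on "sweetim", Reset every hit) edits the user_pref lines Firefox stores in prefs.js inside the profile folder. The script below is an added example written for this post, not SweetIM's or Mozilla's code: it parses a prefs.js fragment, lists every preference whose name or value mentions SweetIM (the same set the about:config filter shows), and writes the file back without those lines, which is exactly what Reset does. The sample prefs.js content is constructed for the example; only the preference names the guide itself mentions (keyword.URL, the home page and the search engine settings) are real.

```python
import re

# Constructed sample of a prefs.js fragment after a bundled SweetIM install.
# about:config stores user-set preferences here as user_pref(...) lines. The
# content is made up for this example; the query strings are not real.
SAMPLE_PREFS = r'''# Mozilla User Preferences

user_pref("browser.startup.homepage", "http://home.sweetim.com/?src=10");
user_pref("browser.search.defaultenginename", "SweetIM Search");
user_pref("browser.search.selectedEngine", "SweetIM Search");
user_pref("keyword.URL", "http://search.sweetim.com/search.asp?src=2&q=");
user_pref("browser.search.update", true);
user_pref("extensions.lastAppVersion", "14.0.1");
'''

# One user_pref line: name in quotes, then the raw value (string, bool or number).
_USER_PREF = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Return a list of (name, raw_value) for every user_pref line, in file order."""
    found = []
    for line in text.splitlines():
        m = _USER_PREF.match(line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def hijacked_prefs(text, marker="sweetim"):
    """Preferences whose name or value mentions the marker, case-insensitively.
    This is the list you get by typing the marker into the about:config filter."""
    marker = marker.lower()
    return [(n, v) for n, v in parse_prefs(text)
            if marker in n.lower() or marker in v.lower()]


def reset_prefs(text, marker="sweetim"):
    """Return (cleaned_text, removed_names). Deleting a user_pref line is what
    about:config 'Reset' does: Firefox then falls back to its built-in default."""
    doomed = {n for n, _ in hijacked_prefs(text, marker)}
    kept, removed = [], []
    for line in text.splitlines():
        m = _USER_PREF.match(line.strip())
        if m and m.group(1) in doomed:
            removed.append(m.group(1))
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = reset_prefs(SAMPLE_PREFS)
    print("reset:", removed)
    print(cleaned)
```

Quit Firefox before touching prefs.js (it rewrites the file on exit, undoing your edit), keep a copy of the original, and run the script against the prefs.js in your profile folder (on Windows, %APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js).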


Remove search.sweetim.com and SweetIM for Facebook in Google Chrome:

1. Click on the Customize and control Google Chrome icon. Go to Tools → Extensions.



2. Select SweetIM for Facebook and click on the small recycle bin icon to remove the extension.



3. Click on Customize and control Google Chrome icon once again and now select Settings.



4. Click the Manage search engines... button.



5. Select Google or any other search engine you like from the list and make it your default search engine.



6. Select SweetIM Search from the list and remove it by clicking the "X" mark as shown in the image below.



And that's about it!


Associated SweetIM Toolbar files and registry values:

Files:
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\conf\logger
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcm90.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcp90.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\Microsoft.VC90.CRT\msvcr90.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\resources
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\default
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgconfig.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelperApp
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mglogger.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgxml_wrapper.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\ClearHist
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgcommon.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mghooking.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgsimcommon.dll
  • C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarProxy.dll
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
  • HKEY_CURRENT_USER\Software\SweetIM\Install
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "%ProgramFiles%\SweetIM\Communicator\SweetPacksUpdateManager.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\SweetIM\Communicator
  • HKEY_LOCAL_MACHINE\SOFTWARE\SweetIM

Friday, 17 August 2012

Remove Celas Ransomware (Uninstall Guide)

Today's post is about something we've been observing for several months now. Recently, we wrote about the FBI and Police Central e-crime Unit ransom Trojans. This time, we will take a closer look at Celas ransomware, how it has evolved over time, and how to properly remove this kind of infection.

Celas is a new company that represents the world's leading musicians. It is owned by EMI, GEMA and PRS. If you want to learn more about it, please visit the official Celas website. In short, this company stands behind popular artists and rights holders and controls how their music is used. The company is already aware of the Celas virus and has even issued an official statement on this computer-locking scam.

Unfortunately, this ransomware is on the move at the moment. The fake Celas warning hasn't changed much since we came across it for the first time, probably in April or May, but it's definitely evolving. Cyber crooks released a new variant which targets U.S. internet users. They also changed payment methods, probably because they got banned from the payment systems they were using previously.



There are at least five different Celas ransomware warnings, which change depending on which country you are in. The structure and design elements are exactly the same for most countries, but of course the wording changes. Anyway, all they are trying to do is scare you into paying for something that you don't need to pay for. If you look at the ransomware you will see that they are using pretty strong language. Celas ransomware claims that you were illegally downloading and distributing copyrighted songs.

Some of you may have fallen for it; we know our friends have. But it's all fake. It's just a scam. If they actually caught you doing that, they wouldn't send you a message asking you to pay $100 or €100 to unlock your PC. That just doesn't make sense at all.

Now, if you're facing the American version of Celas ransomware, you have probably noticed that there's only one way to pay the 'fine': using an Ultimate Game Card. That doesn't make sense either. You can use Ultimate Game Card to buy online games, and there's nothing wrong with the service, but no one uses it to pay fines. We don't know why cyber criminals decided to use this service, but it doesn't look right.

The good news is that Celas ransomware doesn't encrypt files. Other Trojans do encrypt certain files on infected computers, and for this reason it usually takes longer to remove the malicious files and decrypt the data.

The British version is pretty much the same, except for different payment methods: Ukash and PaySafecard.

So, if you got infected with Celas ransomware, please follow the steps in the removal guide below. Normally, this malware can be removed in Safe Mode rather easily. Unfortunately, it sometimes comes bundled with other malware that locks down the computer completely. In that case, a Live CD is the only option. We will show you how to remove Celas ransomware using Kaspersky Rescue Disk. Hopefully, this virus will only cost you time and not your money.

If you have any questions about this infection or need help removing it, please leave a comment below. Good luck!

Source: http://deletemalware.blogspot.com


Celas malware removal instructions:

1. Reboot your computer into "Safe Mode with Command Prompt". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were logged in with in normal Windows mode.



2. When Windows loads, the Windows command prompt shows up as shown in the image below. At the command prompt, type explorer and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry Editor from the same command prompt: type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

In the right-hand pane select the value named Shell. Right-click on it and choose Modify.



The default value data is Explorer.exe.



On an infected machine the value data points to the ransomware executable instead.



Copy the location of the executable file it points to into Notepad, or otherwise note it, then change the value data back to Explorer.exe. Click OK to save your changes and exit the Registry Editor.

5. Remove the malicious file, using the file location you saved into Notepad or otherwise noted in the previous step.

Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove the leftovers of Celas ransomware from your computer.
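The Shell check in steps 4 and 5 above (and the same Winlogon value listed for the United States Cyber Security variant earlier on this page) can be done offline, without clicking around in regedit. The Python script below is an added example written for this post, not the malware's or any vendor's code: it reads the text produced by reg export for the Winlogon key, tells you whether Shell still points at explorer.exe, lists the extra executables you need to delete, and produces a .reg file that restores the default. The sample exports, the victim path and the file name qkzrtmx.exe are constructed for the example. It also flags the appended form explorer.exe,<payload>, which Winlogon accepts because Shell is a comma-separated list; that goes beyond the exact case on this page.

```python
import re

# Key and value the guide tells you to inspect and restore (same for the
# United States Cyber Security / Reveton and Celas variants described above).
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"

# Constructed sample: what `reg export "HKLM\...\Winlogon" winlogon.reg` produces
# on a machine where the ransomware replaced the shell. The path and the random
# file name are made up for this example.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Shell"="C:\\Users\\victim\\AppData\\Roaming\\qkzrtmx.exe"
'''

# Constructed sample of a clean machine, for comparison.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

# "Name"="string data" lines; dword:/hex: values do not match and are skipped.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def check_shell(keys):
    """Classify the Winlogon Shell value. Winlogon accepts a comma-separated
    list, so 'explorer.exe,C:\\evil.exe' is flagged as well, not only a full
    replacement of explorer.exe."""
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    if shell is None:
        return {"status": "missing", "shell": None, "suspicious": []}
    entries = [e.strip() for e in shell.split(",") if e.strip()]
    suspicious = [e for e in entries if e.lower() != DEFAULT_SHELL]
    status = "clean" if entries and not suspicious else "hijacked"
    return {"status": status, "shell": shell, "suspicious": suspicious}


def restore_reg():
    """A .reg file that puts the default back; import it with `reg import fix.reg`
    (or `regedit /s fix.reg`) from the Safe Mode command prompt."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[" + WINLOGON_KEY + "]\r\n"
            '"Shell"="' + DEFAULT_SHELL + '"\r\n')


def triage(export_text):
    """One-call report: status, the paths to delete (step 5) and the fix file."""
    report = check_shell(parse_reg_export(export_text))
    report["delete_these"] = list(report["suspicious"])
    report["fix_reg"] = restore_reg() if report["status"] != "clean" else None
    return report


if __name__ == "__main__":
    for name, text in (("hijacked", HIJACKED_EXPORT), ("clean", CLEAN_EXPORT)):
        r = triage(text)
        print(name + ":", r["status"], r["delete_these"])
```

From the Safe Mode command prompt, reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg gives you the input; run the script on a clean machine if the infected one has no Python, delete every path in delete_these, then import the generated fix file. Treat the exported path as the thing to remove in step 5, not as something to double-click.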


Celas malware removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large download, so please be patient.

2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD record software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.



Click on the small Browse for file icon as shown in the image. Browse to your download folder and select kav_rescue_10.iso as your source file.



OK, so now we are ready to burn the .iso file. Simply click the Write image file to disc button below, and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.



3. Configure your computer to boot from CD/DVD. Use the Delete, F2 or F11 key to load the BIOS menu. Normally, information on how to enter the BIOS menu is displayed on the screen at the start of the boot.



The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.



Set CD/DVD-ROM as your 1st Boot Device. Save changes and exit the BIOS menu.



4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.



5. Select your language and press Enter to continue.



6. Press 1 to accept the End User License Agreement.



7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method and press Enter. The rescue operating system then starts.



8. Click on the Start button in the bottom left corner of the screen. Run Kaspersky WindowsUnlocker to undo the Windows system and registry changes made by Celas ransomware. It won't take very long.



9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.



10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.



11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.



12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.



13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove the remnants of Celas ransomware and to protect your computer against these types of threats in the future.


Associated Celas ransomware files and registry values:

Files:
  • [SET OF RANDOM CHARACTERS].exe
Registry values:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"