So, you got the click.get-amazing-results.com browser hijacker and you can't remove it. This can be a sign of malware or of a potentially unwanted browser helper object. In most cases, I have to assume that it's some sort of malicious software, specifically a Trojan horse or a rootkit. The last time I got a computer infected with the click.get-amazing-results redirect virus I found about 30 more pieces of malware, including a Trojan ad loader and a rather sophisticated rootkit. It can't be a coincidence, right?
There are many variations on browser hijacking, but the main idea is very simple: after you run a search you are redirected to malicious or spammy websites. Sometimes click.get-amazing-results.com forwards victims to unexpected websites, acting like a tracking site. At other times it simply displays paid and very irrelevant search results, or even ads that have nothing to do with your search term. All in all, click.get-amazing-results.com is a pretty direct hijack. And it's annoying as hell.
The Trojan downloader responsible for the get-amazing-results.com redirects usually modifies the way your system locates servers on the internet. In a DNS hijack the malware changes your DNS settings (or the hosts file), so a lookup for a legitimate site returns a different IP address. Some malware, rather than modifying your DNS settings, takes a more direct route and injects malicious code into already running processes. Such malware very often infects web browser components and adds malicious browser extensions.
Fixing the click.get-amazing-results.com redirect should be fairly easy: run an up-to-date anti-malware scan. Please note that the website itself isn't malicious. You have probably found other sites claiming that click.get-amazing-results.com is 'malicious' or 'dangerous'. It is only being used to redirect victims or display paid search results. It's not about the website; it's about your computer being infected with a combination of a Trojan horse and probably a rootkit. To remove this browser hijacker and the malware associated with it, please follow the removal instructions below. Good luck and be safe online!
Click.get-amazing-results.com redirect virus removal instructions:
1. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.
NOTE: in some cases malware may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe so the malware's process-name blocklist does not match it. Don't forget to update the installed program before scanning.
2. Check Windows HOSTS file.
Go to: C:\WINDOWS\system32\drivers\etc.
Double-click "hosts" file to open it. Choose to open with Notepad.
The "hosts" file should look the same as in the image below. Apart from comment lines (starting with #), there should be only the loopback entries: 127.0.0.1 localhost on Windows XP, and 127.0.0.1 localhost plus ::1 localhost on Windows Vista/7. If there are any other lines, remove them and save the changes (on Vista/7, Notepad must be run as administrator to save the file). Read more about the Windows hosts file here: http://support.microsoft.com/kb/972034
3. If the problem persists, please read this web document and follow the steps carefully: http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html
Sunday, 30 September 2012
Remove click.gethotresults.com redirect virus (Uninstall Guide)
Click.gethotresults.com is a very questionable web search engine tied to the Win32/TrojanDownloader.Adload.NIQ malware. This search engine returns either paid or rather irrelevant search results. One way or another, I don't recommend using it. Once your machine is infected with this Trojan horse you will quickly notice that when you click on a link, say a Google search result, you're redirected to some place you don't want to be. It's mostly click.gethotresults.com, but it could be any other shady website. This is a classic case of browser hijacking. While most users say they got infected with the Click.gethotresults redirect virus, that isn't quite correct, because a virus is a piece of malicious code that can copy itself and automatically spread to other computers.
In a word: malware. The word virus is now used by most of us as a common term for all malicious programs. Maybe for most people it's easier to use the generic term virus to describe pretty much any kind of infection rather than learning all the nuances of a Trojan horse or a computer worm. Anyway, it doesn't really matter how you describe the problem and what terms you use, as long as you are fully aware that your computer is infected. Click.gethotresults.com hijacked search is typical of malware. In short, you have malware on your machine. What I'm going to suggest is that you run a full system scan with recommended anti-malware software. Checking your LAN settings (a proxy server set by the malware under Internet Options → Connections → LAN settings) and your web browser for potentially unwanted add-ons would also be a good idea. Sometimes cyber crooks modify the Windows hosts file to redirect victims to spammy or even malicious websites.
So, to remove Click.gethotresults.com redirect virus from your computer, please follow the removal instructions below. If you have any further questions or concerns, please feel free to ask. Good luck and be safe online!
Click.gethotresults.com redirect virus removal instructions:
1. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.
NOTE: in some cases malware may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe so the malware's process-name blocklist does not match it. Don't forget to update the installed program before scanning.
2. Check Windows HOSTS file.
Go to: C:\WINDOWS\system32\drivers\etc.
Double-click "hosts" file to open it. Choose to open with Notepad.
The "hosts" file should look the same as in the image below. Apart from comment lines (starting with #), there should be only the loopback entries: 127.0.0.1 localhost on Windows XP, and 127.0.0.1 localhost plus ::1 localhost on Windows Vista/7. If there are any other lines, remove them and save the changes (on Vista/7, Notepad must be run as administrator to save the file). Read more about the Windows hosts file here: http://support.microsoft.com/kb/972034
3. If the problem persists, please read this web document and follow the steps carefully: http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html
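Step 2 of both the click.get-amazing-results.com and the click.gethotresults.com instructions is a manual inspection of the hosts file. As an added example (not code from the original posts), the following Python script does the same check mechanically: it parses the file, ignores comment lines, keeps the two loopback defaults, and flags every other mapping, distinguishing a domain redirected to an attacker-chosen address from a domain pinned to loopback (the trick used to stop antivirus update and download sites from loading). The sample hosts content is constructed; the address 203.0.113.10 and the hostnames are placeholders, not indicators from a real infection.

```python
"""Audit a Windows hosts file for entries a browser hijacker may have added."""
import ipaddress
import sys

# The only mappings a clean hosts file needs (XP ships the IPv4 line; Vista/7
# ship both; newer builds even leave them commented out).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active, non-comment mapping.

    One line may map several hostnames to one address; an inline '#' comment
    is stripped first, so commented-out defaults are never reported.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        ip, hostnames = fields[0], fields[1:]
        for name in hostnames:
            yield ip, name.lower(), line_no


def classify(ip, hostname):
    """Label one mapping: default, malformed, blocked (pinned to loopback) or redirected."""
    if (ip, hostname) in DEFAULT_ENTRIES:
        return "default"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_loopback:
        # A real domain mapped to loopback cannot be reached: the classic trick
        # for stopping antivirus update and download sites from loading.
        return "blocked"
    # Anything else sends the name to an address the user did not choose.
    return "redirected"


def audit_hosts(text):
    """Return [(line_no, ip, hostname, verdict)] for every non-default mapping."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict != "default":
            findings.append((line_no, ip, name, verdict))
    return findings


def clean_hosts(text):
    """Return the file text with every flagged line commented out.

    Commenting instead of deleting keeps an audit trail and is reversible if
    an entry turns out to be legitimate (an intranet host, for example).
    """
    flagged = {f[0] for f in audit_hosts(text)}
    lines = text.splitlines()
    return "\n".join("# REMOVED: " + line if i in flagged else line
                     for i, line in enumerate(lines, start=1)) + "\n"


# Constructed sample, not a file captured from a real infection: a default
# hosts file with active loopback lines plus two hijacker-style additions
# (203.0.113.10 and the hostnames are placeholders).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # constructed: search redirect
127.0.0.1       update.antivirus-vendor.example  # constructed: AV update block
"""

if __name__ == "__main__":
    # Pass the real file to check a machine:
    #   python hosts_audit.py C:\Windows\System32\drivers\etc\hosts
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        text = SAMPLE_HOSTS
    for line_no, ip, name, verdict in audit_hosts(text):
        print(f"line {line_no}: {ip:<16} {name:<40} {verdict}")
    print("\n--- cleaned copy ---\n" + clean_hosts(text))
```

Run it without arguments to see the constructed sample flagged; with a path it audits that file. clean_hosts only returns the repaired text; writing it back to system32\drivers\etc needs an elevated prompt on Vista/7, and every flagged line should be reviewed first, since intranet hosts entries look exactly like a hijack to a parser.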
Monday, 24 September 2012
Remove System Progressive Protection (Uninstall Guide)
System Progressive Protection is a fake antivirus program that claims to scan your computer for malware and displays fake security warnings such as "your PC is infected" and "viruses and malware found". Cyber crooks prey upon people's fears to steal either money or valuable information, hoping that someone will buy the 'product'. In other words, malware authors use unethical software distribution and marketing practices to deceive you into paying for a completely worthless and malicious application masquerading as legitimate computer security software. Do not pay for it and do not enter your credit card details or any other sensitive information while your computer is infected. System Progressive Protection itself doesn't have any spyware modules, but we all know that such fake antivirus programs are rarely distributed without Trojans and rootkits.
Fake antivirus software is still common today, though it's no longer a major problem for most users. System Progressive Protection belongs to the Winwebsec malware family. It's not the most aggressive or most widely spread scareware family, but it has a steady track record and still ranks near the top when it comes to infections of unpatched machines.
System Progressive Protection is a very common piece of fake security software. It cannot replicate on its own; most of the time it has to be installed, either by the user running an executable file or by malicious code delivered through the web browser. Once installed, the rogue antivirus program displays bogus messages announcing that your computer is infected with spyware, viruses and other malicious software. Most rogue antivirus programs use names that sound trustworthy. To me, System Progressive Protection isn't a very trustworthy name, or at least it doesn't sound familiar.
When running, System Progressive Protection displays bogus messages announcing that certain applications are infected, Task Manager for example. Of course, it blocks legitimate security products, so if your antivirus program didn't stop the rogue before it ran, it probably won't run now and will fail with an error message or similar. The good news is that System Progressive Protection doesn't start in Safe Mode with Networking, so you can use the recommended anti-malware software from there to remove it.
Here's a screenshot of what the fake payment web page looks like:
There's a nice product box, a 100% money back guarantee logo and the usual Visa and MasterCard logos. As you can see, the total price for a System Progressive Protection lifetime license is about 90 bucks. It's a very expensive antivirus product.
System Progressive Protection has a support page as well (sys.cougarsupport.net). Too bad they do not follow their own guidelines, especially their refund policy.
Another unusual thing about the Winwebsec malware family is that most of its rogue apps have working or partly working uninstallers, listed in Add/Remove Programs. However, while the computer is infected the user cannot run it. So there's an uninstaller, but you can't use it to remove the rogue program until you pay for the full version. That's the way it works :)
To remove System Progressive Protection from your computer, please follow the removal instructions below. There are three ways to remove this rogue. The first is probably the easiest: a cracked registration key plus anti-malware software; scroll down to find the key. The second is also easy but may take longer and, unfortunately, may not work for everyone because of additionally installed malware. Finally, you can remove the rogue program manually without any anti-malware software. This isn't a good idea, because there is a good chance you will leave some malicious code on your computer and the rogue program will come back. So even if you remove the rogue application manually, you still have to scan your computer with anti-malware software afterwards.
Source: http://deletemalware.blogspot.com
Quick System Progressive Protection removal guide:
1. Open System Progressive Protection scanner. Click the "Registration" button (top right corner).
Enter the following cracked registration key and click "Activate" to register the rogue antivirus program. Don't worry, this is completely legal since it's not genuine software; registering it simply stops it from blocking other programs.
AA39754E-715219CE
Once this is done, you are free to install recommended anti-malware software and remove System Progressive Protection from your computer properly.
2. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.
NOTE: don't forget to update anti-malware software before scanning your computer.
System Progressive Protection removal in Safe Mode with Networking:
1. Reboot your computer in "Safe Mode with Networking". As the computer boots, tap the F8 key repeatedly, which should bring up the "Windows Advanced Options Menu" shown below. Use the arrow keys to move to "Safe Mode with Networking" and press Enter.
NOTE: log in as the same user you were logged in as in normal Windows mode.
2. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.
NOTE: don't forget to update anti-malware software before scanning your computer.
System Progressive Protection manual removal:
1. First of all, go to your Desktop, right-click the System Progressive Protection.lnk shortcut and select Properties.
2. Select the Shortcut tab and read the location of the System Progressive Protection executable from the Target field. It should be a randomly named file in a randomly named folder.
3. Browse to the executable file and rename it, for instance to virus.exe, so the RunOnce entry listed below can no longer start it. Restart Windows.
4. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.
NOTE: don't forget to update anti-malware software before scanning your computer.
Associated System Progressive Protection files and registry values:
Files:
Windows XP:
- C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]\
- %UserProfile%\Desktop\System Progressive Protection.lnk
- %UserProfile%\Start Menu\Programs\System Progressive Protection\
- %UserProfile%\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk
Windows Vista/7:
- C:\ProgramData\[SET OF RANDOM CHARACTERS]\
- %UserProfile%\Desktop\System Progressive Protection.lnk
- %UserProfile%\Start Menu\Programs\System Progressive Protection\
- %UserProfile%\Start Menu\Programs\System Progressive Protection\System Progressive Protection.lnk
Registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection\
Monday, 17 September 2012
Remove Yontoo Adware (Uninstall Guide)
Yontoo is adware that installs a web browser extension to display advertisements and special offers while you surf the Web. It works with all the major web browsers (Internet Explorer, Mozilla Firefox, Google Chrome). Usually this adware has to be installed manually, but it may also come bundled with other software, even through CNET's own download installer. You probably remember the reports about CNET's installer adding adware to software available through its website, even to free and open source applications.
A few words about the company: it was founded by a small group of people who had worked together on previous projects. Their stated mission is to enhance, extend and personalize everyone's experience across all websites. Sounds great, but why so many ads?
One more thing: you can easily find other write-ups about Yontoo and Yontoo Runtime Layers with slightly different classifications. For example, Symantec detects Yontoo as a potentially unwanted application. We have to say it's rather confusing, because the folks who have been working on this software since 2006 hold valid Symantec and McAfee site certificates, covering not just identity verification but also a malware scan. Seriously, that doesn't make sense: Symantec states that it's a potentially unwanted app, something you don't want to install, and at the same time flags their site as completely safe even though it hosts Yontoo installers. ESET, Spybot and Dr.Web classify Yontoo as adware. ESET also blocks yontoo.com and any web requests to it. Trend Micro says it's a Trojan... well, they probably went too far with that assertion. It's hardly a Trojan horse, but that doesn't mean you should keep it. It's up to you whether you keep or remove it from your machine. Maybe you find this software useful.
Probably the most widespread web browser extension tied to Yontoo is called Pagerage. This browser extension lets you customize your Facebook profile, which is cool, but it also displays advertisements that appear to be from Facebook even though they are usually delivered from entirely different ad networks. However, Yontoo.Pagerage is not the only web browser extension tied to Yontoo adware. Recently, we stumbled upon an FLV Player application bundled with Yontoo-dependent software: Banner Gadgets, FreeTwitTube, ezLooker, Buzzdock and Wajam. In this particular case, Yontoo had a proper EULA and privacy policy. But we know for sure that certain extensions get installed without properly displaying an EULA and privacy policy. No doubt about that.
In the image below you can clearly see how Yontoo adware and its associated applications changed the Google search page: there are two blocks of sponsored ads instead of one, and there's also the Wajam social search app on the right side of the screen. It messes things up rather badly.
All in all, Yontoo isn't a very widespread infection, and it's definitely not the most dangerous one, but it still turns up regularly. To remove Yontoo and its associated applications from your computer, please follow the removal instructions below. If you have any questions about this adware or potentially unwanted application, or would like to share information that isn't covered on this page, please leave a comment. Good luck and be safe online!
Added: Yontoo 1.10.03 is the current version of this software; however, there are still plenty of websites that serve Yontoo 1.10.02 or even older versions. The removal instructions are the same for all of them.
Source: http://deletemalware.blogspot.com
Yontoo removal instructions:
1. First of all, download the recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove any leftover traces of this adware. Hopefully you won't have to.
2. Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.
3. Search for Yontoo (1.10.03 or 1.10.02) in the list. Select the program and click the Remove button. It's a good idea to also remove any other application that could be tied to Yontoo adware (Pagerage, Banner Gadgets, FreeTwitTube, ezLooker, Buzzdock, Wajam).
If you are using Windows Vista/7, click Uninstall up near the top of that window.
4. Select the second option to completely remove Yontoo from your computer and click Next.
5. Click Yes to confirm uninstall and remove Yontoo Adware from your computer.
Remove Yontoo browser add-ons in Internet Explorer:
1. Open Internet Explorer. Go to Tools → Manage Add-ons.
2. Disable all Yontoo LLC components: Yontoo Api and Yontoo. Close the window. Manage Add-ons can only disable a browser helper object; uninstalling Yontoo through the Control Panel (above) is what actually removes the DLL.
Remove Yontoo browser extension in Mozilla Firefox:
1. Open Mozilla Firefox. Go to Tools → Add-ons.
2. Select Extensions. Remove Yontoo Runtime extension. Close the window.
That's it!
Remove Yontoo browser extension in Google Chrome:
1. Click the Customize and control Google Chrome icon. Go to Tools → Extensions.
2. Select Yontoo and click the small recycle bin icon to remove the extension.
Associated Yontoo adware files and registry values:
Files:
- C:\Program Files\Yontoo\YontooIEClient.dll
Registry values:
- HKEY_CLASSES_ROOT\AppID\YontooIEClient.DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Layers
- HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
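The two registry lists on this page, the System Progressive Protection RunOnce and Uninstall entries and the Yontoo Chrome extension key, are exactly what an analyst triages after exporting the relevant hives (for example `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg` and `reg export "HKLM\SOFTWARE\Google\Chrome\Extensions" chrome.reg`). As an added example that is not code from the original posts or from either vendor, the following Python script parses Regedit 5.00 export text and reports three things: autostart values whose target lives in an all-users data directory (with the rogue AV tell-tale of value name, folder and executable sharing one random string), Chrome extensions force-registered through HKLM\SOFTWARE\Google\Chrome\Extensions, and per-user uninstall entries. The sample export is constructed; the random string kjh3sd9f and the .crx path are placeholders.

```python
"""Triage a Regedit 5.00 export for the persistence and browser-extension keys
that rogue antivirus and adware installers leave behind."""
import re
import sys

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# Autostart locations (the rogue uses HKCU\...\RunOnce with a random value name).
AUTOSTART_RE = re.compile(
    r"^HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$",
    re.IGNORECASE)
# Chrome "external extensions" registered through the registry; IDs are 32 chars a-p.
CHROME_EXT_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:Wow6432Node\\)?Google\\Chrome\\Extensions\\(?P<id>[a-p]{32})$",
    re.IGNORECASE)
# Per-user uninstall entries (the rogue registers one so it shows in Add/Remove Programs).
UNINSTALL_RE = re.compile(
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\(?P<name>[^\\]+)$",
    re.IGNORECASE)
# All-users data directories the rogue drops its randomly named folder into (XP and Vista/7).
DATA_DIR_RE = re.compile(
    r"(?:\\ProgramData\\|\\All Users\\Application Data\\)(?P<dir>[^\\]+)\\", re.IGNORECASE)


def unquote(data):
    """Decode a .reg string literal (backslash and quote are escaped with a backslash);
    leave hex:/dword: data untouched."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return re.sub(r'\\(["\\])', r"\1", data[1:-1])
    return data


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the text of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name] = unquote(m.group("data"))
    return keys


def triage(keys):
    """Return a list of (severity, key, detail) findings."""
    findings = []
    for key, values in keys.items():
        if AUTOSTART_RE.match(key):
            for name, cmd in values.items():
                m = DATA_DIR_RE.search(cmd)
                if not m:
                    continue  # Program Files / Windows paths are not this pattern
                folder = m.group("dir")
                exe = cmd.rstrip('"').rsplit("\\", 1)[-1]
                # Rogue-AV signature from the lists above: value name, drop folder
                # and executable all share the same random string.
                same_name = name.lower() == folder.lower() and exe.lower().startswith(folder.lower())
                findings.append(("high" if same_name else "medium", key,
                                 f"autostart {name!r} runs {cmd} from data dir {folder!r}"))
        m = CHROME_EXT_RE.match(key)
        if m:
            src = values.get("path") or values.get("update_url") or "?"
            findings.append(("medium", key,
                             f"Chrome extension {m.group('id')} force-registered from {src}"))
        m = UNINSTALL_RE.match(key)
        if m:
            findings.append(("info", key,
                             f"per-user uninstall entry {values.get('DisplayName', m.group('name'))!r}"))
    return findings


# Constructed sample export, not captured from a real machine: the random string
# kjh3sd9f and the Yontoo .crx path are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"kjh3sd9f"="C:\\ProgramData\\kjh3sd9f\\kjh3sd9f.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection]
"DisplayName"="System Progressive Protection"
"UninstallString"="C:\\ProgramData\\kjh3sd9f\\kjh3sd9f.exe /uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
"path"="C:\\Program Files\\Yontoo\\Yontoo.crx"
"version"="1.10.03"
"""

if __name__ == "__main__":
    # reg.exe writes UTF-16; pass an export path to scan a real machine.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for sev, key, detail in triage(parse_reg(text)):
        print(f"[{sev}] {key}\n    {detail}")
```

The benign Sidebar entry is deliberately included: an autostart under Program Files is skipped, so the script reports only the RunOnce value in ProgramData (rated high because the value name, folder and executable match), the force-registered Chrome extension, and the rogue's uninstall entry for review. Treat the output as leads, not verdicts; a legitimate per-user installer can produce similar keys.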
Sunday, 2 September 2012
Den Svenska Polisen IT-Sakerhet Ukash - how to remove
Den Svenska Polisen IT-Sakerhet and other similar ransomware have been targeting Swedish computer users with online extortion attacks for at least a few years, and it's happening more and more. New variants of ransomware are more sophisticated than most screen-locking malware: they use geolocation, encrypted connections and even valid code-signing certificates. Cyber crooks can now target users in specific cities rather than a whole country.
Sweden is one of the wealthiest countries in the world, so it's no wonder it remains a main target for cyber crooks. Besides, Swedes respect the law and have enough money to pay a 'fine'. The Swedish mentality is a key factor here: people tend to be reserved, keep their distance and are rather shy, so they would rather react to the threat and pay than tell someone about it.
Police in Sweden are warning internet users not to pay a 'fine' via a prepaid money card or online payment service. Still, police officers get dozens of complaints every day. A significant share of internet users in Sweden are not aware of ransomware. There are at least five different ransomware families targeting Sweden: Reveton, Gimemo, LockScreen, Ulocker and Weelsof. A ransom Trojan from any of these families instantly locks the infected computer. The bogus messages differ slightly, but they all claim the user broke the law by downloading or distributing copyrighted or illegal files. For example, the bogus warning of the Reveton malware looks like it comes from Svenska Polisen IT-Sakerhet. Other variants pretend to be from the International Police Association Sweden and Polisen enheten för databrott.
To unlock the machine, the victim is told to pay a 'fine' of about 500 kr via Ukash. If the demands are not met, the message says, criminal charges will be filed and the machine will remain locked on the Polisen warning screen. The truth is, it will remain locked whether you pay the 'fine' or not. This part is not very important for the cyber crooks: they've got the money, so why bother?
If you think that such attacks, especially in Sweden, are not successful, think again. From 3 to 5 percent of infected users choose to pay the 'fine'. Only a few other countries have such high conversion rates. Let's do the math: 1000 infected PCs, 50 users who send the money (usually around $100) and we have $5000 a day. Not bad, right?
One of our readers got the Den Svenska Polisen IT-Sakerhet virus when he visited one of his favorite adult sites. Another user said he got it from an online games site. We took a look at both sites. The first one is a well-known adult site that ranks very well in Sweden. Our reader said it wasn't the first time he got a virus from that site. It makes me wonder whether it's just a coincidence or the owner of the adult site has some sort of agreement with cyber crooks. As for the online games site, it's rather new, just about two months old. However, it already has an amazing number of backlinks, which is probably the main reason why the site went from zero to the second page of search results in just a few months. In both cases, the infection was delivered by a 'drive-by' download. This is why good security software is a must. Also, it's a good idea to back up your files, because certain variants of ransomware encrypt them using rather strong encryption and there's really no way for an average PC user to crack it.
To remove Den Svenska Polisen IT-Sakerhet Ukash virus ransomware, please follow the removal instructions below. Feel free to comment if you have any questions or need help removing this malware. Good luck and be safe online!
http://deletemalware.blogspot.com
Quick Den Svenska Polisen IT-Sakerhet Ukash removal instructions (System Restore, may not work for all users):
1. Unplug your network cable and manually turn your computer off. Reboot your computer is Safe Mode with Command Prompt. As the computer is booting tap the F8 key continuously which should bring up the Windows Advanced Options Menu as shown below. Use your arrow keys to move to Safe Mode with Command Prompt and press Enter key.
2. Make sure you log in to an account with administrative privileges (login as admin).
3. Once the Command Prompt appears you have few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Den Svenska Polisen IT-Sakerhet ransomware will take over and will not let you type anymore.
4. If you managed to bring up Windows Explorer you can now browse into:
6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Den Svenska Polisen IT-Sakerhet ransomware.
Den Svenska Polisen IT-Sakerhet ransomware removal using Kaspersky Rescue Disk:
1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large downloaded, so please be patient while it downloads.
2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD record software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.
For demonstration purposes we will use ImgBurn.
So, open up ImgBurn and choose Write image file to disc.
Click on the small Browse for file icon as show in the image. Browse into your download folder and select kav_rescue_10.iso as your source file.
OK, so know we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.
3. Configure your computer to boot from CD/DVD. Use the Delete or F2, F11 keys, to load the BIOS menu. Normally, the information how to enter the BIOS menu is displayed on the screen at the start of the OS boot.
The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.
Set CD/DVD-ROM as your 1st Boot Device. Save changes and exist BIOS menu.
4. Let's boot your computer from Kaspersky Rescue Disk.
Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.
5. Select your language and press Enter to continue.
6. Press 1 to accept the End User License Agreement.
7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.
8. Click on the Start button located in the left bottom corner of the screen. Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Den Svenska Polisen IT-Sakerhet ransomware. It won't take very long.
9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.
10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.
11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.
12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.
13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Den Svenska Polisen IT-Sakerhet ransomware and spyware modules.
Associated Den Svenska Polisen IT-Sakerhet ransomware files and registry values:
Files:
Sweden is one of the wealthiest countries in the world, so it's no wonder it remains the main target for most cyber crooks. Besides, Swedes respect the law and have enough money to pay a 'fine'. The Swedish mentality is a key factor here: they are usually socially reserved, keep their distance and are rather shy. They would rather react to the threat and pay the money than tell someone about it.
Police in Sweden are warning internet users not to pay a 'fine' via a prepaid money card or online payment services. Still, police officers get dozens of complaints every day. A significant share of internet users in Sweden is not aware of ransomware. There are at least five different ransomware families targeting Sweden: Reveton, Gimemo, LockScreen, Ulocker and Weelsof. A ransom Trojan from any of these families instantly locks the infected computer. The bogus messages differ slightly, but they all claim the user violated federal law by downloading or distributing copyrighted and illegal files. For example, the bogus warning message of the Reveton malware looks like it's from the Svenska Polisen IT-Sakerhet. Other variants pretend to be from the International Police Association Sweden and Polisen enheten för databrott.
To unlock the machine, the victim is told to pay a 'fine' of about 500 kr. via Ukash. If the demands are not met, the message claims, criminal charges will be filed and the victim's machine will remain locked on that Polisen warning screen. The truth is, it will remain locked whether you pay the 'fine' or not. This part is not very important for the cyber crooks. They got the money, so why bother?
If you think that such attacks, especially in Sweden, are not successful, then think again. From 3 to 5 percent of infected users choose to pay the 'fine'. Only a few other countries have such high conversion rates. Let's do the math: 1000 infected PCs, 50 users who sent the money (usually $100), and we have $5000 a day. Not bad, right?
One of our readers got the Den Svenska Polisen IT-Sakerhet virus when he visited one of his favorite adult sites. Another user said he got it from an online games site. We took a look at both sites. The first one is a well-known adult site ranking very well in Sweden. Our reader said it wasn't the first time he got a virus from that site. It makes me wonder whether it's just a coincidence or the owner of the adult site in question has some sort of agreement with cyber crooks. As for the online games site, it's rather new, just about two months old. However, it already has an amazing number of backlinks, which is probably the main reason why the site went from zero to the second page in just a few months. In both cases, the infection was delivered by a 'drive-by' download. This is why good security software is a must. Also, it's a good idea to back up your files, because certain variants of ransomware encrypt files using rather strong encryption and there's really no way for an average PC user to crack it.
To remove Den Svenska Polisen IT-Sakerhet Ukash virus ransomware, please follow the removal instructions below. Feel free to comment if you have any questions or need help removing this malware. Good luck and be safe online!
http://deletemalware.blogspot.com
Quick Den Svenska Polisen IT-Sakerhet Ukash removal instructions (System Restore, may not work for all users):
1. Unplug your network cable and manually turn your computer off. Reboot your computer in Safe Mode with Command Prompt. As the computer is booting, tap the F8 key continuously, which should bring up the Windows Advanced Options Menu as shown below. Use your arrow keys to move to Safe Mode with Command Prompt and press the Enter key.
2. Make sure you log in to an account with administrative privileges (log in as admin).
3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the Den Svenska Polisen IT-Sakerhet ransomware will take over and will not let you type anymore.
4. If you managed to bring up Windows Explorer you can now browse into:
- Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
- Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Den Svenska Polisen IT-Sakerhet ransomware.
Den Svenska Polisen IT-Sakerhet ransomware removal using Kaspersky Rescue Disk:
1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large download, so please be patient while it downloads.
2. Record the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD record software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.
For demonstration purposes we will use ImgBurn.
So, open up ImgBurn and choose Write image file to disc.
Click on the small Browse for file icon as shown in the image. Browse to your download folder and select kav_rescue_10.iso as your source file.
OK, so now we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.
3. Configure your computer to boot from CD/DVD. Use the Delete, F2 or F11 key to load the BIOS menu. Normally, information on how to enter the BIOS menu is displayed on the screen at the start of the boot process.
The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
- Ctrl+Esc
- Ctrl+Ins
- Ctrl+Alt
- Ctrl+Alt+Esc
- Ctrl+Alt+Enter
- Ctrl+Alt+Del
- Ctrl+Alt+Ins
- Ctrl+Alt+S
If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.
Set CD/DVD-ROM as your 1st Boot Device. Save changes and exit the BIOS menu.
4. Let's boot your computer from Kaspersky Rescue Disk.
Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.
5. Select your language and press Enter to continue.
6. Press 1 to accept the End User License Agreement.
7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.
8. Click on the Start button located in the bottom left corner of the screen. Run Kaspersky WindowsUnlocker to remove the Windows system and registry changes made by Den Svenska Polisen IT-Sakerhet ransomware. It won't take very long.
9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.
10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.
11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.
12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.
13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Den Svenska Polisen IT-Sakerhet ransomware and spyware modules.
Associated Den Svenska Polisen IT-Sakerhet ransomware files and registry values:
Files:
- [SET OF RANDOM CHARACTERS].exe
Registry values:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "[SET OF RANDOM CHARACTERS].exe"
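The Winlogon "Shell" value listed above is how this lock-screen family starts in place of explorer.exe at every logon, and undoing that change is what Kaspersky WindowsUnlocker does in step 8. The PowerShell script below is an added example, not part of the original post and not code from any Kaspersky tool: it audits the Shell and Userinit values under the machine-wide Winlogon key (and the per-user copy, which overrides it when present) and reports anything that is not the Windows default. The default values and the per-user key are assumptions from general Windows knowledge, not something the post states. Run it from an elevated prompt once you can reach a shell (for example in Safe Mode with Command Prompt), and use the -Repair switch only after the dropped executable has been quarantined, otherwise the malware simply re-hijacks the value on the next boot.

```powershell
# Added example (not from the original post): audit the Winlogon values that
# screen-locking ransomware hijacks so its payload starts instead of explorer.exe.
# Assumptions (general Windows knowledge, not stated on the page): the default
# Shell is "explorer.exe", the default Userinit is "C:\Windows\system32\userinit.exe,"
# and a per-user Shell under HKCU overrides the machine-wide one when present.

$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Default = 'explorer.exe';                        Optional = $false }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Default = 'C:\Windows\system32\userinit.exe,';  Optional = $false }
    # Per-user override: normally absent; if present it should only ever be explorer.exe.
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Default = 'explorer.exe';                        Optional = $true }
)

function Split-CommandList {
    # Winlogon values are comma-separated lists; normalise them so that an appended
    # entry such as "explorer.exe,C:\Users\x\AppData\Local\abcdef.exe" is flagged,
    # not only a full replacement of explorer.exe.
    param([string] $Value)
    return @($Value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-WinlogonValue {
    param([hashtable] $Check)
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Name) } else { $null }

    $status = if ($null -eq $actual) {
        if ($Check.Optional) { 'OK (absent)' } else { 'MISSING' }
    } else {
        $expected = Split-CommandList $Check.Default
        # Any entry that is not part of the default list is a hijack (case-insensitive compare).
        $extra = Split-CommandList $actual | Where-Object { $expected -notcontains $_ }
        if ($extra) { 'HIJACKED' } else { 'OK' }
    }

    [pscustomobject]@{
        Key      = $Check.Path
        Value    = $Check.Name
        Status   = $status
        Actual   = $actual
        Expected = $Check.Default
        Optional = $Check.Optional
    }
}

function Invoke-WinlogonAudit {
    param([switch] $Repair)
    $results = foreach ($c in $Checks) { Test-WinlogonValue -Check $c }
    $results | Format-Table Key, Value, Status, Actual -AutoSize | Out-Host

    foreach ($r in $results | Where-Object { $_.Status -eq 'HIJACKED' }) {
        Write-Warning "$($r.Key)\$($r.Value) is '$($r.Actual)'; expected '$($r.Expected)'."
        if (-not $Repair) { continue }
        if ($r.Optional) {
            # A hijacked per-user override is best deleted so the machine-wide default applies again.
            Remove-ItemProperty -Path $r.Key -Name $r.Value
            Write-Host "Removed per-user $($r.Value) override."
        } else {
            # Only safe once the executable the value pointed at has been quarantined.
            Set-ItemProperty -Path $r.Key -Name $r.Value -Value $r.Expected
            Write-Host "Restored $($r.Value) to '$($r.Expected)'."
        }
    }
    return $results
}

# Report only; add -Repair to restore the defaults after the malware has been removed.
Invoke-WinlogonAudit
```

A "HIJACKED" Shell whose Actual column shows a randomly named executable in a user profile or temp folder matches the persistence entry listed above; note the path it points at, because that is the file the anti-malware scan in step 13 needs to remove.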
Saturday, 1 September 2012
Remove Win 8 Security System (Uninstall Guide)
We came across a new rogue security program called Win 8 Security System a few days ago. It's been quite some time since we discussed rogue anti-virus software. The truth is there wasn't much to say about scareware apart from some slightly modified or extremely buggy pieces of malicious code that couldn't even load properly. Anyway, rogue security products are not completely gone yet; rather, they are being replaced by ransomware. On the other hand, second-opinion malware scanners confirm that rogue security programs are still the most widely spread threats, holding the top positions. What does that mean? Well, it means that most antivirus programs fail to detect rogue AVs, especially those that are obfuscated and re-packed very often, sometimes a couple of times a day.
So, Win 8 Security System is a rogue antivirus program that reports non-existent computer infections and tries to scare less computer-savvy users into paying for a completely useless antivirus solution. In most aspects, it's a very typical rogue. Win 8 Security System is a very generic name too. As the name suggests, cyber crooks would rather infect machines running Windows 8 than Windows XP or Seven. However, this rogue antivirus program works just fine on other versions of Windows.
Once installed, the rogue program pretends to scan the computer for malicious software. It manages to find a bunch of extremely dangerous and sophisticated malware on perfectly clean computers. The way it presents supposedly infected files would definitely put a smile on your face if you were a security expert. In order to remove the supposedly detected malware infections, the victim has to pay almost 100 bucks. That's probably the most expensive antivirus software you've ever seen.
The rogue antivirus program is configured so that it runs automatically when Windows starts. But that's not the biggest problem. Win 8 Security System has a rather complex self-protection mechanism. It drops a rootkit on the infected machine which monitors PC activity and blocks pretty much all attempts to terminate the rogue program or run legitimate antivirus software. This scareware doesn't block Task Manager or Registry Editor, but that changes nothing. You can't simply end the offending process and delete the associated files. Any attempt to end its process will trigger the following error message.
The operation could not be completed. Access denied.
The file is locked and protected by the rootkit known as Rootkit.Win32.Necurs.gen. As a matter of fact, detection rates are amazingly low for this rootkit. Cyber crooks did a great job and apparently spent many hours fine-tuning this malware. What is more, the crooks made a different rootkit which works on 64-bit systems. It even has a valid certificate. Such a combination can be very successful, which means it's a long-term investment. We will probably see new variants of this malware soon, and that's not very exciting.
When running, Win 8 Security System displays fake security alerts and pop-ups, mostly claiming that your computer is infected with spyware and Trojans that can steal your sensitive information. Simply ignore those fake alerts.
Furthermore, the rogue program displays a fake Security Center window claiming that your computer is not protected and encouraging you to purchase the full version of Win 8 Security System to protect your computer from malware attacks that exploit software vulnerabilities. On Windows Seven and Windows 8 the rogue program displays a fake Action Center window instead.
Last, but not least, the rogue program displays a fake Win 8 Security System ALERT in Internet Explorer, Mozilla Firefox, and Google Chrome. The fake web browser security alert claims that the website you're about to visit is infected with malware. If you choose to continue surfing the web unprotected you will be able to access the requested website, but only for a short period of time; then the fake warning message will appear again. Anyhow, it's still better than having no access to your web browser whatsoever.
Here's an example of the Win 8 Security System payment page. As you can see in the image below, cyber crooks added Comodo 'safe site' graphics to make the payment page look more reliable and professional. Of course, the payment page is hardly safe. DO NOT pay for the bogus security program.
The official website of this malware is win8sec.com. Do not download anything from this site, don't even visit it. Even better, add it to the list of potentially harmful sites.
To remove Win 8 Security System, please follow the removal instructions very carefully. Use at your own risk. If you have any questions, feel free to comment. Good luck and be safe online!
Source: http://deletemalware.blogspot.com
Quick Win 8 Security System malware removal using cracked key:
1. Use the activation key given below to register your copy of Win 8 Security System. This will allow you to download and run recommended malware removal software. Don't worry, you're not doing anything illegal.
Select "Registration".
Then select "Manual Activation".
Use the following activation key:
8F42D6E3-FD18
Click "Register".
2. Download TDSSKiller and run a system scan to remove Rootkit.Win32.Necurs.gen. Reboot your computer if required.
NOTE: You may get the following TDSSKiller error. Ignore it, click OK to continue.
3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Win 8 Security System and associated malware from your computer.
Win 8 Security System removal in Safe Mode with Networking:
1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key.
NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Open Internet Explorer. Download exefix.reg and save it to your Desktop. Double-click on exefix.reg to run it. Click "Yes" for Registry Editor prompt window. Click OK.
3. Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove Win 8 Security System from your computer.
NOTE: don't forget to update anti-malware software before scanning your computer.
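Step 2 of the Safe Mode procedure (exefix.reg) is needed because this class of rogue AV hijacks the .exe file association, so every program you launch, including anti-malware tools, is routed through the rogue executable first. The PowerShell script below is an added example, not the post's exefix.reg and not code from TDSSKiller or Spyware Doctor: it reads the machine-wide and per-user .exe association keys and flags any open command that is not the Windows default. The default values (".exe" mapping to "exefile", and an open command of '"%1" %*') and the per-user Classes key are assumptions from general Windows knowledge rather than something the post states. Run it from an elevated prompt in Safe Mode; use the -Repair switch only after the rogue itself has been removed, because otherwise it re-hijacks the association on the next start.

```powershell
# Added example (not from the original post, and not the exefix.reg file it links):
# audit the .exe file-association keys that rogue antivirus programs hijack so that
# every launched program is routed through the rogue executable first.
# Assumed Windows defaults (general knowledge, not stated on the page):
#   HKCR\.exe                         (Default) = exefile
#   HKCR\exefile\shell\open\command   (Default) = "%1" %*
# A per-user copy under HKCU\Software\Classes, when present, takes precedence.

$HKCR        = 'Registry::HKEY_CLASSES_ROOT'
$HKCU_CLASSES = 'HKCU:\Software\Classes'

$Checks = @(
    @{ Path = "$HKCR\.exe";                              Default = 'exefile';  Optional = $false }
    @{ Path = "$HKCR\exefile\shell\open\command";        Default = '"%1" %*';  Optional = $false }
    # Per-user overrides are normally absent; hijackers like them because writing HKCU needs no admin rights.
    @{ Path = "$HKCU_CLASSES\.exe";                      Default = 'exefile';  Optional = $true }
    @{ Path = "$HKCU_CLASSES\exefile\shell\open\command"; Default = '"%1" %*';  Optional = $true }
)

function Get-DefaultValue {
    # Returns the key's (Default) value, or $null when the key or the value does not exist.
    param([string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['(default)']) { return $props.'(default)' }
    return $null
}

function Test-ExeAssociation {
    param([hashtable] $Check)
    $actual = Get-DefaultValue -Path $Check.Path
    $status = if ($null -eq $actual) {
        if ($Check.Optional) { 'OK (absent)' } else { 'MISSING' }
    } elseif ($actual.Trim() -eq $Check.Default) {
        'OK'
    } else {
        # Typical hijack: "C:\...\rogue.exe" /START "%1" %*  (the rogue wraps every launch)
        'HIJACKED'
    }
    [pscustomobject]@{
        Key      = $Check.Path
        Status   = $status
        Actual   = $actual
        Expected = $Check.Default
        Optional = $Check.Optional
    }
}

function Invoke-ExeAssociationAudit {
    param([switch] $Repair)
    $results = foreach ($c in $Checks) { Test-ExeAssociation -Check $c }
    $results | Format-Table Key, Status, Actual -AutoSize | Out-Host

    foreach ($r in $results | Where-Object { $_.Status -eq 'HIJACKED' -or $_.Status -eq 'MISSING' }) {
        Write-Warning "$($r.Key) is '$($r.Actual)'; expected '$($r.Expected)'."
        if (-not $Repair) { continue }
        if ($r.Optional) {
            # Deleting the per-user override lets the machine-wide default apply again.
            Remove-Item -LiteralPath $r.Key -Recurse -Force
            Write-Host "Removed per-user override $($r.Key)."
        } else {
            if (-not (Test-Path -LiteralPath $r.Key)) { New-Item -Path $r.Key -Force | Out-Null }
            Set-ItemProperty -LiteralPath $r.Key -Name '(default)' -Value $r.Expected
            Write-Host "Restored $($r.Key) to '$($r.Expected)'."
        }
    }
    return $results
}

# Report only; add -Repair once the rogue has been removed, or it will re-hijack the association.
Invoke-ExeAssociationAudit
```

If the machine-wide open command still reads as hijacked after a repair, the rogue or its rootkit is still running and is writing the value back; that is the situation the "cracked key" method above addresses by neutralising the rogue and running TDSSKiller before the full scan.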