Sunday, June 30, 2013

How to Remove DomaIQ, removal instructions

DomaIQ is adware that displays pop-up advertisements on your computer. Most antivirus engines detect it as Adware.DomaIQ; other security applications flag it simply as a PUP (Potentially Unwanted Program), for example PUP.DomaIQ or PUP.FakeFlash.Domaiq. When the program is executed, it drops a few .exe files in the %Temp% folder, usually launcher4.exe and launcher.exe. It also creates .zip archives containing DomaIQ10.exe and DomaIQ.exe.

Have you found that you suddenly have an issue with seemingly endless pop-up windows when you are using your computer? Do you seem to be bombarded with full-page screens showing explicit photos, dubious weight loss or adult content websites when you are browsing the internet? If you answered yes to either or both of these questions, it is very likely that your computer has been infected with this adware. Computer experts have estimated that anywhere from 60 to 80% of all home computers connected to the internet have some sort of adware installed (or spyware, the other malware it is often bundled with), and the scary part is that the majority of people have no idea how the adware found its way onto their computer in the first place. This particular adware usually masquerades as an installer of legitimate software, for instance a Flash Player update. However, many legitimate applications use the DomaIQ monetization platform to monetize their software, so it is not necessarily misleading or malicious all the time.

DomaIQ Adware detection.

DomaIQ by Tuguu SLU is easier to spot than spyware: if you're seeing pop-up boxes, your computer is running sluggishly or you're being directed to websites you have no interest in, it's fairly safe to say that you want to know how to get rid of it and how you can prevent it from happening again in the future. This article attempts to answer those questions, but before we do that let's look a little closer at what adware and spyware actually are.

Adware is any program running on your PC that connects to the internet and then uses your computer to host adverts, and perhaps even to transmit adverts to other computers. These ads take the form of those annoying little pop-ups, banners and flashing ads. They will appear every time you connect to the internet, and all of them are trying their hardest to get you to click on them. Adware may also install additional components on the compromised computer, for example malicious web browser extensions or rogue software optimization tools.

There are a number of routes that DomaIQ adware can take to infect your computer system. It could have been installed when you were installing another program online, or when you clicked a dialogue box in your internet browser and unwittingly authorized this rogue message to install the adware. Adware is often packaged with a great number of free software programs, and it is highly likely that the adware was installed without your knowledge while you were installing a program that you did actually want.

DomaIQ by Tuguu installer.

You should always exercise extreme caution when downloading files, shareware and programs from the internet, even reputable ones, as these can often be bundled with adware. Fake Flash Player update adware applications are still going strong. Make sure you trust the program and its author, and ask yourself whether you really need it in the first place.

Another thing to watch out for is the fake dialogue boxes mentioned earlier; these will often give you a ‘yes’ or ‘no’ option concerning a command, and clicking on either could install the adware, so make sure you close them with the red ‘x’ in the top right-hand corner instead.

The key to avoiding DomaIQ adware is to stay vigilant and not to download programs from unknown sources. Last, but not least, some users get an error message every time they try to uninstall DomaIQ. In that case, use DomaIQ Uninstaller. Please note that after you remove DomaIQ from your computer, you will have to remove DomaIQ Uninstaller as well. Please follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://spywareremovalx.blogspot.com


DomaIQ adware removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this adware from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this adware. Hopefully you won't have to do that.





2. Go to My Computer or Computer (depending on which OS you're using: Windows XP, Vista or Windows 7/8).
3. Go to Program Files, then open DomaIQ Uninstaller folder and run Uninstaller.exe. Follow the on-screen instructions.

Uninstaller: "C:\Program Files\DomaIQ Uninstaller\uninstaller.exe"

4. Now, delete the DomaIQ Uninstaller:
a) Go to the DomaIQ Uninstaller folder and drag it to the Recycle Bin on your desktop.
b) Right-click on the Recycle Bin and click Empty Recycle Bin.
c) Then open Add/Remove Programs in the Control Panel, where you can now safely remove the remaining DomaIQ Uninstaller entry.
d) Restart your computer.

Saturday, June 29, 2013

Remove bizcoaching.info, removal instructions

Have you ever been minding your own business, casually browsing the web, clicked on an interesting advert or link and suddenly found that you've been bombarded with a whole bunch of bizcoaching.info pop-up windows, or been redirected by your browser to a rash of dubious-looking websites, for example a fake Flash Player update? If so, your computer is infected with adware and potentially unwanted software. Adware in particular is simply annoying, but the problems start when it is bundled with spyware, which it so often is, and then it becomes more than a pain in the behind and can actually pose a serious security threat to your computer's system and your data. www.bizcoaching.info appears frequently for no apparent reason. It'll suddenly appear whenever you click a link and then redirect you to misleading websites.


As you may already know, adware's main purpose is to display advertising on your computer. In the majority of cases these adverts take the form of pop-up windows, banners, flash advertisements and links to other websites. Whilst it is true that some of these adverts are for genuine and legitimate products, many of them are for rather more unsavory websites promoting questionable weight loss methods or fake software installers. bizcoaching.info usually comes along with either adware or potentially unwanted software. Furthermore, it is often installed alongside another program you've downloaded, and whilst that software normally comes with an end user license agreement (EULA) which purports to ‘warn’ you of that fact, the warning is normally hidden away in the endless wording of the agreement or worded very ambiguously. Generally speaking this adware is packaged with freeware that you download from the internet, and although some users see it as a fair deal (you get free software, they get to cover their programming costs by monitoring your browsing habits), many other people find it underhand and intrusive. The rule of thumb here: if you are bothered about adware being installed on your PC, read the EULA carefully, as tempting as it might be to scroll straight to the bottom and click ‘OK’. Very often these pop-ups are caused by unwanted or even malicious web browser extensions, which is why most users can't find the culprit.

bizcoaching.info might be used to monitor your browsing habits and then use that information to compile a profile of you. This enables them to show you more tailor-made and focused advertising content. Whilst you may not be too concerned about this and see it as simply internet marketing, albeit a slightly annoying one, it is worth remembering that this is actually an invasion of your computer's system and your privacy.

Other unwanted software finds its way onto your computer while you're browsing the web by sneakily getting you to activate the download yourself, by clicking on a pop-up window or a fake dialog box. One of these pop-ups might contain a so-called urgent message, or it might offer you a free gift if you click on it. It may also tell you that to be able to view a certain web page you need to download some software. These windows usually give you a "yes" or "no" choice, but both options will trigger adware or spyware if clicked on. If faced with a pop-up window that looks dubious or is offering something awesome, ensure that you close it using the small red ‘x’ in the top right-hand corner.

The chance of winning $5000 just by clicking on a pop-up ad is slim, so if something seems too good to be true, it probably is.

To stop bizcoaching.info pop ups and remove related adware from your computer, please follow the removal guide below. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://spywareremovalx.blogspot.com


bizcoaching.info removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this adware infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this adware. Hopefully you won't have to do that.





2. Remove bizcoaching.info related programs from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on the bottom-left hot corner (formerly known as the Start button) and select Control Panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • SingAlong
  • FindLyrics
  • LessTabs
  • DefaultTab
  • Webcake
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove bizcoaching.info pop-ups from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove the following extensions:





Remove bizcoaching.info pop-ups from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Click the Remove button next to each of the following extensions. If you can't find the Remove button, simply click the Disable button.




Remove bizcoaching.info pop-ups from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.



2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.

Friday, June 28, 2013

What is CltMngSvc.exe and how to remove it?


cltmngsvc.exe - Search Protect by Conduit Ltd.


What is CltMngSvc.exe?


cltmngsvc.exe is part of the Search Conduit browser hijacker. It runs as a Windows service called 'CltMngSvc' with extensive privileges. This service enables auto-updates of Search Protect by Conduit and runs automatically every time Windows starts. cltmngsvc.exe and related components are designed to protect search.conduit.com from being replaced by competing search engines and web browser add-ons. There are at least seven different variants of this file, and most of them are flagged as dangerous or potentially dangerous by multiple antivirus products. Search Conduit displays misleading and sometimes even offensive ads on your computer, which is why most users decide to get rid of it. It's not essential for Windows and may cause problems. What is more, cltmngsvc.exe comes along with adware and potentially unwanted programs that may collect certain information about your browsing habits and searches. Needless to say, I recommend that you remove cltmngsvc.exe from your computer.





Security Rating: Potentially Dangerous

File name: cltmngsvc.exe
Publisher: Conduit Ltd.
File Location Windows XP: C:\Program Files\SearchProtect\bin\CltMngSvc.exe
File Location Windows 7: C:\Program Files\SearchProtect\bin\CltMngSvc.exe
Startup file: SYSTEM\CurrentControlSet\Services 'CltMngSvc'

What is Search Assistant WebSearch 1.74 and how to remove it?


Search Assistant WebSearch 1.74 - Search Assistant SProtector


What is Search Assistant WebSearch 1.74?


Search Assistant WebSearch 1.74 is adware developed by Search Assistant SProtector. The main module comes bundled with other malware. It installs a browser helper object which collects information about your browsing habits, including visited websites and search terms. Third-party advertising networks use this information to display relevant ads while you browse the internet. Please note that Search Assistant WebSearch 1.74 may display pop-up ads and also inject ads into websites you visit. What is more, this adware may change your home page and default search engine, and some variants may block any attempt to change your search engine back. The main file sprotector.dll has been flagged as malicious by at least 14 antivirus products. Detection names: Adware.BGuard.B, Worm.SProtector.Gen, ADW_SPROTECT, a variant of Win32/SProtector.A. I recommend that you remove Search Assistant WebSearch 1.74 from your computer and run a full system scan with recommended anti-malware software.





Security Rating: Potentially Dangerous

File name: sprotector.dll
Publisher: Search Assistant SProtector
File Location Windows XP: C:\Program Files\websearch\sprotector.dll
File Location Windows 7: C:\Program Files\websearch\sprotector.dll

What is Search Protect by conduit and how to remove it?


Search Protect by Conduit Ltd.


What is Search Protect by conduit?


Search Protect by conduit is part of the Conduit browser hijacker, which changes your home page and default search engine to search.conduit.com. It forces users to use Conduit Search and blocks attempts to revert the settings by users who want to recover them after they have been hijacked. It's not essential for Windows and may cause problems. It may slow down your computer, especially when online. What is more, Conduit malware displays ads on infected computers and redirects users to misleading websites when they search directly through the address bar. Most of the time it is side-installed with adware and potentially unwanted applications, for instance Optimum Installer. If your web browser has been hijacked then there's a good chance that your computer is infected with adware as well. I recommend that you remove Search Protect by conduit from your computer. Use recommended anti-malware software to remove related adware and PUPs.





Security Rating: Potentially Dangerous

File name: cltmng.exe
Publisher: Conduit Ltd.
File Location Windows XP: C:\Program Files\searchprotect\bin\cltmng.exe
File Location Windows 7: C:\Program Files\searchprotect\bin\cltmng.exe
Startup file: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 'SearchProtect'

What is IB Updater Service and how to remove it?


IB Updater Service - by Perion Network Ltd.


What is IB Updater Service?


IB Updater Service (ExtensionUpdaterService.exe) automatically keeps software created by Perion Network Ltd. up to date. Incredibar, Sweetpacks and SmileBox are only a few of the applications that use IB Updater Service. It's not essential for Windows and may cause problems. It runs in the background and periodically checks for updates (connecting to Perion servers); while doing so it may slow things down for a while or even use up to 100% of the CPU. However, these applications very often come bundled with adware (Adware.InstallBrain), not to mention that some Perion products are classified as adware or PUPs themselves, so IB Updater keeps various adware applications updated as well. "IB Updater Service" may also show up when users try to uninstall Perion-related software (see image below). As you can see, there's a captcha saying that you need to verify that you're human. IB Updater Service explains that they want to make sure that you are a person and not an automated system. This is a very unusual practice. I recommend that you remove IB Updater Service from your computer.





Security Rating: Potentially Dangerous

File name: ExtensionUpdaterService.exe
Publisher: Perion Network Ltd.
File Location Windows XP: C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe
File Location Windows 7: C:\Program Files\Updater By SweetPacks\ExtensionUpdaterService.exe
Startup file: SYSTEM\CurrentControlSet\Services 'IBUpdaterService' (Updater Service)
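The "What is ..." entries above each name a persistence point or dropped file: the CltMngSvc and IBUpdaterService services, the per-user Run value 'SearchProtect', the program files under Program Files, and (from the DomaIQ post further up) the launcher executables and .zip archives in %Temp%. The PowerShell audit below is added here as an example and is not code from the original posts: it checks a machine read-only for exactly those indicators and reports file hashes and signature status so you can confirm what your scanner found. It assumes Windows PowerShell 4.0 or later run from an elevated prompt, .NET 4.5 for the archive check, and (my assumption) that 32-bit copies may live under Program Files (x86) on 64-bit Windows.

```powershell
# Added audit script (not part of the original blog posts). Read-only: it reports the
# persistence points and dropped files named on this page and changes nothing.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) in an elevated prompt.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# --- Windows services named on the page (HKLM\SYSTEM\CurrentControlSet\Services) ---
foreach ($svc in @('CltMngSvc', 'IBUpdaterService')) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $imagePath = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $status = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        Add-Finding 'Service' $svc "ImagePath=$imagePath Status=$status"
    }
}

# --- Per-user autostart: HKCU\...\Run value 'SearchProtect' (cltmng.exe) ---
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties['SearchProtect']) {
    Add-Finding 'RunKey' 'SearchProtect' $runProps.SearchProtect
}

# --- Files listed on the page, under both Program Files roots (x86 root is an assumption) ---
$roots = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }
$relativePaths = @(
    'SearchProtect\bin\CltMngSvc.exe',
    'SearchProtect\bin\cltmng.exe',
    'Updater By SweetPacks\ExtensionUpdaterService.exe',
    'websearch\sprotector.dll',
    'DomaIQ Uninstaller\uninstaller.exe'
)
$candidateFiles = foreach ($root in $roots) { foreach ($rel in $relativePaths) { Join-Path $root $rel } }
$candidateFiles += @("$env:TEMP\launcher.exe", "$env:TEMP\launcher4.exe")   # DomaIQ droppers

foreach ($path in $candidateFiles) {
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig = Get-AuthenticodeSignature -FilePath $path
        Add-Finding 'File' $path "SHA256=$hash Signature=$($sig.Status) Signer=$($sig.SignerCertificate.Subject)"
    }
}

# --- DomaIQ: .zip archives in %Temp% carrying DomaIQ.exe / DomaIQ10.exe ---
# Archives are only opened for reading; needs .NET 4.5 (assumption).
try {
    Add-Type -AssemblyName System.IO.Compression.FileSystem -ErrorAction Stop
    foreach ($zip in (Get-ChildItem -Path $env:TEMP -Filter '*.zip' -File -ErrorAction SilentlyContinue)) {
        $archive = $null
        try {
            $archive = [System.IO.Compression.ZipFile]::OpenRead($zip.FullName)
            $hits = $archive.Entries | Where-Object { $_.Name -match '^DomaIQ(10)?\.exe$' }
            if ($hits) { Add-Finding 'Archive' $zip.FullName ("contains " + (($hits | ForEach-Object Name) -join ', ')) }
        } catch { } finally { if ($archive) { $archive.Dispose() } }
    }
} catch { Write-Warning "ZipFile support unavailable; skipping the %Temp% archive check." }

if ($findings.Count -eq 0) {
    Write-Output "None of the indicators from this page were found on this machine."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A signed file from a publisher you did not choose to install is still worth removing through the steps on this page; the hashes are there so you can submit samples your scanner missed.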

Thursday, June 27, 2013

Remove vGrabber, removal instructions

What exactly is vGrabber and why should you be concerned about it? Read on as this article takes a look at this latest internet based annoyance.

vGrabber is a browser hijacker. Browser hijacking is often referred to, or accused of being, a drive-by download. This term is used for a virus or software that installs itself on your computer's system completely without your knowledge or your permission. You may well think that you would never give a virus or malicious software permission to download itself onto your PC in the first place, but believe me, the creators of malware (malicious software) definitely have their ways and means of sneaking things past you. This is most commonly done when you download software or shareware from the internet: the creator slips some ambiguously worded small print into the License Agreement saying that vGrabber Toolbar and vGrabber Customized Web Search will be installed along with the downloaded software.


vGrabber may be an extremely annoying internet pest that wastes no time in taking advantage of your computer system if it is not properly protected. Its authors optimistically label it a ‘Browser Helper Object’; however, don't be fooled, as it is more about helping itself than helping you increase your productivity.

The number one thing you’ll probably notice at first if your browser has been hijacked by vGrabber is that you will constantly be redirected to a whole bunch of rather unsavory websites featuring misleading content - some of it fairly standard, some of it quite shocking. Naturally if you are at home with your partner or in the office surrounded by colleagues this can be extremely embarrassing and often pretty difficult to explain to an enraged boss or spouse! And let’s not even think about a scenario where you’re searching the internet for topics to help with your child’s homework.

The silver lining of the browser hijacking cloud is that it’s usually pretty easy to tell when you’ve been attacked. It is likely that your regular homepage has been changed so that you are sent to a site that is filled with adverts and you’ll often be bombarded with pop-up adverts too, for instance search.conduit.com.

The not-so-silver lining is that the vGrabber toolbar and similar browser helper objects normally include some sort of spyware or adware too: software programs and components that monitor your internet use and read your browser history so that they can create a profile of you and your browsing habits in order to send you even more targeted advertising.

But surely not all BHOs (Browser Helper Objects) are bad? Well, no, they're not, and some reputable companies use them too. For instance, the Google Toolbar includes a Browser Helper Object as part of its installation. It's true that some components of the Google Toolbar are able to transmit data back to Google about your internet usage, but this is clearly explained before you install the toolbar and you have the option to disable the ‘feature’ without it affecting Google's search function.

On the opposite end of the scale, an example of an unwanted BHO is, of course, vGrabber. Naturally the authors of these unwanted toolbars and BHOs don't want you to remove them, and they'll make it as difficult as possible for you to do so. If you don't uninstall and delete a browser hijacking program correctly, you may find that certain programs on your PC no longer work or that you are no longer able to connect to the internet. Nice!

This is a very real threat so I suggest removing vGrabber and related programs from your computer.

So how can you prevent your browser from being hijacked by vGrabber in the first place? One thing that is crucial in guarding against hijacking, as well as other forms of malware, is to install a good anti-malware scanner on your computer, which will provide extra protection against these internet scourges. Also, do not download software from shady sites, and read the License Agreement very carefully. Getting click-happy ain't gonna make your computer speed up. To remove vGrabber from your computer, please follow the removal guide below. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://spywareremovalx.blogspot.com


vGrabber removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this browser hijacker. Hopefully you won't have to do that.





2. Uninstall vGrabber toolbar from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on the bottom-left hot corner (formerly known as the Start button) and select Control Panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • Vgrabber v1.5 Toolbar
  • Video Downloader
  • Video Downloader version 2.0
  • Search Protect by conduit
  • also other applications you have recently installed.


Simply select the application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove vGrabber from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove the vGrabber Toolbar Chrome extension:

3. Click on Chrome menu button once again. Select Settings.

4. Click Set pages under the On startup.


Remove vGrabber Web Customized Search by clicking the "X" mark as shown in the image below.

5. Click Show Home button under Appearance. Then click Change.

Select Use the New Tab page and click OK to save changes.

6. Click the Manage search engines button under Search.

Select Google or any other search engine you like from the list and make it your default search engine provider.

Select vGrabber Web Customized Search from the list and remove it by clicking the "X" mark as shown in the image below.


Remove vGrabber from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Remove vGrabber Toolbar extension. Close the window.

3. In the URL address bar, type about:config and hit Enter.



Click I'll be careful, I promise! to continue.



In the search filter at the top, type: vgrabber



Now, you should see all the preferences that were changed by vgrabber. Right-click on the preference and select Reset to restore default value. Reset all found preferences!
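Step 3 above resets, by hand in about:config, the preferences vGrabber changed. The PowerShell script below is added as an example and is not part of the original post: it lists the same entries from every Firefox profile's prefs.js (user_pref lines whose name or value mentions vgrabber or conduit, plus the home page and default search engine settings a hijacker typically rewrites) so you know what to reset before opening about:config. It only reads the file; it assumes profiles live under %APPDATA%\Mozilla\Firefox\Profiles and that Firefox is closed so prefs.js is current.

```powershell
# Added helper (not from the original post): list Firefox preferences left behind by
# vGrabber / Conduit, the same entries the about:config filter "vgrabber" would show.
# Read-only: it prints what to reset and never writes prefs.js.
# Assumption: profiles live under %APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js.

$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
$terms = @('vgrabber', 'conduit')          # names taken from the removal steps on this page
# Settings a hijacker rewrites; reported even when they do not mention vGrabber.
$alwaysShow = @('browser.startup.homepage', 'browser.search.defaultenginename', 'keyword.URL')
# A prefs.js line looks like:  user_pref("browser.startup.homepage", "http://example.invalid/");
$prefPattern = '^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$'

function Get-SuspectPrefs {
    param([string]$PrefsFile, [string[]]$Terms, [string[]]$AlwaysShow)
    $hits = @()
    foreach ($line in (Get-Content -LiteralPath $PrefsFile -ErrorAction SilentlyContinue)) {
        if ($line -match $prefPattern) {
            $name = $Matches[1]; $value = $Matches[2]
            $why = $null
            if ($AlwaysShow -contains $name) { $why = 'hijack-prone setting' }
            foreach ($t in $Terms) {
                if ($name -match $t -or $value -match $t) { $why = "mentions '$t'"; break }
            }
            if ($why) { $hits += [pscustomobject]@{ Preference = $name; Value = $value; Reason = $why } }
        }
    }
    return $hits
}

$anything = $false
foreach ($prefs in (Get-ChildItem -Path $profileRoot -Filter 'prefs.js' -Recurse -ErrorAction SilentlyContinue)) {
    $hits = Get-SuspectPrefs -PrefsFile $prefs.FullName -Terms $terms -AlwaysShow $alwaysShow
    if ($hits) {
        $anything = $true
        Write-Output "Profile: $($prefs.Directory.Name)"
        $hits | Format-Table -AutoSize -Wrap
    }
}
if (-not $anything) { Write-Output "No vGrabber/Conduit preferences found in any Firefox profile." }
```

Reset the listed preferences through about:config as in step 3 rather than editing prefs.js directly, because Firefox rewrites that file on exit and would undo manual edits made while it is running.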





Remove vGrabber from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons.




2. Select Toolbars and Extensions. Remove vGrabber Toolbar Internet Explorer add-on.

3. Select Search Providers. First of all, choose Live Search search engine and make it your default web search provider (Set as default).

4. Select vGrabber Web Customized Search and click Remove to remove it. Close the window.

Wednesday, June 26, 2013

Remove inksdata.com, removal instructions

If inksdata.com has constantly been popping up with advertising and asking you to complete surveys or download fake Flash Player updates then your computer is infected with potentially unwanted software, adware or even malware. If this has happened, or is even happening to you now, it is very likely that your browser was hijacked by adware or malicious web browser add-ons. If this is the case you’re no doubt wondering how on earth you can get back your regular browser and visit the websites that you want to visit instead of being sent to some advert-filled or rogue websites. Read on as we take a closer look at the annoyance – and potential danger – of inksdata.com virus.

Browser hijacking is the act of a third party taking over – hijacking! - your browser using malicious software that changes your browser's settings. Not only will your search engine and home page be changed without your permission but you will also very likely be inundated with advertising pop-ups which will try and convince you that you really want to visit their shady websites.

It may surprise you to learn that the majority of times you will have inadvertently downloaded and installed the hijacking software that displays inksdata.com pop ups and the redirects to misleading websites yourself. Maybe you downloaded a TV series via shareware or installed a software update; a hijacker could have been bundled with any number of programs that are something you want or need. Other times though, the hijacker installs itself without you actually having done anything – this is known as a ‘drive-by download’.

Yet other browser hijackers are embedded in toolbars, toolbar add-ons and, shockingly, even rogue anti-virus software.

It has to be said that not all hijacks are malicious, but the majority of them are annoying regardless. Let’s face it, you were perfectly happy with the search engine and tool bar you were using and resent the intrusion of being told to use another – whether you want to or not! I’ll be the first to admit that if I was downloading something I used to simply click ‘OK’ or ‘Next’ in User Agreements without reading what I was actually agreeing to but I’m a lot more careful now.

The key is, when installing something, to read the Agreement carefully. Yes, it's boring and often trickily worded, but it's far better to spend a few minutes reading the small print than hours or even days of frustrating and futile internet usage. If you look you'll often see a pre-ticked check box which asks if you want to also install another (unrelated) program alongside the one you are installing. If you don't want that program or toolbar, uncheck it. For example, if you installed WebCake adware, there's a good chance that inksdata.com will pop up in a new tab. There are more apps that may do the same, so please read the User Agreement very carefully.

If you already have anti-virus software on your computer it seems that it didn’t do its job properly so you might want to think about upgrading. If you don’t have anti-virus software installed at all, that should be the very next thing you do when you finish reading this. To remove inksdata.com from your computer, please follow the removal guide below. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://spywareremovalx.blogspot.com



inksdata.com removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove this adware infection from your computer. You may then follow the manual removal instructions below to remove the leftover traces of this adware. Hopefully you won't have to do that.





2. Remove inksdata.com related programs from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on the bottom-left hot corner (formerly known as the Start button) and select Control Panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the following:
  • WebCake
  • DownloadTerms
  • LessTabs
  • DefaultTab
  • TidyNetwork.com
  • and any other recently installed application


Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.


Remove inksdata.com pop-ups from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove the following extensions:





Remove inksdata.com pop-ups from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Click the Remove button next to each of the following extensions. If you can't find the Remove button, simply click the Disable button.




Remove inksdata.com pop-ups from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings button.



2. Select Toolbars and Extensions. Click Remove/Disable button to remove the browser add-ons listed above.

How To Get Rid of the "FBI Your computer has been locked" Virus

"FBI your computer has been locked" virus locks your computer and then has the nerve to ask you to pay for it to be unlocked. Surely no one in their right mind would pay for that, but what if the computer hackers trick you into thinking that not only is it your fault that your computer has been frozen but that you will be in trouble with your local – or even national – law enforcement agency thanks to ‘your’ suspicious online activity.

You see, the way these cyber criminals work is by preying on your vulnerability. Imagine the scenario; you’re at home, or possibly even worse in the office surrounded by your colleagues, when suddenly your computer freezes and on your screen appears a message purportedly from the FBI or other police or governmental agency, telling you that you are in serious trouble for violating the law and accessing, downloading or storing illegal content such as X rated pornography of a very distasteful nature or you’ve been visiting terrorist websites. This is police themed ransomware – also known as the ‘Police Trojan’ – a program that has infiltrated your computer’s operating system to display a rogue message claiming that it is from a law enforcement agency.


You will most likely be told that your IP address has been detected engaging in illegal activity and you will be asked to pay a fine, usually $300, using a prepaid card such as MoneyPak, Ukash or PaySafeCard. Malware creators prefer using these methods of payment (rather than PayPal for example) as transactions made via them are difficult to trace and cannot be reversed.

The "FBI your computer has been locked" virus originated back in 2011 and initially targeted PC users in Western Europe, including the UK, France, Spain, Italy, Austria and Belgium. These days, however, it knows no international boundaries, and the USA and Canada have both seen a massive increase in crimes of this nature. Indeed, cyber criminals can make hundreds of thousands of dollars each month with these scams.


Experts investigating cyber-crime have also found that, in addition to more countries being added to the list, the criminals now target people very specifically in an attempt to convince more victims that their fake ‘police’ messages are real. One way of doing this is tailoring the payment method to the country – for example, the Ukash card is not well known in the States, so a rogue police notice targeting a US resident, for example the one that purports to be from the Computer Crime and Intellectual Property Section of the U.S. Department of Justice, will only ask for payment of the fine via PaySafeCard.

In the United States the victim will normally be asked to pay a not inconsiderable $300 fine via MoneyPak or PaySafeCard and, just to hammer the message home and make payment even easier, the thoughtful hackers will include the logos of supermarkets and stores where you can purchase the vouchers.


If you’re unlucky enough to be a victim of police themed "FBI your computer has been locked" virus you may well find yourself tempted to click on the ‘pay now’ button. After all, having your PC frozen and a message from the FBI telling you that you are a known visitor of hardcore and illegal adult content sites or a threat to national security is enough to send anyone into a panic. Even if you do suspect that the message may be a computer virus and the work of a hacker, you might be too worried or embarrassed about taking your computer to a store to get it checked out…just in case you did click on something pornographic, either by choice or by accident.

The best thing to do is to follow the removal instructions below to unlock your computer and get rid of the "FBI your computer has been locked" virus. Whatever you do don’t be tempted to pay the fine – as seen, this can be a lot of money and besides, there’s no guarantee that your computer will be returned to normal as many hackers simply take the money and leave you stranded; out of pocket and still with a locked computer.

And of course, as with all malware, having a first rate and up to date antivirus program installed on your computer is the first major step in protecting yourself against online crime. If you have any questions, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://spywareremovalx.blogspot.com


Method 1: System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type in explorer and hit Enter. If you fail to do it within 2-3 seconds, the FBI virus will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the FBI virus.


Method 2: System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "system restore". Or you can browse into the Windows Restore folder and run System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the FBI virus appeared, two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to login (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove the FBI virus.


Method 3: Using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start, then select Run.... Type in "msconfig" and click OK.

3. Select the Startup tab. Expand the Command column and look for a startup entry that launches a randomly named file from the %AppData% or %Temp% folders using rundll32.exe. See example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time Start Windows normally. Hopefully, you won't be prompted with a fake FBI screen.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the FBI virus.


Method 4: Manual removal, Safe Mode (requires registry editing):

1. Unplug your network cable and manually turn your computer off. Reboot your computer in "Safe Mode". As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. When Windows loads, open up Windows Registry Editor.

To do so, please go to Start, type "registry" in the search box, right click the Registry Editor and choose Run as Administrator. If you are using Windows XP/2000, go to Start > Run... Type "regedit" and hit Enter.

3. In the Registry Editor, click the [+] button to expand the selection. Expand:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



Look on the list to the right for a randomly named item. Write down the file location. Then right click the randomly named item and select Delete. Please note that in your case the file name might be different. Close Registry Editor.

In our case the malicious file (pg_0rt_0p.exe) was located in the Application Data folder. So, we went there and simply deleted the file. We're running Windows XP.

File location: C:\Documents and Settings\Michael\Application Data\



If you are using Windows Vista or Windows Seven, the file will be located in the %AppData% folder.

File location: C:\Users\Michael\AppData\Roaming\

Finally, go into the Windows Temp folder %Temp% and click Date Modified so the newest files are on top. You should see an exe file, possibly with the name pg_0rt_0p.exe (in our case it was exactly the same), but it may be different in your case. Delete the malicious file.

One more thing, check your Programs Startup list for the following entry:

[UserPATH]\Programs\Startup\ctfmon.lnk - C:\Windows\system32\rundll32.exe pointing to [UserPATH]\Temp\wpbt0.dll,FQ10 (or FQ11)

In our case it was ctfmon.lnk pointing to a malicious file which then loads the fake ransom warning. Please note that in your case the file name might be different, not necessarily ctfmon.lnk. Simply disable or remove (if possible) such an entry and restart your computer.

4. Restart your computer into "Normal Mode" and scan the system with legitimate anti-malware software.

5. Download recommended anti-malware software (direct download) and run a full system scan to remove the FBI virus.
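As an added defender-side example (not part of the original guide and not a tool by its author), the following PowerShell script lists the autostart locations Methods 3 and 4 walk through (the HKCU and HKLM Run keys and the Startup folder) and flags entries matching the pattern described above: rundll32.exe loading a DLL from %AppData%, Application Data or %Temp%. It assumes PowerShell 3.0 or later, is run from Safe Mode as in the guide, and only reports; it deletes nothing.

```powershell
# Added example, not from the original guide: read-only triage of autostart
# entries, flagging the rundll32 + %AppData%/%Temp% pattern from Methods 3 and 4.
# Assumes PowerShell 3.0+ (for the [pscustomobject] syntax).

# Path fragments a legitimate autostart rarely points into (matched case-insensitively).
$suspectPath = '\\(appdata|application data|temp)\\|%(temp|appdata|localappdata)%'

function Test-SuspiciousAutorun {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    $cmd = $CommandLine.ToLower()
    # Only the combination the guide describes is flagged: rundll32.exe loading
    # something from a user-writable profile or temp directory.
    return ($cmd -match 'rundll32' -and $cmd -match $suspectPath)
}

function Get-AutorunReport {
    $findings = @()
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Registry Run keys (Method 4 step 3 uses the HKCU one; MSConfig shows both).
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }   # provider bookkeeping, not values
            $findings += [pscustomobject]@{
                Source = "$hive Run"; Name = $p.Name; Command = [string]$p.Value
                Suspicious = Test-SuspiciousAutorun ([string]$p.Value)
            }
        }
    }

    # Startup folder shortcuts (the ctfmon.lnk case in Method 4). The .lnk is
    # resolved to its target and arguments, which is where the rundll32 line hides.
    $shell = New-Object -ComObject WScript.Shell
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($file in Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($file.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        $findings += [pscustomobject]@{
            Source = 'Startup folder'; Name = $file.Name; Command = $cmd
            Suspicious = Test-SuspiciousAutorun $cmd
        }
    }
    return $findings
}

# Suspicious entries first; write down the Command path before disabling or deleting anything.
Get-AutorunReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```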

FBI MoneyPak Ransomware video:


To learn more about ransomware, please read Remove Trojan.Ransomware (Uninstall Guide).
