KeRanger Virus (Removal Instructions)

KeRanger virus is a new type of Mac OS X (Apple) ransomware discovered in March 2015. The KeRanger virus is known to be the first real Mac ransomware that can encrypt personal files on a computer it infects and hold them for ransom.

The KeRanger virus was first spotted in compromised versions of the Transmission app (a BitTorrent client). According to a source, the infected Transmission app was distributed from the official Transmission website; however, the app was distributed with a different code signature than the normal one which was previously used to sign or certify the Transmission app. This suggests that the Transmission app had been tampered with and compromised by a third-party attacker.

The copy of the Transmission app that was compromised includes a deceptive executable file named General.rtf. The General.rtf file pretends to be a rich-text file (rtf) but is actually a Mach-O format executable file packed with UPX 3.91. Once the Transmission app starts, the General.rtf file is copied to another file named kernel_service, which can be located in the user Library folder. By default, this folder is set to hidden on recent Mac OS X versions.

The kernel_service process will run in the background and it will produce additional files named .kernel_pid and .kernel_time in the hidden user Library folder. One of the files contains a time-stamp, which is used by KeRanger ransomware to identify when 3 days have passed.

Once 3 days have gone by, the KeRanger virus will encrypt files on a Mac computer. KeRanger ransomware will encrypt everything in the /Users folder and other files that have a common document extension, such as .rtf, and so on. It will also encrypt files found in the /Volumes folder, which might affect files connected to a Mac computer by an external hard drive, server, or other storage device. This means that backups (including Time Machine backups stored on a Time Capsule) of the computer may become encrypted by the virus.

When files have been encrypted by the KeRanger virus the ransomware will leave multiple files named “README_FOR_DECRYPT.txt” in each folder it encrypts. This file contains a note and instructions on how to pay a ransom in order to obtain a decryption key to decrypt files.

Apple has added detection of this malware to XProtect and terminated the developer certificate used to sign the compromised version of the Transmission app. This is a good thing and it means that new infections will not be able to spread without an update from the malware authors.

If you have recently downloaded the Transmission app for your Mac device from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, your Mac might have been infected with the KeRanger virus.

KeRanger Virus (Removal Instructions)

These steps will help you locate and remove KeRanger files from your Mac computer.

  1. Start your Mac computer and open Terminal or Finder. Check whether either of these files exists, and uninstall the Transmission app if so: /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf.
  2. Using the “Activity Monitor” preinstalled in Mac operating systems, look to see if a process named “kernel_service” is running. If you can locate the process, double check the process, select “Open Files and Ports” and check whether there is a file name similar to “/Users/<username>/Library/kernel_service.” If you find this file, terminate it with “Quit -> Force Quit”. This is the main file for the ransomware.
  3. You should also check to see if any of these files exist in the ~/Library directory on your Mac: “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service”. If you find them, delete them.
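
The checks in steps 1 to 3 can also be run from Terminal. The script below is an added example, not part of the original instructions or of any vendor tool; it only reports what it finds and deletes nothing. The function name keranger_scan and its two parameters (a filesystem root prefix and a home directory) are assumptions made so the same check can be pointed at a mounted copy of a disk.

```shell
#!/bin/sh
# Added example: read-only check for the KeRanger artifacts named in steps 1-3.
# keranger_scan ROOT HOME_DIR  (both parameters are assumptions of this sketch;
# ROOT="" means the live system, a non-empty ROOT points at a mounted copy).
# Sets KERANGER_FOUND to the number of artifacts seen and prints each one.

keranger_scan() {
    root="$1"
    home_dir="$2"
    KERANGER_FOUND=0

    # Step 1: General.rtf inside the installed app or the mounted disk image.
    for f in \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"
    do
        if [ -e "$f" ]; then
            echo "FOUND (compromised Transmission bundle): $f"
            KERANGER_FOUND=$((KERANGER_FOUND + 1))
        fi
    done

    # Step 3: files dropped into the hidden per-user Library folder.
    for name in kernel_service .kernel_pid .kernel_time .kernel_complete; do
        if [ -e "$home_dir/Library/$name" ]; then
            echo "FOUND (KeRanger working file): $home_dir/Library/$name"
            KERANGER_FOUND=$((KERANGER_FOUND + 1))
        fi
    done

    # Step 2: a running kernel_service process; only checked on the live system.
    # The match is by process name only, so confirm the path in Activity Monitor.
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1; then
        if pids=$(pgrep -x kernel_service); then
            echo "FOUND (running process kernel_service): pid(s)" $pids
            KERANGER_FOUND=$((KERANGER_FOUND + 1))
        fi
    fi

    echo "$KERANGER_FOUND KeRanger artifact(s) found"
    return 0
}

# Scan the live system for the current user.
keranger_scan "" "${HOME:-}"
```

Because the user Library folder is hidden in Finder by default, a Terminal check like this sees the dot-files without changing any Finder settings.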

Staying Protected

It is important to protect your machine against future threats. A great program that can detect and remove KeRanger ransomware from your computer is Malwarebytes Anti-malware for Mac.

SurveyMeta (Removal Instructions)

Even though SurveyMeta adware is not defined as a computer virus it is still recognized as a potentially unwanted program and potentially malicious. It may utilize deceptive marketing tactics that can trick internet users into installing it. The way SurveyMeta adware distributes itself is cause for concern because it can be deceptive and unethical. The author or a third-party website may promote it as something it is not. The program may also be promoted alongside adware and malicious files.

SurveyMeta adware serves pop-up advertisements in a victim’s web browser after it has been installed. If a computer is infected with SurveyMeta adware the user will notice pop-up advertisements in the web browser that say “Ads by SurveyMeta” on them.

Advertisements will arrive on an infected computer system inside the web browser. The ads can affect Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Apple Safari, and other web browsers. Ads can be shown as generic pop-ups, pop-under ads that take up an entire browser window, and in-text advertisements that appear when you hover your mouse over hyperlinked text on a webpage.

SurveyMeta Distribution

Like most adware infections, SurveyMeta adware primarily bundles with other programs that are downloaded by the user with or without consent. The most common way this happens is by downloading a program or file from a questionable distributor. Downloading items online such as freeware and torrent files will result in potentially unwanted programs infecting the user’s system. Even if a program is well known and trustworthy, downloading it from a malicious site will lead to infection.

If the computer user has recently downloaded a malicious program, SurveyMeta adware might have automatically downloaded in the background without permission or knowledge of the user. The user might also be tricked into accepting the download under the guise of a program update. Malicious authors often hide the download behind a terms and conditions page, effectively tricking users into downloading adware. In some instances SurveyMeta may be advertised as an extension to improve the user’s browsing experience in order to encourage a direct download. Regardless of how the system was infected, removal remains relatively unchanged.

SurveyMeta Details

Name: SurveyMeta, SurveyMeta virus
Detection Categories: Adware, Potentially Unwanted Program (PUP)
Description: N/A
Symptoms: Advertisements in the web browser; browser redirects to sponsored webpages; decreased internet speed and performance; decreased computer functionality and performance; bundles with malware and other potentially unwanted programs
Common Path(s): C:\Program Files (x86); C:\Users\{USER}\Downloads\
Quick Detection & Removal Tool: Malwarebytes

SurveyMeta (Removal Instructions)

  1. Scan your computer with Malwarebytes
  2. Scan your computer with HitmanPro
  3. Uninstall SurveyMeta and unwanted programs
  4. Remove unwanted add-ons and extensions
  5. Cleanup and repair settings with CCleaner

1. Scan your computer with Malwarebytes

The first step to remove this adware is to download and install Malwarebytes Anti-Malware software in order to perform a full system scan for malicious files.

1. Download and Install Malwarebytes Anti-Malware software.

2. Open Malwarebytes and click the Scan Now button or go to the Scan tab and click the Start Scan button.

3. When the Malwarebytes scan is complete click the Remove Selected button.

4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if prompted to do so.

2. Scan your computer with HitmanPro

The second step to remove this adware is to download and install a second opinion scanner called HitmanPro by Surfright in order to perform a full system scan for malicious files.

1. Download and Install HitmanPro by Surfright.

2. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.

3. When the HitmanPro scan is complete click the Next button.

4. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

5. Click the Reboot button.

3. Uninstall SurveyMeta and unwanted programs

The third step to remove this adware is to uninstall SurveyMeta and other unwanted programs in Windows Control Panel.

1. Open Windows Start Menu and go to the Control Panel.

2. In the Programs section click Uninstall a program. In earlier versions of Windows this is listed as “Add and remove programs.”

3. Search for SurveyMeta Supporting Application in the list and double-click it.

4. Once you have uninstalled SurveyMeta, search for other unwanted programs that may be installed on your computer and uninstall them as well.

4. Remove unwanted add-ons and extensions

The fourth step to remove this adware is to remove unwanted browser add-ons and extensions from Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari.

Google Chrome

1. Click the Customize and control Google Chrome icon and go to More tools > Extensions.

2. Search for the unwanted extension in the list and click the trashcan icon.

Mozilla Firefox

1. Open the Menu and click Add-ons.

2. Search for the unwanted add-on and click Remove.

Microsoft Internet Explorer

1. Go to Tools (Alt+X) and click Manage add-ons.

2. Search for the unwanted add-on in the list, select it with your mouse, and click Remove.

Apple Safari

1. Go to Safari > Preferences > Extensions.

2. Search for the unwanted extension in the list and click the Uninstall button.

5. Cleanup and repair settings with CCleaner

The fifth step to remove this adware is to download and install CCleaner by Piriform in order to delete leftover junk files, tracking cookies, registry entries, unwanted start-up tasks, and more.

1. Download and Install CCleaner by Piriform.

2. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

3. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Context Menu. If you find anything suspicious click it and click the Delete button to remove it.

4. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.

FastInternet (Virus Removal Instructions)

FastInternet virus is a term often used to identify intrusive adware that serves pop-up advertisements across multiple web browsers, such as Chrome, Firefox, Internet Explorer, and Safari, once it has been installed. If a computer is infected with FastInternet adware the user will notice pop-up advertisements in the web browser that usually say “Ads by FastInternet” or “brought by FastInternet” on them.

FastInternet ads are served inside the web browser, but can also be generated in third-party applications, web browsers associated with third-party applications, and Windows desktop. The ads can affect multiple web browsers if they are installed on an infected machine, such as Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, Apple Safari, as well as other web browsers. Ads can be shown as generic pop-ups, pop-under ads that take up an entire browser window, in-image advertisements that appear when you hover your mouse over an image or product on a retail website, and in-text advertisements that appear when you hover your mouse over hyperlinked text on a webpage.

FastInternet Distribution Method

Like most adware infections, FastInternet adware is no different in the way it is distributed. The adware primarily bundles with other programs that are downloaded by the user with or without consent and knowledge. The most common way this occurs is by downloading a program or file from a questionable distributor. Downloading items online such as freeware and torrent files can essentially result in potentially unwanted programs infecting the user’s system. Even if a program is well known and trustworthy, downloading it from a malicious site or questionable source can lead to infection.

If the computer user has recently downloaded a malicious program or deceptive software bundler, FastInternet adware might have automatically downloaded in the background without permission or knowledge of the user. The user might also be tricked into accepting the download under the guise of a program update. Malicious publishers often hide the download behind a terms and conditions page, effectively tricking users into downloading adware. In some instances FastInternet may be promoted as an extension to improve the user’s browsing experience in order to encourage a direct download or a media player update to view necessary files. Regardless of how the system was infected, FastInternet removal remains relatively unchanged.

FastInternet Details

Name: FastInternet, FastInternet virus
Detection Categories: Adware, Potentially Unwanted Program (PUP)
Description: N/A
Symptoms: Advertisements in the web browser; browser redirects to sponsored webpages; decreased internet speed and performance; decreased computer functionality and performance; bundles with malware and other potentially unwanted programs
Common Path(s): C:\Program Files (x86); C:\Users\{USER}\Downloads\
Quick Detection & Removal Tool: Malwarebytes

FastInternet (Virus Removal Instructions)

  1. Scan your computer with Malwarebytes
  2. Scan your computer with HitmanPro
  3. Uninstall FastInternet and unwanted programs
  4. Remove unwanted add-ons and extensions
  5. Cleanup and repair settings with CCleaner

1. Scan your computer with Malwarebytes

The first step to remove this adware is to download and install Malwarebytes Anti-Malware software in order to perform a full system scan for malicious files.

1. Download and Install Malwarebytes Anti-Malware software.

2. Open Malwarebytes and click the Scan Now button or go to the Scan tab and click the Start Scan button.

3. When the Malwarebytes scan is complete click the Remove Selected button.

4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if prompted to do so.

2. Scan your computer with HitmanPro

The second step to remove this adware is to download and install a second opinion scanner called HitmanPro by Surfright in order to perform a full system scan for malicious files.

1. Download and Install HitmanPro by Surfright.

2. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.

3. When the HitmanPro scan is complete click the Next button.

4. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

5. Click the Reboot button.

3. Uninstall FastInternet and unwanted programs

The third step to remove this adware is to uninstall FastInternet and other unwanted programs in Windows Control Panel.

1. Open Windows Start Menu and go to the Control Panel.

2. In the Programs section click Uninstall a program. In earlier versions of Windows this is listed as “Add and remove programs.”

3. Search for FastInternet Supporting Application in the list and double-click it.

4. Once you have uninstalled FastInternet, search for other unwanted programs that may be installed on your computer and uninstall them as well.

4. Remove unwanted add-ons and extensions

The fourth step to remove this adware is to remove unwanted browser add-ons and extensions from Google Chrome, Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari.

Google Chrome

1. Click the Customize and control Google Chrome icon and go to More tools > Extensions.

2. Search for the unwanted extension in the list and click the trashcan icon.

Mozilla Firefox

1. Open the Menu and click Add-ons.

2. Search for the unwanted add-on and click Remove.

Microsoft Internet Explorer

1. Go to Tools (Alt+X) and click Manage add-ons.

2. Search for the unwanted add-on in the list, select it with your mouse, and click Remove.

Apple Safari

1. Go to Safari > Preferences > Extensions.

2. Search for the unwanted extension in the list and click the Uninstall button.

5. Cleanup and repair settings with CCleaner

The fifth step to remove this adware is to download and install CCleaner by Piriform in order to delete leftover junk files, tracking cookies, registry entries, unwanted start-up tasks, and more.

1. Download and Install CCleaner by Piriform.

2. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

3. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Context Menu. If you find anything suspicious click it and click the Delete button to remove it.

4. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.