How to remove Locker (Virus Removal Guide)
The “Locker virus” (also known as Locker v1.7, Locker v3.5.3, Locker V2.16, Locker V5.52) is a new type of global ransomware that was introduced to the public at midnight on May 25, 2015. The Locker v1.7 variant of the “Locker virus” previously lay dormant on the computer systems it infected until midnight local time on May 25th, when it would finally activate and encrypt personal files on the computer system it had been hiding on.
The Locker virus encrypts personal files on a computer system and holds them for ransom. The virus will lock a computer system, encrypt files, and demand that the victim pay a fine or fee to decrypt the files. The Locker virus demands that the victim pay 0.1 Bitcoin within 72 hours, or the ransom increases to 1 Bitcoin.
The main screen for Locker ransomware will include a version number such as “Locker v1.7.” This version number appears at random, with titles such as Locker v1.7, Locker v3.5.3, Locker V2.16, and Locker V5.52. The Locker virus has 4 different sections titled Information, Payment, Files, and Status. The Information screen contains the ransom note and information on what has happened to the victim’s personal data. The Payment screen displays the victim’s unique Bitcoin address and information about how to make payment. The Files screen shows a list of files that have been encrypted by the ransomware, and the Status screen contains information about payment status.
Locker ransomware appears to be installed via a trojan dropper that creates a daisy-chain installation of several Windows services that help to launch the Locker screen. The main dropper is located in C:\Windows\Syswow64 under a random name such as twitslabiasends.exe. This file then creates the Steg service, which uses the C:\ProgramData\Steg\steg.exe executable file. The steg executable then installs Tor into C:\ProgramData\Tor and creates an additional service called LDR. The LDR service is associated with C:\ProgramData\rkcl\ldr.exe, which helps launch the rkcl.exe program that displays the Locker interface containing the Information, Payment, Files, and Status sections. Finally, the installation eradicates all Shadow Volume Copies so that no one will be able to use them to restore your files. The command that the Locker virus uses to delete the shadow volume copies is:
vssadmin.exe delete shadows /for=C: /all /quiet
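A defender's triage check for the artifacts described above, written as an added example that is not part of the original guide. It assumes an elevated Windows PowerShell prompt; the C:\ProgramData\rkcl folder is taken from the ldr.exe location given above, and the Security log search only returns command lines when process command-line auditing is enabled.

```powershell
# Locker triage check (added example, not from the original guide).
# Looks for the Steg and LDR services, their files under C:\ProgramData,
# the Tor folder, surviving Volume Shadow Copies, and process-creation
# events (Security 4688) that ran the shadow-deletion command quoted above.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Services named in the infection chain; match on service name only.
foreach ($svcName in @('Steg', 'LDR')) {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($svc) {
        $path = (Get-CimInstance Win32_Service -Filter "Name='$svcName'").PathName
        $findings.Add("Service '$svcName' present (state: $($svc.Status)) -> $path")
    }
}

# 2. File system artifacts from the infection chain. The rkcl folder path
#    is assumed from the ldr.exe location; the dropper name is random and
#    is therefore not checked here.
$paths = @(
    'C:\ProgramData\Steg\steg.exe',
    'C:\ProgramData\rkcl\ldr.exe',
    'C:\ProgramData\rkcl',
    'C:\ProgramData\Tor'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Artifact present: $p") }
}

# 3. Do any shadow copies survive? An empty list on a machine that had
#    restore points is consistent with the vssadmin command above.
$shadows = & vssadmin.exe list shadows 2>&1 | Out-String
if ($shadows -notmatch 'Shadow Copy ID') {
    $findings.Add('No Volume Shadow Copies found on this system')
}

# 4. Process-creation events whose command line deleted shadow copies.
#    Requires "Include command line in process creation events" auditing.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin(\.exe)?\s+delete\s+shadows' }
foreach ($e in $events) {
    $findings.Add("Shadow copy deletion via vssadmin at $($e.TimeCreated)")
}

if ($findings.Count -eq 0) { 'No Locker indicators found.' } else { $findings }
```

A hit on the shadow-copy check alone is not proof of infection, since administrators also delete shadow copies legitimately; combine it with the service and file findings before acting.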
How does Locker virus get onto a computer?
Dangerous computer infections such as Locker ransomware and similar threats are usually introduced to a computer system through exploit kits. The initial infection can be related to websites that host malware, malicious torrent files, and email attachments.
How to remove Locker (Removal Instructions)
We recommend that you write down the toll free number below in case you run into any issues or problems while removing this infection. Our techs will kindly assist you with any problems.
1. Download and install the free or full version of Malwarebytes Anti-Malware software. The full version enables real-time protection to block malware and unwanted programs from infecting your computer, while the free version is just a free scan and removal tool.
2. Open the Malwarebytes Anti-Malware program.
3. Click the large Scan Now button or visit the “Scan” tab to manually run a scan.
4. Once the malware scan is complete, click the Remove Selected button and reboot your computer.
Ransomware usually infects 1 user account on Windows systems at a time. Here are some tips to remove ransomware by using different user accounts.
- Log into an account not affected by malware (with administrative rights) and perform a scan with reputable software to detect and remove malware.
- You can also delete the infected account.
- Other options include creating a new user account to remove malware if only 1 Windows user account is present on the computer system.
Safe Mode With Networking can be used to access the Internet for updates, drivers, removal software, or other files if internet and network connectivity is compromised.