caforssztxqzf2nm.onion Locker Removal Guide

Do you know what caforssztxqzf2nm.onion Locker is?

caforssztxqzf2nm.onion Locker is a vicious screen locker: once it gets in, you might be unable to unblock your screen even if you restart the affected computer in Safe Mode. Our computer security specialists say they were only able to get rid of it by using Remote Desktop Protocol services. However, if you receive this malicious application but cannot connect to your device remotely to bypass the screen lock, you might have no other choice but to reinstall Windows. For more information about this vicious threat, as well as what you could try to get rid of it, we recommend reading our full article. The removal guide available below shows how to delete caforssztxqzf2nm.onion Locker manually if a user restarts the system in Safe Mode and the screen does not seem to be locked.

It looks as if caforssztxqzf2nm.onion Locker’s developers are trying to convince their victims that their files were encrypted and that they are dealing with ransomware. However, our computer security specialists confirm that this threat is only a screen locker, which means it should only block the screen and should not encrypt or otherwise damage user files. Also, the malicious application’s ransom notes made us believe this screen locker could still be in development. No matter how many times we ran it, its message always showed the same user ID number, which no doubt should be unique. Plus, the link to the hackers’ site given in caforssztxqzf2nm.onion Locker’s note cannot be reached, which also raises suspicion. This could be good news, because if the malware is not finished yet, it is unlikely its developers will distribute it.

Nonetheless, we cannot know for sure whether caforssztxqzf2nm.onion Locker is being spread or not, which is why it is best to know where it could come from so you can protect your system from it. Our specialists believe the screen locker could be distributed through spam emails, as a lot of similar threats travel this way. Usually, hackers disguise malicious launchers to make them look harmless. For instance, the malware’s installer could look like a text document or a photo. All that is left to do is trick potential victims into opening such files. Sometimes cybercriminals come up with convincing messages or make it look as if such emails are coming from reliable sources, for example, organizations or businesses that potential victims might know. In some cases, it is enough to make a user curious about a file, for example, by adding a message saying it is an embarrassing picture of the targeted user.

After getting in, the malware should make copies of itself in particular directories and modify a few Registry entries. Then caforssztxqzf2nm.onion Locker should wait for 35 seconds and restart the infected computer. Once it restarts, the screen should already be locked. As we mentioned before, it might remain blocked even if you restart the computer in Safe Mode. Nonetheless, we still recommend doing so. If the screen is unblocked, you could try to delete caforssztxqzf2nm.onion Locker by following the removal guide available below. Sadly, if the screen is still locked even in Safe Mode and you cannot access the computer remotely, there might be no other way to eliminate the threat but to reinstall Windows.

Eliminate caforssztxqzf2nm.onion Locker

  1. Restart your system in Safe Mode.
  2. If the screen is unlocked, press Windows Key+E.
  3. Go to C: disk.
  4. Locate files named:
    payload.hta
    clear.bat
    setup.bat
  5. Right-click them one by one and press Delete.
  6. Go to:
    %TEMP%
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
  7. Look for a randomly named .exe file that appeared before the computer got infected.
  8. Right-click the malicious .exe file and click Delete.
  9. Close File Explorer.
  10. Press Windows Key+R.
  11. Type Regedit and click OK.
  12. Navigate to this path: HKLM\System\Setup
  13. Look for a value name called Setup Type, right-click it, and select Modify.
  14. Replace its value data with 0 and press OK.
  15. Then locate a value name titled CmdLine and modify it too.
  16. Delete what is written in its value data as it ought to be empty and click OK.
  17. Lastly, find a value name called Scancode Map, right-click it, and choose Delete.
  18. Close Registry Editor.
  19. Restart your computer.
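
Before deleting or changing anything, the locations named in the steps above can be checked in one pass. The following PowerShell script is an added example, not part of the original guide: it is read-only, and the 14-day review window ($days) and the extra Keyboard Layout key are assumptions added for illustration.

```powershell
# Read-only audit of the artifacts named in the removal steps; it deletes and changes nothing.
# Run from an elevated PowerShell session after restarting in Safe Mode.
$findings = [System.Collections.Generic.List[string]]::new()

# Steps 3-5: files dropped in the root of the C: disk.
foreach ($name in 'payload.hta', 'clear.bat', 'setup.bat') {
    $path = Join-Path 'C:\' $name
    if (Test-Path -LiteralPath $path) { $findings.Add("File present: $path") }
}

# Steps 6-8: list recently created .exe files for manual review.
# $days is an assumed review window, not a value from the guide.
$days = 14
$dirs = @($env:TEMP, "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads")
foreach ($dir in ($dirs | Where-Object { Test-Path -LiteralPath $_ })) {
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-$days) } |
        ForEach-Object { $findings.Add("Review: $($_.FullName) (created $($_.CreationTime))") }
}

# Steps 12-16: values under HKLM\System\Setup.
# Windows stores the first value as SetupType; the guide spells it "Setup Type",
# so both spellings are checked.
$setup = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\Setup' -ErrorAction SilentlyContinue
foreach ($valueName in 'SetupType', 'Setup Type') {
    $value = $setup.$valueName
    if ($null -ne $value -and $value -ne 0) {
        $findings.Add("$valueName = $value (guide expects 0)")
    }
}
if ($setup.CmdLine) {
    $findings.Add("CmdLine = '$($setup.CmdLine)' (guide expects empty)")
}

# Step 17: Scancode Map. The guide looks under HKLM\System\Setup; Windows itself reads
# this value from the Keyboard Layout key, so both keys are checked (added assumption).
$keys = 'HKLM:\SYSTEM\Setup', 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
foreach ($key in $keys) {
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -ne $props.'Scancode Map') { $findings.Add("Scancode Map is set in $key") }
}

if ($findings.Count -gt 0) { $findings } else { 'None of the artifacts from the guide were found.' }
```

Each line of output maps to one step of the guide, so the manual removal can be limited to the items actually reported.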

In non-techie terms:

caforssztxqzf2nm.onion Locker is one of those threats that cause a lot of damage to users who do not back up their files. That is because the malicious application might be impossible to eliminate without reinstalling Windows and, unfortunately, some data could get erased during this process. The removal guide above shows how to delete the screen locker if you restart your system in Safe Mode and the malware does not lock your screen. Our sample did not leave us such an option, but research shows the threat could have other versions, which means some of them could be designed differently and might not necessarily keep a victim’s screen locked after a Safe Mode restart. The reason we believe there could be other versions is that the sample we tested looked like it was still in development. Thus, you should not despair right away after receiving caforssztxqzf2nm.onion Locker, as there could be hope yet.