Virus and Spyware Removal Guides, uninstall instructions

What is Beneficiary/Inheritance email scam?

Generally, scammers behind email scams such as this one attempt to trick recipients into believing that they are beneficiaries of a will, life insurance policy, etc. Scammers ask recipients to contact them and provide various information. At some point, recipients are asked to pay a processing fee or transfer charge.

Note that scammers exploit the names of existing, often well-known organizations and companies to make their emails seem legitimate.

What is Termit?

Termit belongs to the Dcrtr ransomware family. Like most programs of this type, Termit encrypts files, renames them, and creates a ransom message. It renames files by adding the ashtray@outlookpro.net email address and appending the ".termit" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.termit", "2.jpg" to "2.jpg.termit", and so on. Termit creates the "ReadMe_Decryptor.txt" text file (ransom message) in each folder that contains encrypted files.

What is Restoreserver?

Restoreserver is part of the Scarab ransomware family. This ransomware is designed to encrypt files, rename them, and create the "HOW TO RECOVER ENCRYPTED FILES.TXT" text file (ransom message) in all folders that contain encrypted files. Restoreserver renames files by replacing their filenames with a string or random characters and the ".restoreserver" extension.

For example, "1.jpg" is renamed to "gAfFM6+JJ=Jsk.restoreserver", "2.jpg" to "DNSjkoN8+KK=Hgf.restoreserver", and so on.

What is Bolobi web?

The Bolobi web browser hijacker changes certain browser settings to keysearchs.com. In this way, it forces users to visit a fake search engine. This app can read browsing history, however, it might also be capable of accessing other data.

Note that Bolobi web is categorized as potentially unwanted application (PUA), since many users download and install browser hijackers inadvertently.

What is Quaverse?

Quaverse (also known as QRAT and Qua RAT) is a Remote Access Trojan (RAT) based on the Java programming language. Like most RATs, it allows cyber criminals responsible to remotely control infected computers. In most cases, RATs are used to steal sensitive information and distribute other malicious programs.

Research shows that Quaverse is offered under the software-as-a-service (SaaS) model - it can be accessed online via a subscription.

What is LaunchSystem?

LaunchSystem functions as adware, browser hijacker, and a data collector. It serves advertisements, promotes a fake search engine address by changing browser settings, and gathers sensitive information.

Generally, users download and install applications such as LaunchSystem inadvertently and, for this reason, they are categorized as potentially unwanted applications (PUAs). This particular app is distributed via a deceptive (fake) installer disguised as an installer for Adobe Flash Player.

What is Elvis ransomware?

This ransomware is a part of the Dharma ransomware family. It prevents victims from accessing/using their files by encrypting them, renames all encrypted files, displays a pop-up window (a ransom message) and creates the "FILES ENCRYPTED.txt" text file (another ransom message).

Elvis ransomware adds the victim's ID, the elvisdark@aol.com email address and appends the ".Elvis" extension to filenames of the encrypted files. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[ElvisDark@aol.com].Elvis", "2.jpg" to "2.jpg.id-C279F237.[ElvisDark@aol.com].Elvis", and so on.

What is Banjo?

Banjo is a malicious program belonging to the Phobos ransomware family. Like most programs of this type, Banjo is designed to encrypt files, modify their filenames, and provide instructions about how to contact the developers. It renames files by adding the victim's ID, the mutud@airmail.cc email address, and appending the ".banjo" extension.

For example, "1.jpg" is renamed to "1.jpg.id[C279F237-3069].[mutud@airmail.cc].banjo", "2.jpg" to "2.jpg.id[C279F237-3069].[mutud@airmail.cc].banjo", and so on. Banjo issues instructions about how to contact its developers in a pop-up window and "info.txt" text file.

What is Pethya Zaplat Zasifrovano?

Pethya Zaplat Zasifrovano was discovered by xiaopao. This ransomware is designed to encrypt files, modify their filenames, change the desktop wallpaper, display a number of pop-up windows, and create the "HOW TO DECRYPT FILES.txt" text file in folders containing encrypted files.

Its desktop wallpaper, one of the pop-up windows, and text files are the ransom messages. Pethya Zaplat Zasifrovano renames encrypted files by appending ".pethya zaplat zasifrovano" to the filenames. For example, "1.jpg" is renamed to "1.jpg.pethya zaplat zasifrovano", "2.jpg" to "2.jpg.pethya zaplat zasifrovano", and so on.

What is Spacerin?

Spacerin promotes spacerin.com (the address of a fake search engine) by changing certain browser settings. These apps also collect information relating to users' browsing habits. Note that people often download and install browser hijackers inadvertently. Therefore, Spacerin and other apps of this type are categorized as potentially unwanted applications (PUAs).