Virus and Spyware Removal Guides, uninstall instructions

WELL Ransomware

What is WELL?

WELL is one of many malicious programs that are part of the Dharma ransomware family. It encrypts data, changes the names of all encrypted files, displays a pop-up window containing a ransom message and creates another in a text file.

WELL renames all encrypted files by adding the victim's ID and the mewellwisher@protonmail.ch email address, and appending the ".WELL" extension to filenames.

For example, it might rename "1.jpg" to "1.jpg.id-1E857D00.[mewellwisher@protonmail.ch].WELL", "2.jpg" to "2.jpg.id-1E857D00.[mewellwisher@protonmail.ch].WELL", and so on. It also creates a text file named "FILES ENCRYPTED.txt".

   
Frogo Ransomware

What is Frogo?

Frogo is malicious software belonging to the Amnesia ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools. During the encryption process, all affected files are renamed following a pattern consisting of a random string of characters and the ".frogo" extension.

For example, a file originally named "1.jpg" would appear as something similar to "kcTJLReLAMkMT4.frogo", and so on. After this process is complete, a ransom message within the "HOW TO RECOVER ENCRYPTED FILES.TXT" text file is dropped into compromised folders.

   
SARS eFiling Email Virus

What is "SARS eFiling Email Virus"?

Like most malspam campaigns, this one is sent by cyber criminals who attempt to trick recipients into installing malware. In this particular case, the email is disguised as a message from South African Revenue Service (SARS).

The main aim of the cyber criminals responsible is to deceive recipients into opening the malicious attachment, which contains a malicious executable designed to install the Agent Tesla Remote Access Trojan (RAT). Therefore, you are strongly advised to leave the attached file unopened and ignore this email.

   
DualShot Ransomware

What is DualShot?

DualShot was discovered by S!Ri. This ransomware encrypts and renames files, and displays a ransom message in a pop-up window. DualShot renames encrypted files by appending the ".dsec" extension to filenames. For example, "1.jpg" would be renamed to "1.jpg.dsec", "2.jpg" to "2.jpg.dsec", and so on.

The displayed ransom message contains details such as the size of the ransom, how to pay, and various other information.

   
Cuerpo Nacional De Policía Email Virus

What is the "Cuerpo Nacional de Policía" email?

"Cuerpo Nacional de Policía" is a scam email disguised as a summons issued due to an ongoing investigation by the National Police Corps (Cuerpo Nacional de Policía), the national civilian police force of Spain. This scheme employs scare tactics and claims that recipients are suspects in a bank fraud investigation.

These messages are designed to proliferate the NanoCore RAT (Remote Access Trojan). This malware is disguised as an attached document containing important information, which must be read prior to the briefing.

   
MessengerHub Adware

What is MessengerHub?

MessengerHub is advertised as an instant messaging application, which includes a video chat feature. After installation, however, it starts to serve various advertisements. Therefore, MessengerHub is classified as adware.

Note that users often download and install adware accidentally and, therefore, programs of this type are also known as potentially unwanted applications (PUAs). Be aware that adware-type programs often collect user-system information.

   
Coronavirus Ransomware

What is Coronavirus?

Coronavirus is a part of Scarab, a family of ransomware programs. It encrypts files and modifies their filenames, changes the desktop wallpaper and creates other ransom messages in text files, and disables Task Manager. Coronavirus renames files by appending the ".coronavirus" extension.

For example, it renames "1.jpg" to "1.jpg.coronavirus", "2.jpg" to "2.jpg.coronavirus", etc. It drops text files named "HOW TO RECOVER ENCRYPTED FILES.TXT" into all folders that contain encrypted files.

   
QuericsSearch Browser Hijacker

What is QuericsSearch?

The QuericsSearch browser hijacker promotes search.querics.net by changing certain browser settings. In this way, the app hijacks browsers to promote a fake search engine. Furthermore, this app adds the "Managed by your organization" feature to Google Chrome browsers and might also be designed to gather browsing data.

Commonly, users download and install browser hijackers unintentionally - research shows that QuericsSearch is distributed through a deceptive (unofficial) Adobe Photoshop activation tool. Therefore, this and other similar apps are categorized as potentially unwanted applications (PUAs).

   
My Sweeps Tab Browser Hijacker

What is My Sweeps Tab?

My Sweeps Tab is a rogue application categorized as a browser hijacker. It operates by making alterations to browser settings to promote hmysweepstab.com (a fake search engine).

This app also monitors users' browsing habits. Due to the methods used to distribute My Sweeps Tab, most people download/install this software inadvertently, and it is therefore also classified as a Potentially Unwanted Application (PUA). Additionally, My Sweeps Tab is often proliferated with another PUA called Hide My History.

   
Windows Firewall Has Blocked Some Features Of This Program POP-UP Scam

What is the "Windows firewall has blocked some features of this program" scam?

"Windows firewall has blocked some features of this program" is a deceptive pop-up window displayed by untrusted websites. It is disguised as a genuine Windows error message. The purpose of this scam is to trick people into calling a bogus technical support helpline.

Trusting this fake alert can lead to financial loss, serious privacy issues, system infections and other serious problems. Few visitors access sites promoting scams such as this intentionally - most are redirected to them by intrusive ads or Potentially Unwanted Applications (PUAs). These rogue apps do not need express user permission to be installed onto the system.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
