Virus and Spyware Removal Guides, uninstall instructions

What is Mark (Dharma)?

Discovered by Jakub Kroustek, Mark (Dharma) is a part of the Dharma ransomware family. This ransomware renames all encrypted files by adding the victim's ID, mark_white@mail.ua email address, and ".Mark" extension to filenames. For example, a file named "1.jpg" might become "1.jpg.id-1E857D00.[mark_white@mail.ua].Mark", and so on.

Mark (Dharma) ransomware also creates a ransom message within a text file ("FILES ENCRYPTED.txt") and displays another message in a pop-up window.

What is the Voyager ransomware?

Discovered by Petrovic, Voyager is a new variant of Hermes837 ransomware. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the ".voyager" extension.

For example, a file named "1.jpg" would appear as "1.jpg.voyager" following encryption. After this process is complete, a ransom message ("!READ_ME.txt") is dropped into each compromised folder.

What is SpeedyFixer?

SpeedyFixer is advertised as software that boosts computer speed and fixes various errors, crashes and application freezes. In fact, it is classified as a potentially unwanted application (PUA) due to its associated distribution methods (SpeedyFixer is promoted by including it into the set-ups of other software).

Many users download and install applications of this type unintentionally.

What are the Gourluck websites?

Gourluck is a group of deceptive sites. These web pages run various scams, including a commonly promoted scheme called "Dear Safari User, You Are Today's Lucky Visitor". Few users enter these websites intentionally - most are redirected to them by intrusive ads or Potentially Unwanted Applications (PUAs) already infiltrated into the system.

Note that these apps do not need explicit consent to be installed onto devices. Following successful infiltration, however, PUAs cause redirects, deliver intrusive advertisement campaigns, hijack browsers and track data.

What is Adhubllka ransomware?

Discovered by S!Ri, Adhubllka is a malicious program classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for appropriate decryption tools/software. When Adhubllka encrypts, it renames files by adding the ".ADHUBLLKA" extension.

For example, a file originally named "1.jpg" would appear as "1.jpg.ADHUBLLKA" following encryption, and so on for all affected files. After this process is complete, a text file ("read_me.txt") containing the ransom message is created on the desktop.

What is Horseleader?

Discovered by Jirehlov, Horseleader is a part of the Garrantydecrypt ransomware family. This ransomware renames encrypted files by appending the ".horseleader" extension to filenames. For example, it renames "1.jpg" to "1.jpg.horseleader", and so on.

It also changes the desktop wallpaper and creates a ransom message within the "#Decrypt#.txt" file. Horseleader stores this file in all folders that contain encrypted data.

What is LatenBot?

LatentBot is malicious software written in the Delphi programming language. It is capable of operating as a keystroke logger, form grabber, cookie stealer and Remote Access/Administration Tool (RAT). Cyber criminals behind this malware can use it to generate in various ways.

If your computer is infected with LatentBot, remove this malicious software immediately, since it can cause serious problems.

What is PDFEasyTool?

The PDFEasyTool application supposedly operates as a media file converter (conversion of various files to PDF documents). In fact, this is a browser hijacker that promotes a fake search engine. PDFEasyTool promotes pdfeasytool.com by changing certain browser settings.

Most browser hijackers are designed to promote fake search engines and gather information. Note that people do not usually download or install browser hijackers intentionally and, therefore, these apps are classified as potentially unwanted applications (PUAs).

What is the califiesrease[.]info website?

califiesrease[.]info is a rogue site similar to go9news.biz, speakwithjohns.com, goodbase.biz and countless others. Visitors to these web pages are presented with dubious content and/or are redirected to other untrusted or malicious websites.

Users rarely enter rogue sites intentionally - most are redirected to them by intrusive advertisements or Potentially Unwanted Applications (PUAs) already installed on the system. These apps do not need express user permission to infiltrate devices, and therefore you might be unaware of their presence.

PUAs operate by causing redirects, running intrusive ad campaigns and tracking browsing-related data.

What are the Primechse sites?

Primechse is a group of deceptive websites promoting various scams. Sites belonging to this group have been observed promoting the "Dear Safari User, You Are Today's Lucky Visitor" scheme, however, they might also promote other scams and untrustworthy or malicious web pages.

Most visits to Primechse web pages occur via redirects caused by intrusive advertisements or Potentially Unwanted Applications (PUAs) already infiltrated into the system.