Virus and Spyware Removal Guides, uninstall instructions

Onix Ransomware

What is Onix ransomware?

Onix is malicious software categorized as ransomware. It operates by encrypting the data of infected systems to demand ransom payments for decryption tools.

During the encryption process, all affected files are renamed according to this pattern: original filename, random number, cyber criminals' email address and the ".ONIX" extension (e.g. "[random_number].petek@tutanota.com.ONIX").

For example, a file like "1.jpg" would appear as something similar to "1.jpg.33868453691972502380.petek@tutanota.com.ONIX" following encryption.

There are several variants of this malware. After the encryption process is complete, they drop a ransom message ("TRY_TO_READ.html") on the desktop and change the wallpaper. The text presented in the messages is identical in both variants, the only difference being the email addresses presented.

Updated variants of this ransomware use the ".Ad_finem@tutanotam.com.ONIX" extension for encrypted files.

   
AOL Winner Email Scam

What is "AOL Winner Email Scam"?

This email scam delivers messages that appear to be emails from AOL, an online service provider company. The scammers behind the scheme attempt to trick unsuspecting recipients into providing various information. Typically, scammers misuse provided details to generate revenue in various ways.

Trusting these emails exposes recipients to the risk of a number of problems. Therefore, ignore these emails.

   
SystemNotes Adware (Mac)

What is SystemNotes?

SystemNotes is software categorized as adware. As with most applications within this category, it is promoted as a tool for improving the browsing experience by providing fast searches, accurate search results, etc. In fact, this rogue app diminishes the browsing experience by running intrusive advertisement campaigns.

Due to the dubious proliferation methods used to promote SystemNotes (most users download/install it inadvertently), it is also classified as a Potentially Unwanted Application (PUA). Furthermore, most PUAs (including adware) monitor users' browsing habits and gather information derived from it.

   
Biglocateriod.pro Ads

What is biglocateriod[.]pro?

biglocateriod[.]pro is a rogue website, and one of many similar pages on the internet. Some other examples include yaarileads[.]com, norobotcapcha2020[.]info and topoffers4all[.]com. Browsers are commonly forced to open these pages by installed potentially unwanted applications (PUAs).

Therefore, most people do not visit them intentionally. When opened, web pages such as biglocateriod[.]pro load dubious content or redirect visitors to other untrusted websites. PUAs also gather browsing data and display intrusive advertisements.

   
BenefitSites Adware (Mac)

What is BenefitSites?

BenefitSites is an app supposedly designed to improve the browsing experience; however, it is categorized as adware, a potentially unwanted application (PUA). Adware-type apps such as BenefitSites serve various advertisements and gather information relating to users' browsing habits.

In most cases, people download and install PUAs such as BenefitSites inadvertently.

   
Dharma (.WHY) Ransomware

What is Dharma (.WHY)?

Discovered by Raby, Dharma (.WHY) is a malicious program, which is part of the Crysis/Dharma ransomware family. Systems infected with this program have data encrypted and users receive ransom demands for decryption.

When Dharma (.WHY) encrypts, compromised files are renamed following this pattern: original filename, victim's unique ID, cyber criminals' email address and the ".WHY" extension. For example, a file such as "1.jpg" would appear as "1.jpg.id-1E857D00.[mr.crypteur@protonmail.com].WHY" after encryption.

Once this process is complete, a text file ("FILES ENCRYPTED.txt") is created on the desktop and a pop-up window is displayed.

   
Parrot Ransomware

What is Parrot?

Parrot is malicious software belonging to the Dcrtr ransomware family. It operates by encrypting data and demanding payment for decryption tools. When Parrot malware encrypts, all affected files are appended with the developer's email address and the ".parrot" extension.

For example, a file such as "1.jpg" might become similar to "1.jpg[cryptonationusa@protonmail.com].parrot". After this process is complete, a ransom message ("ReadMe_Decryptor.txt") is dropped onto the desktop.

   
Ragnar Locker Ransomware

What kind of malware is Ragnar Locker?

Ragnar Locker is ransomware-type software designed not only to encrypt data but also to terminate installed programs (such as ConnectWise and Kaseya), which are commonly used by managed service providers and various Windows services. This ransomware renames encrypted files by appending an extension, which contains "ragnar" and a string of random characters.

For example, it will rename a file named "1.jpg" to "1.jpg.ragnar_0DE48AAB", and so on. It also creates a ransom message in a text file, the name of which contains the same string of random characters as the appended extension. In this case, the ransom message would be named "RGNR_0DE48AAB.txt".

   
Flash Player Update Download New Version POP-UP Scam (Mac)

What is "Flash Player Update Download New Version"?

"Flash Player Update Download New Version" is a deceptive pop-up displayed by various scam websites. When sites running this scam are accessed, visitors are offered download/installation of fake Flash Player updates. Note that bogus updaters are commonly used to infiltrate systems with untrusted or malicious content.

The "Flash Player Update Download New Version" scheme has been observed promoting browser hijackers (e.g. SearchMine) and adware (e.g. MediaDownloader and MyCouponsmart) via fake update installers; however, other dubious or malicious software (e.g. trojans, ransomware, etc.) might also be installed through these bogus updates.

The updaters promoted by "Flash Player Update Download New Version" often originate from the Bundlore family. Most visitors to deceptive/scam web pages access them inadvertently through redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already installed on the system.

   
Razor Ransomware

What is Razor?

Discovered by dnwls0719, Razor is part of the Garrantydecrypt ransomware family. Like many other programs of this type, Razor is designed to encrypt files (rendering them unusable/inaccessible), modify filenames, create ransom messages and change desktop wallpapers.

Razor renames files by appending the ".razor" extension to filenames. For example, it renames "1.jpg" to "1.jpg.razor", and so on. It also creates a ransom message within a text file named "#RECOVERY#.txt". This file contains instructions about how to contact Razor's developers (cyber criminals) and other details.

   
