Virus and Spyware Removal Guides, uninstall instructions

What is Kodc?

Discovered by Michael Gillespie, Kodc is a malicious program belonging to the Stop/Djvu ransomware family. Systems infected with this malware have data encrypted and their respective users receive ransom demands for decryption. When Kodc ransomware encrypts, all files are appended with the ".kodc" extension.

For example, a filename such as "1.jpg" appears as "1.jpg.kodc" following encryption, and so on for all affected files. After this process is finished, a text file ("_readme.txt") is created on the desktop.

What is UpgradeStart?

UpgradeStart is a potentially unwanted application (PUA), an adware-type app that supposedly improves the browsing experience. In fact, adware serves various advertisements. Furthermore, applications such as UpgradeStart also gather information. People generally download and install adware unintentionally, and thus these apps are classified as PUAs.

What is BWNG?

BWNG belongs to the Matrix ransomware family. It encrypts victim's files, changing the filenames, and also stores several additional files on the desktop. BWNG renames each encrypted file using the following pattern: "[billwong73@yahoo.com].[random_string].BWNG", thus making them indistinguishable.

Furthermore, this ransomware creates five files and stores them on the desktop: "!BWNG_INFO!.rtf", "ALL_dmp.fldp", "bad_337D896C84DC0BCE.txt", "LFIN_337D896C84DC0BCE.txt", "log.txt" and "NWjsyZ8e.exe". The "!BWNG_INFO!.rtf" file is a ransom message containing instructions about how to contact the cyber criminals who designed BWNG.

What is Mark?

Mark is malicious software and a variant of Paradise ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools/software.

During the encryption process, files are renamed according to the following pattern: original title, the word "mark" accompanied by underscore symbols, the victim's unique ID in braces and the ".mak" extension.

For example, "_mark_{victim's ID}.mak". A filename such as "1.jpg" might thus appear as something similar to "1.jpg_mark_{kmllxU}.mak", and so on for all affected files. After this process is complete, a text file ("---==%$$$OPEN_ME_UP$$$==---.txt") is stored on the desktop.

What is 5ss5c?

Discovered by malware researcher, Onion, 5ss5c is malicious software and an updated variant of Satan ransomware. It operates by encrypting data and demanding payment for decryption. When 5ss5c ransomware encrypts, all affected files are renamed according to the following pattern: "[5ss5c@mail.ru][ORIGINAL_FILENAME].[RANDOM_STRING].5ss5c".

For example, a file entitled "1.jpg" might appear as something like "[5ss5c@mail.ru]1.jpg .TPTV2HP2MSLNOW85SH682X82ILJ4B6TGHZPC95QM.5ss5c". Once this process is complete, a text file ("_如何解密我的文件_.txt") containing a ransom message in Chinese is stored on the infected system's "C:\" disk drive.

What is "YOU ARE THE CHOSEN!"?

"YOU ARE THE CHOSEN!" is a scam run by deceptive websites. It claims that visitors have been chosen and can win a special reward.

These scams are simply intended to generate revenue for their designers. They must never be trusted, as doing so can lead to serious issues. Sites that promote "YOU ARE THE CHOSEN!" and similar scams are typically accessed via redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already infiltrated into the system.

What is install-plug-s3[.]com?

install-plug-s3[.]com is designed by scammers who seek to deceive unsuspecting visitors into installing potentially unwanted applications (PUAs), such as browser hijackers, adware or other apps of this kind, through a fake Adobe Flash Player installer. In some cases, these websites are used to spread malicious programs including ransomware, Trojans, and other malware.

Neither install-plug-s3[.]com nor other similar websites (there are many ) can be trusted. Typically, they are opened through other untrustworthy websites, deceptive advertisements or PUAs already installed on browsers and/or operating systems. People generally arrive at sites such as install-plug-s3[.]com unintentionally.

What is JhoneRAT?

JhoneRAT is the name of a Remote Access Tool (Trojan), which is distributed through malicious Microsoft Office documents. Cyber criminals behind it target Arabic-speaking users.

This malicious program selects (by filtering) victims by checking the keyboard layout of their computers. JhoneRAT is capable of downloading additional payloads (infecting systems with other malware) and gathering information about the victim's computer.

What is "You have (1) package waiting"?

"You have (1) package waiting" is a scam run by deceptive websites. Under the guise of an official delivery tracking site, the scam claims that visitors have packages waiting for them. The purpose of this scheme is to trick users into making a monetary transaction, a fake delivery fee.

All information provided by this scam is deceptive and there is no package for collection. Making any payments will not allow users to receive any deliveries. These deceptive/scam websites are usually accessed via redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already present on the system.

What is Picocode?

Discovered by GrujaRS, Picocode is ransomware and an updated version of Pico. Like many other programs of this type, Picocode changes filenames of all encrypted files and creates a ransom message. It renames files by appending the ".picocode#" extension and a number.

For example, it renames "1.jpg" to "1.jpg.picocode#8523", and so on. It also creates a text file ("README.txt"), which contains instructions about how to pay a ransom (pay for a decryption tool).