Virus and Spyware Removal Guides, uninstall instructions

TurkStatik Ransomware

What is TurkStatik?

Discovered by cyber security researcher Jack, TurkStatik is rogue software classified as ransomware. This malicious program is designed to encrypt data and demand ransom payments for decryption. During the encryption process, all affected files are appended with the ".ciphered" extension.

For example, "1.jpg" might appear as "1.jpg.ciphered", and so on. After this process is complete, a text file named "README_DONT_DELETE.txt" is stored in each folder containing encrypted files.

   
Cr447.xyz Redirect

What is cr447.xyz?

cr447.xyz is the address of a fake search engine, which is promoted through various potentially unwanted applications (PUAs) that are also categorized as browser hijackers. One of these apps (called APP) targets Google Chrome users. Research shows that cr447.xyz is related to QIP, another fake search engine.

Typically, people do not download or install browser hijackers intentionally. When installed, they generally change browser settings and record browsing data. Note, however, that the aforementioned PUA (APP) does not actually change browser settings.

   
Call Microsoft Helpline POP-UP Scam

What is "Call Microsoft Helpline"?

"Call Microsoft Helpline" is a scam run by deceptive websites. It operates by tricking users into believing that their device is infected and that they need to contact the (fake) technical support provided to resolve the issues. Note that no website can detect threats present on users' systems and any claims to this effect cannot be trusted.

This specific scam claims to originate from Microsoft; however, this is also false. Microsoft has no association with "Call Microsoft Helpline". Few people visit these deceptive, rogue sites intentionally. Most are redirected by intrusive advertisements or Potentially Unwanted Applications (PUAs) already present on the device.

   
UPS Email Virus

What is "UPS Email Virus"?

"UPS Email Virus" is a spam email campaign used to proliferate a high-risk virus called Hancitor. Cyber criminals send thousands of emails encouraging users to open attached documents. In this case, the email is presented as a notification from the UPS company; however, opening the attached file leads to infiltration of Hancitor malware.

   
F*CKaNDrUN Ransomware

What is F*CKaNDrUN?

Discovered by MalwareHunterTeam, F*CKaNDrUN is malicious software classified as ransomware and based on an open-source project called Hidden Tear. Victims who have computers infected with F*CKaNDrUN cannot access or use encrypted files unless they decode them with a key that can only be purchased from the cyber criminals who designed this software.

F*CKaNDrUN changes the victim's wallpaper, creates a ransom message within the "READ_IT.txt" text file, and appends the ".F*CKaNDrUN" extension (with "U" instead of "*") to each encrypted file. For example, "1.jpg" becomes "1.jpg.F*CKaNDrUN", and so on.

   
International promotion of postal services POP-UP Scam

What is "International promotion of postal services"?

"International promotion of postal services" is a scam proliferated by deceptive/scam sites. It operates by congratulating visitors on having been chosen by Company Control Service and "the international share of postal services" as one of several hundred annual "Happy e-mail" winners.

Users are notified that their email inboxes were chosen and that they have consequently won a monetary prize. These scams use social engineering tactics to fool users into revealing their personal and banking information. Rather than receiving any prizes, users experience financial loss.

Typically, web pages hosting these scams are accessed via redirects caused by intrusive advertisements or Potentially Unwanted Applications (PUAs) that have already infiltrated the device.

   
Rote Ransomware

What is Rote?

Rote belongs to the Djvu ransomware family. It encrypts victims' data, changes the filename of each encrypted file, and creates a text file that contains instructions on how to contact the cyber criminals, along with other details.

It renames encrypted files by appending the ".rote" extension to filenames (for example, "1.jpg" becomes "1.jpg.rote", and so on) and creates the "_readme.txt" text file.

   
Zobm Ransomware

What is Zobm?

Discovered by Amigo-A, Zobm ransomware is a part of the Djvu family of ransomware-type malware. Like most programs of this type, it encrypts (locks) data, creates a ransom message, and adds its extension to each encrypted file. Zobm creates the "_readme.txt" file and appends the ".zobm" extension. For example, "1.jpg" becomes "1.jpg.zobm", and so on.

   
Gov Tax Info Browser Hijacker

What is Gov Tax Info?

Gov Tax Info is a browser hijacker, which is advertised as a tool for easy access to various governmental forms. It can supposedly provide medical, travel, and revenue forms, and also news, weather forecasts, and email service web sites. In fact, it changes browser settings to promote a fake search engine (search.govtaxinfotab.com).

Furthermore, this app has data tracking capabilities, which are employed to monitor users' browsing habits. Due to its dubious proliferation methods, Gov Tax Info is also classed as a Potentially Unwanted Application (PUA). This browser hijacker is often distributed together with another PUA called Hide My Searches.

   
Deuce Ransomware

What is Deuce?

Deuce is a ransomware-type program, designed to encrypt data and demand ransom payments for decryption. The program belongs to the Phobos ransomware family. During the encryption process, all files are renamed with the victim's ID number, developer's email address, and ".deuce" (".id[victim's_ID].[prndssdnrp@mail.fr].deuce").

For example, "1.jpg" might appear as "1.jpg.id[1E857D00-2503].[prndssdnrp@mail.fr].deuce", and so on for all compromised files. Two files ("info.hta" and "info.txt") are then stored in each affected folder. Updated variants of this ransomware use the ".[topot@cock.li].deuce" extension for encrypted files.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
