Virus and Spyware Removal Guides, uninstall instructions

0123movies.com Malware

What kind of page is 0123movies.com?

The 0123movies.com website allows visitors to watch movies online free of charge. This may seem to be a legitimate and useful website; however, its developers use it to promote other dubious sites, software, various services, and so on. Note that the site causes redirects to other untrustworthy websites.

Furthermore, these redirects occur on virtually every mouse click. To avoid the resultant installation of unwanted apps and computer infections, we recommend that you avoid 0123movies.com and any associated services.

   
ms13 Ransomware

What is ms13?

Discovered by Jakub Kroustek, ms13 is yet another ransomware infection belonging to the Dharma malware family. As with other viruses of this kind, ms13 compromises stored data by encryption. In addition, it appends filenames with the ".ms13" extension plus the victim's unique ID and developer's email address.

For example, "sample.jpg" might be renamed to a filename such as "sample.jpg.id-1E857D00.[ms_13@aol.com].ms13". After successful encryption, ms13 displays a pop-up window and places a text file ("FILES ENCRYPTED.txt") on the desktop.

   
ChangeToPDF Adware (Mac)

What is ChangeToPDF?

The ChangeToPDF app is promoted as a PDF converter that allows users to convert their PDF files to various other formats such as Word, PowerPoint, Excel, PNG, JPG, etc.

In fact, this software originates from the Bundlore adware family and is used to distribute adware-type applications to Mac computers via the "bundling" method. If installed, adware displays intrusive advertisements and gathers information.

   
Marozka Ransomware

What is Marozka ransomware?

Discovered by GrujaRS, Marozka is a ransomware-type program that is based on an open-source ransomware project called Hidden Tear. It encrypts data using AES cryptography and creates a ransom message within a text file called "HOW TO DECRYPT FILES.txt", which can be found in each folder that contains encrypted files.

It also adds the ".Marozka" extension to encrypted files. For example, "1.jpg" is renamed to "1.jpg.Marozka". Additionally, Marozka changes the desktop wallpaper.

   
Dongtaiwang.com Malware

What is dongtaiwang.com?

The dongtaiwang.com website is created for Chinese-speaking users and promotes a VPN (Virtual Private Network) called Freegate. This app accesses websites that are otherwise blocked in the user's country.

Note, however, that it is categorized as a browser hijacker, a potentially unwanted application (PUA), since it changes browser settings, promotes the dongtaiwang.com website and articles, and collects information relating to users' browsing habits.

   
Redrentalservice.com POP-UP Redirect

What is redrentalservice.com?

redrentalservice.com (a successor of setforconfigplease.com) is one of many websites that cause redirects to other untrustworthy sites. Some examples of other websites that operate in this way are setforconfigplease.com, somelandingpage.com, and setforspecialdomain.com.

People are usually redirected to these websites when cyber criminals exploit bugs in Content Management Systems (CMS) such as WordPress, Joomla, etc., and in various extensions installed on these systems.

Cyber criminals inject malicious scripts into legitimate websites, which results in redirects to other dubious sites (such as redrentalservice.com) when users visit the hijacked, legitimate site.

   
Flash Player Auto Update Daemon POP-UP Scam (Mac)

What is "Flash Player Auto Update Daemon"?

"Flash Player Auto Update Daemon" is a fake system notification (pop-up window) encouraging Mac users to update their Flash Players. Typically, such notifications appear due to installed adware-type apps that are categorized as potentially unwanted applications (PUAs). These usually feed users with ads and collect browsing-related data.

   
securityP Ransomware

What is securityP?

Originating from the Paradise malware family, securityP is a high-risk ransomware discovered by Michael Gillespie.

This malware is designed to encrypt stored data and append filenames with the ".securityP" extension plus the victim's unique ID and developer's email address (e.g., "sample.jpg" might be renamed to a filename such as "sample.jpg_wblbXJ_{support@p-security.li}.securityP").

Compromised data immediately becomes unusable. After successful encryption, securityP places a text file ("Instructions with your files.txt") in each folder containing encrypted files and opens a pop-up window - this behavior is common to rogue software.

   
Baldr Stealer

What is Baldr?

Baldr stealer (also known as Trojan:MSIL/Darbl.A) is a malicious program that steals data. Cyber criminals can purchase this tool from hacking forums to generate revenue by misusing recorded (stolen) information. Generally, they present this program as a tool that can be used for a number of purposes.

At the time of research, it was promoted through CS:GO cheat videos as a program that supposedly allows users to cheat when playing this particular game. In this way, cyber criminals trick people into downloading and installing this rogue program.

   
Stun Ransomware

What is Stun?

Stun is yet another variant of Dharma ransomware and was first discovered by Jakub Kroustek. As with its predecessor, Stun also encrypts most stored files and appends filenames with the ".stun" extension plus the victim's unique ID and developer's email address.

For example, "sample.jpg" might be renamed to a filename such as "sample.jpg.id-1E857D00.[unlockdata@foxmail.com].stun". Encrypted data immediately becomes unusable. Stun also opens a pop-up window and places a "FILES ENCRYPTED.txt" file on the desktop.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
