Virus and Spyware Removal Guides, uninstall instructions

Dogelon Mars (ELON) Giveaway Scam

What is Dogelon Mars (ELON) giveaway scam?

One of the most popular crypto-related scam types is the giveaway scam, which offers participants a chance to multiply their cryptocurrency, for example, to get back double the amount of cryptocurrency they deposit. Scammers commonly use the names of well-known people (e.g., Elon Musk, Steve Wozniak) to trick people into sending them cryptocurrency.

Cryptocurrency transactions on the Bitcoin, Ethereum, and other networks are irreversible. Therefore, people who fall for these giveaway scams lose their money/cryptocurrency without a chance to get them back.

   
Matryoshka Ransomware

What is Matryoshka?

Ransomware is a form of malware that makes files inaccessible by encrypting them. Usually, victims cannot decrypt files without a decryption tool that can be provided only by the attackers.

Matryoshka encrypts and renames files. It appends the ".matryoshka" extension to their filenames.

For example, it renames a file named "1.jpg" to "1.jpg.matryoshka", "2.jpg" to "2.jpg.matryoshka", and so forth.

Matryoshka displays a pop-up window as its ransom note. It contains instructions on how to pay for data decryption and other information.

   
Sal13 Ransomware

What is the Sal13 ransomware?

Belonging to the Xorist ransomware family, Sal13 is a malicious program that encrypts data and demands payment for decryption. In other words, files on systems infected with Sal13 are rendered inaccessible/useless, and victims are issued demands for payment to recover access.

During the encryption process, affected files are appended with the ".Sal13" extension. To elaborate, a file initially titled something like "1.jpg" would appear as "1.jpg.Sal13", "2.jpg" as "2.jpg.Sal13", "3.jpg" as "3.jpg.Sal13", etc.

Once this process is complete, identical ransom notes are created/displayed in a pop-up window and "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" text files, which are dropped into compromised folders.

If the affected operating system does not have the Cyrillic alphabet installed, the text presented in the pop-up will appear as nonsensical gibberish. Furthermore, Sal13 ransomware changes the desktop wallpaper.

   
Your MAC Has Been Blocked Due To Suspicious Activity! POP-UP Scam (Mac)

What is "Your MAC has been blocked due to suspicious activity!" scam?

Typically, scammers behind technical support scams claim to offer legitimate technical support services. Their websites display fake virus notifications stating that the device is infected with a virus or there is another problem that needs to be solved immediately.

The main purpose of such scams is to trick unsuspecting users into calling the provided number and then paying money for some unnecessary software, services, or providing remote access to a computer. It is noteworthy that users do not visit technical support scam websites on purpose.

Usually, these pages get opened through shady advertisements, websites, or installed potentially unwanted applications (PUAs).

   
Cesar Ransomware

What kind of malware is Cesar ransomware?

Cesar is the name of a malicious program belonging to the Dharma ransomware group. Systems infected with this malware have their data encrypted (files rendered inaccessible) and receive ransom demands for the decryption (access recovery).

During the encryption process, affected files are renamed following this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address, and the ".cesar" extension. For example, after encryption, a file initially titled "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[yasomoto@tutanota.com].cesar".

Once this process is complete, ransom-demanding messages are created/displayed in a pop-up window and a "FILES ENCRYPTED.txt" text file.

   
Eye Ransomware

What is Eye?

Ransomware is a type of malicious software that encrypts files to prevent victims from accessing them and generates a ransom note with contact and (or) payment information. Eye ransomware belongs to the Dharma ransomware family. It encrypts files and modifies their filenames by appending the victim's ID, the eye@onionmail.org email address, and the ".eye" extension.

For example, it renames a file named "1.jpg" to "1.jpg.id-C279F237.[eye@onionmail.org].eye", "2.jpg" to "2.jpg.id-C279F237.[eye@onionmail.org].eye", and so on. It displays a pop-up window and creates the "FILES ENCRYPTED.txt" file (ransom notes).

   
Igvm Ransomware

What is Igvm?

Ransomware is a form of malware that encrypts files (and often renames them) and displays or creates a ransom note. The main purpose of ransomware is to keep files inaccessible unless they are decrypted with the right decryption tool.

Igvm encrypts files and renames them by appending the ".igvm" extension to their filenames. For example, it renames a file named "1.jpg" to "1.jpg.igvm", "2.jpg" to "2.jpg.igvm", and so on.

It also creates the "_readme.txt" file (a ransom note). Igvm is part of the Djvu ransomware family.

   
Lightening Media Player Adware

What is Lightening Media Player?

As its name suggests, Lightening Media Player is supposedly a media player. However, this program is distributed by bundling it into the installation set-ups of other software. Typically, people download and install these programs unintentionally.

For this reason, Lightening Media Player is categorized as a potentially unwanted application (PUA). This program might also function as adware, feeding users with intrusive ads.

   
Ratty RAT

What is the Ratty RAT?

Ratty is a malicious program categorized as a Remote Access Tool (RAT). When used for malicious purposes, RATs are referred to as Remote Access Trojans.

Ratty malware is an open source Java RAT. This Trojan was made available on the GitHub software development platform and was strongly endorsed on HackForums.

Sometime in 2016/2017, Ratty's original uploader deleted their repository. However, several clones (potentially, other variants) of Ratty still exist. Remote access Trojans allow remote access and control over infected devices.

These malicious programs can have a broad range of functionalities that enable likewise varied misuse. RATs are highly dangerous and, as such, all infections must be eliminated immediately.

   
CALVO Ransomware

What is CALVO?

Ransomware is a type of malicious software that encrypts files (and renames them) and generates a ransom note. Typically, a ransom note generated by ransomware informs victims that they cannot access their files without the right decryption tool and provides further instructions.

CALVO encrypts files and appends the victim's ID, the seamoon@criptext.com email address, and the ".CALVO" extension to their filenames. For example, it renames a file named "1.jpg" to "1.jpg.id[C279F237-3143].[seamoon@criptext.com].CALVO", "2.jpg" to "2.jpg.id[C279F237-3143].[seamoon@criptext.com].CALVO", and so on.

It generates two ransom notes: "info.hta" and "info.txt". CALVO is part of the Phobos ransomware family.

   
