Virus and Spyware Removal Guides, uninstall instructions

Telegram Virus

What is Telegram virus?

Telegram is legitimate messaging software and an application service with approximately 500 million monthly active users. It is available for download on its official web page, Google Play, and App Store.

Research shows that there are several unofficial, deceptive pages (telegramdesktop[.]com, telegramdesktop[.]net, and telegramdesktop[.]org) offering downloads of a fake Telegram app, which actually functions as spyware and an information stealer.

There are at least three web pages used to trick users into installing the fake Telegram app. Note that these sites may appear similar to the official Telegram page (desktop.telegram.org).

   
Barboza Ransomware

What is the Barboza ransomware?

Belonging to the Matrix ransomware family, Barboza is a malicious program designed to encrypt data and demand payment for decryption. The files stored on the infected system are rendered inaccessible, and victims receive ransom demands for access recovery.

During encryption, Barboza renames files following this pattern: "[random_string].[barboza40@yahoo.com]", which consists of a random character string and the cyber criminals' email address. For example, a file originally named "1.jpg" would appear as something similar to "pAWQLhmp-4sRJ505q.[barboza40@yahoo.com]" after encryption.

Once this process is complete, ransom-demand messages in "!_!WHERE-IS-MY-FILES!_!.rtf" files are dropped into compromised folders.

Additionally, Barboza changes the desktop wallpaper.

   
Networklock Ransomware

What is Networklock?

Networklock is a type of malicious software that encrypts files and restricts access to them until a ransom is paid to decrypt (unlock) them. This ransomware variant creates ransom messages (HTML files named "Recovery_Instructions.html") in each folder that contains encrypted files.

Networklock also renames each encrypted file by appending ".networklock" to the filename. For example, "1.jpg" is renamed to "1.jpg.networklock", "2.jpg" to "2.jpg.networklock", and so on.

   
Proof Of Payment Email Scam

What is the "Proof Of Payment" scam email?

The "Proof Of Payment email scam" refers to a spam campaign, a mass-scale operation during which deceptive emails are sent by the thousand. The messages distributed through this campaign claim to contain a payment-related document attached to them.

The fake attachment redirects to a phishing website, which is presented as an email account sign-in page. The site is designed to record log-in credentials (i.e., passwords) entered into it, thereby allowing the scammers access to the vulnerable information and the associated email account.

   
Maš Velky Problem Zasifrovano Ransomware

What is Maš Velky Problem Zasifrovano?

Ransomware is a type of malicious software that renders files stored on the infected computer unusable/inaccessible by encrypting them. Typically, cyber criminals demand that victims pay a specific cryptocurrency sum to restore access to files.

Maš Velky Problem Zasifrovano encrypts files, changes desktop wallpaper, creates "HOW TO DECRYPT FILES.txt" text files in folders containing affected files, and displays a pop-up window. Maš Velky Problem Zasifrovano's desktop wallpaper, text files, and pop-up window contain the ransom messages.

This ransomware renames encrypted files by appending ".maš velky problem.zasifrovano" to filenames. For example, "1.jpg" is renamed to "1.jpg.maš velky problem.zasifrovano", "2.jpg" to "2.jpg.maš velky problem.zasifrovano", and so on.

Note that this ransomware variant belongs to the Xorist ransomware family.

   
HelpYou Ransomware

What is HelpYou ransomware?

HelpYou is a malicious program categorized as ransomware.

Systems infected with this malware experience data encryption, and users receive ransom demands for decryption. That is, files affected by HelpYou are rendered inaccessible and victims are asked to pay to recover their data.

During the encryption process, files are appended with the ".IQ_IQ" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.IQ_IQ", "2.jpg" as "2.jpg.IQ_IQ", "3.jpg" as "3.jpg.IQ_IQ", and so on.

Once this process is complete, ransom-demand messages in "HOW_TO_RECOVERY_FILES.txt" files are dropped into compromised folders.

   
SearchBrowserSky Adware (Mac)

What is SearchBrowserSky?

SearchBrowserSky is the name of an application distributed using a fake installer, which appears similar to the installer for Adobe Flash Player. Apps distributed using such methods are often downloaded and installed by users inadvertently and are thus classified as potentially unwanted applications (PUAs).

SearchBrowserSky functions as adware and as a browser hijacker: it displays advertisements and promotes a fake search engine by making certain changes to browser settings.

SearchBrowserSky and similar apps often collect information relating to users' browsing habits and other data.

   
Secured Browser Search Browser Hijacker

What is Secured Browser Search?

Secured Browser Search is classified as a browser hijacker because it promotes a fake search engine (securedbrowsersearch.com) by changing certain settings. It achieves this without users' knowledge.

Browser hijackers also collect information relating to users.

Apps such as Secured Browser Search are also classified as potentially unwanted applications (PUAs), since many people download and install them inadvertently.

   
Liveads.net Ads

What is liveads[.]net?

liveads[.]net is a rogue website sharing many similarities with freshannouncement.com, itscythera.com, load00.biz, and thousands of others. Visitors to this site are presented with dubious material and/or are redirected to other untrusted and possibly malicious web pages.

Most users access these websites via redirects caused by intrusive ads or installed Potentially Unwanted Applications (PUAs). This software does not require explicit user consent to infiltrate systems. PUAs cause redirects, deliver intrusive advertisement campaigns, and collect private data.

   
Arch Ransomware

What is Arch?

In most cases, ransomware blocks access to files by encryption, renames affected files, and creates/displays ransom messages.

Arch renames files by appending a string of randomly generated characters and numbers, the bobwhite@msgsafe.io email address, and the ".arch" extension. For example, "1.jpg" is renamed to "1.jpg.[9B83AE23].[bobwhite@msgsafe.io].arch", "2.jpg" to "2.jpg.[9B83AE23].[bobwhite@msgsafe.io].arch", and so on.

Arch also creates text files named "readme-warning.txt" (ransom messages) in all folders containing affected data.

This ransomware variant belongs to the Makop ransomware family.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
