Virus and Spyware Removal Guides, uninstall instructions

What is Onim ransomware?

Onim is a ransomware-type program discovered by malware researcher S!Ri. Systems infected with this malware experience data encryption (i.e., affected files are rendered inaccessible) and victims receive ransom demands for decryption.

During the encryption process, files are appended with the ".aes" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.aes" following encryption.

After this process is complete, ransom messages in "Readme.txt" files are dropped into compromised folders. Additionally, Onim changes the desktop wallpaper.

What is WebRadioSearch?

WebRadioSearch is rogue software categorized as a browser hijacker. It operates by making changes to browser settings to promote the webradiosearch.com fake search engine. Furthermore, most browser hijackers can monitor users' browsing habits. Therefore, it is likely that WebRadioSearch has these data tracking capabilities as well.

Due to the dubious techniques used to proliferate browser hijackers, they are also classified as Potentially Unwanted Applications (PUAs).

What is Pecunia?

Typically, ransomware encrypts files and generates ransom messages. Malware of this type prevents victims from accessing/using files and encourages them to purchase decryption tools.

Pecunia encrypts files, renames them, and creates the "readme-warning.txt" text file (ransom message) in folders containing affected data. It renames files by appending a string of randomly-generated characters, the pecunia0318@airmail.cc email address and ".pecunia" as the file extension to the filenames. For example, "1.jpg" is renamed to "1.jpg.[9B83A23].[pecunia0318@airmail.cc].pecunia", "2.jpg" to "2.jpg.[9B83A23].[pecunia0318@airmail.cc].pecunia", and so on.

Note that Pecunia is part of the Makop ransomware family.

What is landoseseq[.]com?

landoseseq[.]com is a deceptive website designed to scare visitors into downloading and installing a potentially unwanted application (PUA). Like most websites of this type, landoseseq[.]com claims to be an official Apple website and to have detected a Trojan on the device.

Notifications, virus alerts and other messages on websites such as landoseseq[.]com are fake and should be ignored. Typically, these web pages are promoted through other untrusted pages, deceptive advertisements, and PUAs.

What is PC CURE PRO?

PC CURE PRO is an untrusted application, promoted as an operating system optimization tool. It is supposedly capable of resolving Windows Registry issues and removing various errors.

Due to the dubious techniques used to proliferate this app, it is categorized as a Potentially Unwanted Application (PUA). Software within this category may seem legitimate, yet it is usually nonoperational.

Furthermore, PUAs often have undisclosed, dangerous capabilities.

What kind of malware is DarkCrystal?

DarkCrystal, also known as dcRAT, is a Remote Access Trojan (RAT). Malware of this type enables remote access and control over an infected device. RATs can manipulate machines in various ways and can have likewise varied functionality.

DarkCrystal is a dangerous piece of software, which poses a significant threat to device and user safety.

What is Crapsomware?

Discovered by Petrovic, Crapsomware is a ransomware-type program designed to encrypt data and demand payment for decryption tools. I.e., the files affected by Crapsomware are rendered inaccessible, and victims are asked to pay a ransom to unlock them.

During the encryption process, files are appended with the ".crap" extension. For example, a file initially named something like "1.jpg" would appear as "1.jpg.crap", "2.jpg" as "2.jpg.crap", etc.

Following the completion of this process, a ransom message is displayed in a pop-up window.

What is fastcaptcharesolve[.]com?

fastcaptcharesolve[.]com is a rogue website, sharing many similarities with thedailyrobotcheck.site, bestletherservice.me, wholefreshposts.com, and countless others. This page operates by delivering dubious content and redirecting visitors to other untrusted/malicious sites.

Users rarely access web pages of this kind intentionally - most are redirected to them by intrusive ads or installed Potentially Unwanted Applications (PUAs). This software does not require explicit permission to infiltrate systems, and thus users may be unaware of its presence.

PUAs cause redirects, run intrusive ad campaigns, and collect browsing-related information.

What is ardoppoprus[.]biz?

Sharing many common traits with thedailyrobotcheck.site, bestletherservice.me, wholefreshposts.com, filemix-1.com, pushails.com, and thousands of others, ardoppoprus[.]biz is an untrusted website. Visitors to this site are presented with dubious content and/or are redirected to other rogue or possibly malicious pages.

Most users enter these websites inadvertently - they are redirected to them by intrusive advertisements or installed Potentially Unwanted Applications (PUAs). These apps do not need explicit user permission to infiltrate devices. PUAs have dangerous functionality such as causing redirects, delivering intrusive advertisement campaigns, and collecting browsing-related information.

What is the Ghost ransomware?

Ghost is the name of a ransomware-type program. It is designed to encrypt and rename data - in order to demand ransoms for the decryption tools. In other words, files affected by Ghost malware are rendered inaccessible, and victims are asked to pay - to recover access to their data.

During the encryption process, filenames are appended with an extension, which differs throughout Ghost variants.

Versions of this ransomware have been observed adding the ".BeHappy", ".D0ntW0rry", ".GetMoney", ".Gets", ".KrB3Ha99y", ".KrDontCry", ".Spanishghost", ".Welcomeghost", ".dkghost", ".jpghosts", ".phantom", ".rsaes", ".ryuks", and ".vjiszy1lo" extensions to the files.

Therefore, a file originally named something like "1.jpg" could appear as "1.jpg.BeHappy", "1.jpg.D0ntW0rry", "1.jpg.GetMoney", "1.jpg.Gets", etc. - depending on the ransomware variant.

Once the encryption process is complete, ransom notes - "HOW_CAN_GET_FILES_BACK.txt" and "HOW_CAN_GET_FILES_BACK.rtf" - are dropped into compromised folders.