Virus and Spyware Removal Guides, uninstall instructions

Rickwrecked Ransomware

What is Rickwrecked?

Rickwrecked is a malicious program classified as ransomware with screenlocker traits. Typically, malicious software within this classification encrypts files and/or locks the device screen to make ransom demands. However, the purpose of Rickwrecked is not monetary gain: victims are not presented with a ransom message containing the information that would enable them to pay for data/device access recovery.

This malware damages the Master Boot Record (MBR), displays messages, and then prevents victims from booting/turning on their computers.

   
Employee Retention Credit Email Virus

What is the "Employee Retention Credit" scam email?

"Employee Retention Credit email virus" refers to a spam campaign proliferating the TrickBot trojan. The term "spam campaign" defines a mass-scale operation during which deceptive emails are sent by the thousand.

The scam messages distributed through this campaign are disguised as notifications from the IRS (Internal Revenue Service), the United States main body of federal statutory tax law, responsible for collecting taxes and administering the IRC (Internal Revenue Code).

The fake IRS emails notify recipients of renewed taxation policies for businesses issued in response to the COVID-19 pandemic. The amended policies are supposedly contained in an attached Microsoft Office Excel document; however, upon opening, the file initiates the download/installation of TrickBot malware.

   
Cehuiy.com Ads

What is cehuiy[.]com?

Websites such as cehuiy[.]com are not often visited by users intentionally - they are opened via other bogus websites, dubious advertisements, or installed potentially unwanted applications (PUAs). Most PUAs gather data and generate advertisements.

Cehuiy[.]com is one of many websites of this kind on the internet. More examples are premiumbros[.]com, viketohelp[.]online, and thenicenewz[.]com.

   
365Scores - Live Scores and Sports News

What is "365Scores - Live Scores and Sports News"?

"365Scores - Live Scores and Sports News" is a typical browser hijacker: it hijacks browsers to promote a fake search engine (get365scores.com). Generally, apps of this type achieve this by changing browser settings.

365Scores - Live Scores and Sports News also reads browsing-related data. Typically, users download and install browser hijackers inadvertently and, therefore, this app and others of its type are classified as potentially unwanted applications (PUAs).

   
HENRI IV Ransomware

What is the HENRI IV ransomware?

HENRI IV is a malicious program, which is part of the Paradise ransomware family. Systems infected with this malware experience data encryption (i.e., stored files are rendered inaccessible/useless) and victims receive ransom demands for decryption.

When HENRI IV ransomware encrypts, affected files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address, and the ".malwarehenri" extension. For example, a file initially named "1.jpg" would appear as something similar to "1.jpg[id-HgT0Jbi6].[f**kparadise@heniiv.com].malwarehenri" after encryption.

Once this process is complete, ransom messages within "#DECRYPT MY FILES#.html" files are dropped into compromised folders.

   
M.0.A.B. Ransomware

What is M.0.A.B.?

M.0.A.B. ransomware is a type of malware that prevents victims from accessing their personal files and demands ransom payments.

Ransomware variants often append their own extensions to the filenames of the files they encrypt; however, M.0.A.B. leaves the original filenames unaffected. It simply encrypts the files and displays a ransom message.

Note that M.0.A.B. is based on another ransomware variant called Povlsomware.

   
Google Membership Rewards POP-UP Scam

What kind of scam is "Google Membership Rewards"?

"Google Membership Rewards" is a scam presented as a prize raffle. The scheme claims that, should users select the correct answers to the following multi-choice questions, they will win a prize worth up to US$1099 (USD).

The fraudulent gift giveaway is supposedly a show of gratitude for users' support of Google products and services. Note that "Google Membership Rewards" is in no way associated with Google LLC, and all of the information provided by it is false.

Online scams are promoted on various untrusted websites, which users rarely access intentionally. Most enter these pages via mistyped URLs, redirects caused by intrusive advertisements, and installed rogue applications.

   
Viketohelp.online Ads

What is viketohelp[.]online?

viketohelp[.]online is an untrusted website designed to promote other pages of this kind or load dubious content. The internet is full of websites like viketohelp[.]online and some examples are thenicenewz[.]com, leasedtohe[.]biz, and ablotadom[.]com.

Typically, users do not visit these sites intentionally - they are promoted through other untrusted websites, deceptive advertisements, and potentially unwanted applications (PUAs).

   
VIPxxx Ransomware

What is VIPxxx?

Ransomware-type malware encrypts files so that victims cannot use or access them without valid decryption keys/programs purchased from the attackers.

VIPxxx also renames files by appending the victim's ID, cmd_bad@keemail.me email address, and the ".VIPxxx" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.[ID-C279F237].[cmd_bad@keemail.me].VIPxxx", "2.jpg" to "2.jpg.[ID-C279F237].[cmd_bad@keemail.me].VIPxxx", and so on.

VIPxxx also creates the "RESTORE_FILES_INFO.txt" file, which contains the ransom message. This file can be found in all folders that contain files encrypted by this ransomware.

Avast has updated their Prometheus decryptor - hence, it is now capable of restoring files encrypted by VIPxxx (more information below).

   
Omarona.com Ads

What is omarona[.]com?

omarona[.]com is a rogue website, sharing common traits with thenicenewz.com, leasedtohe.biz, pu.biz, and countless others. Visitors to this page are presented with dubious content and are redirected to other untrusted/malicious sites.

Most users access omarona[.]com and similar websites inadvertently - they are redirected to them by intrusive ads or installed Potentially Unwanted Applications (PUAs). This software does not require explicit user consent to infiltrate systems. These apps cause redirects, run intrusive advertisement campaigns, and collect browsing-related data.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
