Virus and Spyware Removal Guides, uninstall instructions

PDFSearchWeb Browser Hijacker

What is PDFSearchWeb?

Typically, users download and install browser hijackers inadvertently. Therefore, PDFSearchWeb and other applications of this kind are classified as potentially unwanted applications (PUAs).

The main purpose of browser hijackers is to modify browser settings to promote specific addresses (fake search engines). They also gather browsing-related and other data. Therefore, you should remove PDFSearchWeb from browsers/computers.

BleachGap Ransomware

What is BleachGap ransomware?

BleachGap is a ransomware-type program. It operates by encrypting data and demanding payment for decryption. In other words, the files affected by BleachGap are rendered inaccessible, and victims are asked to pay a ransom to regain access.

During the encryption process, files are appended with the ".lck" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.lck" following encryption.

At the time of research, BleachGap seemingly had an unintentional flaw: it left the original file and created two encrypted copies (e.g., "1.jpg.lck" and "1.jpg.lck.lck"). The original was likely intended for deletion, with only the compromised copy remaining.

After the encryption process is complete, ransom messages are dropped onto the desktop. This ransomware creates 100 copies of the message, named as follows: "Pay2Decrypt1.txt", "Pay2Decrypt2.txt", "Pay2Decrypt3.txt", and so on up to "Pay2Decrypt100.txt".

Ades Stealer

What is Ades?

Information stealers are malware programs that can be designed to record keystrokes, take screenshots, and gather other data in order to send it to the attackers. Malware of this type can run stealthily in the background so that victims do not suspect infection.

Ades is a stealer written in the C# multi-paradigm programming language and uses Telegram as its command & control (C2) platform.

Ades is for sale on hacker forums and costs 4000 RUB, or it can be purchased through a subscription for 400 RUB per month.

DefaultTool Adware (Mac)

What is DefaultTool?

DefaultTool is a piece of dubious software, which operates as adware and a browser hijacker. It delivers intrusive advertisements and promotes fake search engines by making changes to browser settings. Due to the dubious techniques used to proliferate DefaultTool, it is also categorized as a Potentially Unwanted Application (PUA).

Most PUAs collect browsing-related information, and DefaultTool likely has these data tracking capabilities as well. This app has been observed being proliferated via fake Adobe Flash Player updates. Note that bogus software updaters/installers are employed to spread PUAs, trojans, ransomware, and other malware as well.

Urs Ransomware

What is Urs ransomware?

Usually, ransomware prevents victims from accessing their files or the entire system. It encrypts files and demands payment (typically in Bitcoin) in exchange for a decryption tool (software, key).

Urs encrypts files and renames them by adding the victim's ID and the necurs@aol.com email address, and appending the ".urs" extension. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[necurs@aol.com].urs", "2.jpg" to "2.jpg.id-C279F237.[necurs@aol.com].urs", and so on.

Urs also displays a pop-up window and creates the "FILES ENCRYPTED.txt" file (ransom message).

Note that Urs is part of the Dharma ransomware family.

OpticalUpdater Adware (Mac)

What is OpticalUpdater?

OpticalUpdater is an adware-type application with browser hijacker traits. Following successful infiltration, it runs intrusive advertisement campaigns and promotes fake search engines by modifying browser settings. Additionally, most adware-type apps and browser hijackers collect browsing-related information.

Typically, users download/install OpticalUpdater unintentionally and, therefore, this app is classified as a Potentially Unwanted Application (PUA).

This piece of software has been observed being spread via fake Adobe Flash Player updates. Note that bogus software updaters/installers are also used to proliferate malware (e.g., trojans, ransomware, etc.).

ORAL Ransomware

What is ORAL ransomware?

Belonging to the Dharma ransomware group, ORAL is a malicious program, which operates by encrypting data and demanding ransoms for decryption - victims cannot access the files affected by this ransomware and are informed that they must pay to unlock them.

During the encryption process, files are renamed following this pattern: original filename, unique ID, cyber criminals' email address, and the ".ORAL" extension. For example, "1.jpg" might appear as something similar to "1.jpg.id-C279F237.[oral@tuta.io].ORAL" following encryption.

Once this process is complete, ransom messages are presented in a pop-up window and in a text file named "Manual.txt".

C.N. FREIGHT & SHIPPING Email Virus

What is the "C.N. FREIGHT & SHIPPING" scam email?

"C.N. FREIGHT & SHIPPING email virus" refers to a malware-proliferating spam campaign - a large-scale operation during which deceptive emails are sent by the thousand. The messages distributed through this campaign are presented as quotation requests from C.N. FREIGHT & SHIPPING.

Note that these scam emails are in no way associated with the genuine C.N. Freight & Shipping company. The purpose of this spam campaign is to infect recipients' systems with the GuLoader malicious program, which is designed to cause chain infections.

Wallet (Dharma) Ransomware

What is Wallet ransomware?

Ransomware is malware that infects computers and restricts access to the infected computer (or files stored on it). It encrypts files and demands a payment in exchange for a decryption key or software. Usually, it renames encrypted files as well.

Wallet ransomware renames files by adding the amagnus@india.com email address (may vary) and appending the ".wallet" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.[amagnus@india.com].wallet", "2.jpg" to "2.jpg.[amagnus@india.com].wallet", and so on. It also creates a ransom message within the "Good morning.txt" file and changes the desktop wallpaper.

Wallet is a ransomware variant belonging to the Dharma family.

Penit.xyz POP-UP Scam (Mac)

What is the penit[.]xyz site?

penit[.]xyz is an untrustworthy website running various schemes. This page has been observed promoting versions of the "(3) Viruses have been detected on your iPhone" and "VPN Update" scams, mainly targeting iPhone users.

Schemes of this type operate by presenting visitors with misleading or outright deceptive information to trick them into downloading/installing and purchasing dubious products. These scams typically endorse fake anti-viruses, adware, browser hijackers, and other Potentially Unwanted Applications (PUAs).

They may even promote trojans, ransomware, and other malware. People usually access scam sites via mistyped URLs, redirects caused by intrusive advertisements, or installed PUAs.
