Virus and Spyware Removal Guides, uninstall instructions

What is the "Socar" scam?

"Socar email virus" refers to a malware-spreading spam campaign - a large-scale operation during which thousands of deceptive emails are sent.

The letters distributed through this campaign - are disguised as mail from SOCAR (State Oil Company of Azerbaijan Republic) - national oil and gas company headquartered in Baku, Azerbaijan. It must be emphasized that these scam emails are in no way associated with the genuine SOCAR company.

The letters claim to have a copy of a bank payment receipt of the sender's order attached to them. Instead of containing the stated information, the attached file is designed to initiate download/installation of the Vidar trojan - upon opening.

This malware is classified as a stealer, and it operates by exfiltrating sensitive and personal data from infected systems.

What is Uniwinnicrypt?

Ransomware is a form of malicious software that encrypts files (makes them inaccessible, unusable for victims) and displays, creates a ransom note. It is common that malware of this type modifies filenames.

Uniwinnicrypt encrypts files and appends the ".uniwinnicrypt" as their file extension, for example, it changes a file named "1.jpg" to "1.jpg.uniwinnicrypt", "2.jpg" to "2.jpg.uniwinnicrypt", and so on. Also, Uniwinnicrypt creates one "HOW_FIX_FILES.htm" file (ransom note) in all folders that contain affected data.

What is the Jormungand ransomware?

Discovered by dnwls0719, Jormungand is a ransomware-type program. This malware operates by encrypting data and demanding payment for the decryption. In other words, the files affected by Jormungand are rendered inaccessible, and victims are asked to pay - to recover access to their data.

During the encryption process, files are appended with the ".glock" extension. For example, a file initially titled something like "1.jpg" would appear as "1.jpg.glock", "2.jpg" as "2.jpg.glock", and so forth.

After this process is complete, ransom-demanding messages - "READ-ME-NOW.txt" - are dropped into compromised folders.

What is SearchConverterApp?

Most browser hijackers are designed to promote one or another fake search engine (its address) by making certain changes in a web browser's settings. SearchConverterApp is designed to promote the searchconverterapp.com address.

It is noteworthy that browser hijackers tend to be designed to collect browsing-related and (or) other information. Another detail about apps like SearchConverterApp is that most users download and install them accidentally (unknowingly).

For this reason, this and other browser hijackers are called potentially unwanted applications (PUAs).

What is RunExeMemory?

Ransomware is a type of malicious software that cybercriminals monetize by leaving victims with no other option but to purchase a decryption tool from them. Malware of this type encrypts files and keeps them inaccessible unless they are decrypted with the right tool (program, key).

RunExeMemory not only encrypts but also renames files, it appends a string of random characters as the file extension (e.g., ".c97hqe"). It renames a file named "1.jpg" to "1.jpg.c97hqe", "2.jpg" to "2.jpg.c97hqe", and so on.

Also, RunExeMemory creates a ransom note, the "Read me, if you want to recover your files.txt" file.

What is ourbestnews[.]com?

Ourbestnews[.]com is one of the many pages designed to promote untrustworthy websites and load questionable content. A couple of examples of other sites like ourbestnews[.]com are essingto[.]online, mycoolnewz[.]com, and download-app[.]net.

Typically, users do not visit them intentionally. It is common that such pages get opened by potentially unwanted applications installed on browsers or computers, after clicking on deceptive ads, or while visiting other unreliable sites.

What is the "We have detected a potential risk of unsecured connection" fake alert?

"We have detected a potential risk of unsecured connection" is a scam promoted on various deceptive sites. This scheme targets Apple device users.

It makes false claims about users' Internet connection not being secure - in order to trick them into downloading/installing and/or purchasing untrustworthy software products. Typically, scams of this type endorse fake anti-viruses, adware, browser hijackers, and other PUAs (Potentially Unwanted Applications).

These schemes may even proliferate malware, e.g., trojans, ransomware, cryptocurrency miners, etc. Visitors to scam websites seldom access them intentionally; most get redirected to the pages by intrusive advertisements or installed PUAs.

What is ValidBoost?

ValidBoost is the name of a potentially unwanted application (PUA) that functions as adware and a browser hijacker. More precisely, this application serves advertisements and promotes the address of a certain fake search engine by modifying browser settings.

It is likely that ValidBoost collects information about its users as well. Either way, it is not a trustworthy app, and it should not be downloaded and installed. Typically, users download and install PUAs unknowingly.

It is known that ValidBoost is distributed via a deceptive installer that looks like the installer for the Adobe Flash Player.

What is websearches.club?

Websearches.club is the URL (address) of an illegitimate search engine. Despite its legitimate appearance, this web searcher is unable to provide accurate search results. Fake search engines are typically promoted by browser hijackers through the modifications this software makes to browser settings.

The websearches.club web searcher has been observed being promoted by Img downloadit, Newtab, SysKey, GillCom, and other browser hijackers. Furthermore, both browser hijackers and their search engines are known to collect browsing-related information.

Due to the dubious methods used to proliferate browser hijackers, they are also classified as PUAs (Potentially Unwanted Applications).

What is revercecaptcha[.]com?

Revercecaptcha[.]com is similar to hevethat[.]online, bemasx[.]com, mycoolnewz[.]com, and many other untrustworthy websites.

Typically, users open such pages by clicking on deceptive advertisements, or those pages get opened while users visit other shady websites or when their web browser has some potentially unwanted application (PUA) installed on it.

In other words, it is uncommon for pages like revercecaptcha[.]com to be visited by users on purpose. It is important to mention that a PUA is a type of app that can be designed to promote untrustworthy pages and serve ads and (or) collect various data.