Virus and Spyware Removal Guides, uninstall instructions

What is Acrux?

In most cases, ransomware encrypts files (renders them unusable) and generates ransom messages.

Acrux not only encrypts but also renames files, appending the victim's ID, the decodeacrux@gmail.com email address, and ".Acrux" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id[C279F237].[decodeacrux@gmail.com].Acrux", "2.jpg" to "2.jpg.id[C279F237].[decodeacrux@gmail.com].Acrux", and so on.

Acrux also creates a text file ("ReadMe-[victim's_ID].txt") containing the ransom message in all folders that contain affected files.

What is AndroRAT?

AndroRAT is the name of a malicious program targeting Android operating systems on smartphones. It is classified as a Remote Access Trojan (RAT). Malware of this type is designed to enable stealthy remote access and control over an infected device.

These Trojans have a wide variety of dangerous functionality, which can be used in various ways. Therefore, the threats posed by RAT infections are especially broad. AndroRAT is classified as a highly dangerous piece of software, and as such associated infections must be removed immediately upon detection.

What is Ares?

Ares is the name of a banking Trojan, a new variant of Kronos. Usually, malware of this type targets login credentials (e.g., usernames, email addresses, passwords), bank account numbers, credit card information, and other financial information.

Research shows that Ares is designed to download an information stealer (Ares Stealer) that collects login credentials from various applications.

What is the MailRU ransomware?

MailRU is a malicious program, which is part of the Xorist ransomware family. It is designed to encrypt data (render files inaccessible/unusable) and demand payment for decryption (access recovery).

When this ransomware encrypts, filenames of affected files are appended with the ".MailRU" extension. For example, a file initially named something like "1.jpg" would appear as "1.jpg.MailRU", "2.jpg" as "2.jpg.MailRU", and so on.

After this process is complete, ransom messages are displayed/created in a pop-up window and "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" text files, which are dropped into compromised folders.

If the infected system does not have the Cyrillic alphabet installed, the text presented in the pop-up window will appear as nonsensical gibberish.

What kind of application is Cactus Search?

Cactus Search is rogue software classified as a browser hijacker. It operates by promoting the cactus-search.com fake search engine through modification of browser settings.

Furthermore, Cactus Search has data tracking capabilities, which are employed to monitor users' browsing habits. Since browser hijackers are typically downloaded/installed unintentionally, they are also categorized as unwanted applications.

What is essingto[.]online?

essingto[.]online is similar to bemasx[.]com, mycoolnewz[.]com, private-message[.]live, and many other pages of this kind. Most display dubious content and promote other untrusted sites.

Users do not often visit these rogue sites intentionally - they are opened by clicking deceptive advertisements or visiting untrusted web pages. Browsers regularly open essingto[.]online and similar sites due to potentially unwanted applications (PUAs) installed on them.

What is Wintenzz ransomware?

Discovered by malware researcher S!Ri, Wintenzz is a ransomware-type program. It operates by encrypting files (rendering them inaccessible) and demanding payment for the decryption (access recovery).

During the encryption process, the filenames of affected files are appended with the ".wintenzz" extension. For example, a file initially titled something like "1.jpg" would appear as "1.jpg.wintenzz", "2.jpg" as "2.jpg.wintenzz", "3.jpg" as "3.jpg.wintenzz", etc.

Once this process is complete, a ransom message within the "STARTOPEN_ote.html" file is created. This HTML file is automatically opened each time the system is rebooted.

What is Siliconegun?

Ransomware is a form of malware that encrypts files (rendering them inaccessible). The attackers demand ransoms to restore access to victims' data.

Siliconegun encrypts files and modifies their filenames by appending ".siliconegun@tutanota.com" as the file extension. For example, "1.jpg" is renamed to "1.jpg.siliconegun@tutanota.com", "2.jpg" to "2.jpg.siliconegun@tutanota.com", and so on.

Siliconegun also generates ransom messages in "HOW_TO_RECOVER_ENCRYPTED_FILES.txt" text files, placing them in all folders that contain encrypted files.

What is bemasx[.]com?

bemasx[.]com is a rogue website sharing many similarities with mycoolnewz.com, private-message.live, yourdeliv.online, and thousands of others. Visitors to this page are presented with dubious content and/or are redirected to various untrusted or malicious sites.

Web pages of this kind are seldom accessed intentionally - most users enter them via redirects caused by intrusive ads or installed Potentially Unwanted Applications (PUAs). This software does not require explicit user permission to infiltrate devices. These unwanted apps can force-open websites, run intrusive advertisement campaigns, and gather browsing-related information.

What is Mie Player?

Adware refers to a type of unwanted software that displays advertisements. Mie Player (also known as Lumia Player) is also classified as adware. It is likely that this app generates advertisements and collects browsing-related (or other) information.

Note that many users download and install adware-type applications such as Mie Player unintentionally. Therefore, they are classified as potentially unwanted applications (PUAs).