Virus and Spyware Removal Guides, uninstall instructions

Kaspersky Email Scam

What is the fake "Kaspersky" email?

"Kaspersky email scam" refers to a spam campaign, a large-scale operation during which deceptive emails are sent by the thousands. The messages distributed through this campaign are presented as coming from Kaspersky Lab, the global cyber security service and anti-virus software provider.

Note that these fake emails are in no way associated with the genuine Kaspersky Lab, despite any proclamations stating otherwise. The scam messages claim that malicious files have been detected in recipients' mailboxes.

This spam campaign aims to promote a phishing website, which asks users to verify their emails by logging into their accounts. Phishing pages are designed to record the information entered into them, in this case, mail account log-in credentials (i.e., email addresses and passwords).

Therefore, never trust these fraudulent "Kaspersky" emails, as doing so can result in email account loss and other serious problems.

   
POLSAT Ransomware

What kind of malware is POLSAT?

The main purpose of ransomware is to encrypt files and keep them inaccessible until victims recover them with decryption tools purchased from the attackers.

Malware of this type not only encrypts files but also renames them. POLSAT appends the victim's ID, ICQ_Polsat (ICQ username), and the ".POLSAT" extension to the filename of each encrypted file. For example, "1.jpg" is renamed to "1.jpg.id[C279F237-3188].[ICQ_Polsat].POLSAT", "2.jpg" to "2.jpg.id[C279F237-3188].[ICQ_Polsat].POLSAT", and so on.

POLSAT also provides instructions about how to contact the attackers and other details within a pop-up message ("info.hta") and text file ("info.txt").

   
Contact Ransomware

What is the Contact ransomware?

Contact is a malicious program categorized as ransomware. Systems infected with this malware have their data encrypted, and users receive ransom demands for decryption tools. That is, victims are unable to access or use the files affected by this ransomware and are asked to pay to recover the data.

During the encryption process, files are renamed following this pattern: "[random_string].bannedlands@msgsafe.io.contact", consisting of a random character string and the cyber criminals' email address.

For example, a file initially named "1.jpg" would appear as something similar to "TWljcm9zb2Z0IEVkZ2UubG5r.bannedlands@msgsafe.io.contact" after encryption. Once this process is complete, a ransom-demand message within the "CONTACT-README-WARNING.html" file is created.

   
Topcaptchasolver.com Ads

What is topcaptchasolver[.]com?

Topcaptchasolver[.]com is used to promote untrusted, potentially malicious websites. It also can load dubious content, depending on the visitor's geolocation. In any case, topcaptchasolver[.]com cannot be trusted.

Note that users do not visit these websites intentionally. In most cases, they are opened after clicking deceptive ads, visiting other dubious pages, or by potentially unwanted applications (PUAs) that users have inadvertently installed onto browsers or operating systems.

There are many pages similar to topcaptchasolver[.]com online. Some examples are eouldeco[.]online, mekiroki[.]com, and sakh[.]site.

   
GlobalSearchSystem Adware (Mac)

What is GlobalSearchSystem?

GlobalSearchSystem is an adware-type application with browser hijacker traits. This piece of software delivers intrusive advertisement campaigns and modifies browser settings to promote bogus search engines.

Furthermore, most adware and browser hijackers monitor users' browsing habits and collect sensitive data. This app has been observed being distributed through fake Adobe Flash Player updates (note that rogue updaters/installers can also proliferate trojans, ransomware, and other malware).

Due to the especially dubious methods used to spread GlobalSearchSystem, it is also classified as a Potentially Unwanted Application (PUA).

   
TypicalProcess Adware (Mac)

What kind of application is TypicalProcess?

TypicalProcess is a rogue application categorized as adware. It also has browser hijacker traits. After successful infiltration, this app runs intrusive advertisement campaigns (i.e., delivers various ads) and makes modifications to browser settings in order to promote fake search engines.

Additionally, most software within these categories has data tracking capabilities, which are used to monitor users' browsing activity and collect sensitive/private information. Due to the dubious methods used to proliferate TypicalProcess, it is classified as an unwanted application.

This app has been observed being distributed via fake Adobe Flash Player updates. Note that bogus software updaters/installers often proliferate unwanted apps and even malware (e.g., trojans, ransomware, etc.).

   
McAfee Tollfree POP-UP Scam

What is the McAfee Tollfree scam?

In most cases, technical support scams display fake pop-up messages/notifications claiming that the computer is infected with viruses and encouraging users to call the provided number to get help with removing them.

Usually, scammers behind tech-support scams attempt to trick users into purchasing unnecessary or even fake software, paying for remote technical "support", or installing remote administration tools, which allow them to access and control computers.

Ignore these scams - the virus alerts and other notifications issued by them are fake.

People do not often visit technical support scam websites intentionally - they are forcibly redirected to these pages after clicking deceptive ads, visiting bogus websites, or when potentially unwanted applications (PUAs) are installed on browsers/operating systems.

   
Urnb Ransomware

What is Urnb ransomware?

Belonging to the Djvu ransomware family, Urnb is a malicious program designed to encrypt data (render victims' files inaccessible) and demand ransoms for decryption (payment for access recovery).

When this ransomware encrypts, affected files are appended with the ".urnb" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.urnb", "2.jpg" as "2.jpg.urnb", and so on.

Once the encryption is complete, a ransom message within the "_readme.txt" file is created.

   
Fdcz Ransomware

What is Fdcz?

Fdcz is a type of malware that encrypts files and appends its extension to filenames. Ransomware victims cannot access or use their files unless they decrypt them with a specific decryption tool (program, key). 

Fdcz appends ".fdcz" as the file extension to the filenames. For example, "1.jpg" is renamed to "1.jpg.fdcz", "2.jpg" to "2.jpg.fdcz", and so on. This ransomware creates the "_readme.txt" file containing the ransom message.

Note that Fdcz is part of the Djvu ransomware family.

   
Hackers Are Watching You! POP-UP Scam (Mac)

What kind of scam is "Hackers are watching you!"?

There are many deceptive websites using scare tactics to trick unsuspecting visitors into downloading and installing potentially unwanted applications (PUAs). Usually, the websites display fake virus notifications claiming that the device is infected with a number of viruses and urge users to remove them immediately.

These pages may show different notifications; however, none are genuine. Note that these rogue web pages are often promoted through deceptive advertisements, dubious websites, and PUAs. That is, users do not often visit them intentionally.

   
