Virus and Spyware Removal Guides, uninstall instructions

What kind of email is "Here's your PayPal invoice"?

Phishing emails (malspam campaigns) are one of the most common malware delivery channels. Usually, they are disguised as important or urgent messages from legitimate companies, organizations, institutions, and other entities.

Cyber criminals send them to trick recipients into clicking a link and opening a malicious file, or opening a malicious attachment designed to infect computers with rogue software.

This phishing email is used to deliver Agent Tesla, a remote administration/access trojan (RAT).

What is the fake "Microsoft Teams" email?

"Microsoft Teams email scam" refers to a spam campaign. This term defines a mass-scale operation during which thousands of deceptive emails are sent. The scam messages distributed through this campaign claim that recipients have unread messages in their chat on Microsoft Teams.

Note that these messages are not notifications from the genuine Microsoft Teams platform. The purpose of the fake emails is to trick users into visiting a phishing/malicious website, which can result in severe problems.

What is alert-info[.]space?

The main purpose of the alert-info[.]space website is to advertise an application called AdsBlock for Safari (it might also advertise other apps). Note that alert-info[.]space uses deception to advertise software: it displays a fake notification stating that access to Safari is blocked and cannot be restored without the recommended application.

Users do not often visit websites such as alert-info[.]space intentionally. In most cases, browsers open these deceptive pages when potentially unwanted applications (PUAs) are installed on browsers or devices, or when people visit other dubious pages and click dubious advertisements.

What is INTERNATIONAL MONETARY FUND (IMF) email scam?

The International Monetary Fund (IMF) is a legitimate financial institution, an international organization that promotes global economic growth, reduces poverty, encourages international trade. There is more than one email scam variant claiming to be authored by IMF officials.

Typically, scammers behind these bogus emails attempt to trick recipients into contacting the IMF for issuance of some form of approval, to receive a donation, or for other matters. In any case, the purpose of these emails is to deceive recipients into providing personal information or transferring money.

What is the "Email Account Is Almost Full" scam email message?

"Email Account Is Almost Full Scam" refers to a spam campaign, a large-scale operation during which deceptive emails are sent by the thousand. The messages distributed through the campaign in question are presented as notifications concerning a near-capacity email account.

These scam emails aim to trick recipients into attempting to sign into their mail accounts via a promote phishing website. Thus, any data (i.e., passwords) entered into the web page is exposed to the scammers.

What is Clman?

Ransomware is a type of malware that encrypts files or the entire device. It also displays a ransom message demanding payment in exchange for decryption software or a key. Usually, victims cannot access or use their files unless they decrypt them with a valid decryption tool.

Clman encrypts files and renames them, adding the victim's ID, coleman2021@aol.com email address, and appending ".clman" as the extension. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[coleman2021@aol.com].clman", "2.jpg" to "2.jpg.id-C279F237.[coleman2021@aol.com].clman", and so on.

Clman displays a pop-up window and creates the "FILES ENCRYPTED.txt" text file, which contains instructions about how to contact the attackers.

Note that Clman is part of the ransomware family called Phobos.

What is ApolloSearch?

ApolloSearch is a rogue application classified as adware (not to be confused with another adware-type app of the same name). It also has browser hijacker traits. Following installation, this app runs intrusive advertisement campaigns and makes alterations to browser settings to promote fake search engines.

Additionally, most adware and browser hijackers have data tracking capabilities, which are employed to monitor users' browsing activity. Therefore, it is likely that ApolloSearch has this functionality as well.

Due to the dubious methods used to distribute this app, it is categorized as a Potentially Unwanted Application (PUA).

ApolloSearch has been noted being spread via fake Adobe Flash updates. Note that bogus software updaters distribute PUAs and also Trojans, ransomware, and other malware.

What is Raped ransomware?

Raped ransomware is malicious software that encrypts data and demands payment for decryption. I.e., this malware locks files stored on the compromised system and demands ransom payment for recovery.

During encryption process, files are appended with the "..raped" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg..raped", "2.jpg" as "2.jpg..raped", and so on.

After this process is complete, ransom messages in "HOW TO DECRYPT FILES.txt" files are dropped into affected folders.

Note that Raped ransomware belongs to the Xorist malware family.

What is UnitHandler?

UnitHandler displays advertisements and modifies browser settings to promote a specific address. In this way, it functions as adware and as a browser hijacker.

Typically, users do not download or install apps like UnitHandler intentionally and, therefore, this application falls into the category of potentially unwanted applications (PUAs).

UnitHandler is distributed via deceptive installer, which emulates the Adobe Flash Player installer.

What is PortalAgent?

PortalAgent displays unwanted advertisements and forces users to visit a specific address (a fake search engine). It is also likely that PortalAgent also collects information relating to internet browsing activities and other data.

Note that PortalAgent is distributed through a deceptive installer (a fake installer for Adobe Flash Player) and users often download and install this app unintentionally. Therefore, these rogue apps are classified as potentially unwanted applications (PUAs).