Virus and Spyware Removal Guides, uninstall instructions

What is Xtreme?

Xtreme is a Remote Access Trojan (RAT), which grants access and control of infected machines to facilitate various malicious actions.

This malware has been used globally, targeting governments and governmental organizations, financial institutions, large private corporations, telecommunication companies and media outlets, however, while it primarily targeted representatives and employees of the aforementioned entities, smaller businesses or average users are often targeted.

What is the hanksforyou[.]biz site?

hanksforyou[.]biz is a rogue website designed to deliver dubious content and redirect visitors to other untrusted, possibly malicious web pages.

Users rarely access hanksforyou[.]biz and similar sites intentionally - most are redirected to them by intrusive advertisements or installed Potentially Unwanted Applications (PUAs). This software does not need explicit permission to infiltrate systems, and thus users may be unaware of its presence.

PUAs are designed to cause redirects, run intrusive advertisement campaigns, and collect browsing-related data. The internet is full of rogue websites including fastcaptcharesolve.com, allowsuccess.org, ardoppoprus.biz, and thedailyrobotcheck.site as just some examples.

What is the "Facebook Lottery" scam email?

"Facebook Lottery" is a spam email campaign, a large-scale operation during which deceptive email messages are sent by the thousand. This campaign is in no way associated with Facebook, Inc. and all of the information provided by these emails is false.

The scam messages claim that recipients have been selected as one of the three winners of a fake lottery. This spam mail operates as a phishing scam. I.e., the purpose is to extract sensitive/personal information and use it for nefarious purposes.

What is Search Button?

Search Button is a browser hijacker promoting the keysearchs.com bogus search engine. Typically, software within this classification modifies browser settings to promote its associated search engines, however, Search Button does not always make alterations to the settings when promoting the keysearchs.com web searcher (see below).

Additionally, Search Button has data tracking capabilities, which are used to monitor users' browsing habits. Since most users download/install browser hijackers inadvertently, they are also classified as Potentially Unwanted Applications (PUAs).

What is optavut[.]com?

optavut[.]com is a deceptive website used to promote potentially unwanted applications (PUAs). There are many similar pages on the internet, all of which display fake notifications stating that a device is infected, damaged, hacked, etc., and encouraging users to download and install an application, which will supposedly fix the problem (remove viruses, fix errors, etc.).

Neither optavut[.]com nor other similar page can be trusted. Commonly, these sites are promoted via dubious advertisements, other untrusted web pages, or PUAs that users download/install onto their devices inadvertently.

What is Ncovid ransomware?

Ncovid is a malicious program designed to encrypt data and demand ransoms for decryption. This is a new variant of RIP lmao ransomware. The files stored on systems infected with Ncovid are rendered inaccessible, and victims are asked to pay to recover access to their data.

When this ransomware encrypts, affected files are appended with the ".ncovid" extension. For example, a file originally named something like "1.jpg" will appear as "1.jpg.ncovid", "2.jpg" as "2.jpg.ncovid", "3.jpg" as "3.jpg.ncovid", and so on.

After this process is complete, ransom-demand messages are created in a pop-up window and "___RECOVER__FILES__.ncovid.txt" text file.

What kind of malware is FluBot?

FluBot (also known as Cabassous) is malicious software that targets Android smartphones. Cyber criminals distribute FluBot via SMS messages, which they send (in at least in three different languages such as German, Polish, and Hungarian) with links to download websites for a fake FedEx application. These websites download a malicious APK file (Android Package file) designed to install FluBot banking malware.

What is Ekvf?

This ransomware belongs to the Djvu family.

Generally, ransomware encrypts files and displays/creates ransom messages. Cyber criminals use malware of this type to prevent victims from accessing their files and force them to pay for decryption keys/software.

Ekvf also encrypts files and renames them by appending ".ekvf" as the file extension. For example, "1.jpg" is renamed to "1.jpg.ekvf", "2.jpg" to "2.jpg.ekvf", and so on. Ekvf crates its ransom message (within the "_readme.txt" text file) in all folders containing affected data.

What is Onim ransomware?

Onim is a ransomware-type program discovered by malware researcher S!Ri. Systems infected with this malware experience data encryption (i.e., affected files are rendered inaccessible) and victims receive ransom demands for decryption.

During the encryption process, files are appended with the ".aes" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.aes" following encryption.

After this process is complete, ransom messages in "Readme.txt" files are dropped into compromised folders. Additionally, Onim changes the desktop wallpaper.

What is WebRadioSearch?

WebRadioSearch is rogue software categorized as a browser hijacker. It operates by making changes to browser settings to promote the webradiosearch.com fake search engine. Furthermore, most browser hijackers can monitor users' browsing habits. Therefore, it is likely that WebRadioSearch has these data tracking capabilities as well.

Due to the dubious techniques used to proliferate browser hijackers, they are also classified as Potentially Unwanted Applications (PUAs).