Virus and Spyware Removal Guides, uninstall instructions
What is clickmp3[.]com?
clickmp3[.]com offers downloads of videos from YouTube. Note that using websites such as clickmp3[.]com or third-party apps to download videos is against YouTube's Terms of Service.
clickmp3[.]com also uses rogue advertising networks: the site contains dubious ads and opens other untrusted pages.
What is Resgateseup ransomware?
Discovered by 0x4143, Resgateseup is malicious software classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools. Typically, ransomware renames affected files; however, the filenames of files encrypted by Resgateseup remain unchanged.
Once this process is complete, a CMD (Command Prompt) window is opened. Additionally, a ransom message in Portuguese ("config.ini") is created and a website is opened - the message presented in both is identical.
What is InitialDevice?
InitialDevice changes browser settings, generates advertisements, and might also gather certain information. In this way, InitialDevice functions both as adware and as a browser hijacker.
Typically, users download and install apps such as InitialDevice inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs).
What is the "Spin The Wheel" scam?
"Spin The Wheel" is a scam promoted on various deceptive websites. There are several variants of this scam. In general, the scheme claims users have the chance to win a prize.
Note that "Spin The Wheel" is in no way associated with Home Depot, Amazon, Apple, or other companies it mentions. Additionally, any prizes/rewards offered by this scam are fake.
The purpose of such schemes is to generate revenue for their designers by abusing users' trust. Sites that promote scams are usually accessed via mistyped URLs, redirects caused by intrusive advertisements, or by Potentially Unwanted Applications (PUAs).
What is SearchConverterInc?
SearchConverterInc is rogue software classified as a browser hijacker. It operates by making changes to browser settings to promote searchconverterinc.com (a fake search engine). Additionally, SearchConverterInc monitors users' browsing habits.
Due to the dubious methods used to proliferate browser hijackers, they are also classified as Potentially Unwanted Applications (PUAs).
What is LIZARD ransomware?
LIZARD is a ransomware-type program, which is identical to LANDSLIDE malware. Systems infected with LIZARD experience data encryption and users receive ransom demands for decryption.
During the encryption process, all affected files are renamed following this pattern: "[DeathSpicy@yandex.ru][id=victim's_ID]original_filename.LIZARD", consisting of the cyber criminals' email address, unique ID assigned to the victim, original filename, and ".LIZARD" extension. For example, a file such as "1.jpg" would appear as something similar to "[DeathSpicy@yandex.ru][id=C279F237]1.jpg.LIZARD" after encryption.
Once this process is complete, identical ransom messages in "#ReadThis.HTA" and "#ReadThis.TXT" files are created.
What is reander[.]net?
reander[.]net is a scam website. Its main purpose is to scare visitors into downloading and installing a potentially unwanted application (PUA) by displaying a fake virus notification stating that the device is infected.
Users do not often visit reander[.]net or similar web pages intentionally - they are opened when deceptive ads are clicked, dubious websites are visited, or when a PUA is installed on the browser and/or operating system.
What is the "Cobra Industrial Machines" scam email?
"Cobra Industrial Machines email virus" refers to a spam campaign designed to proliferate malware. The term "spam campaign" defines a mass-scale operation, during which thousands of deceptive/scam emails are sent. The messages distributed through this campaign ask recipients to provide a product quote, as they have supposedly collaborated with this company before.
Note that these scam emails are in no way associated with any entities under the "Cobra Industrial Machines" name. The purpose of the "Cobra Industrial Machines email virus" is to proliferate the MassLogger and AZORult malicious programs.
What is Foo ransomware?
Foo belongs to the VoidCrypt ransomware family.
This ransomware encrypts files and appends the encryptfull@criptext.com email address, victim's ID, and the ".Foo" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.[encryptfull@criptext.com][ZRC71WE2QGBLYX5].Foo", "2.jpg" to "2.jpg.[encryptfull@criptext.com][ZRC71WE2QGBLYX5].Foo", and so on.
Foo also creates the "!INFO.HTA" file (ransom message) in folders that contain encrypted files.