Virus and Spyware Removal Guides, uninstall instructions

CARLOS Ransomware

What kind of malware is CARLOS?

Discovered by malware researcher S!Ri, CARLOS is a malicious ransomware program that operates by encrypting the data of infected systems and demanding ransoms to be paid for decryption tools/software.

During the encryption process, all affected files are renamed according to the following pattern: original filename, unique ID, cyber criminals' email address, and the ".CARLOS" extension. For example, a file such as "1.jpg" would appear as something similar to "1.jpg.[EF7BE7BC].[carlosrestore2020@aol.com].CARLOS".

After the encryption process is complete, a text file ("readme-warning.txt") is dropped onto the desktop. Updated variants of this ransomware use the ".[markmontgomery2020@hotmail.com].CARLOS" extension for encrypted files.

   
Torrentfunk.com Suspicious Website

What is torrentfunk[.]com?

Torrentfunk[.]com is a torrent website that contains dubious ads and redirects users to other bogus web pages using rogue advertising networks. Note that torrenting is not illegal; however, downloading copyrighted content is, and it is likely that torrentfunk[.]com contains such content.

   
GetIncognitoSearch Browser Hijacker

What is GetIncognitoSearch?

GetIncognitoSearch promotes a fake search engine (getincognitosearch.com). Like most browser hijackers, it achieves this by making certain changes to browser settings. Additionally, it is likely that GetIncognitoSearch gathers browsing-related details and other information.

Frequently, users download and install browser hijackers unintentionally and, therefore, apps such as GetIncognitoSearch are classified as potentially unwanted applications (PUAs).

   
Torrentgalaxy.to Suspicious Website

What is the torrentgalaxy[.]to site?

torrentgalaxy[.]to is an untrusted Torrent website, which uses rogue advertising networks. This is a common monetization technique and operates by promoting (i.e. force-opening/causing redirects to) various dubious and malicious sites. In addition to the threats posed by visiting the promoted web pages, Peer-to-Peer sharing networks infringe copyright laws.

Torrent websites commonly offer unwanted apps and even malware (e.g. ransomware, Trojans, etc.) for downloading, disguised as or bundled with normal content. Therefore, you are strongly advised against visiting or using torrentgalaxy[.]to.

   
Moderation-support.network POP-UP Scam (Mac)

What is moderation-support[.]network?

moderation-support[.]network is one of many deceptive pages that scammers use to trick visitors into installing various potentially unwanted applications (PUAs). When visited, these web pages display a fake notification stating that the device is infected (and/or damaged) and that it can be fixed with a specific app.

Pages such as moderation-support[.]network should never be trusted. Note that users do not often visit them intentionally - usually, these web pages are promoted via other dubious sites, deceptive ads, and PUAs.

   
Message Attachments Were Delayed Email Scam

What is the "Message attachments were delayed" email?

"Message attachments were delayed" refers to a spam email campaign. The term "spam campaign" refers to a mass-scale operation, during which thousands of scam emails are sent. These deceptive messages claim that several email attachments have been delayed and were not delivered to the inbox.

To access the attached files, recipients are instructed to click a button, which redirects to a phishing website. This site is presented as a log-in page for the recipient's mail account. Note that the "Message attachments were delayed" promoted web page records information (i.e. passwords) entered into it.

   
LivePDFSearch Browser Hijacker

What is LivePDFSearch?

Typically, apps such as LivePDFSearch force users to visit a specific web address. This browser hijacker promotes livepdfsearch.com, the address of a fake search engine, by modifying certain browser settings. It can also read browsing-related information.

Users often download and install browser hijackers inadvertently and, for this reason, LivePDFSearch and other apps of this type are classified as potentially unwanted applications (PUAs).

   
WebFox Adware

What is WebFox?

WebFox is a rogue browser, based on an open-source project called Chromium. It is endorsed as a browser that offers faster and safer browsing. In addition, it has a feature that allows users to access certain browser functions straight from the desktop.

In fact, WebFox is classified as adware. It runs intrusive advertisement campaigns and delivers various misleading, deceptive and possibly malicious ads. Due to the dubious methods used to proliferate WebFox, it is also classified as a Potentially Unwanted Application (PUA). Furthermore, most PUAs have data tracking capabilities, which are employed to monitor users' browsing activity.

   
OceanLotus Backdoor (Mac)

What is OceanLotus?

Research shows that the OceanLotus backdoor targets macOS computers. Cyber criminals behind this backdoor have already used this malware to attack human rights and media organizations, some research institutes, and maritime construction companies.

The OceanLotus backdoor is distributed via a fake Adobe Flash Player installer and a malicious Word document (it is likely that threat authors distribute the document via malspam emails).

   
.help (VoidCrypt) Ransomware

What is .help (VoidCrypt) ransomware?

Discovered by xiaopao, .help is a malicious program that belongs to the VoidCrypt ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools/software.

When .help (VoidCrypt) encrypts, all affected files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims and the ".help" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.[galivertones@aol.com][AT72E0MYZU5JN4Q].help" following encryption.

After this process is complete, ransom messages within "!INFO.HTA" files are dropped into compromised folders. An updated variant drops a "Decrypt-me.txt" file instead.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
