Virus and Spyware Removal Guides, uninstall instructions
What is REDROMAN ransomware?
Discovered by MalwareHunterTeam, REDROMAN is malicious software categorized as ransomware. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, files are appended with the ".REDROMAN" extension.
For example, a file originally named something like "1.jpg" would appear as "1.jpg.REDROMAN" following encryption. After this process is complete, the ransomware creates three identical ransom messages within the following files: "RR_README.html", "OPENTHIS.html" and "README.html".
Only one copy of each is created. The folders into which they are dropped are randomized and, therefore, victims may have trouble locating the files.
What is Your iPhone is highly damaged by 5 viruses!?
Generally, websites such as this one display a fake virus notification, stating that an iPhone (or other device) is infected with viruses, and encourage visitors to remove them immediately with a potentially unwanted application (PUA). In summary, these pages promote PUAs in deceptive ways.
Typically, users do not visit these websites intentionally - they are opened through other untrusted web pages, dubious advertisements, or PUAs that are already installed on devices.
What is Lisp?
Lisp is one of many ransomware-type programs that belong to the Djvu ransomware family. Like most malicious programs of this type, it encrypts and renames files, and creates a ransom message with instructions about how to contact the developers, pay the ransom, etc.
Lisp renames files by appending the ".lisp" extension to filenames (note that .lisp is a legitimate file extension for Lisp programming language files). For example, "1.jpg" is renamed to "1.jpg.lisp", "2.jpg" to "2.jpg.lisp", and so on. Lisp creates a ransom message within "_readme.txt" text files in all folders that contain encrypted files.
What is WRTenets?
WRTenets is rogue software and a browser hijacker, which promotes searchnets.xyz (a fake search engine). Typically, browser hijackers cause redirects to fake search engines by changing browser settings; however, WRTenets does not always operate in this manner.
Additionally, this browser hijacker has data tracking capabilities, which are employed to monitor users' browsing activity. Due to the dubious techniques used to proliferate WRTenets, it is also classified as a Potentially Unwanted Application (PUA).
What is OriginalSearchManager?
OriginalSearchManager is designed to change specific browser settings (to promote search.locatorunit.com) and add the "Managed by your organization" feature on Google Chrome browsers.
This app is also likely to gather browsing data. Generally, users do not download or install browser hijackers intentionally and, for this reason, OriginalSearchManager is categorized as a potentially unwanted application (PUA).
What is 1000-eur[.]cash?
1000-eur[.]cash is a rogue website designed to redirect visitors to other untrusted/malicious web pages and/or present them with dubious content. There are thousands of sites similar to 1000-eur[.]cash online, including special-breaking.news, bigkick.biz, mylot.com and undertain.work, to name just some examples.
Typically, users access these rogue web pages via redirects caused by intrusive advertisements or Potentially Unwanted Applications (PUAs) already infiltrated into their devices. This software does not require explicit user permission to be installed onto systems. PUAs cause redirects, run intrusive advertisement campaigns and collect browsing-related information.
What is Cvc ransomware?
Cvc belongs to the Dharma ransomware family and is designed to encrypt files, modify their filenames, display a pop-up window, and create a text file ("FILES ENCRYPTED.txt") that contains instructions about how to contact the developers.
It renames all encrypted files by adding the victim's ID, patrik008@tutanota.com email address and appending the ".cvc" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[patrik008@tutanota.com].cvc", "2.jpg" to "2.jpg.id-C279F237.[patrik008@tutanota.com].cvc", and so on.
What is Sfile ransomware?
Discovered by Emmanuel_ADC-Soft, Sfile is a malicious program that is classified as ransomware. It is designed to encrypt data, change filenames and demand payment for decryption. When Sfile malware encrypts, all affected files are appended with the ".BRN-qfp7mkc" extension.
For example, a file named something like "1.jpg" would appear as "1.jpg.BRN-qfp7mkc", "2.jpg" as "2.jpg.BRN-qfp7mkc", and so on following encryption. After this process is complete, ransom messages within "readme_to BRN.inf" files are dropped into compromised folders.
What kind of website is oksearch.org?
Oksearch.org is an untrusted search engine. Microsoft Edge and Chrome users are often forced to visit this address when they click a search result generated by Google or Bing. After clicking on the Google/Bing result, users are redirected to oksearch.org, which then redirects to another website.
Research shows that redirects to and from oksearch.org happen mainly on Edge browsers that have a fake extension (browser hijacker) installed on them; however, some Chrome users have encountered an identical problem.
What is .google (Phobos)?
.google is a malicious program belonging to the Phobos ransomware family. Despite the name, this malware is in no way associated with the actual Google LLC. Systems infected with this ransomware have their data encrypted and users receive ransom demands for decryption.
During the encryption process, all affected files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address, and ".google" extension. For example, a file named "1.jpg" would appear as something similar to "1.jpg.id[C279F237-2455].[jackbez@yeah.net].google" following encryption.
Once this process is complete, ransom messages in "info.hta" and "info.txt" files are created.