Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is the .help (Dharma)?

.help is a malicious program belonging to the Dharma ransomware family. Systems infected with .help (Dharma) experience data encryption and users receive ransom demands for decryption.

During the encryption process, all compromised files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ".help" extension.

For example, a file named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[alinas89@aol.com].help" following encryption. Once this process is complete, ransom messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is Sss?

Belonging to the Dharma ransomware family, Sss renames encrypted files by adding the victim's ID, m5b92n5p1@mail.com email address, and appending the ".sss" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[m5b92n5p1@mail.com].sss", "2.jpg" to "2.jpg.id-C279F237.[m5b92n5p1@mail.com].sss", and so on.

It also creates the "FILES ENCRYPTED.txt" text file and displays a pop-up window - ransom messages that contain instructions about how to contact Sss developers plus various other details.

What is ZqVIkE ransomware?

ZqVIkE is ransomware-type program based on the Hidden Tear (HiddenTear) open-source project. Systems infected with this type of malware experience data encryption and users receive ransom demands for decryption. Note that ZqVIkE is still in development, and thus might not encrypt all of files stored on the compromised device.

During the encryption process, affected files are appended with the ".ZqVIkE" extension. For example, a file originally named "1.jpg" would appear as "1.jpg.ZqVIkE", "2.jpg" as "2.jpg.ZqVIkE", and so on. The ransom-demand messages are created in the desktop wallpaper and "@READ_ME@.txt" text file.

What is Mpmp?

This ransomware belongs to the VoidCrypt ransomware family. Like most malicious programs of this type, Mpmp encrypts files and renames them. It also generates a ransom message with instructions about how to contact the developers.

Mpmp renames encrypted files by adding the mpdecoder@gmail.com email address and victim's ID, and appending the ".mmp" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.[mpdecoder@gmail.com][YL03P8OKRI1D2XU].mpmp", "2.jpg" to "2.jpg.[mpdecoder@gmail.com][YL03P8OKRI1D2XU].mpmp", and so on.

Mpmp creates the "!INFO.HTA" file in all folders that contain encrypted files. The file is designed to display a ransom message.

What is the 24-support-global[.]expert website?

24-support-global[.]expert is a deceptive web page that promotes various scams. At the time of research, this site was observed promoting several versions of the "Your Apple iPhone is severely damaged" scam and one stating that users need to download a VPN application to continue watching content online.

This type of scheme promotes nonoperational and untrusted software. The most common kinds are potentially unwanted applications (PUAs) such as fake anti-virus programs, adware, browser hijackers, etc. These scams might also promote malware such as Trojans, ransomware, etc.

No website can actually detect threats/issues present on visitors' devices. Note that 24-support-global[.]expert and other scam sites are typically accessed via mistyped URLs, redirects caused by intrusive advertisements, and PUAs.

What is mobile-detection[.]com?

Like many other websites of this kind, mobile-detection[.]com promotes a potentially unwanted application (PUA) by claiming that use of the app will remove viruses, which have supposedly been detected by the site. In summary, websites such as mobile-detection[.]com promote software in deceptive ways.

Note that users do not often visit these sites intentionally - they are opened when users visit other bogus sites, click dubious ads, or have PUAs installed on their browsers and/or computers.

What is Epor?

Belonging to the Djvu ransomware family, Epor is designed to encrypt files, modify their filenames, and create a ransom message. Epor renames files by appending the ".epor" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.epor", "2.jpg" to "2.jpg.epor", and so on.

It also creates a ransom message (within the "_readme.txt" text file) in all folders that contain encrypted files.

What is the "Mac OS Alert" scam?

"Mac OS Alert" is a scam promoted on various deceptive websites. This scheme claims that visitors' devices may be infected and recommends a quick scan. The fake scan then details several nonexistent viruses and states that the anti-virus suite must be updated. No web page can detect threats/issues present on systems, and any that make such claims are scams.

Schemes of this kind promote various untrusted or even dangerous software. These scams commonly promote potentially unwanted applications (PUAs) such as fake anti-virus programs, adware, browser hijackers, etc. In some cases, they even proliferate malware (e.g. Trojans, ransomware, etc.).

Few users access these deceptive sites intentionally - most access them via mistyped URLs, redirects caused by intrusive advertisements or PUAs.

What is CRAT?

CRAT is a Remote Access Trojan (RAT), a form of malware that allows cyber criminals to control infected devices remotely.

Research shows that this RAT (depending on its version) can be used to access and control computers and to download and install additional malicious components allowing it to capture the victim's screen, log keystrokes, monitor the clipboard, and encrypt files with ransomware.

What is IStreamingSearch?

IStreamingSearch is rogue software classified as a browser hijacker. Following successful installation, it makes alterations to browser settings to promote istreamingsearch.com (a fake search engine). Additionally, IStreamingSearch has data tracking capabilities, which are used to monitor users' browsing habits.

Due to the dubious methods used to proliferate this browser hijacker, it is also classified as a Potentially Unwanted Application (PUA).