Virus and Spyware Removal Guides, uninstall instructions

What is MARS?

MARS was discovered by Michael Gillespie. This ransomware encrypts files and modifies the filenames by appending its extension. It also creates the "!!!MARS_DECRYPT.TXT" text file in all folders that contain encrypted files. MARS renames files by appending ".mars" extension to their filenames.

For example, "1.jpg" is renamed to "1.jpg.mars", "2.jpg" to "2.jpg.mars", and so on. The "!!!MARS_DECRYPT.TXT" file is the ransom message, which contains details such as size of ransom, how to pay, etc.

What is ConverterSearchPlus?

ConverterSearchPlus is a browser hijacker that operates by making modifications to browser settings to promote convertersearchplus.com (a fake search engine). Furthermore, as with most browser hijackers, ConverterSearchPlus has data tracking capabilities, which are used to monitor users' browsing activity.

Due to the dubious techniques employed to distribute this browser hijacker, it is also classified as a Potentially Unwanted Application (PUA).

What is finvesterns[.]work?

Commonly, web pages such as finvesterns[.]work are promoted by potentially unwanted applications (PUAs), which most users download and install unintentionally. More examples of pages that are promoted by PUAs are bargaret[.]work, dropapk[.]to and jrg-news1[.]club.

Note that PUAs promote dubious websites, serve ads and collect information relating to users' browsing activities.

What is bargaret[.]work website?

Similar to jrg-news1.club, nnouncils.space, robotornotcheckonline.icu, the-best-push-news.com and countless others, bargaret[.]work is a rogue web page. This site presents visitors with dubious content and/or redirects them to other untrusted or possibly malicious websites.

Typically, these pages are entered via redirects caused by intrusive advertisements or by Potentially Unwanted Applications (PUAs) already infiltrated into the system. These apps do not need user consent to be installed onto devices. PUAs operate by causing redirects, running intrusive ad campaigns and collecting browsing-related content.

What is H@RM@?

H@RM@ was discovered by 0x4143 and is a ransomware-type program belonging to the WannaScream family. H@RM@ prevents victims from accessing their files by encryption and renames each encrypted file. It also creates the "ReadMe.txt" text file and displays a pop-up window, both containing ransom messages.

H@RM@ renames files by adding the victim's ID, recoverydata98@protonmail.com email address and appending the ".H@RM@" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.C279F237[recoverydata98@protonmail.com].H@RM@", "2.jpg" to "2.jpg.C279F237[recoverydata98@protonmail.com].H@RM@", and so on.

What is Search with Engine of your choice?

Typical browser hijackers promote addresses fake search engines by changing specific browser settings. In fact, Search with Engine of your choice is not a typical browser hijacker - it allows users to search for selected text using the context menu without changing any settings.

Additionally, the app can read and change all data on websites that users visit. Note that people do not often download or install browser hijackers intentionally - research shows that this particular hijacker is distributed via a scam website offering an update to Adobe Flash Player with a fake installer.

What is Captcha Ransomware?

Captcha ransomware is a part of the Makop ransomware family. It encrypts files, modifies their filenames and creates the "build note.txt" text file. Captcha adds the victim's ID, garantos@mailfence.com email address and appends the ".captcha" extension to the filenames of encrypted files.

For example, "1.jpg" is renamed to "1.jpg.[9B83AE23].[garantos@mailfence.com].captcha", "2.jpg" to "2.jpg.[9B83AE23].[garantos@mailfence.com].captcha", and so on. The "build note.txt" text file is a ransom message, which Captcha creates in all folders that contain encrypted files.

What is RegretLocker ransomware?

Discovered by MalwareHunterTeam, RegretLocker is malicious software classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the ".mouse" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.mouse", "2.jpg" as "2.jpg.mouse", "3.jpg" as "3.jpg.mouse", and so on. After the encryption process is complete, ransom messages named "HOW TO RESTORE FILES.TXT" are dropped into compromised folders.

What is the "Among Us Free Items" scam?

"Among Us Free Items" refers to a scam run on various deceptive websites. This scheme is presented as a service, which can be used to obtain free content for Among Us, an online multiplayer social deduction game developed by the InnerSloth game studio.

Supposedly, users can obtain skins, hats, pets and other items for the game, however, rather than receiving the promised content, they are presented with false information intended to abuse their trust. Victims might be redirected to phishing web pages and/or to other untrusted/malicious sites.

This scam is in no way associated with the InnerSloth game studio. Deceptive websites can be accessed unintentionally via redirects caused by intrusive advertisements or by Potentially Unwanted Applications (PUAs) already infiltrated into the system.

What is Mytab App?

Applications such as Mytab App promote fake search engines by changing browser settings. Commonly, users download and install these rogue apps inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs). Note that browser hijackers promote various fake search engines and record data.