Virus and Spyware Removal Guides, uninstall instructions

What is CollectorStealer?

CollectorStealer (also known as DCStealer) is malicious software which allows cyber criminals to steal various sensitive information (e.g. passwords, credit card details) and files. This malware is for sale on a hacker forum for $12 or $75 (depending on the subscription type).

It is advertised on the aforementioned forum as a "top-end information stealer" with a Russian interface.

What is Image Seeker?

Image Seeker is a browser hijacker which assigns certain browser settings to image-seeker.com.

In this way, the app promotes the fake search engine web site. Most browser hijackers also track and record information. Typically, users download and install apps such as Image Seeker unintentionally and, for this reason, they are categorized as potentially unwanted applications (PUAs).

What is System Care Pro?

System Care Pro is a system cleaner supposedly designed to improve computer performance. In fact, this software is categorized as a potentially unwanted application (PUA), due to the methods used by developers to distribute it. Commonly, users download and install PUAs unintentionally and these bogus apps should never be trusted.

What is the "Gift card giveaway" scam?

The "Gift card giveaway" is a scam promoted on various deceptive websites. This scheme offers fake gift cards for popular brands/services. For example, Amazon, eBay, Google Play, iTunes, Microsoft, MasterCard, PayPal, Skype, Netflix, Nintendo, PlayStation, Roblox, and so on.

This scheme redirects to various phishing sites and other similar scam pages. Therefore, trusting "Gift card giveaway" can lead to serious issues. Typically, users access these untrusted sites unintentionally - they are redirected to them by intrusive ads or Potentially Unwanted Applications (PUAs) already installed on the system.

What is Baraka Team?

Discovered by dnwls0719, Baraka Team is the name of malicious software classified ransomware. Systems infected with this malware have their data encrypted so that ransom demands can be made for decryption tools/software.

Most ransomware-type programs rename compromised files and/or append them with an extension during the encryption process, however, Baraka Team malware does not modify filenames. After encryption is complete, a ransom message ("ReadmeCrypto.txt") is dropped onto the desktop, the wallpaper of which is also changed.

What is the "Request for quotation" email?

"Request for quotation" is a scam email designed to proliferate the Agent Tesla Remote Access Tool (RAT).

When used for malicious purposes, it is classified as a Remote Access Trojan. The emails supposedly concern an urgent order and recipients are asked to provide relevant specification of this potential purchase, however, opening the attached file starts the infection process (i.e. download/installation of the Agent Tesla RAT).

What is Chinz?

Chinz belongs to the Phobos ransomware family. This is a typical ransomware infection designed to encrypt files, modify their filenames, and provide instructions about how to contact the developers regarding decryption.

Chinz changes the name of each encrypted file by adding the victim's ID, yuzhou13@tutanota.com email address, and appending the ".chinz" extension to the filename.

For example, it would rename a file called "1.jpg" to "1.jpg.id[1E857D00-2875].[yuzhou13@tutanota.com].chinz", "2.jpg" to "2.jpg.id[1E857D00-2875].[yuzhou13@tutanota.com].chinz", and so on. It also displays a ransom message in a pop-up window and creates another in the "info.txt" text file.

What is the "Secure Parking" email?

"Secure Parking" is the name of a spam email campaign. These scam messages are disguised as final warning notifications from Secure Parking, a legitimate international parking service provider. Note that the email is in no way connected to the genuine Secure Parking car park operator.

The messages claim that recipients have received a fine for parking violations, which must be addressed immediately. Rather than containing information relating to the incident and issued fine, the attached file starts the infection process/chain of Taurus Stealer malware.

When opened (and after the instructions provided within the document are carried out), the file begins downloading/installing this malicious program.

What is Perfect Startpage?

Perfect Startpage browser hijacker promotes perfectstartpage.com, a fake search engine, by modifying specific browser settings. These apps also collect information relating to users' browsing habits. People often download and install browser hijackers inadvertently and, therefore, they are categorized as potentially unwanted applications (PUAs).

What is DataSearchLauncher?

DataSearchLauncher is a potentially unwanted application (PUA), which has characteristics of adware-type apps and browser hijackers. I.e., it serves advertisements and changes certain browser settings (to promote addresses of fake search engines). These apps are cateogorized as PUAs, since users often download and install them inadvertently.

Research shows that people install DataSearchLauncher through a deceptive Adobe Flash Player installer. Note that PUAs often gather certain data.