Virus and Spyware Removal Guides, uninstall instructions
What are "Prizesfinder" websites?
Prizesfinder is a group of deceptive websites, which promote various scams. They have been recorded promoting "Latest version of Adobe Flash Player" and "Dear Chrome User, Congratulations!" schemes. Trusting these scams can lead to serious issues.
Few users enter Prizesfinder and other, similar pages intentionally - most are redirected to them by intrusive ads or Potentially Unwanted Applications (PUAs) already installed onto their devices. Note that these apps do not need express permission to infiltrate systems.
What is CryptoDarkRubix?
CryptoDarkRubix is the name of ransomware that was discovered by dnwls0719. Most programs of this type are designed to encrypt files, create and display ransom messages, and rename encrypted files. Rather than encrypting files, however, CryptoDarkRubix rewrites their contents (and renders them unusable).
It renames all modified files by appending the ".CryptoDarkRubix" extension to filenames. For example, a file named "sample.jpg" is renamed to "sample.CryptoDarkRubix", and so on. CryptoDarkRubix also creates a text file ("unlockFiles.txt") containing a ransom message with instructions about what victims should supposedly do next.
What is This_is_no_jock?
Discovered by Jayesh B. Kulkarni, This_is_no_jock is a malicious program belonging to the Xorist ransomware family. Systems infected with this malware suffer data encryption and users receive ransom demands for decryption.
When this ransomware encrypts, all affected files are appended with the ".system_damaged_payment_must_be_done_in_maxim_24_hours_or_your_encryption_key_will_be_deleted_forver_this_is_no_jock" extension.
For example, a file originally entitled "1.jpg" would appear as "1.jpg.system_damaged_payment_must_be_done_in_maxim_24_hours_or_your_encryption_key_will_be_deleted_forver_this_is_no_jock" following encryption.
After this process is complete, a ransom message in the form of a text file ("HOW TO DECRYPT FILES.txt") is dropped into each compromised folder.
What are "Hotrivsaln" sites?
Hotrivsaln is a group of deceptive websites running various scams. Sites belonging to Hotrivsaln have been observed promoting "Latest version of Adobe Flash Player" and "Dear Chrome User, Congratulations!" schemes, yet other scams might also be accessed through or run on these web pages.
Most people enter deceptive/scam pages via redirects caused by intrusive advertisements or Potentially Unwanted Applications (PUAs) already installed on their systems.
What is "Install.app wants access to control"?
"Install.app wants access to control" is text from a fake system notification. This appears on macOS operating systems that have potentially unwanted applications (PUAs) installed. Note that Install.app is a PUA and should not be allowed to control Safari (Safari.app) or other apps, perform actions within the browser or access documents or other data within it.
What is Tsar ransomware?
Discovered by dnwls0719, Tsar is a malicious program classified as ransomware. It operates by encrypting the data of infected systems and demanding payment for decryption. During the encryption process, all affected files are appended with the ".Tsar" extension.
For example, a file such as "1.jpg" would appear as "1.jpg.Tsar" following encryption. After encryption is complete, a pop-up window is displayed and a text file ("ReadME-Tsar.txt") is created on the desktop. Both the pop-up and text file contain ransom messages.
What is Pyrogenic/Qealler?
Pyrogenic/Qealler is a Java-based information stealer, which cyber criminals proliferate to steal credentials from browsers and other applications. The information stolen by Pyrogenic/Qealler could be misused to generate revenue in various ways. If there is reason to believe that this malware is installed on the operating system, it should be removed immediately.
What is apl-def[.]com?
apl-def[.]com is a deceptive website running several different scam variants. By claiming that the visitors' devices are infected, or that their internet connection is not secure, it attempts to trick them into downloading/installing nonoperational, untrusted or malicious software.
Few users access websites such as apl-def[.]com intentionally - they are usually redirected by intrusive advertisements or Potentially Unwanted Applications (PUAs) that have already infiltrated the device.
What is sepSys?
Like most ransomware-type programs, sepSys encrypts files, modifies their filenames and creates a ransom message. This particular ransomware renames files by appending the ".sepsys" extension to filenames. For example, "sample.jpg" becomes "sample.jpg.sepsys", and so on.
It also creates a ransom message within an HTML file named "README.html". This message contains details such as the cost of a decryption tool, instructions about how to purchase it, and other information.
What is the "Roundcube" email scam?
"Roundcube" email (subject: "- NOTIFICATION - Storage Full") is a deceptive message supposedly from Roundcube, a legitimate email service provider. The message claims that recipients have reached their mail storage limit and, unless immediate actions are taken, their accounts will be blocked.
This scheme has no connection to the genuine Roundcube email client and uses the name with malicious intent. This is a phishing scam designed to steal users' email account credentials (log-ins and passwords) to gain full control over the accounts.