Virus and Spyware Removal Guides, uninstall instructions

What is faters0upload[.]com?

Identical to mob1ledev1ces.com, faters0upload[.]com is a scam website that promotes various rogue installers, which are usually disguised as Flash Player updates. These fake updaters are commonly used to infiltrate systems with untrustworthy software - adware, browser hijackers and other Potentially Unwanted Applications (PUAs).

They can also cause malware infections (e.g. install trojans, ransomware, etc.). Few users access faters0upload[.]com or other deceptive sites intentionally - they are redirected by intrusive ads or PUAs already installed on the system.

What kind of malware is Parallax?

Parallax is a remote administration tool (RAT), which can be purchased on a hacker forum. Remote administration tools are programs used by cyber criminals to take full control over the targeted computer. Generally, they use RATs to infect systems with malware, steal personal information and perform other actions that enable them to generate revenue in various ways.

What is CentralRush?

CentralRush is one of many apps that supposedly improve the browsing experience, but is categorized as a potentially unwanted application (PUA), adware. Typically, people download and install software of this type unintentionally. Adware-type apps display various intrusive advertisements.

They also operate as information tracking tools, gathering information relating to users' browsing habits.

What is "Your computer is low on memory"?

"Your computer is low on memory" is a deceptive pop-up window displayed by rogue applications (e.g. adware, browser hijackers or other Potentially Unwanted Applications - PUAs). It is displayed by ScreenSaver.app, ScreenCapture.app, Spaces.app, MacSecurityPlus and other dubious apps.

The pop-up is designed to trick users into giving the application displaying it various permissions such as control over browsers and the data stored therein.

What is oke[.]io?

The oke[.]io website provides a URL-shortening service, however, it uses rogue advertising networks - it redirects visitors who use the service to various other untrusted websites.

Websites of this type commonly open pages that attempt to trick people into installing potentially unwanted applications (PUAs) including browser hijackers, adware-type apps, or even malicious software such as Trojans and ransomware. We advise against visiting any sites that redirect visitors to other untrustworthy, potentially malicious websites.

What is prizeseeker?

prizeseeker is a family of deceptive pages designed to trick people into providing personal information, installing potentially unwanted applications (PUAs) such as browser hijackers and adware, or even malicious programs including Trojans and ransomware.

In any case, none of the prizeseeker web pages are trusted. These websites are often opened when people click deceptive advertisements, visit other dubious web pages or have PUAs installed on the browser and/or operating system. Therefore, people do not often open prizeseeker or other, similar websites intentionally.

What is SDfghjkl?

Discovered by Raby, SDfghjkl is a malicious program belonging to the Paradise ransomware family. This malware operates by encrypting the data of infected systems so that ransoms can be issued for decryption tools/software. During the encryption process, all files are renamed according to this pattern: "_      _{fiasco911@protonmail.com}SDfghjkl".

For example, a file originally named "1.jpg" would appear as "1.jpg_      _{fiasco911@protonmail.com}SDfghjkl", and so on for all compromised files. After this process is complete, a text file ("Instructions with your files.txt") is created on the desktop and a pop-up window is displayed.

Note that SDfghjkl is decryptable ransomware - files encrypted by it can be recovered with a tool developed by Emsisoft (user guide and download link).

What is Meterpreter?

Meterpreter is a malicious trojan-type program that allows cyber criminals to remotely control infected computers. This malware runs in computer memory without writing anything to disk. Therefore, it injects itself into compromised processes and does not create any new processes.

Meterpreter can be used to send and receive files, run executable files, run various commands through command shell, take screenshots and record keystrokes. Like most programs of this type, it is distributed to steal information that could be used to generate revenue and/or infect computers with other malware.

What is "BadutClowns Team"?

Discovered by malware researcher, Raby, "BadutClowns Team" is a screenlocking ransomware program, which operates by encrypting the data of infected systems and locking screens - a ransom payment is then demanded for decryption and screen unlocking.

When the infection process begins, a fake Windows update screen is displayed. During encryption, affected files are appended with the ".badutclowns" infection. For example, a file such as "1.jpg" would appear as "1.jpg.badutclowns". The text presented on the locked screen is the ransom message.

What is KBOT?

KBOT is malicious software that can steal various credentials such as passwords, logins, cryptocurrency wallet data, lists of files and installed programs, banking-related and other personal information. It can cause serious problems for victims. Research shows that Kaspersky solutions detects this malware and associated components as Kpot.

If you believe that KBOT (also known as KBOT stealer) is installed on the operating system, you should remove it immediately.