Virus and Spyware Removal Guides, uninstall instructions

WSH RAT Malware

What is WSH?

WSH (also known as WSHRAT) is the name of a remote access/administration trojan (RAT). Typically, cyber criminals use software of this type to control victims' computers remotely. In this way, they can steal personal details and data, which are then used to generate revenue in various ways.

WSH is a powerful RAT that can cause users of infected computers serious problems. If there is reason to believe that WSH is installed on your system, remove/uninstall it immediately.

   
Apple ID Scam (Mac)

What is an Apple ID scam?

Scammers (cyber criminals) design many deceptive websites to have the appearance of official Apple (Apple ID) websites. In fact, the genuine address of the Apple ID website is appleid.apple.com (deceptive websites use different addresses). Furthermore, fake Apple ID websites usually do not function properly.

For example, menu links do not work. The main purpose of these scam sites is to obtain personal details from unsuspecting people. We strongly advise that you avoid unofficial Apple sites and, more importantly, do not provide any personal information.

   
WannaCash Ransomware

What is WannaCash?

Ransomware is software that encrypts files and denies access unless victims unlock them with specific decryption software (and/or keys) that can be purchased from cyber criminals who designed the program. WannaCash encrypts files using the AES-256 encryption algorithm.

It compresses all files and renames them by adding the "файл зашифрован" string to filenames. For example, "1.jpg" becomes "файл зашифрован (1.jpg).zip". Additionally, when a victim launches a malicious executable file, WannaCash opens the "keys.txt" text file. It also creates a ransom message within the "как расшифровать файлы.txt" file.

   
Caleb Ransomware

What is Caleb?

Discovered by GrujaRS, Caleb is malicious software classified as ransomware. It is part of the Phobos ransomware family and/or is based on this software. Caleb operates by encrypting files and keeping them locked until a ransom is paid (i.e., a decryption program/tool is purchased).

The delivered message files, which demand the ransom, depend on the specific ransomware. In this case, Caleb stores two files on the desktop: "info.txt" and "info.hta", each containing ransom details. Encrypted files are also renamed with the user's unique ID number, followed by an email address, and the ".Caleb" file extension.

For example, "1.jpg" might be renamed to "1.jpg.id[1E857D00-2394].[adagekeys@qq.com].Caleb", and so on for all affected files. Updated variants of this ransomware use ".[sverdlink@aol.com].Caleb", ".[AlterCore@mail.ee].Caleb", ".[theonlyoption@qq.com].Caleb" and ".[funnyredfox@aol.com].Caleb" extensions for encrypted files.

   
Sherminator Ransomware

What is Sherminator?

Sherminator is ransomware-type software that encrypts files and creates a ransom message. Typically, people with computers infected with ransomware cannot access their files unless they decrypt them with a tool that can be purchased from the cyber criminals who designed the program.

Sherminator was discovered by GrujaRS and is a new variant of MrDec ransomware. It renames all encrypted files by adding a string of random characters to the filenames. For example, "1.jpg" might become "1.jpg.[ID]JrCHOfl83prTYZtyK[ID]".

   
Mediasvideo.world Ads

What is mediasvideo[.]world?

Mediasvideo[.]world is a rogue site designed to redirect visitors to unreliable/malicious webpages and to force-feed them dubious content. There are thousands of such websites and many of them share certain similarities; sites similar to mediasvideo[.]world include cudalbapt.com, celeb-secret.live, offer.agency and so on.

Notably, few users access this website willingly; most are redirected to it. Invasive advertisements and PUAs (potentially unwanted applications) are both capable of causing such redirects. Regarding the latter, undesirable apps do not need explicit user consent to invade devices.

Once successfully installed, they generate redirects, deliver intrusive ad campaigns and gather information.

   
Folmetor.com Ads

What is folmetor[.]com?

Folmetor[.]com, akin to telecomer.live, nerinlelighda.pro, bigclicker.me and thousands of others, is a rogue website. It operates by generating redirects to other unreliable and possibly malicious websites, as well as by presenting users with highly questionable content.

Most visitors to this site enter it unintentionally, as they usually access it through unauthorized redirects. Both intrusive advertisements and PUAs (potentially unwanted applications) are capable of generating such redirects. It should be mentioned that undesirable apps do not need explicit user permission to invade devices.

Once successfully infiltrated, PUAs cause redirects, run invasive ad campaigns and some can even track data.

   
WannaCry Ransomware

What is WannaCry?

Discovered by GrujaRS and belonging to the Phobos family, WannaCry (also known as WannaCryFake) is software categorized as ransomware. This malicious program encrypts files and keeps them locked unless the victim pays a ransom (purchases a decryption software/tool).

WannaCry creates a ransom message that can be viewed by opening the "info.hta" file. It also renames all encrypted files by adding a string of random characters, an email address, and the ".WannaCry" extension to the filenames. For example, "sample.jpg" becomes "sample.jpg.[BFEBFBFF000906E9][recoverydata54@protonmail.com].WannaCry".

   
Cudalbapt.com Ads

What is cudalbapt[.]com?

Cudalbapt[.]com is classified as a rogue website. It shares many similarities with vinuser.biz, onlinecontent.fun, chanelets-aurning.com and thousands of others. It is created for the purpose of force-feeding users unreliable content and/or redirecting them to various untrustworthy and possibly malicious webpages.

It should be mentioned that few visitors to this site ever encounter it willingly. Most get redirected by clicking on intrusive advertisements or by having it force-opened by PUAs (potentially unwanted applications). These rogue apps generate redirects, run invasive ad campaigns and track data.

Importantly, PUAs do not need express user permission to infiltrate devices.

   
Alballaim.com Ads

What is alballaim[.]com?

Like solo85.biz, topernews.me, rumiceseeds.com, nerinlelighda.pro and many others, alballaim[.]com is a rogue site. It is designed to deliver highly dubious content for user consumption and to generate redirects to other unreliable/malicious websites. This webpage is rarely accessed intentionally or happened upon by accident.

In most cases, users get redirected to it by invasive advertisements or by PUAs (potentially unwanted applications). These undesirable apps cause redirects to dangerous websites, run invasive ad campaigns and spy on users' browsing habits. It should be noted that PUAs do not need explicit user consent to invade devices.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
