Virus and Spyware Removal Guides, uninstall instructions

What is junbi-tracker.com?

Similar in many ways to billmscurlrev.com, questionfly.com, popunderzone.com, and many others, junbi-tracker.com is a rogue website designed to redirect users to various other deceptive sites.

In most cases, users visit junbi-tracker.com inadvertently - they are redirected to it by potentially unwanted programs (PUPs) that are installed on computers without consent. PUPs also provide intrusive advertisements and gather sensitive user-system information.

What is jumpers.mobi?

jumpers.mobi is a rogue website that is identical to many other sites (such as nametraff.com, thesterminator.com, and celeryleek.com) of this type.

These sites redirect from one rogue site to another. Users are likely to to visit jumpers.mobi inadvertently - they are redirected by potentially unwanted programs (PUPs) that infiltrate systems without users' consent. They can cause redirects, but also deliver intrusive ads and collect information relating to browsing habits (and other data).

What is incluster.com?

incluster.com is another rogue website (similar to dealclicks.us, goldoffer.online, redirecting.zone, and many more) that redirects to various other dubious/suspicious websites.

Users are often redirected to these websites by potentially unwanted programs (PUPs) or intrusive ads that are displayed on other dubious websites. Therefore, many users visit incluster.com without their consent. PUPs are typically installed without permission, cause redirects, collect sensitive data, and deliver intrusive ads.

What is hyptas.com?

Identical to other sites (such as allbest.mobi, bestabid.com, and securecould-dl.com), hyptas.com is a rogue website that redirects to other dubious and potentially malicious websites.

In most cases, users arrive at hyptas.com inadvertently - probably via potentially unwanted programs (PUPs) or intrusive ads that trigger redirects to the website. PUPs usually infiltrate systems without permission, cause redirects, provide intrusive ads, and collect information relating to browsing activity.

What is greatene.com?

greatene.com is a rogue website similar to toroadavdertisingmedia.com, smartoffer.site, adskpak.com and many others of this type that redirect to other (potentially malicious) websites.

In most cases, users visit these sites inadvertently - they are redirected by intrusive advertisements or potentially unwanted programs (PUPs). These are usually installed without permission, cause redirects to unwanted/dubious websites, provide users with intrusive ads, and collect private information.

What is DjvuApp?

DjvuApp (also known as WniDjView) is an open-source application that allows users to view the DjVu file format. This app is legitimate and useful, however, cyber criminals inject DjvuApp's source code with malicious scripts.

Therefore, some variants of this application are categorized as adware and potentially unwanted programs (PUPs). The main reasons for these negative associations are: 1) stealth installation without users' consent; 2) tracking of web browsing activity, and; 3) display of intrusive advertisements.

What is Virus Scanner?

"Virus Scanner" is a fake warning message displayed by a deceptive website. This site's URL is typically used to promote spam email campaigns - messages state that users' email clients are infected and encourage them to immediately perform a scan and remove all issues.

In some cases, however, users are redirected to this website by various potentially unwanted programs (PUPs) that infiltrate systems without permission. As well as causing redirects, potentially unwanted programs deliver intrusive advertisements and gather various sensitive information.

What is hp.myway.com?

FromDocToPDF is a deceptive application developed by Mindspark Interactive Network (also known as IAC Applications). By offering a feature that allows conversion of .doc files to .pdf (and vice versa), FromDocToPDF attempts to give the impression of legitimacy.

In fact, this app is categorized as a potentially unwanted program (PUP) and a browser hijacker. There are two main reasons for these negative associations: 1) installation without users' consent, and; 2) stealth modification of web browser options.

What is LockCrypt?

LockCrypt is a ransomware-type virus discovered by malware security researcher, xXToffeeXx. Once infiltrated, LockCrypt encrypts various files and renames them using the "[random_characters]=ID=[random_characters].lock" pattern.

For instance, "sample.jpg" might be renamed to a filename such as "CjBKBVcdVRk+AkkLPEQhNGpJPgkeO35TKBt0IUNSSQIzLnxgP04xRFEnewBTPCAEJ0BqA19DPjI= ID BM83S37H145HNUbT.lock".

LockCrypt then opens a pop-up window and creates a text file ("ReadMe.txt"), placing it on the desktop. Updated variants of this ransomware use .mich, .1btc or .1BTC extensions for encrypted files.

What kind of malware is Scarab?

Discovered by malware security researcher, Michael Gillespie, Scarab is a ransomware-type virus that stealthily infiltrates systems and encrypts various data. During encryption, Scarab appends filenames with the ".[resque@plague.desi].scarab" extension.

For instance, "sample.jpg" is renamed to "sample.jpg.[resque@plague.desi].scarab". Updated variants of this ransomware append: .inchin, .gold, .crabs. .dom, .rsalive, .btchelp@xmpp.jp, .{Help557@cock.li}.exe, .o$l, .alilibat, .les#, .Oops, .Navi, .[zoro4747@gmx.de].zoro, .kes$, .vally, .croc, .CRABSLKT, .burn, .fuchsia, .tokog, .crypt000, .[mrpeterson@cock.li].GFS, .suffer, .[crab2727@gmx.de].gdcb, .[decrypt2019@gmx.de].crypt2019, .X3, .nosafe, .GEFEST, .crash, .RAP, .[Traher@Dr.Com], .zzzzzzzz, .[[crab1917@gmx.de]].krab. .aztecdecrypt@protonmail.com, .online24files@airmail.cc, .stevenseagal@airmail.cc, .CRYPTO, .Enter, .fast, .key, .supportfiless24@protonmail.ch, .wewillhelp@airmail.cc, .yourhope@airmail.cc, .DD, .helpersmasters@airmail.cc, .[crab7765@gmx.de].crab, .ERROR, .firmabilgileri, .onlinesupport, .skype, .hitler, .mammon, .bruuuuz@yahoo.com, .glutton, .danger, .rent, .CYBERGOD, .anonimus.mr@yahoo.com, .BARRACUDA, .sdk, .ukrain, .bin2, .[firmabilgileri@bk.ru], .BD.Recovery, .[Filesreturn247@gmx.de].lock, .Recovery, .[mrbin775@gmx.de].bin, .dan@cock.email, .bomber, .fastsupport@xmpp.jp, .fastrecovery@xmpp.jp, .oneway, .infovip@airmail.cc, .osk, .walker, .locked, .please, [Help-Mails@Ya.Ru].Scorpio, .xmail@cock.li, .macc.edont@protonmail.com .[suupport@protonmail.com].scarab, .worcservice@protonmail.ch, .cashdashsentme@protonmail.com, .(hupstore@keemail.me) or .one extensions to encrypted files. 

Other variants of this ransomware add .[unlocking.guarantee@aol.com] extension to encrypted files. Following successful encryption, the virus creates and automatically opens a text file ("IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"), and then places it on the desktop.

Since April, 2018 Scarab ransomware started using .decrypts@airmail.cc extension for encrypted files (for example 1.jpg after encryption would appear as VhyC=mMdD31qs4.decrypts@airmail.cc).

Other variants use .red and .fastrecovery@airmail.cc extension for encrypted files. Ransom demanding message is now presented in "HOW TO RECOVER ENCRYPTED FILES - decrypts@airmail.cc.TXT" file.