Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is Rar?

Rar is ransomware - malware that uses encryption to prevent victims from accessing their files. We found that Rar appends the victim's ID, spystar1@onionmail.com email address, and ".Rar" extension to the filenames of all encrypted files. Also, it creates the "Read.txt" file that contains a ransom note.

Rar is one of the ransomware variants belonging to the VoidCrypt family. Our team discovered Rar while inspecting malware samples submitted to the VirusTotal website. An example of how Rar renames files: it changes "1.jpg" to "1.jpg.[CW-JL7840913526](spystar1@onionmail.com).Rar", "2.png" to "2.png.[CW-JL7840913526](spystar1@onionmail.com).Rar", and so forth.

What is ZEUS (Chaos) ransomware?

While inspecting new submissions to VirusTotal, our researchers found the ZEUS malicious program, which is based on the Chaos ransomware.

Once we executed a sample of the ZEUS (Chaos) ransomware on our testing system, it began encrypting files and changed their names. Original filenames were appended with extensions consisting of our random characters, e.g., on our test machine, a file titled "1.jpg" appeared as "1.jpg.5uqw", "2.png" as "2.png.854t", etc.

Afterward, the ransomware created a ransom note named "read_it.txt". It also changed the desktop wallpaper to one that contains a message. The text presented both in the file and on the wallpaper is in Indonesian.

What kind of page is prime-scanner[.]com?

Prime-scanner[.]com is one of the many deceptive websites running the "McAfee - Your PC is infected with 5 viruses!" scam. The purpose of this site is to trick visitors into purchasing legitimate antivirus software. Also, prime-scanner[.]com asks for permission to show notifications. We discovered it while inspecting websites that use rogue advertising networks.

What is Bookmark Drag and Drop?

While checking out suspicious software promoting sites, our research team discovered the Bookmark Drag and Drop browser extension. It is endorsed as a bookmark management and quick access tool.

Our inspection of Bookmark Drag and Drop revealed that it operates as a browser hijacker. This extension modifies browser settings to cause redirects and collects sensitive information.

What kind of malware is Flame?

Flame is ransomware based on the Chaos ransomware. It encrypts files, appends four random characters to filenames (appends its extension), changes the desktop wallpaper, and creates the "read_it.txt" file containing a ransom note. We discovered Flame ransomware while inspecting samples submitted to the VirusTotal page.

An example of how Flame modifies filenames: it renames "1.jpg" to "1.jpg.6p5i", "2.png" to "2.png.hmb6", and so on.

What kind of page is control-scanning[.]com?

Our researchers discovered the control-scanning[.]com rogue page during a routine investigation of suspicious websites. It is designed to run scams, promote spam browser notifications, and redirect visitors to other (likely untrustworthy/malicious) sites.

Users typically enter webpages like control-scanning[.]com through redirects caused by sites employing rogue advertising networks.

What is InitialConnection?

While inspecting new submissions to VirusTotal, our researchers found the InitialConnection rogue application. Our analysis of this app revealed that it operates as adware and belongs to the AdLoad malware family. InitialConnection is designed to run intrusive advertisement campaigns, and it may have additional harmful abilities.

What kind of application is FocusAhead?

FocusAhead is an untrustworthy application that displays intrusive advertisements and can read sensitive information. Apps that show ads are called adware (advertising-supported software). Typically, users install adware on their computers unintentionally. We discovered FocusAhead while inspecting deceptive pages.

What kind of email is "Email Security Update Scam"?

"Email Security Update Scam" refers to an email spam campaign that we have analyzed. We determined that it is a phishing scam targeting email account log-in credentials (passwords). These fake emails attempt to extract this information from recipients by claiming that security issues have occurred on their mail accounts.

What kind of page is protect2023[.]xyz?

Protect2023[.]xyz is an untrustworthy website that runs the "McAfee - Your PC is infected with 5 viruses!" scam and wants to show notifications. All messages displayed on this page are fake. We discovered protect2023[.]xyz while examining dubious pages that use rogue advertising networks.