Virus and Spyware Removal Guides, uninstall instructions
What is Kook?
Kook is malicious software belonging to the Djvu ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools/software. During the encryption process, all compromised files are appended with the ".kook" extension.
For example, a file named something like "1.jpg" would appear as "1.jpg.kook" following encryption. Once this process is complete, a ransom message is created in the "_readme.txt" file.
What is Tcprx ransomware?
Discovered by Marcelo Rivero, Tcprx is malicious software belonging to the Dharma ransomware family. It operates by encrypting data and demanding payment for decryption. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals' email address and the ".tcprx" extension.
For example, a file like "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[tcprx@tutanota.com].tcprx" following encryption. An updated variant of this ransomware uses the ".[tcprx@cock.li].tcprx" extension.
After this process is complete, ransom messages are created in a pop-up window and "FILES ENCRYPTED.txt" text files, which are dropped into compromised folders.
What is the fake "IOS /MAC Defender Alert"?
"IOS /MAC Defender Alert" is a technical support scam, promoted on deceptive websites. This scheme targets Apple product users and claims that their devices have been infected. To prevent any damage being caused to the device, users are encouraged to call "Apple technical Support".
This is a scam, and all of the information provided by "IOS /MAC Defender Alert" is false. Additionally, this fake alert is in no way associated with the genuine Apple Inc. company. Few users access these deceptive/scam pages intentionally - most are redirected to them by intrusive advertisements or Potentially Unwanted Applications (PUAs) already infiltrated into the system.
What is Docallisec?
Docallisec is an adware-type application with browser hijacker traits. Following installation, it runs intrusive advertisement campaigns (i.e. delivers various unwanted ads), makes alterations to browser settings and promotes fake search engines. Most adware and browser hijackers have data tracking capabilities, and it is highly likely that Docallisec has these as well.
Due to the dubious methods used to spread this app, it is also classified as a Potentially Unwanted Application (PUA). One of the distribution techniques used for Docallisec is proliferation via fake Adobe Flash Player updates. Rogue software updaters/installers proliferate not just PUAs but also Trojans, ransomware and other malware.
What is ExpertLookupEngine?
ExpertLookupEngine is rogue software categorized as adware. This app also has browser hijacker traits. It operates by running intrusive advertisement campaigns, making modifications to browser settings and promoting fake search engines. It is highly likely that ExpertLookupEngine records browsing activity, as is the case with most adware and browser hijackers.
Since users typically download/install ExpertLookupEngine unintentionally, it is classified as a Potentially Unwanted Application (PUA). One of the dubious techniques used to distribute ExpertLookupEngine is via fake Adobe Flash Player updates. Bogus software updaters/installers are also used to proliferate malware (e.g. Trojans, ransomware, etc.).
What is "Your Mac is infected with 5 viruses!"?
This deceptive website is designed to promote another scam ("Norton subscription has expired today") and trick visitors into believing that their Mac computers are infected with viruses. It claims that, to remove the viruses, visitors must renew their antivirus software subscriptions.
In fact, this web page promotes a potentially unwanted application (PUA), which has nothing to do with Norton AntiVirus or any other legitimate antivirus software.
What is SectionBrowser?
SectionBrowser is an adware-type application with browser hijacker traits. Following successful installation, it operates by delivering intrusive advertisement campaigns, making modifications to browser settings and promoting fake search engines. SectionBrowser promotes Safe Finder via akamaihd.net in this way.
Additionally, most adware and browser hijackers have data tracking capabilities that are used to monitor users' browsing activity. It is highly likely that SectionBrowser has this functionality as well. Due to the dubious methods used to proliferate SectionBrowser, it is classified as a Potentially Unwanted Application (PUA).
What is [Zfile@Tuta.Io] ransomware?
[Zfile@Tuta.Io] is a malicious program, which is part of the GlobeImposter ransomware family. It operates by encrypting files and demanding payment for decryption. During the encryption process, all affected files are appended with the ".[Zfile@Tuta.Io]" extension.
For example, a file originally named something like "1.jpg" would appear as "1.jpg.[Zfile@Tuta.Io]" following encryption. After this process is complete, ransom-demand messages within "recover files.hta" files are dropped into compromised folders.
What is SearchWebPortal?
SearchWebPortal is a rogue application classified as adware, which also has browser hijacker traits. Following successful infiltration, it operates by delivering intrusive advertisement campaigns, making modifications to browser settings and promoting fake search engines.
Most adware and browser hijackers monitor users' browsing activity, and it is highly likely that SearchWebPortal does so as well. Due to the dubious methods used to proliferate this app, it is classified as a Potentially Unwanted Application (PUA). One of the dubious distribution methods employed to proliferate SearchWebPortal is via fake Adobe Flash Player updates.
Note that bogus software updaters/installers distribute both PUAs and malware (e.g. Trojans, ransomware, etc.).
What is FlyingShip?
Discovered by Karsten Hahn, FlyingShip ransomware is based on CryptoWire. It encrypts files using the AES-257 encryption algorithm and renames all encrypted files by inserting the ".flyingship" string into the filenames. For example, it would rename a file called "1.jpg" to "1.flyingship.jpg", "2.jpg" to "2.flyingship.jpg", and so on.
Instructions about how to contact the cyber criminals behind FlyingShip and pay the ransom are provided in a pop-up window.