Virus and Spyware Removal Guides, uninstall instructions

Gyga Ransomware

What is Gyga ransomware?

Gyga is malicious software belonging to the Dharma ransomware family. This malware is designed to encrypt data and demand payment for decryption. During the encryption process, the files are renamed following this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address and the ".gyga" extension.

For example, a file such as "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[gygabot@cock.li].gyga" following encryption. After this process is complete, a pop-up window is displayed and the "FILES ENCRYPTED.txt" text file is created, both of which contain ransom messages.

   
.RABBIT Ransomware

What is .RABBIT?

.RABBIT is written in the Python programming language and was discovered by dnwls0719. It is designed to encrypt files with the AES-256 algorithm, change their filenames by appending the ".RABBIT" extension, and create the "อ่านวิธีแก้ไฟล์โดนล๊อค.txt" text file, a ransom message in the Thai language.

The message can be found in all folders that contain encrypted files. An example of how .RABBIT modifies filenames is as follows: "1.jpg" becomes "1.jpg.RABBIT", "2.jpg" becomes "2.jpg.RABBIT", etc.

   
EvilQuest Ransomware (Mac)

What is EvilQuest ransomware?

Discovered by Dinesh_Devadoss, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions; this ransomware, however, leaves them unchanged.

It drops the "READ_ME_NOW.txt" file in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.

   
.java Ransomware

What is the .java ransomware?

.java is a malicious program belonging to the Dharma ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.

During the encryption process, files are renamed according to this pattern: original filename, unique ID, cyber criminals' email address and the ".java" extension (not to be confused with the legitimate ".java" extension of Java files).

To elaborate on how a file could appear following encryption, a file like "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[pain@onefinedstay.com].java", and so on for all affected files. Once this process is complete, a ransom message is presented in a pop-up window and in the "FILES ENCRYPTED.txt" text file.

Updated variants of this ransomware use the ".[decrypthelp@qq.com].java" extension for encrypted files.

   
2020 EU/COMMONWEALTH LOTTO Email Scam

What is "2020 EU/COMMONWEALTH LOTTO"?

Scammers behind this phishing scam attempt to obtain sensitive information. They claim that whoever received this email has been selected as a winner of $500,000 in a 2020 EU/COMMONWEALTH lottery, and encourage them to claim the funds by making contact via the provided email address. You are strongly advised not to trust this or similar scams.

   
Mediamodern.biz Ads

What is the mediamodern[.]biz site?

mediamodern[.]biz is an untrusted website sharing many similarities with newmode.biz, keysdigita.com and countless others. Visitors to the site are redirected to other untrusted/malicious web pages or are presented with dubious content.

Few users access mediamodern[.]biz or similar sites intentionally - most are redirected to them by intrusive advertisements or Potentially Unwanted Applications (PUAs) already installed onto the system. PUAs cause redirects, deliver intrusive advertisement campaigns and gather browsing-related information.

   
SearchConverterHD Browser Hijacker

What is SearchConverterHD?

SearchConverterHD is dubious software classified as a browser hijacker. Following successful infiltration, it operates by making alterations to browser settings to promote bogus search engines. SearchConverterHD promotes search-converterhd.com in this manner.

Additionally, this browser hijacker monitors users' browsing activity. Due to the dubious techniques used to proliferate SearchConverterHD, it is also classified as a Potentially Unwanted Application (PUA).

   
Search-7.com Redirect

What is search-7.com?

search-7.com is a fake search engine. Typically, fake search engines are promoted through browser hijackers, potentially unwanted applications (PUAs), which hijack browsers by modifying certain settings. Convlus App assigns these browser settings to search-7.com.

Other apps might also promote this fake search engine. Note that browser hijackers often gather data as well. They are categorized as PUAs, since most people download and install them unintentionally.

   
Newmode.biz Ads

What is the newmode[.]biz site?

newmode[.]biz is a rogue website designed to present visitors with dubious material and/or redirect them to other untrusted or malicious web pages. Users rarely access newmode[.]biz intentionally - most are redirected to it by intrusive ads or Potentially Unwanted Applications (PUAs) that have already infiltrated the system.

There are thousands of sites on the web similar to newmode[.]biz, such as keysdigita.com, zmusic-online.com, and routemob.com.

   
MyShortcutTab Browser Hijacker

What is MyShortcutTab?

MyShortcutTab is classified as a browser hijacker, since it promotes a fake search engine (it assigns certain browser settings to search-find.net). Generally, apps of this type also collect details relating to users' browsing activities. Users often download and install browser hijackers inadvertently and, therefore, they are categorized as potentially unwanted applications (PUAs).

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
