Virus and Spyware Removal Guides, uninstall instructions

OperativeField Adware (Mac)

What is OperativeField?

OperativeField is designed to serve advertisements, promote Safe Finder via akamaihd.net, collect sensitive information and change certain browser settings to promote a fake search engine.

In this way, it operates both as adware and a browser hijacker. People often download and install software of this type inadvertently and, therefore, these apps are categorized as potentially unwanted applications (PUAs).

   
OnlinePrivacyManager Toolbar

What is hp.myway.com?

Developed by Mindspark Interactive Network, OnlinePrivacyManager is rogue software endorsed as a tool to improve users' browsing privacy. This application is classified as a browser hijacker. It operates by making modifications to browser settings to promote hp.myway.com (a fake search engine).

Additionally, OnlinePrivacyManager monitors users' browsing activity. Due to the dubious techniques used to proliferate OnlinePrivacyManager, it is classified as a Potentially Unwanted Application (PUA).

   
Wacker Email Virus

What is "Wacker Email Virus"?

Typically, malspam campaigns are disguised as email messages from legitimate, official companies and organizations and are sent to trick recipients into installing a malicious program.

This malspam campaign is disguised as a message from Wacker Chemie AG. The cyber criminals responsible attempt to trick people into installing a Remote Access Trojan (RAT) named NetWire. Note that Wacker Chemie AG is a legitimate company, which has nothing to do with this spam campaign.

   
PDFConvertersSearch Browser Hijacker

What is PDFConvertersSearch?

The PDFConvertersSearch browser hijacker promotes pdfconverters-search.com (the address of a fake search engine). Typically, apps of this type hijack browsers by changing certain settings. Commonly, they gather browsing-related and other information.

Apps of this type are categorized as potentially unwanted applications (PUAs), since most users download and install them unintentionally.

   
Covid-19 Health And Safety Plan Email Virus

What is the "Covid-19 Health and Safety Plan" email?

"Covid-19 Health and Safety Plan" is yet another Coronavirus/COVID-19-themed spam campaign. The term "spam campaign" is used to define a large-scale operation, during which thousands of deceptive/scam emails are sent.

The "Covid-19 Health and Safety Plan" messages claim to contain an invoice for a "Health and Safety Plan Package"; however, the attached file installs the Agent Tesla RAT (Remote Access Trojan). Malware of this type enables remote access and control over the infected device.

   
VinDizelPux Ransomware

What is VinDizelPux?

VinDizelPux belongs to the MedusaLocker ransomware family and was discovered by Ravi. This ransomware renders files inaccessible by encryption. It also renames every encrypted file by appending the ".VinDizelPux" extension. For example, it renames "1.jpg" to "1.jpg.VinDizelPux", "2.jpg" to "2.jpg.VinDizelPux", and so on.

Instructions about how to contact cyber criminals and pay the ransom can be found in the "Recovery_Instructions.html" file (VinDizelPux drops this file in all folders that contain encrypted data).

   
Gyga Ransomware

What is Gyga ransomware?

Gyga is malicious software belonging to the Dharma ransomware family. This malware is designed to encrypt data and demand payment for decryption. During the encryption process, the files are renamed following this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address and the ".gyga" extension.

For example, a file such as "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[gygabot@cock.li].gyga" following encryption. After this process is complete, a pop-up window is displayed and the "FILES ENCRYPTED.txt" text file is created, both of which contain ransom messages.

   
.RABBIT Ransomware

What is .RABBIT?

.RABBIT is written in the Python programming language and was discovered by dnwls0719. It is designed to encrypt files with the AES-256 algorithm, change their filenames by appending the ".RABBIT" extension, and create the "อ่านวิธีแก้ไฟล์โดนล๊อค.txt" text file, a ransom message in the Thai language.

The message can be found in all folders that contain encrypted files. An example of how .RABBIT modifies filenames is as follows: "1.jpg" becomes "1.jpg.RABBIT", "2.jpg" becomes "2.jpg.RABBIT", etc.

   
EvilQuest Ransomware (Mac)

What is EvilQuest ransomware?

Discovered by Dinesh_Devadoss, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type: it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions; however, this ransomware leaves them unchanged.

It drops the "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.

   
.java Ransomware

What is the .java ransomware?

.java is a malicious program belonging to the Dharma ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.

During the encryption process, files are renamed according to this pattern: original filename, unique ID, cyber criminals' email address and the ".java" extension (not to be confused with the legitimate ".java" extension of Java files).

To elaborate on how a file could appear following encryption, a file like "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[pain@onefinedstay.com].java", and so on for all affected files. Once this process is complete, a ransom message is presented in a pop-up window and in the "FILES ENCRYPTED.txt" text file.

Updated variants of this ransomware use the ".[decrypthelp@qq.com].java" extension for encrypted files.

   
