Virus and Spyware Removal Guides, uninstall instructions

What is "Your Windows is infected with (3) Viruses!"?

This untrusted website displays a deceptive notification stating that the computer is infected with viruses and attempts to scare users into downloading and installing potentially unwanted applications (PUAs).

Typically, these web pages are opened when users visit other dubious websites, click bogus advertisements or already have PUAs installed on the browser and/or computer. In most cases, they do not visit these sites intentionally.

What is "Your purchase of BTC has started"?

Cyber criminals behind this malspam campaign attempt to deceive recipients into believing that they have purchased a certain sum of Bitcoins and that opening the attached document supposedly contains more information about the purchase. In fact, the attached document is malicious and designed to install a Trojan named Gozi.

Therefore, ignore this email and leave the file attached to it unopened.

What is the Tabe ransomware?

Tabe is a malicious program belonging to the Djvu ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools/software. During the encryption process, all affected files are appended with the ".tabe" extension.

For example, a file named something like "1.jpg" would appear as "1.jpg.tabe" following encryption. After this process is complete, a ransom message ("_readme.txt") is dropped into every compromised folder.

What is Usam?

Discovered by Michael Gillespie, Usam is a malicious program that belongs to the Djvu ransomware family. Typically, malware of this type encrypts files, modifies their filenames and creates and/or displays a ransom message. Usam renames encrypted files by appending the ".usam" extension to their filenames.

For example, it would rename "1.jpg" to "1.jpg.usam", "2.jpg" to "2.jpg.usam", and so on. It also creates the "_readme.txt" text file, a ransom message with details such as size of ransom, email address (supposedly for contacting Usam's developers), etc.

What is the R3f5s ransomware?

Discovered by Jakub Kroustek, R3f5s is a malicious program belonging to the Dharma ransomware family. This malware encrypts data in order to demand payment for decryption. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals' email address and the ".r3f5s" extension.

For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[r3ad4@aol.com].r3f5s" following encryption. After this process is complete, ransom messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is Yogynicof?

Yogynicof is designed to encrypt files, change their filenames, and create a number of ransom messages. It renames all encrypted files by changing their names to a certain number (from zero to the total number of files). For example, if there are three files in a folder, it renames one file to "1", another one to "2", and the remaining one to "3".

Yogynicof also drops 20 identical HTML files (ransom messages) onto the desktop, all of which are numbered ("Read-me! 0.html", "Read-me! 1.html", "Read-me! 2.html" ... "Read-me! 19.html").

What is UpgradeCoordinator?

UpgradeCoordinator is software classified as adware and also possessing browser hijacker traits. This application operates by running intrusive advertisement campaigns, modifying browser settings, and promoting fake search engines. UpgradeCoordinator promotes Safe Finder via search.adjustablesample.com.

Additionally, most adware programs and browser hijackers collect browsing-related information, and this is likely to be the case with UpgradeCoordinator. Due to the dubious techniques used to proliferate UpgradeCoordinator, it is classified as a Potentially Unwanted Application (PUA).

What is Convert PDF Hub?

Convert PDF Hub is designed to promote hp.hconvertpdfhub.com and search.hconvertpdfhub.com (addresses of fake search engines) by changing certain browser settings. It is also likely that this app will gather information relating to users' browsing activities.

Browser hijackers are categorized as potentially unwanted applications (PUAs), since, in most cases, people download and install them unintentionally. This particular app is distributed with another PUA called Hide My History.

What is s3redirect.com?

s3redirect.com is the address of a fake search engine. Typically, these addresses appear in browser settings after installation of a browser hijacker. Research shows that one of the browser hijackers that promotes s3redirect.com is called Kano APP, however, it is possible that this address is promoted through other similar apps.

Generally, people install browser hijackers inadvertently and, therefore, they are categorized as potentially unwanted applications (PUAs).

What is SearchArchive?

SearchArchive is a rogue application classified as adware, which also has browser hijacker traits. After successful installation, SearchArchive delivers intrusive ad campaigns, modifies browser settings and promotes bogus search engines.

Most adware programs and browser hijackers collect browsing-related information, and it is highly likely this will be the case with SearchArchive. Due to the dubious methods used to proliferate this app, it is classified as a Potentially Unwanted Application (PUA). It has has been observed that SearchArchive was distributed through fake Adobe Flash Player updates.

Note that bogus software updaters/installers are commonly used to distribute Trojans, ransomware and other malware.