Virus and Spyware Removal Guides, uninstall instructions

What is NetGuideSearch?

NetGuideSearch is an adware-type application that has browser hijacker characteristics. This app runs intrusive ad campaigns and modifies browser settings to promote a fake search engine. Additionally, most adware infections and browser hijackers monitor users' browsing activity.

Due to the dubious methods used to proliferate NetGuideSearch, it is also classified as a Potentially Unwanted Application (PUA). One method that has been used to proliferate this application is via fake Adobe Flash Player updates. Note that bogus updaters/installers proliferate Trojans, ransomware and other malware as well.

What is extrasafe[.]xyz?

extrasafe[.]xyz is a deceptive website, the main purpose of which is to trick visitors into downloading and installing a potentially unwanted application (PUA). The app is apparently capable of removing viruses that this website has supposedly detected.

Commonly, pages such as extrasafe[.]xyz are opened through other websites of this kind, clicked deceptive advertisements, and installed PUAs. In any case, people do not often visit these sites intentionally. Do not trust these sites or download applications from them - use only official websites.

What is SearchSeries?

SearchSeries is rogue software which modifies browser settings to promote search-series.com (a bogus search engine). Therefore, it is classified as a browser hijacker. Additionally, SearchSeries has data tracking capabilities, which are employed to gather browsing-related information.

Since most users install SearchSeries unintentionally, it is also classified as a Potentially Unwanted Application (PUA).

What is LickyAgent?

Discovered by Amigo-A, LickyAgent ransomware encrypts victims' files, modifies their filenames and creates ransom messages. It renames files by appending a random extension. For example, ".dMQDF" (it would then rename "1.jpg" to "1.jpg.dMQDF", "2.jpg" to "2.jpg.dMQDF", etc.).

It also drops the "[symbols-from-random-extension]-HOW-TO-FIX.TXT" text files (ransom messages) in every folder that contains encrypted files.

What is Zwer?

Zwer is malicious software belonging to the Djvu ransomware family. This malware is designed to encrypt the data of infected systems in order to demand ransoms for decryption tools. During the encryption process, files are appended with the ".zwer" extension.

Therefore, a file named something like "1.jpg" would appear as "1.jpg.zwer" following encryption, and so on for all affected files. After this process is complete, a ransom demand message is created in the "_readme.txt" text file.

What is WCH?

WCH was discovered by Jakub Kroustek. This malware belongs to the Dharma ransomware family. Like many other programs of this type, WCH is designed to encrypt files, modify their filenames and create a ransom message. It renames encrypted files by adding the victim's ID, wecanhelpu@tuta.io email address and appending the ".wch" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.id-1E857D00.[wecanhelpu@tuta.io].wch", "2.jpg" to "2.jpg.id-1E857D00.[wecanhelpu@tuta.io].wch", etc. It also displays a pop-up window and creates the "FILES ENCRYPTED.txt" text file - both are ransom messages that contain instructions about how to contact the cyber criminals responsible.

What is SearchNetLetter?

SearchNetLetter is a rogue application classified as adware and possessing browser hijacker characteristics. It operates by running intrusive advertisement campaigns, making modifications to browser settings, and promoting fake search engines.

Additionally, most adware infections and browser hijackers can record browsing-relating information, and it is highly likely that SearchNetLetter also has these data tracking capabilities. Due to the dubious techniques used to distribute SearchNetLetter, it is also classified as a Potentially Unwanted Application (PUA).

This app is proliferated via bogus Adobe Flash Player updates. Note that fake software updaters/installers are commonly used to distribute not just PUAs, but also malware (e.g. Trojans, ransomware, etc.).

What is SmartQuestSearch?

SmartQuestSearch is classified as a browser hijacker and an adware-type app. It is designed to promote a fake search engine by modifying browser settings and displaying advertisements. Users often download and install these apps unintentionally and, therefore, they are categorized as potentially unwanted applications (PUAs).

Note that SmartQuestSearch is distributed through a deceptive Adobe Flash Player installer.

What is the Club ransomware?

Discovered by Jakub Kroustek, Club is a malicious program belonging to the Dharma ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption.

During the encryption process, all affected files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address and the ".club" extension. For example, a file such as "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[admin@stelsdatas.com].club" following encryption.

Once this process is complete, ransom-demand messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is Wowsearch?

Wowsearch hijacks browsers by changing certain browser settings to search.wowsearch.net (the address of a fake search engine).

Commonly, apps of this type track and record information relating to users' browsing habits, and other details. People often download and install browser hijackers inadvertently and, therefore, Wowsearch and other apps of this type are categorized as potentially unwanted applications (PUAs).