Virus and Spyware Removal Guides, uninstall instructions

What is Bukyak?

Bukyak is a part of the Aurora ransomware family. Like most programs of this type, it encrypts files, renames them and provides victims with instructions about how to contact the developers (plus other information). Bukyak renames files by appending the ".bukyak" extension to filenames.

For example, it renames a file named "1.jpg" to "1.jpg.bukyak", "2.jpg" to "2.jpg.bukyak", etc. It drops three ransom messages ("@_FILES_WERE_ENCRYPTED_@.TXT", "@_HOW_TO_PAY_THE_RANSOM_@.TXT" and "@_HOW_TO_DECRYPT_FILES_@.TXT") in every folder that contains encrypted data.

All contain identical text. Additionally, when the computer is restarted, Bukyak displays a fake Windows sign-in window designed to steal passwords.

What is WANNACASH NCOV?

WANNACASH NCOV is a new variant of WannaCash ransomware discovered by Alex Svirid. WANNACASH NCOV encrypts files, changes their filenames, changes the desktop wallpaper, and creates a text file named "Как расшифровать файлы.txt".

It renames encrypted files by using the "Файл зашифрован. Пиши. Почта clubnika@elude.in [number].WANNACASH NCOV v310320" pattern (the only variable within the filenames is the number following the email address).

What is AresLookup?

AresLookup is an adware-type application that also possess browser hijacker characteristics. It delivers various intrusive advertisements, modifies browsers and promotes fake search engines. Due to its dubious proliferation methods, AresLookup is also categorized as a Potentially Unwanted Application (PUA).

Most PUAs have data tracking capabilities, which are employed to track users' browsing habits. This app has been proliferated using fake Adobe Flash Player updaters/installers, which is a common method for distributing not just PUAs but also malware (e.g. ransomware, Trojans, etc.).

What kind of malware is Calix?

Discovered by Huntress Labs, Calix is malicious software that belongs to the Phobos ransomware family. Calix is designed to encrypt victims' files and create the "info.txt" and "info.hta" files. The first is a ransom message within a text file, whilst the .hta file displays a message in a pop-up window when executed.

Additionally, Calix renames all encrypted files by adding a string to the filenames. The string contains the victim's ID, email address, and the ".calix" extension. For example, "1.jpg" might become "1.jpg.id[1E857D00-2451].[painplain98@protonmail.com].calix".

What is Rogue ransomware?

Based on Hidden Tear, Rogue ransomware was discovered by GrujaRS. This software encrypts files (rendering them inaccessible), renames them and creates and/or displays ransom messages. Rogue renames encrypted files by appending the ".rogue" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.rogue", "2.jpg" to "2.jpg.rogue", and so on. It also changes the victim's desktop wallpaper to display a ransom message and creates another message within a text file named "READ_IT.txt".

What is Jest?

Discovered by Petrovic, Jest is malicious software designed to encrypt data and demand payment for decryption. It is a new variant of FunFact ransomware. When Jest encrypts, all affected files are appended with the ".jest" extension. For example, a file like "1.jpg" would appear as "1.jpg.jest" following encryption.

After this process is complete, the desktop wallpaper is changed, the "note.ini" file is created (which has a desktop shortcut named "README - Decryption Note"), and a pop-up window is displayed. The text presented in all three are ransom-demand messages.

What is mybestsecureus[.]com?

mybestsecureus[.]com is the address of a dubious website, which advertises a potentially unwanted application (PUA) called VPN - Fast & Secure VPN Proxy.

Typically, web pages such as mybestsecureus[.]com suggest that the visitors' devices may be at risk, infected with viruses, etc., and encourage them to download and install an application, which will supposedly fix or prevent the problems. In any case, do not trust these pages or download software through or from them.

Commonly, sites such as mybestsecureus[.]com are opened when users click dubious ads, visit rogue web pages, or have PUAs installed on the browser and/or operating system.

What is search.becovi.com?

Search.becovi.com is the URL (address) of a search engine. Typically, when users experience redirects to various search engines - it is due to installed browser hijackers. This software does not require explicit user permission to infiltrate systems; therefore, users may be unaware of its presence.

Browser hijackers promote web searchers by making modifications to browser settings. The search engines can be promoted without the involvement and/or consent from their developers. Additionally, browser-modifying software can inject the search results provided by legitimate web searchers - with misleading/malicious ads and endorse untrustworthy/dangerous websites.

Furthermore, browser hijackers usually have data tracking capabilities, which are employed to monitor users' browsing activity. Since most users download/install hijackers inadvertently, they are also classified as PUAs (Potentially Unwanted Applications).

What kind of malware is Makop?

Makop is a type of malware categorized as ransomware. It operates by encrypting data of infected systems and demanding payment for decryption tools/software. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID, cyber criminals' email address and the ".makop extension.

For example, a file named "1.jpg" would appear as something like "1.jpg.[EF7BE7BC].[makop@airmail.cc].makop", and so on. After this process is finished, a text file named "readme-warning.txt" is created on the desktop.

What is the "WARNING! 36 infections found!!!" scam?

"WARNING! 36 infections found!!!" is a technical support scam promoted on various deceptive websites. The scheme states that users' systems have been infected with 36 viruses and urges them to call Microsoft 'tech support' via the number provided. All of these claims are false and are in no way connected to the Microsoft Corporation.

Furthermore, no website can detect threats/issues present on a device - any that make such claims are scams. These deceptive/scam web pages are usually accessed through redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already infiltrated into the system.