Virus and Spyware Removal Guides, uninstall instructions

Uzuvnkyh Ransomware

What is Uzuvnkyh?

Uzuvnkyh was discovered by GrujaRS and is based on another ransomware infection called HiddenTear. Uzuvnkyh encrypts files, modifies their filenames and creates a ransom message. It appends the ".encrypted" extension to the filename of every encrypted file (e.g., "1.jpg" would be renamed to "1.jpg.encrypted") and creates a text file called "READ_IT.txt".

This message contains instructions about how to contact Uzuvnkyh's developers.

   
ATKL Ransomware

What is ATKL?

ATKL is malicious software belonging to the Matrix ransomware family. Systems infected with this program have their data encrypted and receive ransom demands for decryption.

During the encryption process, all compromised files are renamed according to the following pattern: cyber criminals' email address, random character string and the ".ATKL" extension (e.g. "[atomickule@cock.li].[random_string].ATKL").

For example, a file such as "1.jpg" would appear as something similar to "[atomickule@cock.li].EwjuqhUS-Nxw47YpM.ATKL" following encryption. After this process is complete, a ransom message ("!ATKL_README!.rtf") is dropped into every affected folder. Additionally, ATKL ransomware drops random files onto the desktop and deletes Volume Shadow Copies of files.

   
GuLoader Malware

What kind of malware is GuLoader?

GuLoader (also known as CloudEyE) is a malware downloader used by cyber criminals to proliferate various Remote Access Trojans (RATs) and other Trojan-type programs. They use GuLoader to infect computers with malicious programs that can be used to steal sensitive information, infect computers with other malware, and perform other actions to help cyber criminals generate revenue.

   
ONION Ransomware

What is ONION?

ONION is a malicious program belonging to the Dharma ransomware family. It operates by encrypting data and demanding payment for decryption tools/software. During the encryption process, all affected files are renamed according to the following pattern: original filename, unique ID, cyber criminals' email address and the ".ONION" extension.

For example, a file such as "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[onioncrypt@aol.com].ONION" following encryption. After this process is complete, a pop-up window is displayed and a text file ("FILES ENCRYPTED.txt") is created.

   
IPM Ransomware

What is IPM?

Discovered by Jakub Kroustek, IPM is a malicious program belonging to the Dharma ransomware family. It encrypts files and renames them by appending the victim's ID, the decoding@qbmail.biz email address and the ".IPM" extension to filenames. For example, it changes a file named "1.jpg" to "1.jpg.id-1E857D00.[Decoding@qbmail.biz].IPM".

IPM also creates a ransom message within the "FILES ENCRYPTED.txt" file and displays another in a pop-up window.

   
Logic Search Browser Hijacker

What is Logic Search?

Logic Search is a potentially unwanted application (PUA), a browser hijacker supposedly designed to improve the browsing experience (provide accurate search results and other features). In fact, it promotes a fake search engine (feed.logic-search.com) by changing browser settings and gathering various information.

People usually download and install browser hijackers (and other apps categorized as PUAs) unintentionally.

   
Increaseofprofit POP-UP Scam (Mac)

What are the "Increaseofprofit" sites?

"Increaseofprofit" is a group of deceptive websites, which promote various scams. They have been observed promoting "Dear Chrome User, Congratulations!" and "Latest version of Adobe Flash Player" schemes. Other scams might also be promoted via these sites.

Few users access these deceptive web pages intentionally - most are redirected by intrusive advertisements or Potentially Unwanted Applications (PUAs) already infiltrated into the device. Note that these apps do not need express permission to be installed onto the system.

   
Megabonus-point POP-UP Scam (Mac)

What is Megabonus-point?

Megabonus-point is a family of untrusted web pages that attempt to deceive visitors into downloading and installing potentially unwanted applications (PUAs) or even malicious programs, providing personal information, and so on. You are strongly advised not to trust any Megabonus-point websites.

Typically, they are opened by clicking deceptive ads, through other dubious web pages, or by PUAs that are installed on browsers and operating systems.

   
Arabitol GLOBAL TRADING Email Scam

What is the "Arabitol GLOBAL TRADING" email?

"Arabitol GLOBAL TRADING" is a deceptive email claiming that recipients need to confirm a "new order". This is a phishing scam designed to steal recipients' email credentials (i.e., log-ins and passwords) thereby allowing scammers to gain full control over the email account. This could potentially endanger other accounts associated with the stolen email account.

   
Nvo1d.xyz Redirect

What is nvo1d.xyz?

nvo1d.xyz is the address of a fake search engine. Research shows that it is promoted through browser hijackers called SApp+ and Wisip; however, it is possible that other browser hijackers might also promote nvo1d.xyz. Generally, apps of this type promote such addresses by changing browser settings.

Most browser hijackers also operate as information tracking tools and gather data. People often download and install these apps inadvertently and, therefore, they are categorized as potentially unwanted applications (PUAs). Note that SApp+ and Wisip are related to another PUA called QIP.

   
