Virus and Spyware Removal Guides, uninstall instructions

What is ryseconomi[.]info?

ryseconomi[.]info is the address of a website that redirects visitors to other dubious sites or loads dubious content. There are many other web pages of this type on the internet. Some examples are goodbase[.]biz, 1000-dollar[.]cash and thefastpush[.]com.

They are opened by potentially unwanted apps (PUAs) installed on the browser or operating system. Therefore, people do not generally visit sites such as ryseconomi[.]info intentionally. Note that PUAs often record browsing data and display intrusive ads.

What is the PC Power Speed application?

PC Power Speed software is classified as a Potentially Unwanted Application (PUA). It is promoted as a top-rated operating system cleaner and optimizer. Amongst the functions promised are system speed boosting, maximization of disk and memory space, system error repair and many others.

In fact, most users download and install this application intentionally due to its dubious proliferation methods, hence its classification as a PUA.

What is Assist_decoder?

Assist_decoder was discovered by Amigo-A and is part of the Cryakl ransomware family. Malicious programs of this type are designed to encrypt files, rename them and create and/or display ransom messages.

Assist_decoder renames encrypted files by adding the 3335799@protonmail.com_sel1 email address, the victim's ID, and appending an extension of three random characters to filenames.

For example, it would rename a file such as "1.jpg" to "1.jpg[3335799@protonmail.com_sel1][59436244-F9E4D68F].vjy", "2.jpeg" to "2.jpeg[3335799@protonmail.com_sel1][59436244-F9E4D68F].spq", and so on. Assist_decoder drops a text file ("README.txt") containing a ransom message in all folders that contain encrypted data.

What is TV Search?

TV Search is a browser hijacker endorsed as a tool supposedly capable of providing access to various free TV and movie streaming services. This software modifies browser settings to promote services.gettvsearch-svc.org (a fake search engine). Furthermore, it monitors users' browsing activity.

Due to the dubious methods used to proliferate the TV Search browser hijacker, it is also classed as a Potentially Unwanted Application (PUA).

What is Cheetah keylogger?

Cheetah is a keylogger (keystroke logger), which is sold for $30/month, $65/three months, and $110/year. Software of this type records keys pressed on the keyboard (keyboard input).

Typically, cyber criminals attempt to trick people installing keyloggers on their computers so that they can steal their personal, sensitive information, which is then used to generate revenue in various ways. If you believe that Cheetah (or another program of this type) is installed on the operating system, remove it immediately.

What are the Winprizes sites?

Winprizes is a group of deceptive websites, which promote various scams. For example, these web pages have been observed promoting "Latest version of Adobe Flash Player" and "Dear Chrome User, Congratulations!" scams. Note that different schemes or other dubious content might also be accessed via these web pages.

Most users access such websites unintentionally - they are redirected to them by intrusive advertisements or Potentially Unwanted Applications (PUAs) already infiltrated into the system. These apps do not need explicit permission to be installed onto devices.

What is Rxx?

Rxx is malicious software belonging to the Dharma ransomware family. This malware was discovered by Jakub Kroustek and operates by encrypting data in order to demand payment for decryption tools/software.

During the encryption process, all compromised files are renamed according to the following pattern: original filename, unique ID, cyber criminals' email address and ".rxx" extension. For example, a file such as "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[back_data@foxmail.com].rxx" following encryption.

Once this process is finished, a pop-up window is displayed and a text file ("FILES ENCRYPTED.txt") is created.

What is PwndLocker?

Research shows that cyber criminals behind PwndLocker ransomware target business networks and local governments. PwndLocker encrypts files with the RSA-2048 encryption algorithm and creates a ransom message within a text file named "H0w_T0_Rec0very_Files.txt", which can be found in folders that contain encrypted data.

Like most programs of this type, PwndLocker renames encrypted files by appending an extension. At the time of research, it appended the ".key" and ".pwnd" extensions. Therefore, PwndLocker appends varying extensions in different cases.

For example, in one case it renames a file such as "1.jpg" to "1.jpg.key", and in another, it renames the file to "1.jpg.pwnd", and so on. Note that this ransomware does not encrypt all files - it leaves files with certain extensions unaffected. It also skips files that are located in certain folders.

What is Deman?

Deman is a malicious program belonging to the Everbe ransomware family. This malware operates by encrypting the data of infected systems so that ransom demands can be made for decryption. During the encryption process, the filename extensions of all affected files have "deman" added to them.

For example, a file originally named something like "1.jpg" would appear as "1.jpgdeman" following encryption. After this process is complete, a text file ("!=How_to_decrypt_files=!.txt") is created on the desktop.

What is qlopx.xyz?

qlopx.xyz is the address of a fake search engine promoted through a potentially unwanted application (PUA), a browser hijacker called SApp+ (or Smash App+). It is possible that other apps also promote qlopx.xyz. Generally, apps of this type promote the addresses of fake search engines by changing browser settings.

Browser hijackers also gather information. They are classified as PUAs, since people usually download and install them unintentionally.