Virus and Spyware Removal Guides, uninstall instructions

What is Watch Movies Live?

Watch Movies Live is a rogue application, promoted as a tool for quick access to movie streaming, news and other film-related websites. It is a browser hijacker, due to the changes it makes to browsers in order to promote a fake search engine - search.watchmovieslivetab.app.

Additionally, it has data tracking abilities, which the app employs to gather browsing-related information. Since most users install Watch Movies Live inadvertently, it is also considered to be a PUA (Potentially Unwanted Applications). It is often distributed alongside another PUAs called Hide My Searches.

What is TV Fans Online Tab?

TV Fans Online Tab is endorsed as a tool for quick access to TV-related content. In fact, this is a rogue app, a browser hijacker designed to modify browsers to promote a fake search engine (search.htvfansonline.com). Additionally, it has data tracking capabilities and gathers browsing-related information.

Due to its dubious proliferation methods, TV Fans Online Tab is also classified as a Potentially Unwanted Application (PUA). Note that this app is often distributed together with another PUA called Hide My Searches.

What is 2conv[.]com?

The 2conv[.]com website provides an online service to convert YouTube videos to MP3 and other formats. It also promotes a desktop downloader and converter called Flvto Youtube Downloader.

Note that it is illegal to download videos from YouTube. Furthermore, the 2conv[.]com web page contains dubious ads and, if allowed, shows notifications that lead to other dubious web pages.

What is ZLoader?

ZLoader (also known as DELoader and Terdot) is a malicious program distributed through malicious web pages that display a fake error notification (e.g., "The 'Roboto Condensed' font was not found").

Research shows that ZLoader infects systems with another malicious program, a banking Trojan called Zeus. We strongly advise against opening files downloaded from web pages that display this error message, or similar.

What is Afrodita?

Discovered by S!Ri, Afrodita is a part of the LockerGoga ransomware family. It encrypts data with the AES-256 and RSA-2048 encryption algorithms. 

Afrodita also creates a ransom message within the "__README_RECOVERY_.txt" text file, which contains instructions about how to contact cyber criminals for information to pay a ransom (purchase the decryption tool and key).

What is y2meta[.]com?

Avoid the y2meta[.]com website, since it employs dubious advertising networks and provides an illegal video downloading service. Note that it is illegal to download videos from YouTube. Furthermore, y2meta[.]com contains various ads that redirect visitors to other untrustworthy websites. These are the two main reasons why this and other similar websites should not be used.

What is checkmail7@protonmail.com?

Discovered by S!Ri and further researched by Raby, checkmail7@protonmail.com (or simply CheckMail) is a malicious program categorized as ransomware. It operates by encrypting data and demanding ransom payments for decryption.

During the encryption process, this malware appends files with an extension consisting of the developer's email address (".checkmail7@protonmail"). For example, a file called "1.jpg" would become "1.jpg.checkmail7@protonmail". After this process is finished, a text file ("warning.txt") is stored in each compromised folder.

What is bo3news[.]biz?

bo3news[.]biz redirects visitors to a variety or untrustworthy, potentially malicious websites. Browsers are often forced to open sites such as bo3news[.]biz by potentially unwanted applications (PUAs) installed on browsers or operating systems. In any case, people do not open them intentionally. PUAs also gather browsing data and display unwanted advertisements.

What is Dever?

Belonging to the Phobos malware family, Dever is a ransomware-type malicious program. Infected devices have their data encrypted and a ransom is demanded from the victims for decryption software/tools.

When Dever encrypts files, it renames them according to the following pattern: unique ID, developer's email address (there are several addresses used the cyber criminals behind this infection, and thus there is more than one variant in the altered filenames), and appends them with the ".Dever" extension.

For example, a file like "1.jpg" might appear as something similar to "1.jpg.id[1E857D00-2544].[lizethroyal@aol.com].Dever" following encryption. Once this process is complete, a text file ("info.txt") and an HTML application ("info.hta") are created on the desktop.

What is "This is a VIRUS. You computer is blocked"?

"This is a VIRUS. You computer is blocked" is another technical support scam used by cyber criminals who claim to offer legitimate 'technical support'. They attempt to trick people into believing that their computers are infected/blocked and to make contact via the telephone number provided.

Most people do not open websites of this type intentionally - they are forced to visit them by potentially unwanted apps (PUAs) installed on their systems. These apps usually cause unwanted redirects, deliver advertisements, and record information.