Virus and Spyware Removal Guides, uninstall instructions

Werd Ransomware

What is Werd?

Werd ransomware is part of the Djvu ransomware family and is distributed to encrypt files and force victims to pay ransoms. Werd appends the ".werd" extension to each encrypted file. For example, "1.jpg" becomes "1.jpg.werd". Like most programs of this type, it creates a ransom message within a text file named "_readme.txt".

This file contains information about how to purchase decryption software. Typically, ransomware victims cannot decrypt their files without these tools and are often tempted to pay ransoms to cyber criminals.

   
Gunnepaa.xyz Ads

What is gunnepaa[.]xyz?

gunnepaa[.]xyz is one of thousands of rogue websites online and is similar to best2019-games-web1[.]com, piedppienews[.]com, and trementrecially[.]pro. This site operates by presenting users with dubious content and generating redirects to untrustworthy, malicious web pages.

Most visitors to gunnepaa[.]xyz access it through redirects caused by intrusive advertisements or Potentially Unwanted Applications (PUAs) already present on the system. These apps do not need explicit user permission to infiltrate devices. Once successfully installed, they generate redirects, run ad campaigns, and monitor users' browsing habits.

   
Stremanp.com Ads

What is stremanp[.]com?

stremanp[.]com is virtually identical to many other websites of this type including, for example, best2019-games-web1[.]com, piedppienews[.]com, and newsapp[.]biz. When opened, these sites redirect visitors to other rogue websites or display dubious content.

Note that stremanp[.]com redirects visitors to potentially malicious sites. Typically, browsers open these websites due to potentially unwanted applications (PUAs) that are installed on them.

Therefore, most people do not visit them intentionally. Furthermore, PUAs often gather browsing-related data and display intrusive ads. Many people download and install apps of this type unintentionally.

   
Bigdater.me Ads

What is bigdater[.]me?

bigdater[.]me is the address of a website that most people visit inadvertently. The site opens other untrustworthy web pages or displays dubious content. Note that bigdater[.]me functions like many other websites of this type including, for example, carbamylife[.]info, talkreply[.]com, and track.nuxues[.]com.

Typically, people arrive at these sites due to potentially unwanted apps (PUAs) installed on their browsers or computers. These apps usually collect users' details and feed them with unwanted ads.

   
Masked Ransomware

What is Masked?

Masked ransomware is a new variant of Aurora, and like most programs of this type, is designed to prevent victims from accessing their files by encryption. To recover them, victims are encouraged to purchase a decryption key (i.e., pay a ransom). Masked renames all encrypted files by appending the ".masked" extension to filenames.

For example, "1.jpg" becomes "1.jpg.masked". It also creates the "@@_Открыть_В_Браузере_TOR_@@.html" and "@@_OpenTheBrowserTOR_@@.html" HTML files, both of which are designed to open a Tor website. This website contains instructions about how to obtain a decryption key.

   
Press-here-to-continue.com Ads

What is press-here-to-continue[.]com?

press-here-to-continue[.]com is a rogue website, which is virtually identical to lurunews[.]biz, vinuser[.]biz, best2019-games-web1[.]com, and thousands of others. It presents visitors with dubious content and generates redirects to other untrustworthy, even malicious sites.

Few users enter press-here-to-continue[.]com intentionally; most are redirected by intrusive advertisements or Potentially Unwanted Applications (PUAs) already present on the device. Note that these unwanted apps do not need explicit permission to infiltrate systems. PUAs operate by generating redirects, running intrusive ad campaigns, and tracking browsing-related data.

   
Phorpiex (Trik) Worm

What is Phorpiex?

Phorpiex (Trik) is the name of a malicious program that sends spam (mainly sextortion emails) from infected computers. Research shows that previously it was used to proliferate other malware (GandCrab, Pony, and so on). Phorpiex is not new malware and has been active for virtually ten years, infecting hundreds of thousands of computers.

To avoid inadvertently receiving emails from sextortion spam campaigns, we strongly recommend that you remove Phorpiex/Trik immediately.

   
Best2019-games-web1.com Ads

What is best2019-games-web1[.]com?

best2019-games-web1[.]com is one of many websites that should be avoided. If visited, websites such as this open untrustworthy, potentially malicious web pages or display dubious content. Some examples of other similar sites are piedppienews[.]com, newsapp[.]biz, and trementrecially[.]pro.

Browsers usually open these web addresses due to potentially unwanted applications (PUAs) installed on the system. Therefore, people do not generally visit best2019-games-web1[.]com (or other pages of this kind) intentionally. Furthermore, few people download or install PUAs intentionally.

In most cases, these apps cause redirects to dubious web pages, display ads, and gather various data.

   
Online Recipes Viewer Browser Hijacker

What is Online Recipes Viewer?

Online Recipes Viewer is a browser hijacker advertised as a tool for quick access to various recipes and cooking-related content. It is supposedly capable of providing quick and easy, top-rated breakfast, lunch, dinner and dessert recipes, and access to a continually updated database of meal ideas.

In fact, Online Recipes Viewer makes changes to browsers and promotes a fake search engine (search.viewfreerecipestab.com) without users' permission.

Furthermore, this rogue app tracks data relating to browsing activity. It is also classified as a potentially unwanted application (PUA) due to its dubious proliferation methods. Note that Online Recipes Viewer is often distributed together with another unwanted app called Hide My Searches.

   
Bot Ransomware

What is Bot?

Belonging to the Crysis/Dharma malware family and discovered by Jakub Kroustek, Bot is malicious software categorized as ransomware. Bot operates by encrypting data and demanding ransom payments for decryption (i.e. payment for decryption software/tools and keys).

During the encryption process, all files are renamed with a unique ID number generated individually for each victim, the Bot developer's email address, and the ".bot" extension. Therefore, "1.jpg" might be renamed to a filename such as "1.jpg.id-1E857D00.[nmode@tutanota.com].bot", and so on for all files.

After this process is complete, a text file ("RETURN FILES.txt") is created on the desktop and a pop-up window is displayed. Updated variants of this ransomware use ".[catchbtc797@protonmail.com].bot", ".[admin@sectex.net].bot" and ".[grdoks@tutanota.com].bot" extensions for encrypted files.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
