Virus and Spyware Removal Guides, uninstall instructions

Bguu Ransomware

What is Bguu?

Discovered by MalwareHunterTeam, Bguu is malicious software based on an open-source ransomware project called Hidden Tear. It is designed to encrypt files and keep them locked until a ransom is paid (decryption software/tool is purchased). As the encryption is in progress, this program renames files with the Bguu developer's email address and the ".bguu" extension.

For example, "1.jpg" becomes "1.jpg.[paymebtc@protonmail.com].bguu". After the process is complete, Bguu stores a text file called "HACKED.txt" on the Desktop and changes the wallpaper to state, "You Files Have Been Encrypted .".

   
Veracrypt Ransomware

What kind of malware is Veracrypt?

Veracrypt is a Russian offline version of a ransomware-type program that belongs to the Aurora ransomware family. This particular ransomware was discovered by MalwareHunterTeam. It encrypts files, renames them, and creates three identical ransom messages.

Veracrypt renames files by adding the ".veracrypt" extension to filenames (e.g. "1.jpg" becomes "1.jpg.veracrypt") and creates three text files ("@@_ATTENTION_@@.txt", "@@_README_@@.txt", and "@@_RECOVERY_@@.txt"), which contain identical ransom messages.

   
Reco Ransomware

What is Reco?

Reco is malicious software belonging to the Djvu ransomware family. This program operates by encrypting data and denying access until a ransom is paid (i.e., until a decryption tool/software is purchased). When this ransomware encrypts data, it renames files with the ".reco" extension.

Therefore, "1.jpg" becomes "1.jpg.reco". Once this process is complete, Reco creates a "_readme.txt" text file, which contains the ransom message.

   
Search.roterismus.com Redirect (Mac)

What is search.roterismus.com?

Virtually identical to search.genieosearch.com, search.mapsonlinepro.com, search.convertersearch.com, and countless others, search.roterismus.com is a fake search engine. It supposedly enhances the browsing experience by providing improved search results.

It has a professional design similar to Google, Yahoo, Bing, and other genuine search engines; however, in most cases, these fake search engines are unable to generate unique results. They are usually promoted by browser hijacking applications, which make unauthorized changes to browsers.

Furthermore, search.roterismus.com monitors and records data relating to users' browsing activity.

   
OnyxLocker Ransomware

What is OnyxLocker?

OnyxLocker was discovered by Alex Svirid and, like most ransomware-type programs, is designed to encrypt victims' files and keep them inaccessible unless a ransom is paid. In fact, this particular ransomware does not encrypt all files. Nevertheless, it is impossible to decrypt files without a specific tool held only by OnyxLocker's developers.

OnyxLocker creates ten ransom messages, such as "Прочти меня! 0 .txt", "Прочти меня! 1 .txt", and so on. All are identical and in Russian. Furthermore, it renames all encrypted files by adding the ".onx" extension to filenames. For example, "1.jpg" becomes "1.jpg.onx".

   
Directions Maps Finder Browser Hijacker

What is Directions Maps Finder?

Directions Maps Finder is a browser hijacker endorsed for quick access to map and route related content. It is supposedly capable of providing various maps, local traffic data, driving directions, and similar; however, it operates by modifying browser settings to promote a fake search engine (search.directionsmapsfindertab.com).

Furthermore, this rogue application has data tracking abilities. Since most users install Directions Maps Finder inadvertently, it is classified as a Potentially Unwanted Application (PUA).

   
ForBrowser Adware (Mac)

What is ForBrowser?

ForBrowser is one of many adware-type applications that serve intrusive advertisements. Typically, people download and install apps of this type unintentionally. They are therefore called potentially unwanted applications (PUAs). Additionally, adware is often designed to gather information about users' browsing activities.

ForBrowser supposedly enhances the browsing experience, for example, by delivering accurate search results. Typically, adware developers advertise these apps as useful, legitimate, and so on; however, they are generally useless and simply cause problems.

   
Xoza Ransomware

What is Xoza?

Belonging to the Djvu ransomware family, Xoza ransomware is malicious software created by cyber criminals. It encrypts files and is used to blackmail victims. People with computers infected by Xoza cannot access or use their files unless they decrypt them with a tool that can be purchased only from the designers of this program.

Xoza renames all files by adding the ".xoza" extension. For example, "sample.jpg" becomes "sample.jpg.xoza". Instructions about how to decrypt files/purchase decryption software and key are provided in the "_readme.txt" file (ransom message).

   
Fres-news.com Ads

What is fres-news[.]com?

Sharing many similarities with maroolatrack.com, procontent.me, folmetor.com, and offer.agency, fres-news[.]com is a rogue website that feeds users with dubious content and redirects them to other untrustworthy/malicious sites. Most users enter this website inadvertently and are redirected to it by intrusive ads or potentially unwanted applications (PUAs).

These rogue apps do not need explicit user consent to infiltrate devices. PUAs generate redirects, deliver intrusive ad campaigns, and some can track data.

   
Hacker Who Has Access To Your Operating System Email Scam

What is "Hacker Who Has Access To Your Operating System"?

"Hacker Who Has Access To Your Operating System" is yet another spam email campaign that falls within the 'sextortion' category. Cyber criminals send hundreds of thousands of deceptive emails stating that they have hijacked the victim's computer and recorded a 'humiliating video'. In fact, this is merely a scam and such emails should be ignored.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
