Virus and Spyware Removal Guides, uninstall instructions

YOUR COMPUTER HAS BEEN BLOCKED Pop-Up Scam

What kind of scam is "YOUR COMPUTER HAS BEEN BLOCKED"?

The "YOUR COMPUTER HAS BEEN BLOCKED" message states that the computer has been infected with various viruses/malware and that private data (Facebook Login, Credit Card Details, Email Account Login, etc.) has been stolen.

The message encourages users to contact technical support via the telephone number provided. Users are often tricked into believing that this message is legitimate; however, it is a scam. This virus is very similar to the previously distributed scam, "Your Browser Has Been Blocked".

   
Gedantar Ransomware

What is Gedantar?

Discovered by malware security researcher Karsten Hahn, Gedantar is an updated version of a ransomware-type virus called Unlock92. After infiltrating the system, Gedantar encrypts most stored files using RSA-2048 cryptography. During encryption, this malware renames files using the "[filename]_[8-random-characters].[extension]" pattern.

For instance, "sample.jpg" might be renamed to a filename such as "sample_eitn13pg.jpg". Following successful encryption, Gedantar creates a jpg file (with the "[20-random-characters].jpg" filename pattern, e.g., "tvosmnggwbwaycotdmce.jpg") and places a copy in each existing folder.

   
BansomQare Manna Ransomware

What is BansomQare Manna?

First discovered by malware security researcher Bart, BansomQare Manna is a ransomware-type virus that stealthily infiltrates the system and encrypts most stored files. During encryption, BansomQare Manna appends the ".bitcoin" extension to the name of each compromised file.

For example, "sample.jpg" is renamed to "sample.jpg.bitcoin". After successfully encrypting files, BansomQare Manna opens a pop-up window and creates a text file ("bitcoin2018.txt"), placing a copy in each existing folder.

   
AVCrypt Ransomware

What is AVCrypt?

Discovered by MalwareHunterTeam, AVCrypt is a ransomware-type virus that stealthily encrypts most stored files and prepends "+" to the name of each encrypted file.

For example, encrypted "sample.jpg" is renamed to "+sample.jpg". Following successful encryption, AVCrypt creates a text file ("+HOW_TO_UNLOCK.txt") and places a copy in each folder containing encrypted files. Note that AVCrypt is designed to corrupt the system and remove installed anti-virus suites.

   
Macsafesearch.net Redirect (Mac)

What is macsafesearch.net?

macsafesearch.net is a fake Internet search engine that, according to the developers, enhances the browsing experience by generating improved results. Judging on appearance alone, macsafesearch.net may seem similar to Google, Bing, Yahoo, and other legitimate search engines.

Therefore, many users believe that this website is also legitimate. However, developers promote macsafesearch.net using a browser-hijacking application called Mac Safe Search. Be aware that macsafesearch.net and Mac Safe Search collect information relating to users' Internet browsing activity.

   
Flash Player Premium SMS Scam

What is Flash Player Premium SMS?

"Flash Player Premium SMS" is a scam promoted by deceptive websites. In most cases, users are redirected to these websites by potentially unwanted programs (PUPs) or intrusive advertisements displayed by dubious sites. PUPs typically infiltrate systems without permission.

As well as causing redirects, they deliver intrusive advertisements, gather sensitive information, and even run unwanted background processes.

   
WhiteRose Ransomware

What is WhiteRose?

First discovered by Michael Gillespie, WhiteRose is a ransomware-type virus that stealthily infiltrates the system and encrypts most stored data. Research shows that WhiteRose originates from the same ransomware family as the BlackRuby2 and Zenis viruses.

During encryption, WhiteRose renames files using the "[12_random_letters_and_digits]_ENCRYPTED_BY.WHITEROSE" pattern. For example, "sample.jpg" might be renamed to a filename such as "1D3AbF5EACFE_ENCRYPTED_BY.WHITEROSE".

Encrypted files become unusable and indistinguishable. Immediately after encryption, WhiteRose creates a text file ("HOW-TO-RECOVERY-FILES.TXT") and places a copy in every existing folder.

   
Sorry Ransomware

What is Sorry?

Sorry is a ransomware-type virus discovered by malware security researcher Karsten Hahn. Research shows that Sorry is based on an open-source ransomware project called Hidden Tear. Immediately after infiltration, Sorry encrypts stored data using AES cryptography and appends the ".sorry" extension to filenames (e.g., "sample.jpg" is renamed to "sample.jpg.sorry").

Note that there is also another ransomware infection called Purge (Globe) that uses the same extension. Once files are encrypted, using them becomes impossible. Following successful encryption, Sorry creates a text file ("How Recovery Files.txt") and places a copy in every existing folder.

   
GlobeImposter Ransomware

What is GlobeImposter ransomware?

GlobeImposter is a ransomware-type virus that mimics Purge (Globe) ransomware. Following infiltration, GlobeImposter encrypts various files and appends the ".[blellockr@godzym.me].bkc", ".IGAMI", ".tabufa", ".FIT", ".ANAMI", ".crypted_bizarrio@pay4me_in", ".FORESTGUST", ".[dsupport@protonmail.com]", ".BOOTY", ".ONYX", ".MARK", ".emilysupp", ".ALCO2+", ".ALCO4+", ".BUNNY+", ".CRAZY+", ".LIN+", ".CHAK2", ".SEXY3", ".suddentax", ".$MENTOS$", ".DREAM", ".crypted!", ".FREEMAN", ".waiting4keys", ".[Traher@Dr.Com]", ".Nutella", ".encencenc", ".DIZEL", ".Codificado", ".Ipcrestore", ".PANDA", ".BIG1", ".SEXY", ".kimchenyn", ".AK47", ".rrr", "...doc", ".restorefile", ".CHAK", ".LIN", ".Chartogy", ".POHU", ".crypt_fereangos@airmail_cc", ".{jeepdayz@aol.com}BIT", ".TRUE", ".VYA", ".pliNGY", ".ñ1crypt", ".foSTE", ".YAYA", ".nWcrypt", ".needkeys", ".490", ".4035", ".f41o1", ".911", ".clinTON", "..txt", ".BUSH", ".illNEST", ".write_on_email", ".needdecrypt", ".ReaGAN", ".zuzya", ".granny", ".zuzya", ".UNLIS", ".LEGO", ".NIGGA", ".0402", ".trump", ".BONUM", ".rumblegoodboy", "..txt", ".ACTUM", ".492", ".astra", ".coded", ".mtk118", ".cryptch", ".PLIN", ".sea", ".help", "..726", ".RECT", ".ocean", ".rose", ".GLAD", ".725", ".[tramkal@protonmail.ch]cryptall", ".write_me_[btc2017@india.com]", ".BRT92", "p1crypt", ".MAKB", ".skunk", ".au1crypt", ".GOTHAM", ".s1crypt", ".GORO", ".707", ".3ncrypt3d", ".626", ".blcrypt", ".blscrypt", ".nopasaran", ".xyrpottim228@ya.ru", ".VAPE", ".crypt", ".pscrypt", ".oni", ".pizdosik", ".[File-Help1@Ya.Ru]", ".[aezakmi@india.com]", ".GRAF", ".fix", ".virginprotection", ".(mstut@cock.li)", ".WRITE_US", ".MIXI", ".HAPP", ".troy", ".write_us_on_email", ".PRIAPOS", ".515", ".nCrypt", ".hNcrypt", ".medal", ".paycyka", ".2cXpCihgsVxB3", ".vdul", ".keepcalm", ".legally", ".crypt", ".wallet", ".lockis" or ".pizdec" extension to the name of each encrypted file.

For example, "sample.jpg" is renamed to "sample.jpg.crypt". Following successful encryption, GlobeImposter creates an HTA file ("HOW_OPEN_FILES.hta"), placing it in each folder containing encrypted files.

Some newer variants of this ransomware store their ransom-demanding message in how_to_back_files.html, READ_this_FILE.html, Read_ME.html, !SOS!.html, here_your_files!.html, !back_files!.html, #DECRYPT_FILES#.html, READ_IT.html or !your_files!.html files. In addition, GlobeImposter opens a pop-up window.

   
Search.hinstantlyconverter.com Redirect

What is search.hinstantlyconverter.com?

Developers state that Instantly Converter is a legitimate application that allows conversion of PDF files to other formats. Initially, this app may seem legitimate and useful; however, Instantly Converter is categorized as a potentially unwanted program (PUP) and a browser hijacker.

There are three main reasons for these negative associations: 1) stealth installation without users' consent; 2) promotion of a fake Internet search engine [search.himmediatelyconverter.com]; and 3) tracking of sensitive information.

   
