Virus and Spyware Removal Guides, uninstall instructions

What is GlobalAdviseSearch?

GlobalAdviseSearch is an adware-type application belonging to the AdLoad adware family. It is typically disguised as a fake Adobe Flash Player updater and operates by running intrusive advertisement campaigns.

Additionally, this app might possess browser hijacker traits, such as promotion of fake search engines. Due to the highly dubious distribution methods used for GlobalAdviseSearch, is also classified as a Potentially Unwanted Application (PUA).

Most PUAs (including adware) have data tracking capabilities, which they employ to monitor users' browsing habits.

What is Nok App?

Typically, browser hijackers promote fake search engines by making changes to browser settings. In addition, they often collect details relating to users' browsing habits.

Most users download and install browser hijackers inadvertently and, therefore, applications such as Nok App are classified as potentially unwanted applications (PUAs).

Nok App promotes the keysearchs.com address/fake search engine.

What is the "PASSWORD EXPIRATION NOTICE" email scam?

In most cases, scammers behind email phishing scams attempt to trick recipients into providing personal information such as bank account numbers, credit card details, passwords and other sensitive details, which can then be misused for malicious purposes.

In this particular case, scammers attempt to deceive recipients into entering their Office 365 login credentials onto a fake Microsoft website.

What is the fake "Banca Popolare di Bari" email?

"Banca Popolare di Bari email scam" is the name of a spam campaign, a mass-scale operation during which thousands of deceptive emails are sent. The emails distributed through this campaign are disguised as messages from Banca Popolare di Bari, a genuine Italian bank based in the Bari, Apulia region.

These fake emails claim that recipients must update their Banca Popolare di Bari accounts for security reasons. In fact, this spam campaign aims to promote a phishing website, which is presented as the Banca Popolare di Bari sign-in page.

Log-in credentials (i.e., usernames and passwords) entered into this site are exposed to the scammers, thereby allowing them access and control over the online bank accounts.

What is XcodeSpy?

XcodeSpy malware targets Apple developers and spreads through malicious (trojanized) Xcode projects (Run Script feature in Xcode IDE). Research shows that one of these malicious Xcode projects (called TabBarInteraction) supposedly includes features for animating the iOS Tab Bar.

It is likely that there is more than one trojanized Xcode project. Malicious code used by XcodeSpy can easily be hidden and launched in any third-party Xcode project.

XcodeSpy (or rather the backdoor it injects) can record audio using the microphone, video using camera, and keyboard input. It can also download and upload files.

What is the DiStUrBeD ransomware?

DiStUrBeD is a malicious program belonging to the Xorist ransomware family. It operates by encrypting data (thereby making the files inaccessible) and demanding payment for decryption.

During the encryption process, files are appended with the ".DiStUrBeD" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.DiStUrBeD" following encryption.

After this process is complete, identical ransom messages are created in a pop-up window and "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" text file.

Note that if the compromised system does not have the Cyrillic alphabet, the text presented in the pop-up will appear as nonsensical gibberish.

What kind of malware is CopperStealer?

CopperStealer, also known as Mingloa, is a malicious program designed to steal sensitive/personal information. It also has the capability to cause chain infections (i.e., download/install additional malware).

Significant activity of CopperStealer has been observed in Brazil, India, Indonesia, Pakistan, and the Philippines. At the time of research, this malware had been noted being spread via websites offering illegal activation tools ("cracks") for licensed software products.

What is "Error Code: #0x564897"?

"Error Code: #0x564897" is a technical support scam run on various deceptive websites. This scheme has been observed being promoted via the Amazon AWS service.

Scams of this type operate by informing users of (nonexistent) viruses detected on their devices to trick them into contacting fake tech support. No web page can detect threats/issues present on systems, and any that make such claims are scams.

Users rarely access these deceptive sites intentionally - most enter them via mistyped URLs, redirects caused by intrusive ads, and installed unwanted applications.

What is Error Code: #2c522hq8wwj791?

Typically, scammers behind technical support scam websites like this one try to trick visitors into believing that their devices are infected and calling the provided number to resolve the problem (remove viruses, errors).

Scammers use these websites to trick users into paying for unnecessary fake software, services, and allowing remote access to their computers.

Note that users do not often visit tech support scam pages intentionally they are opened through dubious advertisements, other bogus web pages, or installed potentially unwanted applications (PUAs).

What is news-hot[.]xyz?

Most users do not open pages such as news-hot[.]xyz intentionally - they are opened by browsers that have potentially unwanted applications (PUAs) installed on them, through deceptive ads and other dubious pages.

These apps are classified as PUAs, since they are commonly downloaded and installed by users inadvertently.

There are many pages similar to news-hot[.]xyz on the internet. Some examples are ro01[.]biz, appzery[.]com, finddealsdaily[.]com.