Virus and Spyware Removal Guides, uninstall instructions

What is EasySearchConverter?

EasySearchConverter is rogue software categorized as a browser hijacker. It operates by making modifications to browser settings to promote fake search engines. Most browser hijackers monitor users' browsing activity, and EasySearchConverter is also likely to have these data tracking capabilities.

Due to the dubious distribution methods used to proliferate browser hijackers, they are also classified as Potentially Unwanted Applications (PUAs).

What is C0der_HACK?

Belonging to the Xorist ransomware family, C0der_HACK is a malicious program. This malware encrypts the data stored on infected systems in order to demand payment for decryption. I.e., victims receive ransom demands to recover access to their files.

During the encryption process, affected files are appended with the ".C0der_HACK" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.C0der_HACK", "2.jpg" as "2.jpg.C0der_HACK", and so on.

Following the completion of this process, identical ransom messages are created in a pop-up window and text files (with gibberish filenames), which are dropped into compromised folders.

What is itscythera[.]com?

The internet is full of dubious and harmful sites, including itscythera[.]com.

Load00.biz, captcha-sourcecenter.com, and yourcommonfeed.com are some examples of similar websites. Visitors to these web pages are presented with dubious content and are often redirected to other untrusted/malicious sites.

Typically, users enter these web pages inadvertently - most are redirected to them by intrusive advertisements or installed Potentially Unwanted Applications (PUAs). This software does not need explicit permission to infiltrate systems, and thus users may be unaware of its presence.

PUAs have dangerous capabilities, including causing redirects, running intrusive ad campaigns, and collecting browsing-related information.

What is the Black Kingdom ransomware?

Black Kingdom, also known as GAmmAWare, is a malicious program classified as ransomware. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools.

When Black Kingdom encrypts, the filenames of affected files are appended with the ".DEMON" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.DEMON" following encryption.

Once this process is complete, a ransom message is created in a full-screen pop-up window and within "README.txt" text files, which are dropped into compromised folders.

What is Gopher?

Gopher is malicious software that infects computers (encrypts files) and displays messages demanding fees to be paid to regain access to computers/files. It encrypts and renames files, displays a pop-up window ("Restore Your Files.exe"), and changes the desktop wallpaper.

Gopher renames files by appending the ".gopher" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.gopher", "2.jpg" to "2.jpg.gopher", and so on.

Note that this ransomware variant was discovered by S!Ri.

What is Pirat ransomware?

Pirat is a type of malicious software that encrypts and restricts access to files until a ransom is paid to unlock (decrypt) them. Like many other ransomware variants, Pirat not only renames files but also encrypts them.

It adds the victim's ID, brokendig@zimbabwe.su email address, and appends the ".pirat" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[brokendig@zimbabwe.su].pirat", "2.jpg" file to "2.jpg.id-C279F237.[brokendig@zimbabwe.su].pirat", and so on.

Pirat also creates a ransom message within the "FILES ENCRYPTED.txt" text file and displays a pop-up window (another ransom message). Note that this ransomware belongs to the Dharma ransomware family.

What is LAO ransomware?

LAO is malicious software belonging to the Dharma ransomware group. This malware is designed to encrypt data and demand payment for decryption. The files affected by LAO are rendered inaccessible (useless), and victims are asked to pay to recover access to their data.

During the encryption process, files are renamed according to this pattern: original filename, unique IDs assigned to the victims, cyber criminals' email address, and the ".LAO" extension. For example, a file initially named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[filerecovery@zimbabwe.su].LAO" following encryption.

After this process is complete, ransom-demand messages are created in a pop-up window and the "FILES ENCRYPTED.txt" text file.

What is QuickLookSearches?

The QuickLookSearches application operates as adware and a browser hijacker. It serves various advertisements and promotes the address of a fake search engine by modifying browser settings. Applications of this type often collect various user-system information.

In most cases, people download and install adware/browser hijackers inadvertently. For this reason, they are also known as potentially unwanted applications (PUAs).

People are commonly tricked into installing QuickLookSearches when using a fake Adobe Flash Player installer, which is designed to stealthily infiltrate the app.

What kind of malware is CryptoWire?

Typically, ransomware blocks access to data or operating systems by encrypting files and displaying/creating ransom messages. Victims cannot access (use) their data unless they pay the ransom.

Ransomware often renames files. CryptoWire renames encrypted files by inserting ".encrypted" into filenames. For example, "1.jpg" is renamed to "1.encrypted.jpg", "2.jpg" to "2.encrypted.jpg", "3.jpg" to "3.encrypted.jpg", and so on.

What is SimpleSignSearch?

SimpleSignSearch generates revenue for its developer by serving advertisements and promoting a fake search engine. In this way, it functions as adware and a browser hijacker. Apps of this type can also collect data relating to internet browsing activities.

Typically, users download and install apps such as SimpleSignSearch inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs).

Note that SimpleSignSearch installs through a fake Adobe Flash Player installer.