Virus and Spyware Removal Guides, uninstall instructions

What is the keepv[.]id site?

keepv[.]id is an untrusted website, which operates as a YouTube converter. This page offers a service to convert YouTube video URLs (links) to MP3 and MP4 files, which users can download. As well as this service infringing copyright law, it also uses rogue advertising networks.

Sites that employ these networks promote dubious and malicious web pages, which, if visited, endanger device/user safety. Therefore, you are strongly advised against visiting or using keepv[.]id.

What is gogoanime[.]so?

gogoanime[.]so is an anime streaming site, however, this page does not have the rights for the anime shows they stream, and so it streams anime illegally. Another problem with this page is that it uses rogue advertising networks: it contains deceptive, dubious advertisements and redirects users to dubious websites. Therefore, gogoanime[.]so is not a trusted website.

What is Secure ransomware?

Secure is a malicious program that belongs to the Scarab ransomware family. This malware encrypts data and demands payment for decryption.

During the encryption process, all affected files are renamed with a random character string and the ".secure" extension. For example, a file originally named "1.jpg" would appear as something similar to "2vciB639=NGfIQ.secure" following encryption.

After this process is complete, ransom messages in Russian "Инструкция.TXT" are dropped into compromised folders.

What is Cukiesi?

Cukiesi encrypts files and appends "_cU{victim's_ID}Cukiesi" to their filenames. For example, "1.jpg" is renamed to "1.jpg_cU{zvsOEJ}Cukiesi", "2.jpg" to "2.jpg_cU{zvsOEJ}Cukiesi", and so on.

Cukiesi also creates the "nooode.txt" text file in each folder that contains encrypted files. That file contains a ransom message with contact details and various other information.

What is MicroClick?

MicroClick functions as adware and a browser hijacker: it makes certain changes to browser settings and displays advertisements. This app might also gather browsing-related (and other) information.

Commonly, users download and install apps such as MicroClick inadvertently and, therefore, they are categorized as potentially unwanted applications (PUAs).

What is TigerMovieSearch?

TigerMovieSearch is rogue software categorized as a browser hijacker. It operates by making modifications to browser settings to promote tigermoviesearch.com (a bogus search engine). Additionally, most browser hijackers monitor users' browsing activity - it is likely that TigerMovieSearch has these data tracking capabilities as well.

Due to the dubious methods used to proliferate browser hijackers, these programs are also classified as Potentially Unwanted Applications (PUAs).

What is the "Zero day security vulnerability on Zoom app" scam email?

"Zero day security vulnerability on Zoom app" is a spam campaign that uses the sextortion scam model. The term "spam campaign" defines a mass-scale operation during which thousands of deceptive emails are sent. The messages distributed through this campaign claim that the sender has obtained highly compromising video footage of the recipient.

The nonexistent recordings were supposedly made via an exploit of a vulnerability found in the Zoom application, a legitimate conferencing service. These scam emails aim to trick recipients into paying ransoms to avoid having the fake videos publicized.

Note that all claims made by the "Zero day security vulnerability on Zoom app" messages are false.

What is METZA email virus?

Malspam emails such as this one usually contain a download link or malicious attachment. The emails can be used to deliver ransomware, Trojans, crypto miners, spyware and keyloggers, and other malware. This particular malspam message is used to deliver Agent Tesla, a Remote Administration Tool (RAT).

What is ProcesserLog?

ProcesserLog is a dubious application classified as adware. It also has browser hijacker traits. This app operates by running intrusive advertisement campaigns and making alterations to browser settings to promote fake search engines.

Since most users download/install ProcesserLog inadvertently, it is classified as a Potentially Unwanted Application (PUA). PUAs typically have data tracking capabilities, which are used to collect browsing-related information.

What is Milleni5000?

Milleni5000 ransomware is designed to encrypt files and rename them by appending ".secure[milleni5000@qq.com]" as the file extension. For example, "1.jpg" is renamed to "1.jpg.secure[milleni5000@qq.com]", "2.jpg" to "2.jpg.secure[milleni5000@qq.com]", and so on.

Milleni5000 also creates the "RESTORE_FILES_INFO.txt" text file in folders that contain encrypted files.

An updated variant of Milleni5000 ransomware also drops the "RESTORE_FILES_INFO.hta" file in addition to the text file. The messages within these files are essentially identical.