Virus and Spyware Removal Guides, uninstall instructions

What is Online Searcher?

Online Searcher is classified as a browser hijacker because it promotes a fake search engine (tailsearch.com) by modifying certain browser settings. Furthermore, this app collects browsing data. Online Searcher and similar apps are categorized as potentially unwanted applications (PUAs), since many users download and install them inadvertently.

What is PayPal Desktop App scam?

PayPal is an American company operating a worldwide online payments system. Cyber criminals commonly exploit names of well-known companies, products and services for malicious purposes. In this particular case, they use a fake download website for the PayPal desktop application to trick users into downloading an installer for malicious software.

At the time of research, this website downloaded the installer for RedLine Stealer.

What is GlobalMovieSearch?

GlobalMovieSearch is rogue software categorized as a browser hijacker. Following successful infiltration, it makes alterations to browser settings to promote globalmoviesearch.com (a fake search engine). Additionally, browser hijackers can track and collect browsing-related information.

Furthermore, due to the dubious techniques used to proliferate GlobalMovieSearch, it is also classified as Potentially Unwanted Application (PUA).

What is WebSearchConverter?

WebSearchConverter is one of many browser hijackers that promote fake search engines by modifying certain browser settings. This particular app promotes the websearchconverter.com address. Additionally, WebSearchConverter can read data relating to users' browsing activities.

In most cases, users download and install browser hijackers inadvertently and, therefore, WebSearchConverter and other apps of this type are categorized as potentially unwanted applications (PUAs).

What is "iPhone 12 email virus"?

"iPhone 12 email virus" refers to a malware-spreading spam email campaign. The term "spam campaign" is used to define a mass-scale operation, during which thousands of scam emails are sent. The deceptive messages distributed through this spam campaign concern a fake order of an iPhone 12, which has been paid for and can still be cancelled within 24 hours.

All of the information given by these emails is false - no unauthorized order has been made with the recipient's credit card, nor does it have to be cancelled. These messages are used to trick recipients into opening the attached file (the supposed order invoice), which starts the infection process of DUNIHI malware.

This piece of malicious software is capable of receiving and executing commands on a system, thereby allowing the cyber criminals using it a certain level of control over the compromised machine.

What is XinFrams?

XinFrams prevents victims from accessing the operating system (restricts login and file access) by locking the screen. It displays a ransom message that contains instructions about how to pay a ransom to the developers plus various other details. Note that XinFrams is non-encrypting malware - it restricts access to files, but does not encrypt them.

What is ClickMovieSearch?

Apps such as ClickMovieSearch promote fake search engines by modifying certain browser settings. This particular apps assigns the settings to clickmoviesearch.com. ClickMovieSearch also promotes a fake search engine and gathers details relating to users' browsing habits.

Typically, users download and install browser hijackers inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs).

What is Nsemad ransomware?

Nsemad is a malicious program, which is part of the Snatch ransomware family. It is designed to encrypt data and demand payment for decryption. During the encryption process, all compromised files are appended with the ".nsemad" extension. For example, a file originally titled something like "1.jpg" would appear as "1.jpg.nsemad" following encryption.

After this process is complete, ransom-demand messages within "HOW TO RESTORE YOUR FILES.TXT" files are dropped into affected folders.

What is HOTEL?

HOTEL is part of the Phobos ransomware family. This malware encrypts files, modifies their filenames, and generates two ransom messages ("info.hta" and "info.txt"). HOTEL renames files by adding the victim's ID, ICQ_username of its developers, and appending the ".HOTEL" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.id[C279F237-3098].[ICQ_RIXOSHORSE].HOTEL", "2.jpg" to "2.jpg.id[C279F237-3098].[ICQ_RIXOSHORSE].HOTEL", and so on.

What is SUKA ransomware?

Discovered by Jakub Kroustek, SUKA is malicious software belonging to the Dharma ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.

During the encryption process, all affected files are renamed following this pattern: original filename, unique IDs assigned to victims, cyber criminals' email address, and the ".SUKA" extension. For example, a file originally named "1.jpg" would appear as "1.jpg.id-C279F237.[kjingx@tuta.io ].SUKA" after encryption.

Once this process is complete, ransom messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.