Virus and Spyware Removal Guides, uninstall instructions

What is MyShopSearch browser hijacker?

The main purpose of the MyShopSearch application is to promote a fake search engine. It changes some of the browser's settings to myshopsearch.com to force users to use it as a search engine. It is common that browser hijackers like MyShopSearch collect browsing-related information as well.

It is worth mentioning that most browser hijackers are distributed using questionable methods. Therefore, users download and install them unknowingly.

What is the ndconsiderat[.]biz site?

Ndconsiderat[.]biz is the address of a rogue website. The Internet is rife with pages of this type; chicheet.com, bestonclock.com, and nmuandwishto.biz are some examples. Sites within this classification operate by loading dubious content and/or redirecting their visitors to other untrustworthy/malicious webpages. Users seldom intentionally access ndconsiderat[.]biz and websites akin to it.

Most get redirected to them by intrusive advertisements or installed PUAs (Potentially Unwanted Applications). This software can infiltrate systems without express user permission. PUAs are designed to cause redirects, deliver intrusive ad campaigns, and collect browsing-related data.

What is Iqll ransomware?

Ransomware is a type of malware threat actors use to prevent victims from accessing files. It encrypts files, adds extensions to their filenames, generates a ransom note, and keeps files inaccessible until the demanded ransom is paid.

Iqll appends the ".iqll" extension, for example, it renames a file named "1.jpg" to "1.jpg.iqll", "2.jpg" to "2.jpg.iqll", and so on. As its ransom note, it creates a text file named "_readme.txt". Iqll is one of the ransomware variants belonging to the Djvu family.

What is Pr09 ransomware?

Pr09 is the name of a malicious program designed to encrypt data and demand ransoms for the decryption tools/software. In other words, following successful infiltration - this ransomware renders files inaccessible and demands payment from the victims for access recovery to their data.

During the encryption process, affected files are retitled following this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address, and ".pr09" extension. To elaborate, an encrypted file initially named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[khfsuca@protonmail.com].pr09".

Once this process is complete, ransom notes are created/displayed in a pop-up window and "FILES ENCRYPTED.txt" text file. Pr09 malicious program belongs to the Dharma ransomware family.

What is Lemon Duck?

Lemon Duck is malicious software. The primary function of this malware is to exploit the infected machine's resources to mine cryptocurrency, specifically Monero (XMR) cryptocurrency. This malicious program severely compromises infected devices and can even damage them permanently. Lemon Duck was first observed being proliferated in Asia (notably, China), however, its reach has spread exponentially.

What is wave-abstract.com?

According to the developers, Wave Abstract is a legitimate application that supposedly allows users to change the design of their homepages. Judging on appearance alone, Wave Abstract may seem legitimate, however, it is categorized as a potentially unwanted program (PUP) and a browser hijacker.

The main reasons for these negative associations are installation without users' consent, stealth modification of web browser options, and information tracking.

What is chicheet[.]com?

As a rule, users do not open/visit websites like chicheet[.]com intentionally. It is known that pages of this type can be promoted through potentially unwanted application (PUA), deceptive advertisements, or other questionable web pages.

It is noteworthy that users do not download and install PUAs on purpose as well. That is why they are called potentially unwanted. There are many pages like chicheet[.]com on the Internet. Some examples are earntthatyo[.]biz, rtenmy[.]com, and oundoutth[.]biz.

Bestonclock[.]com is a rogue website, sharing many common traits with nmuandwishto.biz, ponugraduatio.biz, arrowhurt.xyz, and thousands of others. This page is designed to present visitors with questionable content and/or redirect them to different untrustworthy or malicious sites.

Users rarely intentionally enter websites of this kind; most get redirected to them by intrusive ads or installed PUAs (Potentially Unwanted Applications). This software can be installed onto systems without express user permission. PUAs operate by causing redirects, delivering intrusive advert campaigns, and gathering browsing-related information.

What kind of malware is GoodMorning?

GoodMorning is a piece of malicious software, which is categorized as ransomware. It operates by encrypting data to demand payment for the decryption. In other words, the affected files are rendered inaccessible and unusable, and victims are asked to pay - to restore their data. During the encryption process, files are renamed according to this pattern: original filename, "Id" followed by the ID assigned to the victim in brackets, the words "Send Email", cyber criminals' email address in brackets, and the ".GoodMorning" extension.

For example, a file initially titled "1.jpg" would appear as something similar to "1.jpg.Id(045AEBC75) Send Email(Goood.Morning@mailfence.com).GoodMorning" - following encryption. After this process is complete, ransom-demanding messages - "GoodMorning.txt" - are dropped into compromised folders.

Ransomware is a type of malicious software that encrypts files, appends its extension (in most cases) and creates or displays (or both) a ransom note. MANSORY changes the filename of each encrypted file by appending ".MANSORY" as the extension.

For example, it renames a file named "1.jpg" to "1.jpg.MANSORY", "2.jpg" to "2.jpg.MANSORY", and so on. As its ransom note, MANSORY creates the "MANSORY-MESSAGE.txt" text file in all folders containing encrypted data.

It is worth noting that MANSORY is named after the targeted victim - the company named Mansory. The ransomware itself belongs to Nefilim family.