Virus and Spyware Removal Guides, uninstall instructions

What is GEHENNA LOCKER?

GEHENNA LOCKER is a piece of malicious software categorized as ransomware. It operates by encrypting data (rendering files inaccessible/unusable) and demanding payment for the decryption (access/use restoration).

As GEHENNA LOCKER encrypts, affected files are renamed with a random character string and the ".gehenna" extension. For example, a file initially tiled "1.jpg" would appear as something similar to "RmlyZWZveC5sbms=.gehenna" - following encryption.

Once this process is complete, a ransom note is created in an HTML file named "GEHENNA-README-WARNING.html".

What is PDFSearchTip?

Typically, browser hijackers change some of the browser settings to promote a certain address (a fake search engine). It is also common that apps of this type collect information related browsing habits of their users. PDFSearchTip promotes the pdfsearchtip.com address.

It is noteworthy that most users download and install apps like PDFSearchTip (browser hijackers) inadvertently. Therefore, they are called potentially unwanted applications (PUAs).

What is WebSearchUpgrade?

WebSearchUpgrade is a rogue application. It is classified as adware, and it has browser hijacker traits. It delivers intrusive advertisement campaigns and promotes fake search engines by making modifications to browser settings.

Additionally, most adware-types and browser hijackers collect browsing-related information and sensitive details extracted from it. Due to the questionable techniques used to distribute WebSearchUpgrade, it is also categorized as a PUA (Potentially Unwanted Application).

This app has been observed being spread via fake Adobe Flash Player updates. It is noteworthy that illegitimate software updaters/installers proliferate not only PUAs but trojans, ransomware, and other malware as well.

What kind of malware is Elbie?

Ransomware is a type of malicious software that encrypts files to make them inaccessible until victims decrypt files with certain software or decryption key. It is common that ransomware renames encrypted files by appending its extension.

Elbie renames files by appending the victim's ID, antich154@privatemail.com email address, and the ".Elbie" extension to their filenames.

For instance, it renames a file named "1.jpg" to "1.jpg.id[C279F237-2994].[antich154@privatemail.com].Elbie", "2.jpg" to "2.jpg.id[C279F237-2994].[antich154@privatemail.com].Elbie", and so on. Elbie generates two ransom notes: "info.hta" and "info.txt". This ransomware is part of the Phobos family.

What is 32T ransomware?

Belonging to the Amnesia ransomware family, 32T is a malicious program designed to encrypt data and demand payment for decryption. I.e., victims cannot open files affected by 32T ransomware, and they are asked to pay to recover access to their data.

During the encryption process, files are renamed with a random character string (i.e., characters, digits, symbols) and appended with the ".32T" extension. For example, a file originally named "1.jpg" would appear as something similar to "2g000000001ambDKNTIRyiLCJE9+A7LF.32T" following encryption.

After this process is complete, ransom messages within "RECOVER-FILES.HTML" files are dropped into compromised folders.

What is Lmas?

Ransomware is a type of malicious software that makes files inaccessible/unusable by encryption and displays/creates a ransom message.

This type of malware of often appends its unique extension to the filenames of all encrypted files. Lmas appends the ".lmas" extension. For example, "1.jpg" is renamed to "1.jpg.lmas", "2.jpg" to "2.jpg.lmas", and so on. The ransom created by Lmas appears in a text file named "_readme.txt".

Note that this ransomware variant is part of the Djvu family.

What is Usagoo?

Ransomware is a form of malware that encrypts files (prevents victims from accessing, using files stored on a device) and displays or creates a ransom message. Usagoo encrypts files, modifies their filenames and creates "readme-warning.txt" files (ransom notes) in all folders containing encrypted data.

Usagoo renames encrypted files by appending a string of random characters (likely to be the victim's ID), vassago0225@airmail.cc email address, and the ".usagoo" extension. For example, "1.jpg" is renamed to "1.jpg.[9B83AE23].[vassago0225@airmail.cc].usagoo", "2.jpg" to "2.jpg.[9B83AE23].[vassago0225@airmail.cc].usagoo", and so on.

Note that Usagoo ransomware is part of the Makop family.

What is SportSearchMaster?

SportSearchMaster is a browser hijacker promoting the sportsearchmaster.com bogus search engine. This piece of dubious software promotes its web searcher by causing redirects to it, facilitated via modifications to browser settings.

Additionally, browser hijackers typically monitor users' browsing habits and collect vulnerable information. Since most users download/install browser hijackers unintentionally, they are also classified as Potentially Unwanted Applications (PUAs).

What is Greed ransomware?

Greed is malicious software classified as ransomware. Systems infected with this malware have their data encrypted (files rendered inaccessible) and users receive ransom demands for decryption (access recovery).

During the encryption process, affected files are appended with the ".greed" extension. For example, a file initially named something like "1.jpg" would appear as "1.jpg.greed", "2.jpg" as "2.jpg.greed", "3.jpg" as "3.jpg.greed", and so on.

Following the end of this process, identical ransom messages are displayed in a pop-up window and created in "HOW TO DECRYPT FILES.txt" text files, which are dropped into compromised folders.

Note that the Greed malicious program belongs to the Xorist ransomware group.

What is hevethat[.]online?

Commonly, browsers open hevethat[.]online and similar sites due to potentially unwanted applications (PUAs) installed on them, or when users click deceptive ads or visit other untrusted websites. In any case, these web pages are not often visited by users intentionally.

hevethat[.]online is an untrusted website and should be avoided. There are many similar pages on the web including, for example, bemasx[.]com, mycoolnewz[.]com, and private-message[.]live.