Virus and Spyware Removal Guides, uninstall instructions

PDFConverter Unwanted Application

What is PDFConverter?

PDFConverter is software endorsed as a tool for converting various file formats. According to its promotional material, it is capable of converting Doc, PDF, XLS, JPG, HTML, and many other formats.

Since most users download/install PDFConverter inadvertently, it is classified as a Potentially Unwanted Application (PUA). If this app is present on the system, it is likely that other PUAs have also infiltrated it.

PDFConverter has been observed being distributed with adware and browser hijackers. These unwanted apps can have undisclosed, dangerous functionality. PUAs cause redirects, run intrusive advertisement campaigns, modify browsers, and collect browsing-related data.

   
Cm99v Ransomware

What is Cm99v?

Cm99v ransomware is a type of malware that prevents victims from accessing their files by encrypting them with a strong encryption algorithm.

Like most ransomware variants, Cm99v renames encrypted files by changing their extensions. This particular variant renames files by appending the ".cm99v" extension. For example, "1.jpg" is renamed to "1.jpg.cm99v", "2.jpg" to "2.jpg.cm99v", and so on.

Cm99v creates the "HOW-TO-DECRYPT-cm99v.txt" file (the ransom message) in folders that contain encrypted files.

Note that this ransomware is part of the Hades ransomware family.

   
Lizscudata Ransomware

What is Lizscudata ransomware?

Lizscudata is malicious software categorized as ransomware. Systems infected with this malware experience data encryption (i.e., the files are rendered inaccessible and useless) and users receive ransom demands for decryption.

During the encryption process, affected files are renamed according to this pattern: "[random_string].lizscudata@tutanota.com.encrypted", which consists of a random character string, cyber criminals' email address, and the ".encrypted" extension. For example, a file initially named "1.jpg" would appear as something similar to "ZGVza3RvcC5pbmk=.lizscudata@tutanota.com.encrypted" after encryption.

Following the completion of this process, a ransom message within the "README-WARNING.html" file is created.

   
TheStreamSearch Browser Hijacker

What is TheStreamSearch?

TheStreamSearch is classified as a browser hijacker because it changes certain browser settings to thestreamsearch.com. I.e., TheStreamSearch promotes a fake search engine by forcing users to visit its associated address.

The TheStreamSearch application can also read browsing-related, and possibly other, information. Browser hijackers are classified as potentially unwanted applications (PUAs), since users often download and install them inadvertently.

   
Pu.biz Ads

What is the pu[.]biz website?

pu[.]biz sites (e.g., pu5[.]biz, pu6[.]biz, and many other domain variations) are rogue web pages. They present visitors with dubious content and/or redirect them to other untrusted/malicious sites.

Typically, users access these websites inadvertently - most are redirected to them by intrusive ads or installed Potentially Unwanted Applications (PUAs). This software does not require explicit permission to infiltrate systems, and thus users may be unaware of its presence. PUAs operate by causing redirects, delivering intrusive advertisement campaigns, and gathering browsing-related data.

The internet is rife with rogue sites similar to pu[.]biz, including news-central.org, ablotadom.com, hanksforyou.biz, and fastcaptcharesolve.com, to name just a few.

   
Id2020 Ransomware

What is Id2020 ransomware?

Id2020 is a ransomware-type program, which operates by encrypting data and demanding payment for decryption. Victims cannot use the files affected by Id2020, and are asked to pay to recover access and use of their data.

During the encryption process, files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address, and the ".id2020" extension. For example, a file initially named "1.jpg" would appear as something similar to "1.jpeg.[9B83AE23].[metasload2021@protonmail.com].id2020" after encryption.

Once this process is complete, ransom messages within "build note.txt" files are dropped into compromised folders.

   
Recovery Ransomware

What kind of malware is Recovery?

Ransomware is a type of malware that encrypts files stored on the infected computer and issues ransom messages. Ransomware often renames encrypted files as well. The Recovery ransomware variant renames encrypted files by appending the ".recovery" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.recovery", "2.jpg" to "2.jpg.recovery", and so on. Recovery creates a ransom message within the "Recovery_Instructions.html" file, placing it in all folders that contain encrypted files. Note that this ransomware variant belongs to the MedusaLocker family.

   
News-central.org Ads

What is the news-central[.]org website?

Sharing many similarities with ablotadom.com, hanksforyou.biz, fastcaptcharesolve.com, and thousands of others, news-central[.]org is a rogue site. It operates by delivering dubious material and redirecting visitors to other untrusted/malicious web pages.

Few users access news-central[.]org or similar sites intentionally - most are redirected to them by intrusive ads or installed Potentially Unwanted Applications (PUAs). These apps do not require user consent to be installed onto devices. This software can have dangerous functionality, including causing redirects, running intrusive advertisement campaigns, and collecting browsing-related information.

   
GANGBANG Ransomware

What is GANGBANG ransomware?

GANGBANG is a malicious program classified as ransomware. It operates by encrypting the data stored on infected systems in order to demand payment for decryption tools/software. I.e., the files affected by this ransomware are rendered inaccessible, and victims are asked to pay a ransom to recover access to their data.

During the encryption process, files are appended with the ".GANGBANG" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.GANGBANG", "2.jpg" as "2.jpg.GANGBANG", and so on.

Once this process is complete, ransom-demand messages within "GANGBANG-NOTE.txt" files are dropped into compromised folders.

   
Inode Quota Exceeded Email Scam

What is the Inode Quota Exceeded email scam?

Commonly, cyber criminals use emails to trick recipients into providing personal information (such as credit card details, name, surname, bank account number), installing malware on the operating system (e.g., ransomware, Trojan), and transferring money.

Generally, they send emails purporting to be from a legitimate company, organization or other entity. This particular email is disguised as a final notice message from cPanel (web hosting control panel software developer) stating that a specific domain has reached its Inode quota (a website has reached maximum allowed resources).

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
