Virus and Spyware Removal Guides, uninstall instructions

RequestPlan Adware (Mac)

What is RequestPlan?

RequestPlan is designed to function as an adware-type application and a browser hijacker. Therefore, it serves advertisements and promotes a fake search engine address by making changes to certain browser settings. This app can also read sensitive information from browsers that have this app installed on them.

In most cases, users download and install apps such as RequestPlan inadvertently and, for this reason, they are classified as potentially unwanted applications (PUAs).

   
Sglh Ransomware

What is Sglh?

Belonging to the Djvu ransomware family, Sglh encrypts files and renames them by appending the ".sglh" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.sglh", "2.jpg" to "2.jpg.sglh", and so on.

Like most programs of this type, Sglh creates a ransom message (in this case, within the "_readme.txt" text file) demanding a fee to be paid. The file is created in each folder that contains encrypted files.

   
TopSportsSearch Browser Hijacker

What is TopSportsSearch?

TopSportsSearch is rogue software classified as a browser hijacker. Following successful installation, it makes modifications to browser settings to promote topsportssearch.com (a bogus search engine). Additionally, TopSportsSearch collects browsing-related information.

Due to the dubious techniques used to proliferate this browser hijacker, it is also classified as a Potentially Unwanted Application (PUA).

   
Hidden (Voidcrypt) Ransomware

What is Hidden ransomware?

Hidden is a malicious program belonging to the Voidcrypt ransomware family. It operates by encrypting data and demanding ransoms for decryption tools. During the encryption process, all affected files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims and the ".Hidden" extension.

For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.[Wannadecryption@gmail.com][7W20T6934HP1LFO].Hidden" following encryption. After this process is complete, ransom messages within "!INFO.HTA" files are dropped into compromised folders.

   
R2block Ransomware

What is R2block?

R2block was discovered by xiaopao. In most cases, ransomware is designed to encrypt files, rename them, and generate ransom messages. R2block renames encrypted files by appending the ".r2block" extension. For example, "1.jpg" is renamed to "1.jpg.r2block", "2.jpg" to "2.jpg.r2block", and so on.

It also changes the desktop wallpaper, creates an image file (also used as the desktop wallpaper) in all folders that contain encrypted files, and displays a pop-up window. The desktop wallpaper and pop-up window are the ransom messages.

   
Dpr Ransomware

What is Dpr ransomware?

Dpr is a malicious program and part of the VoidCrypt ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools.

During the encryption process, all compromised files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims, and a ".Dpr" extension (not to be confused with the legitimate "DPR" file extension).

For example, a file originally named "1.jpg" would appear as "1.jpg.[Decrypt@criptext.com][U6EQA90IGCRDLH1].Dpr" following encryption. After this process is complete, ransom messages within "!INFO.HTA" files are dropped into compromised folders.

   
Ministro Dell'Economia E Delle Finanze Email Virus

What is Ministro dell'Economia e delle Finanze email virus?

Typically, cyber criminals behind malspam emails such as this one attempt to trick recipients into downloading and executing a malicious attachment (or opening a file that can be downloaded via a provided website link), which then installs malware.

This particular email has a ZIP file attached, which contains a malicious MS Excel document designed to install Ursnif (also known as Gozi, Dreambot and ISFB).

   
Gsearch.live Redirect (Mac)

What is gsearch.live?

gsearch.live is a fake search engine. Typically, these sites are promoted through browser settings that have been modified by the set-ups of downloaded/installed software, i.e., users rarely choose to use these fake search engines intentionally. Note that gsearch.live is promoted via a fake installer for Adobe Flash Player.

These bogus search engines can gather browsing data and other information.

   
Zimba Ransomware

What is Zimba ransomware?

Zimba is a malicious program and part of the Dharma ransomware family. It is designed to encrypt data in order to demand payment for decryption. During the encryption process, files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address, and the ".zimba" extension.

For example, a file named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[backup@zimbabwe.su].zimba" following encryption. After this process is complete, ransom messages are created in a pop-up window and in the "FILES ENCRYPTED.txt" text file.

   
Pepe Ransomware

What is Pepe?

This ransomware-type program belongs to the VoidCrypt ransomware family. The ransomware encrypts victims' files, renames all compromised files, and creates a file designed to launch a ransom message in a pop-up window. Pepe renames files by adding the decodevoid@gmail.com email address, victim's ID, and appending the ".pepe" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.decodevoid@gmail.com][RD48IE5ULY93O1C].pepe", "2.jpg" to "2.jpg.decodevoid@gmail.com][RD48IE5ULY93O1C].pepe", and so on. Pepe creates the "!INFO.HTA" file (ransom message) in all folders that contain encrypted files.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
