Virus and Spyware Removal Guides, uninstall instructions

What is bestapps2020[.]com?

People do not often visit websites such as bestapps2020[.]com intentionally - browsers with potentially unwanted applications (PUAs) installed open these pages automatically. Other examples of similar web pages promoted by PUAs are mmk-news3[.]club, undertain[.]work and liveplayingnow[.]com.

Note that PUAs often promote (open) dubious web pages (including bestapps2020[.]com), serve advertisements, and collect user-system information.

What is Peace ransomware?

Discovered by xiaopao, Peace is malware and part of the VoidCrypt ransomware family. It encrypts files, modifies their filenames and displays a ransom message. Peace ransomware renames files by adding the peace491@tuta.io email address, victim's ID and appending the ".Peace" extension to filenames.

For example, "1.jpg" is renamed to "1.jpg.[peace491@tuta.io][5AH4CRT79BGYIXU].Peace", "2.jpg" to "2.jpg.[peace491@tuta.io][5AH4CRT79BGYIXU].Peace", and so on. It also launches a ransom message from the "!INFO.HTA" file, which it creates in all folders that contain encrypted files.

What is searchnets.xyz?

searchnets.xyz is the address of a bogus search engine. These fake search engines are usually promoted by rogue software called browser hijackers, which make modifications to browser settings. Browser hijackers have data tracking capabilities, which are employed to monitor users' browsing activity.

Due to the dubious methods used to proliferate browser hijackers, they are also classified as Potentially Unwanted Applications (PUAs).

What is PublicCharacterSearch?

The purpose of PublicCharacterSearch is to generate revenue for the developers by serving ads, promoting a fake search engine and gathering various data. This app functions both as adware and a browser hijacker. People often download these apps unintentionally and, therefore, they are categorized as potentially unwanted applications (PUAs).

This particular app is distributed by disguising it as the installer of Adobe Flash Player (it is installed through a fake installer).

What is GravityRAT?

GravityRAT is malware classified as spyware: it allows cyber criminals to steal certain data from infected devices. The cyber criminals behind this malware target Windows, macOS and Android users. If there is reason to believe that GravityRAT is installed on your computer or mobile telephone, remove it immediately.

What is "This computer is blocked"?

"This computer is blocked" is a tech support scam, a fake virus alert that occurs only when visiting an untrustworthy/deceptive website. Typically, users do not visit websites of this type intentionally - potentially unwanted applications (PUAs) redirect them to it.

As well as redirects to deceptive web pages, PUAs deliver ads and gather browsing-related (and other) data. Most infiltrate systems without users' consent.

What kind of malware is Elder?

Elder is malicious software belonging to the Phobos ransomware family. It is designed to encrypt data and keep it inaccessible until a ransom is paid (i.e., decryption software/tool is purchased). When Elder encrypts data, it renames files with the victim's unique ID number, developer's email address, and the ".elder" (or ".Elder") extension.

For example, "1.jpg" becomes "1.jpg.id[1E857D00-2397].[stocklock@airmail.cc].elder" and so on for all affected files. Once this process is complete, Elder stores two files on the desktop ("info.hta" and "info.txt"), which contain the ransom messages.

What is mylot[.]com ?

Typically, users arrive at mylot[.]com and similar sites after clicking deceptive advertisements, visiting bogus web pages, or when potentially unwanted applications (PUAs) are installed on browsers and/or operating systems. In any case, users do not often visit these sites intentionally.

Some examples of other pages similar to mylot[.]com are ahacdn[.]me, rex-news[.]org and samizdat-philosophy[.]com.

What kind of malware is RobbinHood?

Ransomware-type programs are computer infections that cyber criminals use to prevent people from accessing their files and to blackmail them by making ransom demands. RobbinHood was discovered by Michael Gillespie and is an example of one of these programs. 

It encrypts data stored on the system, rendering files unusable. To regain access to their files, people are encouraged to purchase a specific decryption tool. RobbinHood renames each encrypted file with the following format: "Encrypted_random.enc_robbinhood" (the word "random" is replaced with a string of random numbers and characters).

For example, "1.jpg" might be renamed to a filename such as "Encrypted_1y5u5msd65321fd2.enc_robbinhood", and so on. This program creates an HTML file ("_Decryption_ReadMe.html") containing a ransom message, which provides instructions about how to make payment and receive a decryption tool.

What is mmk-news3[.]club?

Sharing many similarities with undertain.work, liveplayingnow.com, swindoors.work, jrg-news1.club and thousands of other sites on the web, mmk-news3[.]club is a rogue website. Visitors to this page are presented with dubious content and/or are redirected to other untrusted or possibly malicious sites.

Few users access mmk-news3[.]club intentionally - most are redirected to it by intrusive ads or by Potentially Unwanted Applications (PUAs) already installed on their devices. This software does not need explicit user permission to infiltrate systems. PUAs cause redirects, run intrusive advertisement campaigns and collect browsing-related information.