Virus and Spyware Removal Guides, uninstall instructions

What is Phantom ransomware?

Discovered by xiaopao, Phantom, also known as PhantomChina, is a malicious program classified as ransomware. This malware operates by encrypting data and demanding payment for decryption. During the encryption process, all affected files are appended with the ".phantom" extension.

For example, a file originally named "1.jpg" would appear as "1.jpg.phantom" following encryption. Once this process is complete, ransom messages within "!How_To_Decrypt_My_File_如何解密我的文件.hta" files are dropped into compromised folders.

What is Ecogreen APP?

Ecogreen APP is a browser hijacker, which promotes tailsearch.com, the address of a fake search engine. Generally, browser hijackers promote specific addresses by modifying browser settings. Additionally, Ecogreen APP collects search queries that users enter whilst browsing the web.

Commonly, apps of this type also gather other browsing-related information. Many users download and install browser hijackers inadvertently and, therefore, they are categorized as potentially unwanted applications (PUAs).

What is Eight ransomware?

Eight is a malicious program, which is part of the Phobos ransomware family. It encrypts files and makes ransom demands for the decryption.

Eight renames files by adding the victim's ID and cyber criminals' email address (updated variants of this ransomware add different ones) and appending them with the ".eight" extension. For example, a file like "1.jpg" would appear similar to "1.jpg.id[1E857D00-2776].[use_harrd@protonmail.com].eight", and so on.

This ransomware also creates a ransom-demanding message within a text file (".info.txt") and displays another in a pop-up window ("info.hta").

What is PracticalRemote?

PracticalRemote is a rogue application classified as adware and also possessing browser hijacker traits. It operates by running intrusive advertisement campaigns and making modifications to browser settings in order to promote fake search engines. PracticalRemote promotes 0yrvtrh.com in this manner. 

On Google Chrome browsers, however, it promotes search.dominantmethod.com. Additionally, most adware and browser hijackers monitor users' browsing habits, and PracticalRemote is no exception. Due to the dubious techniques used to proliferate this app, it is classified as a Potentially Unwanted Application (PUA).

What is Streaming Lab Tab?

Streaming Lab Tab is classified as a browser hijacker, since it changes certain browser settings to streaming-lab.com (the address of a fake search engine). It is also likely to gather browsing-related information.

Note that users often download and install browser hijackers unintentionally and, therefore, programs such as Streaming Lab Tab are categorized as potentially unwanted applications (PUAs).

What is TiNx?

TiNx belongs to the Xorist ransomware family. Like other malware of this type, TiNx encrypts data, changes the filename of each encrypted file and generates a ransom message. It also appends the ".TiNx" extension to filenames. For example, it would rename a file called "1.jpg" to "1.jpg.TiNx", "2.jpg" to "2.jpg.TiNx", and so on.

This ransomware changes the desktop wallpaper, displays a pop-up window and creates the "HOW TO DECRYPT FILES.txt" text file in all folders that contain encrypted files (all contain a ransom message).

What is ZaCaPa ransomware?

Discovered by Michael Gillespie, ZaCaPa is a malicious program that is part of the Xorist ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with the ".ZaCaPa" extension.

For example, a file originally named "1.jpg" would appear as "1.jpg.ZaCaPa", "2.jpg" as "2.jpg.ZaCaPa", and so on following encryption. After completion of this process, identical ransom messages are created in a pop-up window, desktop wallpaper and "HOW TO DECRYPT FILES.txt" text files, which are dropped into affected folders.

What is Lampar?

Lampar is a part of the Scarab ransomware family. This ransomware renames encrypted files by replacing filenames with a string of random characters and appending the ".lampar" extension. For example, it would rename a file called "1.jpg" to "5D+8K+2UDZjTWGGI.lampar", "2.jpg" to "3F+7L+4BCZkMVCMZ.lampar", and so on.

It also generates the "DECRYPT.TXT" file containing the ransom message in every folder that contains encrypted files.

What is Now News Online?

Now News Online is a typical browser hijacker which promotes the address of a fake search engine (hnownewsonline.com) by changing certain browser settings.

Apps of this type often gather information relating to browsing activity. Note that users often download and install apps such as Now News Online inadvertently and are therefore categorized as potentially unwanted applications (PUAs). Research shows that Now News Online is distributed with another PUA called Hide My History.

What is DLLEscort?

DLLEscort is advertised as tool which fixes .dll, .exe, .sys, .ocx, and other errors, DirectX problems, maintain and keeps computers clean and fast, and prevents applications and systems from crashing. In fact, this program is distributed through installers of other programs and included into their set-ups as an 'additional offer'.

Commonly, users download and install programs that are distributed this way inadvertently. Therefore, they are categorized as potentially unwanted applications (PUAs).