Virus and Spyware Removal Guides, uninstall instructions

What is MAKB?

Discovered by xiaopao, MAKB is a malicious program belonging to the Scarab ransomware family. It renames the filenames of encrypted files to a string of random characters and appends the ".MAKB" extension. For example, it would rename "1.jpg" to "2g000000002o63SEiduTVesufmp7Ur50.MAKB", "2.jpg" to "2g000000002o75STiduTsaltarfmp7r35.MAKB", and so on.

Instructions about how to contact cyber criminals and various other details appear in the "HOW TO RECOVER ENCRYPTED FILES.TXT" text file. MAKB creates a copy of this file in every folder that contains encrypted files.

What is Ambrosia?

Ambrosia is a part of the Scarab ransomware family and was discovered by xiaopao. Like most malicious programs of this type, Ambrosia encrypts files, modifies their filenames and creates a ransom message. It renames encrypted files by changing their filenames to a string of random characters and appending the ".ambrosia" extension.

For example, it would rename a file called "1.jpg" to "2g000000000p0zw9VkBVWnK5dMRu2hk8.ambrosia", "2.jpg" to "2g0000000001G0zw9ltGFW4dMRunK1hk6.ambrosia", and so on. Ambrosia creates the "HOW TO RECOVER ENCRYPTED FILES.TXT" text file (containing the ransom message) and drops this file in every folder that contains encrypted files.

What is z6airr.com?

z6airr.com is a fake search engine. Rogue search tools such as z6airr.com are usually promoted by software classified as browser hijackers. They promote these search engines by making modifications to browser settings and restricting/denying access to them.

Additionally, browser hijackers and bogus search engines commonly track and collect information relating to browsing activity. One of the applications observed promoting z6airr.com is AccessibleBoost, which is categorized as adware with browser hijacker characteristics.

Due to the dubious methods used to proliferate adware and browser hijackers, they are classified as Potentially Unwanted Applications (PUAs).

What is Xati?

Discovered by Jakub Kroustek, Xati belongs to a family of ransomware called Dharma. It encrypts files, modifies their filenames, displays a ransom message in a pop-up window and creates another in a text file called "FILES ENCRYPTED.txt". Xati renames files by adding the victim's ID, xatixxatix@mail.fr email address and appending the ".xati" extension to filenames.

For example, it would rename a file called "1.jpg" to "1.jpg.id-1E857D00.[xatixxatix@mail.fr].xati", "2.jpg" to "2.jpg.id-1E857D00.[xatixxatix@mail.fr].xati", and so on.

What is the Photo Viewer Free adware?

Photo Viewer Free, also known as PhotoViewerFree, is a rogue application. Following successful installation, it runs intrusive advertisement campaigns (i.e. delivers intrusive, unwanted and possibly harmful ads). Therefore, Photo Viewer Free is classified as adware.

Additionally, most adware-type programs have data tracking capabilities, which are employed to monitor browsing activity. Since most users download/install Photo Viewer Free inadvertently, it is classified as a Potentially Unwanted Application (PUA).

What is ConnectedAnalog?

ConnectedAnalog is designed to operate as adware and a browser hijacker - it feeds users with ads and changes some of the browser's settings to an address of a fake search engine. Research shows that this app is designed to promote the 0yrvtrh.com address.

Another problem with apps like ConnectedAnalog is that they often are designed to gather various data. It is worthwhile to mention that adware-type apps, browser hijackers are categorized as potentially unwanted applications (PUAs), it is because users tend to download and install them unknowingly.

What is AccessibleBoost?

AccessibleBoost is an adware-type application with browser hijacker traits. It runs intrusive advertisement campaigns, makes modifications to browser settings and promotes a fake search engine. AccessibleBoost promotes z6airr.com in this manner. 

AccessibleBoost monitors browsing activity - most adware-type apps and browser hijackers have these data tracking capabilities. Due to the dubious techniques used to proliferate AccessibleBoost, it is classified as a Potentially Unwanted Application (PUA).

One of the proliferation methods used for this app is distribution via fake Adobe Flash Player updates. Bogus software updaters/installers are used to spread PUAs and also malware (e.g. Trojans, ransomware, etc.).

What is GET ransomware?

Discovered by Jakub Kroustek, GET is a part of the Dharma ransomware family. Typically, malware of this type encrypts files, renames them and displays (and/or creates) a ransom message. GET renames encrypted files by adding the victim's ID, the getscoin2@protonmail.com email address and appending the ".GET" extension to filenames.

For example, it would rename a file called "1.jpg" to "1.jpg.id-1E857D00.[getscoin2@protonmail.com].GET", "2.jpg" to "2.jpg.id-1E857D00.[getscoin2@protonmail.com].GET", and so on. An updated variant of GET ransomware appends the ".[getthefiles@protonmail.com].get" extension.

Instructions about how to contact cyber criminals behind this ransomware can be found in the "FILES ENCRYPTED.txt" text file and a pop-up window.

What is the Oonn ransomware?

Oonn is malicious software and part of the Djvu ransomware family. This malware is designed to encrypt data and demand payment for decryption tools. During the encryption process, all compromised files are appended with the ".oonn" extension. For example, a file such as "1.jpg" would appear as "1.jpg.oonn", "2.jpg" as "2.jpg.oonn", and so on.

After this process is complete, ransom-demand messages in text files named "_readme.txt" are dropped into affected folders.

What is Access TV Streaming?

Access TV Streaming is rogue software advertised as a tool for easy access to TV streaming websites. It operates by making modifications to browser settings to promote haccesstvstreaming.com (a bogus search engine). Access TV Streaming also has data tracking capabilities, which are employed to monitor users' browsing habits.

Due to the dubious techniques used to proliferate this browser hijacker, it is classified as a Potentially Unwanted Application (PUA). Access TV Streaming is often distributed with another PUA called Hide My History.