Virus and Spyware Removal Guides, uninstall instructions

What is .666 (njkwe RaaS) ransomware?

.666 (njkwe RaaS) is a malicious program belonging to the Paradise ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools/software.

During the encryption process, all compromised files are renamed according to this pattern: original filename, cyber criminals' email address, unique ID and the ".666" extension. For example, a file originally named "1.jpg" would appear as something similar to "1.jpg_decryptdocs@msgsafe.io_{6roxTv}.666" following encryption.

Once this process is complete, ransom-demand messages ("nooode.txt") are dropped into affected folders.

What is "ZEUS VIRUS DETECTED !!!"?

"ZEUS VIRUS DETECTED !!!" is a fake notification relating to viruses and malicious applications - these are 'detected' by a deceptive website disguised as an official Apple site. In fact, this is a scam website designed to trick people into contacting scammers by calling them on the telephone number provided.

We strongly recommend that you ignore this scam and do not call these people. All malware detections mentioned on this web page are fake.

What is [TorS@Tuta.Io] ransomware?

Discovered by malware researcher, Ravi, [TorS@Tuta.Io] is a malicious program belonging to the GlobeImposter ransomware family. This malicious program is designed to encrypt data and demand payment for decryption tools. During the encryption process, files are appended with the ".[TorS@Tuta.Io]" extension.

For example, a file named something like "1.jpg" would appear as "1.jpg.[TorS@Tuta.Io]", and so on for all compromised files. Once this process is complete, a ransom message is created in HTML applications ("Help decrypt.hta"), and these files are dropped into all of the affected folders.

What is DynamicAnalog adware?

DynamicAnalog is rogue software categorized as adware and also possessing browser hijacker traits. Following successful infiltration, this application operates by running intrusive advertisement campaigns and making modifications to promote Safe Finder, a fake search engine.

Additionally, most adware-type apps and browser hijackers have data tracking capabilities employed to monitor users' browsing activity. Due to the dubious methods employed to proliferate DynamicAnalog, it is also classified as a Potentially Unwanted Application (PUA).

What is Josephnull ransomware?

Discovered by JAMESWT, Josephnull is malicious software classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the ".crypted" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.crypted" following encryption. After this process is complete, ransom messages are created in a pop-up window ("HOW_TO_DECYPHER_FILES.hta"), text files called "HOW_TO_DECYPHER_FILES.txt", and in a screen displayed when the user account is accessed.

What is "Windows Defender Alert (0x3e7)"?

The "Windows Defender Alert (0x3e7)" pop-up window appears when visiting a deceptive website. This is a fake error alert.

These notifications appear only on untrustworthy, potentially malicious websites that people end up visiting unintentionally - they are redirected to them by potentially unwanted applications (PUAs) that they have installed on their browsers or operating systems. Installation of these PUAs often occurs accidentally or unintentionally.

When installed, these apps cause redirects to dubious websites, deliver ads, and gather information.

What is Media Converter Pro Promos adware?

Media Converter Pro Promos is dubious software classified as adware. Following successful installation, it runs intrusive advertisement campaigns, delivering various annoying and even harmful ads. Additionally, this adware gathers information relating to users' browsing habits.

Due to the dubious techniques used to proliferate Media Converter Pro Promos, it is also classified as a Potentially Unwanted Application (PUA).

What is a browser hijacker?

When installed on devices, internet browsers automatically force-open fake or legitimate search engines (and/or other dubious websites). Typically, these redirects occur when attempts are made to search via the URL bar or when a new browser tab/window is opened.

Dubious software within the browser hijacker category achieves this by making certain modifications to browser settings. Additionally, most browser hijackers have data tracking capabilities, which are used to monitor browsing activity and collect sensitive information extracted from it.

Browser hijackers are also classified as Potentially Unwanted Applications (PUAs), since many users download/install them unintentionally.

What is Flare Search browser hijacker?

Flare Search is a browser hijacker. Following successful infiltration, it makes modifications to browser settings to promote a fake search engine. Flare Search promotes flaresearch.net in this way. This software also adds the "Managed by your organization" feature to Google Chrome browsers, for the purpose of ensuring persistence (i.e. complicating removal).

Flare Search also has data tracking capabilities, which are employed to monitor users' browsing activity. Due to the dubious methods used to spread Flare Search, it is classified as a Potentially Unwanted Application (PUA).

What is Repter ransomware?

Repter is a new variant of Fonix ransomware. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools/software. During the encryption process, all compromised files are renamed according to this pattern: original filename, cyber criminals' email address and the ".repter" extension.

For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.EMAIL=[repter@tuta.io]ID=[D45850C4].repter" following encryption. After this process is complete, a ransom message is created in a pop-up window ("How To Decrypt Files.hta").