Virus and Spyware Removal Guides, uninstall instructions

What is Easy Steps DIY Tab?

Easy Steps DIY Tab is a typical browser hijacker, which promotes a fake search engine (easystepsdiytab.com) by changing certain browser settings. These apps often gather information relating to users' browsing activities.

Note that people tend to download and install browser hijackers inadvertently and, for this reason, they are categorized as potentially unwanted application (PUAs). Research shows that Easy Steps DIY Tab is distributed with another PUA called Hide My History.

What is the fake "Philippine Overseas Employment Administration" email?

"Philippine Overseas Employment Administration" refers to a spam email campaign disguised as mail from the Philippine Overseas Employment Administration (POEA). The term "spam campaign" defines a large scale operation, during which thousands of deceptive emails are sent.

The messages of this spam campaign claim that recipients risk losing their licenses, unless they complete and submit the attached documents. In fact, these emails are fake and are in no way associated with the genuine POEA organization. The files attached to the scam emails are designed to infect systems with the NanoCore RAT (Remote Access Trojan).

What is havilizedkj[.]club?

When opened/visited, havilizedkj[.]club opens other bogus websites or loads dubious content. There are many websites similar to havilizedkj[.]club on the internet. Some examples are click-to-watch[.]live, bestdealfor21[.]life and cvazirouse[.]com.

People do not often visit them intentionally - they are opened through clicked deceptive advertisements, other dubious web pages, or by installed potentially unwanted applications (PUAs). These rogue apps are often designed to promote (open) sites such as havilizedkj[.]club, serve advertisements, and collect data.

What is Easy Coupon Finder?

Easy Coupon Finder hijacks browsers by changing certain settings to easycouponfindertab.com (the address of a fake search engine). These apps often track information relating to users' browsing habits. Commonly, people download and install apps such as Easy Coupon Finder inadvertently and, therefore, they are cateogorized as potentially unwanted applications (PUAs).

What is NHLP?

NHLP is a malicious program belonging to the Dharma ransomware family. Generally, malware of this type is designed to prevent victims from accessing/using their files by encryption, renaming every encrypted file, and displaying and/or creating a ransom message.

This particular ransomware renames files by adding the victim's ID, newhelper@protonmail.ch email address, and appending ".NHLP" extension to filenames.

For example, it changes the filename of "1.jpg" to "1.jpg.id-1E857D00.[newhelper@protonmail.ch].NHLP", "2.jpg" to "2.jpg.id-1E857D00.[newhelper@protonmail.ch].NHLP", etc. NHLP also displays a pop-up window and creates the "FILES ENCRYPTED.txt" file, both of which contain a ransom message.

What is Prnds ransomware?

Prnds is a malicious program belonging to the Dharma ransomware family. It operates by encrypting the data of infected systems in order to demand ransoms for decryption. During the encryption process, all affected files are renamed according to this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address and the ".prnds" extension.

For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[prndssdnrp@mail.fr].prnds" following encryption. After this process is complete, ransom messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is CoronaCrypt?

CoronaCrypt ransomware is designed to encrypt files, modify filenames, display a ransom message and create the "How_To_Restore_Your_Files.txt" text file (another ransom message). It renames files by adding its name, u.contact@aol.com email address, victim's ID, and appending the ".Encrypted" extension to filenames.

For example, CoronaCrypt would rename a file called "1.jpg" to "1.jpg.CoronaCrypt[u.contact@aol.com]-[ID-1E857D00].Encrypted", "2.jpg" to "2.jpg.CoronaCrypt[u.contact@aol.com]-[ID-1E857D00].Encrypted", etc.

What is Dtbc ransomware?

This malware belongs to the Dharma ransomware family. Like most malicious programs of this type, Dtbc is designed to encrypt data, rename encrypted files and provide instructions about how to contact the developers. It renames encrypted files by adding the victim's ID, databack2@protonmail.com email address and appending the ".dtbc" extension.

For example, it renames "1.jpg" to "1.id-1E857D00.[databack2@protonmail.com].dtbc", "2.jpg" to "2.id-1E857D00.[databack2@protonmail.com].dtbc", and so on. An updated variant provides the "databack3@protonmail.com" email address.

It also creates a ransom message with the "FILES ENCRYPTED.txt" file and displays another another in a pop-up window.

What is the Search Pro browser hijacker?

Search Pro is a rogue application endorsed as supposedly capable of providing reliable search results, popular search trends and other web-search related features. In fact, this app is categorized as a browser hijacker, due to the modifications it makes to browsers to promote hsearchpro.com (a bogus search engine).

Additionally, this application monitors users' browsing activity. Since most users download/install Search Pro unintentionally, it is also classified as a Potentially Unwanted Application (PUA).

What is EmailCheckNow?

EmailCheckNow is software classified as a browser hijacker. It is advertised as an easy access tool for email accounts. In fact, EmailCheckNow operates by making modifications to browser settings to promote emailchecknow.com (a fake search engine).

Most browser hijackers have data tracking capabilities, which are employed to monitor users' browsing activity - and it is highly likely that EmailCheckNow has this functionality as well. Since most users download/install this browser hijacker unintentionally, it is also classified as a Potentially Unwanted Application (PUA).