Virus and Spyware Removal Guides, uninstall instructions

What is the "Free up some memory urgently" scam?

"Free up some memory urgently" is a scam run on deceptive websites. It promote the Kalox APP browser hijacker, however, the scheme might also promote different browser hijackers, adware and other Potentially Unwanted Applications (PUAs). This scam could potentially also promote malware (e.g. ransomware, Trojans, etc.).

Like the name suggests, the scheme claims that users' devices are overloaded and states that they must immediately free up memory.

Note that no web page can detect issues or threats present in systems - any that make such claims are scams. Typically, users access these websites unintentionally - they are redirected to them by intrusive advertisements or PUAs already infiltrated into the device.

What is .support?

.support belongs to the MedusaLocker ransomware family and was discovered by Petrovic. It is designed to encrypt files, modify their filenames and create an HTML file named "Recovery_Instructions.html" (the ransom message). This ransomware places the ransom message in all folders that contain encrypted files.

It also renames files by appending the ".support" extension. For example, "1.jpg" would change to "1.jpg.support", "2.jpg" to "2.jpg.support", etc.

What is My Smart Converter?

My Smart Converter hijacks browsers by changing certain settings to mysmartconverter.com, the address of a fake search engine. It possible that this app will also record various browsing-related data. People do not often download or install browser hijackers intentionally and, for this reason, they are categorized as potentially unwanted applications (PUAs).

What is "Office had a contact with a coronavirus infected people"?

Cyber criminals behind this malspam campaign attempt to trick recipients into believing their office has been exposed to the coronavirus and reviewing (opening) the attached document. This email contains a malicious Microsoft Excel document causing installation on TrickBot, which is Trojan-type malware.

What is Zida ransomware?

Zida is malicious software belonging to the Djvu ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools. During the encryption process, all affected files are appended with the ".zida" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.zida" following encryption. After this process is complete, ransom messages within "_readme.txt" files are dropped into compromised folders.

What is .HOW ransomware?

Discovered by Jakub Kroustek, .HOW belongs to the Dharma ransomware family. This malware encrypts files, changes filenames, and generates ransom messages. It renames encrypted files by adding the victim's ID, how_decrypt@aol.com email address and appending the ".HOW" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.id-1E857D00.[how_decrypt@aol.com].HOW", "2.jpg" to "2.jpg.id-1E857D00.[how_decrypt@aol.com].HOW", and so on. Instructions about how to contact cyber criminals behind .HOW are in a displayed pop-up window and text file named "FILES ENCRYPTED.txt".

What is hp.myway.com?

MyAudioTab is a browser hijacker designed by Mindspark Interactive Network. It supposedly provides quick access to various audio conversion tools. In fact, its main purpose is to promote hp.myway.com (the address of a fake search engine) by changing certain browser settings.

Typically, apps of this type collect browsing data and other information. People do not often download or install browser hijackers intentionally and, therefore, they are categorized as potentially unwanted applications (PUAs).

What is WastedLocker?

WastedLocker is a malicious program classified as ransomware. Systems infected with this malware suffer data encryption and users receive ransom demands for decryption.

There are multiple variants of this ransomware. During the encryption process, WastedLocker renames affected files by appending them with an extension consisting of three characters (which depend on the malware variant) and the word "wasted" (without a space between the three letters and the word).

The researched variants appended files with the ".bbawasted" extension, and another with ".rlhwasted". To elaborate, a file originally named "1.jpg" would appear as "1.jpg.bbawasted", "1.jpg.rlhwasted", or something similar to these examples. After the encryption process is complete, WastedLocker creates a ransom message for each encrypted file.

Ransom messages are named in accordance with encrypted files (e.g. "1.jpg.bbawasted_info", "1.jpg.rlhwasted_info", etc.). The text presented in these ransom demand messages is practically identical throughout the ransomware variants.

What is hp.myway.com?

There are many browser hijackers designed by Mindspark, including MyDocsHere. This app hijacks browsers by assigning certain settings to hp.myway.com (the address of a fake search engine). It is possible that this app might also be capable of collecting various data.

Typically, users do not download or install apps such as MyDocsHere intentionally and, therefore, they are categorized as potentially unwanted applications (PUAs).

What is keysdigita[.]com?

keysdigita[.]com is often visited by people unintentionally when they are opened by installed potentially unwanted applications (PUAs). When visited, the site opens a number of other bogus web pages or displays dubious content. There are many websites similar to keysdigita[.]com including, for example, zmusic-online[.]com, routemob[.]com and rministencew[.]club.

Note that PUAs not only promote bogus web pages, but also display ads and collect data.