Virus and Spyware Removal Guides, uninstall instructions
What is SearchHD?
SearchHD is software categorized as a browser hijacker that modifies browser settings to promote search-hd.com (a fake search engine). Furthermore, it monitors users' browsing activity. Since most users download/install SearchHD unintentionally, it is also classified as a Potentially Unwanted Application (PUA).
What is the "BBVA" email?
"BBVA" is a deceptive email designed to proliferate the Agent Tesla RAT (Remote Access Trojan). The text presented in these messages is in Spanish, and hence the intended targets are Spanish-speaking users. The email claims to contain information concerning due invoice payments.
Instead, the attached archived file contains the Agent Tesla malicious executable. RAT-type malware enables remote access and control over an infected system, thereby posing a serious threat to device and user safety.
What kind of website is yts[.]mx?
Yts[.]mx is one of many torrent websites. It is not safe to use these websites to download software, files or other content, since they are often used by cyber criminals to proliferate malicious programs. Furthermore, it is illegal to download copyrighted content via torrent web pages.
Research shows that this particular website uses rogue advertising networks, which lead visitors to other dubious, potentially malicious pages.
What is Sekhmet?
Discovered by dnwls0719, Sekhmet is ransomware. This malicious program operates by encrypting data and demanding ransom payments for decryption. During the encryption process, all affected files are appended with an extension, consisting of random characters (e.g. ".HrUSsw", ".WNgh", ".NdWfEr", etc.).
Note that these extensions do not merely differ from infection to infection; they can also differ on the same device. Therefore, victims might find that some of their files have one extension, whilst others have a different one. After the encryption process is complete, a ransom message ("RECOVER-FILES.txt") is dropped into every compromised folder.
What is WinOptimizer?
As its name suggests, WinOptimizer is software that supposedly analyzes and optimizes Windows computers. Like most programs of this type, it suggests that people can scan their computers for unnecessary files, registry entries and running services, invalid shortcuts, etc.
In fact, this program is categorized as a potentially unwanted application (PUA), since developers distribute it through the set-ups of other programs. Commonly, users download and install PUAs inadvertently.
What is Ramsay?
Ramsay is malware capable of scanning computers, removable drives and network shares/drives that are isolated from unsecured networks (such as the public internet or unsecured local area networks) for files such as Microsoft Office documents, PDF documents and ZIP archives.
In this way, it can steal files from compromised devices. Research shows that Ramsay is capable of spreading itself onto other computers as well.
What is the cooing[.]top site?
cooing[.]top is a deceptive website promoting a version of the "Latest version of Adobe Flash Player" scam. The scheme claims that the Adobe Flash Player installed on the system is outdated and requires updates. In fact, the updaters offered by cooing[.]top are fake.
At the time of research, this rogue updater installed a Potentially Unwanted Application (PUA) called Easy Mac Care. Yet the updater might install other PUAs such as adware and browser hijackers. Note that bogus update installers are used to distribute not only PUAs but also Trojans, ransomware and other malware.
Typically, sites like cooing[.]top are accessed via redirects caused by intrusive advertisements or PUAs.
What is "Polícia de Segurança Pública"?
There are various spam campaigns that are used to trick people into installing malicious programs on their computers. Generally, cyber criminals send emails that are disguised as important, official messages from legitimate companies/organizations and contain malicious attachments and/or website links.
Their main goal is to trick recipients into downloading the malicious file and executing it. In this case, cyber criminals send emails disguised as messages from the Public Security Police that contain a malicious archive (ZIP) file. This archive contains a malicious file designed to install a remote administration Trojan (RAT) called NanoCore.
What is "Your Mac needs to be updated to improve compatibility"?
"Your Mac needs to be updated to improve compatibility" is a message in a deceptive pop-up window, which appears after launching a fake Adobe Flash Player installer. It is designed to trick users into thinking that by entering the password and clicking the "OK" button they will update the operating system.
In fact, it installs one or more potentially unwanted applications (PUAs) instead. Research shows that this fake installer is used to distribute PUAs such as MediaDownloader, MyCouponsmart and Easy Mac Care, and to promote the searchmine.net address (a fake search engine). It might also be designed to install or promote other PUAs and fake search engines.
Regardless, deceptive installers should never be used, since they often distribute and install malware.
What is the EpicSplit RAT?
Discovered by Blueteam 4 Life, EpicSplit is a malicious program classified as a Remote Access Trojan (RAT). Malware of this type allows remote access and control over an infected device. RATs can enable user-level control (or close to user-level control) of a machine.
These programs have a wide variety of functionalities, which can lead to likewise varied misuse. Remote Access Trojan infections are highly dangerous and, therefore, must be eliminated immediately.