Virus and Spyware Removal Guides, uninstall instructions

What is "Your Windows 10 is infected with 5 viruses!"?

"Your Windows 10 is infected with 5 viruses!" is a sentence from a fake virus alert message suggesting that the user's operating system is infected with viruses. Typically, these notifications appear on deceptive websites designed by scammers who seek to trick visitors into downloading and installing dubious software, which supposedly removes the viruses.

Note that scammers often encourage visitors to contact them by telephone. When contacted, however, they urge people to purchase dubious software or pay for their remote services. In any case, websites of this type can never be trusted and should be avoided.

What kind of malware is the FireBird RAT?

FireBird is a Remote Access Tool (or alternatively, when used in a malicious capacity, it is termed a Remote Access Trojan) or 'RAT'.

On initial inspection, this may seem to be a legitimate piece of software, however, its list of capabilities/features (e.g. anti-detection, functionality without input or permission of the connected machine's user, etc.) clearly indicate that FireBird was developed with malicious use in mind.

Furthermore, this program is offered for purchase in a cryptocurrency, the transactions of which are difficult/impossible to trace due to the lack of personal information required. Therefore, cyber criminals wishing to purchase this dangerous software can remain anonymous.

FireBird allows remote access and control over an infected device. It can be used in various dangerous ways that endanger system integrity and user safety.

What is pushpush[.]net?

pushpush[.]net is a rogue site, similar to glagolinius.com, androidrecaptcha.info, tatilyerlerim.com, secretvideos2020.com and many others. It operates by presenting visitors with dubious content and generating redirects to other untrustworthy, even malicious web pages.

Visitors to pushpush[.]net usually access it inadvertently. They are redirected by intrusive advertisements or Potentially Unwanted Applications (PUAs). Following successful installation, these apps cause redirects, deliver intrusive ads and monitor/gather browsing-related information.

What is Happychoose?

Happychoose is a part of the GlobeImposter ransomware family. Typically, software of this type encrypts files, changes filenames and creates ransom messages. Happychoose renames files by appending the ".happychoose" extension to filenames.

For example, it changes "1.jpg" to "1.jpg.happychoose", and so on. It also creates the "Decryption INFO.html" file (containing the ransom message) and drops it in every folder that contains encrypted data.

What is Jope?

Discovered by Michael Gillespie, Jope is one of many ransomware-type programs belonging to the Djvu family. It encrypts victims' files, adds a new extension to filenames and creates a ransom message. Jope renames encrypted files by appending the ".jope" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.jope", "2.jpg" to "2.jpg.jope", etc. Instructions about how to contact cyber criminals, details such as size of ransom and other information are provided in a text file named "_readme.txt".

What is SearchYA?

SearchYA is one of many potentially unwanted applications (PUAs) that are categorized as browser hijackers. SearchYA supposedly improves the browsing experience, however, it actually promotes the feed.search-ya.com fake search engine (by changing browser settings) and collects information relating to users' browsing habits.

Note that people do not usually download browser hijackers or other PUAs intentionally.

What is SearchSystem?

SearchSystem is an adware-type app that runs intrusive advertisement campaigns. The ads it delivers are unwanted, deceptive and possibly even malicious. This application also has characteristics commonly attributed to browser hijackers, such as browser modification and fake search engine promotion.

Since few users install this app intentionally, SearchSystem is also classified as a Potentially Unwanted Application (PUA). Most PUAs (adware and browser hijackers included) can track browsing-related data. SearchSystem is proliferated using bogus Adobe Flash Player updaters/installers, which are used to distribute PUAs and also ransomware, Trojans and other malware.

What is PlusSpecial?

PlusSpecial is a rogue app classified as adware that possesses browser hijacker characteristics. This application enables the placement of intrusive advertisements on any visited website. It also makes modifications to browsers to promote fake search engines (Safe Finder via akamaihd.net).

Most adware-types and browser hijackers monitor users' browsing activity. Furthermore, since most users download/install PlusSpecial inadvertently, it is classified as a Potentially Unwanted Application (PUA).

What is ZyNoXiOn?

ZyNoXiOn is malicious software categorized as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption. During the encryption process, all compromised files are appended with the ".ZyNoXiOn" extension.

For example, a file named something like "1.jpg" would appear as "1.jpg.ZyNoXiOn" following encryption. After this process is complete, a text file ("HOW TO DECRYPT FILES.txt") is dropped into each affected folder and a pop-up window is displayed.

What is Tab Recovery?

Tab Recovery (also known as Tab Recovery - Save & Organize Your Tabs) is a browser hijacker that assigns certain browsers settings to tabrecovery.com and explormatrix.com. Therefore, it is classified as a potentially unwanted application (PUA). It promotes one fake and one dubious search engine.

Apps such as Tab Recovery are classified as PUAs, since people tend to download and install them inadvertently. Note that most promote fake search engines and gather information.