Virus and Spyware Removal Guides, uninstall instructions

What is Ada Covid?

Discovered by MalwareHunterTeam, Ada Covid is ransomware designed to prevent victims from accessing their files by encryption. As with many ransomware programs, it renames all encrypted files and creates/displays ransom messages. Ada Covid renames files by appending the ".pdf" extension to filenames twice.

For example, it renames "1.jpg" to "1.jpg.pdf.pdf", "2.jpg" to "2.jpg.pdf.pdf", etc. It also creates a ransom message within a text file named "Name of your explain.txt".

What is the CoViper malware?

CoViper is yet another Coronavirus/COVID-19-themed malware infection, most likely proliferated as a file related to the pandemic. It operates by rewriting the system Master Boot Record (MBR). It does not delete the original, but rather creates a backup and replaces it with a custom MBR.

Typically, malicious software that modifies MBRs do so to prevent the Operating System (OS) from being booted (i.e., started). It also displays a screen-encompassing message, often containing a ransom message - this disables user access to the device. Such malicious programs are categorized as MBRLockers/screenlockers or ransomware.

In the case of CoViper, it does not make any demands, such as ransoms, however, there is evidence to suggest that this malware is still in development and may be updated for these purposes in future.

What is ShkolotaCrypt?

ShkolotaCrypt ransomware was discovered by GrujaRS. Malware of this type encrypts files, modifies filenames and creates and/or displays ransom messages. This ransomware renames encrypted files by appending the ".crypted" extension to filenames.

For example, it would rename "1.jpg" to "1.jpg.crypted", "2.jpg" to "2.jpg.crypted", and so on. ShkolotaCrypt also creates a ransom message within a text file named "README!!!".

What is InteractiveSpeed?

InteractiveSpeed serves advertisements, collects various information (including sensitive data) and promotes Safe Finder via akamaihd.net. This app is classified as a potentially unwanted application (PUA) and adware. Typically, people download and install apps of this type inadvertently.

What is ScanMyReg?

ScanMyReg is one of many system optimization tools that supposedly fix various errors and improve computer performance in other ways. In fact, developers distribute these apps through the set-ups of other programs by including them as "additional offers".

Typically, people download and install these programs unintentionally and, therefore, they are classified as potentially unwanted applications (PUAs). Do not trust applications that are distributed in this way.

What is MSPLT?

Discovered by dnwls0719, MSPLT is a malicious program belonging to the Dharma ransomware family. Systems infected with this malware suffer data encryption and users receive ransom demands for decryption tools/software.

When this ransomware encrypts, all affected files are renamed with the following pattern: original filename, unique ID assigned to the victim, cyber criminals' email address and the ".MSPLT" extension. For example, after encryption, a file like "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[supermetasploit@aol.com].MSPLT", and so on.

Once this process is complete, a ransom message ("FILES ENCRYPTED.txt") is created and a pop-up window is displayed.

What is bmps.xyz?

bmps.xyz is the web address of a fake search engine, which promoted by applications named Nismo AP and SApp+. These two applications are classified as browser hijackers. Like most browser hijackers, Nismo AP and SApp+ promote bmps.xyz by changing browsers settings.

Commonly, apps of this type also collect user-system information. People often download and install browser hijackers inadvertently and, therefore, they are also known as potentially unwanted applications (PUAs).

What is NMoreira (Boot)?

Discovered by CollabVM, NMoreira (Boot) is a ransomware-type program that operates by encrypting data and demanding ransom payments for decryption tools/software. During the encryption process, all affected files are appended with the ".NMoreira" extension.

For example, a file named something like "1.jpg" would appear as "1.jpg.NMoreira" following encryption. After the encryption process is complete, a ransom-demand message is displayed when the system is rebooted, and a ransom message ("YOUR_DRIVE_HAS_BEEN_ENCRYPTED.TXT") is created.

What is the "IOS VPN profile" scam?

"IOS VPN profile" is a scam run on deceptive websites. This scheme claims that users' internet connections may not be secure and advises them to download/install a promoted VPN application. Software endorsed using such dubious tactics is typically nonfunctional, untrusted or even malicious.

Some of the rogue sites that display this fake error are delivered via the Amazon CloudFront service. People might also access these web pages through redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already installed on the system.

What is originalsecureus[.]com?

originalsecureus[.]com is a deceptive website, running several scams. These schemes claim that the user's device is (or might be) infected - this is to promote untrusted or possibly malicious software. The endorsed applications are supposedly capable of removing the nonexistent threats.

Note that no site can detect threats/issues present on users' systems, and any that claim to do so are scams. You are strongly advised against trusting originalsecureus[.]com and other similar sites.

Typically, these web pages are entered unintentionally - most people access them via redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already infiltrated into the system.