Virus and Spyware Removal Guides, uninstall instructions

What is LeadingModuleSearch?

Belonging to the AdLoad malware family, LeadingModuleSearch is an adware-type application that shares many similarities with browser hijackers. This app delivers intrusive ad campaigns and modifies browsers to promote fake search engines. Furthermore, most adware and browser hijackers monitor users' browsing activity.

Due to its dubious proliferation methods, it is also classified as a Potentially Unwanted Application (PUA). LeadingModuleSearch has been known to proliferate via fake Adobe Flash Player updaters and installers. Note that bogus software updaters/installers often spread adware, browser hijackers and other PUAs.

They can also infect systems with ransomware, Trojans and other malware.

What is Uzuvnkyh?

Uzuvnkyh was discovered by GrujaRS and is based on another ransomware infection called HiddenTear. Uzuvnkyh encrypts files, modifies their filenames and creates a ransom message. It appends the ".encrypted" extension to the filename of every encrypted file (e.g., "1.jpg" would be renamed to "1.jpg.encrypted", etc.) and creates a text file called "READ_IT.txt".

This message contains instructions about how to contact Uzuvnkyh's developers.

What is ATKL?

ATKL is malicious software belonging to the Matrix ransomware family. Systems infected with this program have their data encrypted and receive ransom demands for decryption.

During the encryption process, all compromised files are renamed according to the following pattern: cyber criminals' email address, random character string and the ".ATKL" extension (e.g. "[atomickule@cock.li].[random_string].ATKL").

For example, a file such as "1.jpg" would appear as something similar to "[atomickule@cock.li].EwjuqhUS-Nxw47YpM.ATKL" following encryption. After this process is complete, a ransom message ("!ATKL_README!.rtf") is dropped into every affected folder. Additionally, ATKL ransomware drops random files onto the desktop and deletes Shadow Volume Copies of files.

What kind of malware is GuLoader?

GuLoader (also known as CloudEyE) is a malware downloader used by cyber criminals to proliferate various Remote Access Trojans (RATs) and other Trojan-type programs. They use GuLoader to infect computers with malicious programs that can be used to steal sensitive information, infect computers with other malware, and perform other actions to help cyber criminals generate revenue.

What is ONION?

ONION is a malicious program belonging to the Dharma ransomware family. It operates by encrypting data and demanding payment for decryption tools/software. During the encryption process, all affected files are renamed according to the following pattern: original filename, unique ID, cyber criminals' email address and the ".ONION" extension.

For example, a file such as "1.jpg" would appear as something similar to "1.jpg.id-1E857D00.[onioncrypt@aol.com].ONION" following encryption. After this process is complete, a pop-up window is displayed and a text file ("FILES ENCRYPTED.txt") is created.

What kind of malware is IPM?

Discovered by Jakub Kroustek, IPM is a malicious program belonging to the Dharma ransomware family. It encrypts files and renames them by adding the victim's ID, decoding@qbmail.biz email address and appending the ".IPM" extension to filenames.

For example, it changes a file named "1.jpg" to "1.jpg.id-1E857D00.[Decoding@qbmail.biz].IPM", etc. IPM also creates a ransom message within the "FILES ENCRYPTED.txt" file and displays another in a pop-up window.

What is Logic Search?

Logic Search is a potentially unwanted application (PUA), a browser hijacker supposedly designed to improve the browsing experience (provide accurate search results and other features). In fact, it promotes a fake search engine (feed.logic-search.com) by changing browser settings and gathering various information.

People usually download and install browser hijackers (and other apps categorized as PUAs) unintentionally.

What are the "Increaseofprofit" sites?

"Increaseofprofit" is a group of deceptive websites, which promote various scams. They have been observed promoting "Dear Chrome User, Congratulations!" and "Latest version of Adobe Flash Player" schemes. Other scams might also be promoted via these sites.

Few users access these deceptive web pages intentionally - most are redirected by intrusive advertisements or Potentially Unwanted Applications (PUAs) already infiltrated into the device. Note that these apps do not need express permission to be installed onto the system.

What is Megabonus-point?

Megabonus-point is a family of untrusted web pages that attempt to deceive visitors into downloading and installing potentially unwanted applications (PUAs) or even malicious programs, providing personal information, and so on. You are strongly advised not to trust any Megabonus-point websites.

Typically, they are opened through clicked deceptive ads, other dubious web pages or PUAs that are installed on browsers and operating systems.

What is the "Arabitol GLOBAL TRADING" email?

"Arabitol GLOBAL TRADING" is a deceptive email claiming that recipients need to confirm a "new order". This is a phishing scam designed to steal recipients' email credentials (i.e., log-ins and passwords) thereby allowing scammers to gain full control over the email account. This could potentially endanger other accounts associated with the stolen email account.