Virus and Spyware Removal Guides, uninstall instructions

What is My Package Homepage?

The My Package Homepage app supposedly provides a package tracking service, however, this rogue software is categorized as a browser hijacker, a potentially unwanted application (PUA) that promotes a fake search engine (search.hmypackagehomepage.com) and gathers browsing data.

Like most browser hijackers, My Package Homepage promotes its associated URL (in this case, search.hmypackagehomepage.com) by changing browser settings. Note that people often download and install apps of this type inadvertently.

What is search.doc2pdfsearch.com?

Practically identical to doctopdfsupreme.com, search.pricklybears.com, and many others, search.doc2pdfsearch.com is a fake search engine and promoted by the DOC2PDF Convert browser hijacker. These rogue applications modify browsers and restrict/deny access to settings.

Additionally, most browser hijackers have data tracking abilities, which are employed to record browsing-related information. Due to the dubious methods used to distribute DOC2PDF Convert, it is also classified as a Potentially Unwanted Application (PUA).

What is doctopdfsupreme.com ?

doctopdfsupreme.com is a fake search engine which is promoted through a potentially unwanted application (PUA), a browser hijacker called docpdfsupreme (or docpdfsupreme - Search the web and convert PDF).

Typically, browser hijackers promote fake search engines by changing certain browser settings, however, most also gather details relating to users' browsing activities. Apps of this type are classified as PUAs, since people usually download and install them inadvertently.

What is "Your computer hacked!"?

Scammers behind this email claim that they have hacked the computer and taken control of the recipient's personal and financial data.

They threaten to delete the data unless the recipient pays a specific ransom amount. Extortion, however, is not their primary goal. They also attempt to trick people into opening a malicious attachment, which installs a malicious program called Emotet, a Trojan designed to steal sensitive information and spread other malware.

What is TRSomware is back?

TRSomware is a new variant of MMDecrypt ransomware. It operates by encrypting the data of infected systems so that criminals can demand payment for decryption tools/software. During encryption, filenames are appended with the ".TRSomware[is_back__New-Algorithm__By_MaMo434376]" extension.

For example, "1.jpg" would appear as "1.jpg.TRSomware[is_back__New-Algorithm__By_MaMo434376]" following encryption. Once this process is finished, a text file called "Beni Oku!!!.txt" ("Read Me!!!") is stored on the desktop. The file contains a ransom message in Turkish.

What is Devos?

Devos is a part of the Phobos ransomware family. Like most programs of this type, Devos blocks access to files by encryption, changes filenames and provides victims with instructions about how to recover their files. This ransomware renames all encrypted files by adding the victim's ID, developer's email address and appending the ".Devos" extension to filenames.

For example, it renames "1.jpg" to "1.jpg.id[1E857D00-2654].[qq1935@mail.fr].Devos", and so on. It provides victims with two ransom messages: one in a pop-up window ("info.hta" file) and another in a text file named "info.txt".

What is centerplaceofupgrade[.]pro?

centerplaceofupgrade[.]pro is a deceptive site promoting a fake Adobe Flash Player updater scam. The web page claims that the plug-in is outdated and recommends installation of the latest updates. Note that bogus software updates are typically used to proliferate nonoperational, untrustworthy and malicious content.

I.e., they can spread various Potentially Unwanted Applications (PUAs) such as adware and browser hijackers, and even malware (e.g. ransomware, trojans, etc.). Few people visit scam pages intentionally - most are redirected by intrusive ads or PUAs already installed on the system.

What is .777 (njkwe RaaS)?

.777 (njkwe RaaS) belongs to the Paradise ransomware family and was discovered by S!Ri. This ransomware encrypts data, renames all files by adding a string containing the operator's number, victim's personal ID and appending the ".777" extension to filenames. For example, it renames "1.jpg" to "1.jpg._911_{oIHdJK}.777", and so on.

Note that there is also another variant of .777 (njkwe RaaS), which renames files by adding "_babyfromparadise_{victim's_ID}.777" to filenames. For example, it renames "1.jpg" to "1.jpg_babyfromparadise_{oIHdJK}.777", and so on.

This ransomware creates the "---==%$$$OPEN_ME_UP$$$==---.txt" text file, also a ransom message.

What is PRT?

Discovered by GrujaRS, PRT is a malicious program belonging to the Paradise ransomware family. It operates by encrypting data and demanding payment for decryption tools/software. During the encryption process, all affected files are renamed according to the following pattern: original filename, victim's unique ID, developer's email address and ".PRT" extension.

For example, a file such as "1.jpg" might appear similar to "1.jpg[id-M9Zlorrk].[paradise@all-ransomware.info].PRT". After this process is complete, an HTML file ("#DECRYPT MY FILES#.html") is created on the desktop.

What is therightwaytofindplayering[.]pro?

therightwaytofindplayering[.]pro is a deceptive site running a scam claiming that Adobe Flash Player is outdated and must be updated immediately. In fact, this site promotes a fake Flash Player updater. These updaters are commonly used to proliferate untrustworthy and malicious content (e.g. trojans, ransomware and other malware).

At the time of research, the updater was bundled with the following untrusted applications: AnonymizerGadget version 4; CodecsSetup version 6.3.; nproject version 1.3, and; WebDiscover Browser 4.28.2.

Most users do not access scam web pages (including therightwaytofindplayering[.]pro) intentionally - they are redirected to them by intrusive advertisements or Potentially Unwanted Applications (PUAs) already infiltrated into the system.