Virus and Spyware Removal Guides, uninstall instructions

What is macsafesearch.net?

macsafesearch.net is a fake Internet search engine that, according to the developers, enhances the browsing experience by generating improved results. Judging on appearance alone, macsafesearch.net may seem similar to Google, Bing, Yahoo, and other legitimate search engines.

Therefore, many users believe that this website is also legitimate, however, developers promote macsafesearch.net using a browser-hijacking application called Mac Safe Search. Be aware that macsafesearch.net and Mac Safe Search collect information relating to users' Internet browsing activity.

What is Flash Player Premium SMS?

"Flash Player Premium SMS" is a scam promoted by deceptive websites. In most cases, users are redirected to these websites by potentially unwanted programs (PUPs) or intrusive advertisements displayed by dubious sites. PUPs typically infiltrate systems without permission.

As well as causing redirects, they deliver intrusive advertisements, gather sensitive information, and even run unwanted background processes.

What is WhiteRose?

First discovered by Michael Gillespie, WhiteRose is a ransomware-type virus that stealthily infiltrates the system and encrypts most stored data. Research shows that WhiteRose originates from the same ransomware family as the BlackRuby2 and Zenis viruses.

During encryption, WhiteRose renames files using the "[12_random_letters_and_digits]_ENCRYPTED_BY.WHITEROSE" pattern. For example, "sample.jpg" might be renamed to a filename such as "1D3AbF5EACFE_ENCRYPTED_BY.WHITEROSE".

Encrypted files become unusable and indistinguishable. Immediately after encryption, WhiteRose creates a text file ("HOW-TO-RECOVERY-FILES.TXT") and places a copy in every existing folder.

What is Sorry?

Sorry is a ransomware-type virus discovered by malware security researcher, Karsten Hahn. Research shows that Sorry is based on an open-source ransomware project called Hidden Tear. Immediately after infiltration, Sorry encrypts stored data using AES cryptography and appends filenames with the ".sorry" extension (e.g., "sample.jpg" is renamed to "sample.jpg.sorry").

Note that there is also another ransomware infection called Purge (Globe) that uses the same extension. Once files are encrypted, using them becomes impossible. Following successful encryption, Sorry creates a text file ("How Recovery Files.txt") and places a copy in every existing folder.

What is GlobeImposter ransomware?

GlobeImposter is a ransomware-type virus that mimics Purge (Globe) ransomware. Following infiltration, GlobeImposter encrypts various files and appends: ".[blellockr@godzym.me].bkc", ".IGAMI", ".tabufa", ".FIT", ".ANAMI", ".crypted_bizarrio@pay4me_in", ".FORESTGUST", ".[dsupport@protonmail.com]", ".BOOTY", ".ONYX", ".MARK", ".emilysupp", ".ALCO2+", ".ALCO4+", ".BUNNY+", ".CRAZY+", ".LIN+", ".CHAK2", ".SEXY3", .suddentax", ".$MENTOS$", ".DREAM", ".crypted!", ".FREEMAN", ".waiting4keys", ".[Traher@Dr.Com]", ".Nutella", ".encencenc", ".DIZEL", ".Codificado", ".Ipcrestore", ".PANDA", ".BIG1", ".SEXY", ".kimchenyn", ".AK47", ".rrr", "...doc", ".restorefile", “.CHAK”, “.LIN”, “.Chartogy”, ".POHU", ".crypt_fereangos@airmail_cc", ".{jeepdayz@aol.com}BIT", ".TRUE", ".VYA", ".pliNGY", ".ñ1crypt", ".foSTE", “.YAYA”, “.nWcrypt”, ".needkeys", ".490", ".4035", ".f41o1", ".911", ".clinTON", "..txt", ".BUSH", ".illNEST", ".write_on_email", ".needdecrypt", ".ReaGAN", ".zuzya", ".granny" ".zuzya", ".UNLIS", ".LEGO", ".NIGGA", ".0402", ".trump", ".BONUM", ".rumblegoodboy", "..txt", ".ACTUM", “.492”, “.astra”, “.coded”, ".mtk118", ".cryptch", ".PLIN", ".sea", ".help", "..726", ".RECT", ".ocean", ".rose", ".GLAD", ".725", ".[tramkal@protonmail.ch]cryptall", ".write_me_[btc2017@india.com]", ".BRT92", "p1crypt", ".MAKB", ".skunk", ".au1crypt", ".GOTHAM", ".s1crypt", ".GORO", ".707", ".3ncrypt3d", .626, .blcrypt, .blscrypt, .nopasaran, ".xyrpottim228@ya.ru", ".VAPE", ".crypt", ".pscrypt", ".oni", ".pizdosik", ".[File-Help1@Ya.Ru]",".[aezakmi@india.com]", ".GRAF", ".fix", ".virginprotection", ".(mstut@cock.li)", ".WRITE_US", ".MIXI", ".HAPP", ".troy", ".write_us_on_email", ".PRIAPOS", ".515", ".nCrypt", ".hNcrypt", ".medal", ".paycyka", ".2cXpCihgsVxB3", ".vdul", ".keepcalm", ".legally", ".crypt", ".wallet", ".lockis" or ".pizdec" extension to the name of each encrypted file.

For example, "sample.jpg" is renamed to "sample.jpg.crypt". Following successful encryption, GlobeImposter creates an HTA file ("HOW_OPEN_FILES.hta"), placing it in each folder containing encrypted files.

Some newer variants of this ransomware store their ransom demanding message in how_to_back_files.html, READ_this_FILE.html, Read_ME.html, !SOS!.html, here_your_files!.html, !back_files!.html, #DECRYPT_FILES#.html, READ_IT.html or !your_files!.html files. In addition, GlobeImposter opens a pop-up window.

What is search.hinstantlyconverter.com?

Developers state that Instantly Converter is a legitimate application that allows conversion of PDF files to other formats. Initially, this app may seem legitimate and useful, however, Instantly Converter is categorized as a potentially unwanted program (PUP) and a browser hijacker.

There are three main reasons for these negative associations: 1) stealth installation without users' consent; 2) promotion of a fake Internet search engine [search.himmediatelyconverter.com], and; 3) tracking of sensitive information.

What is UnzipPro?

UnzipPro is a deceptive application that supposedly allows users to extract and compress data. Judging on appearance alone, UnzipPro may seem legitimate and useful, however, this potentially unwanted program (PUP) often infiltrates systems without permission.

Furthermore, UnzipPro is categorized as adware - a form of unwanted software that feeds users with various intrusive advertisements.

What is Rapid 2.0?

First discovered by MalwareHunterTeam, Rapid 2.0 is an updated version of high-risk ransomware called Rapid. Immediately after infiltration, Rapid 2.0 encrypts most stored files and renames them using the "[7_random_digits].[5_random_letters]" pattern.

For example, "1.jpg" might be renamed to a filename such as "1390875.HWCLZ". From this point, using and distinguishing files becomes impossible. Once files are encrypted, Rapid 2.0 creates a text file ("DECRYPT.[5_random_letters].txt") and places a copy in every existing folder.

What is Something Went Wrong With Your Internet Service?

"Something Went Wrong With Your Internet Service" is another fake error message displayed by deceptive websites. Research shows that, in most cases, users visit these sites inadvertently - they are redirected by potentially unwanted programs (PUPs) or intrusive ads displayed by other rogue sites.

PUPs infiltrate systems without permission, cause redirects, deliver intrusive advertisements, gather various information, and misuse system resources without users’ permission.

What is L0cked?

L0cked is a ransomware-type virus discovered by Karsten Hahn. Immediately after infiltration, L0cked encrypts most stored data and appends filenames with the ".lckd" extension.

For example, "sample.jpg" is renamed to "sample.jpg.lckd". Once files are encrypted, using them becomes impossible. Following successful encryption, L0cked changes the desktop wallpaper and opens a pop-up window with a ransom-demand message.