Virus and Spyware Removal Guides, uninstall instructions

Generalprotection.click Ads

What kind of page is generalprotection[.]click?

Generalprotection[.]click is a rogue page that our researchers discovered during a routine inspection of dubious websites. It is designed to run scams and push spam browser notifications. Additionally, this webpage can redirect users to other (likely unreliable/dangerous) sites.

Visitors to generalprotection[.]click and pages akin to it access them primarily via redirects generated by websites that employ rogue advertising networks.

   
Alvaro Ransomware

What kind of malware is Alvaro?

Alvaro is a ransomware-type program designed to encrypt files and demand ransoms for their decryption. After we launched a sample of Alvaro on our test system, it encrypted files and altered their filenames.

Titles of the affected files were appended with the attackers' email, a unique ID assigned to the victim, and a ".alvaro" extension. For example, a file named "1.jpg" appeared as "1.jpg.EMAIL = [alvarodecrypt@gmail.com]ID = [20240].alvaro". After this process was completed, a ransom-demanding message titled "FILE ENCRYPTED.txt" was dropped.

   
Incoming Messages Were Not Delivered Email Scam

What kind of email is "Incoming Messages Were Not Delivered"?

Our inspection of the "Incoming Messages Were Not Delivered" email revealed that it is spam. This letter claims that several messages failed to reach the recipient's inbox. This mail targets email passwords, which are extracted through a phishing site disguised as an account sign-in page.

   
Mca-track.online Ads

What kind of page is mca-track[.]online?

While inspecting suspicious websites, our research team discovered the mca-track[.]online and mcatrack[.]online rogue pages. They are designed to promote scams and browser notification spam. Additionally, such webpages can redirect visitors elsewhere (likely unreliable/malicious sites). Most users access pages like these via redirects caused by websites that utilize rogue advertising networks.

   
TursiopsTruncatus Malicious Extension

What is TursiopsTruncatus?

While checking the TursiopsTruncatus browser extension, we found troubling activities like adding the "Managed by your organization" feature to Chrome settings and collecting data. Our encounter with TursiopsTruncatus occurred when we investigated a harmful installer downloaded from an unreliable page.

   
Product Request Email Scam

What kind of email is "Product Request"?

After examining the "Product Request" email, we determined that it is spam. This message claims to contain documentation regarding an urgent purchase. The attachment is a phishing file targeting email account log-in credentials.

   
Grounding Conductor Ransomware

What kind of malware is Grounding Conductor?

During our inspection of malware samples uploaded to VirusTotal, our team discovered a ransomware variant dubbed Grounding Conductor. The purpose of Grounding Conductor is to prevent victims from accessing their files by zipping and encrypting them. Additionally, this ransomware places a ransom note (named "readme.txt") within ZIP files.

Grounding Conductor also renames files: it keeps the original filename and appends the victim's ID and ".Grounding Conductor.zip" to it. For instance, it renames "1.jpg" to "1.jpg.{B9A9FF03-F898-813E-2B13-9DA770161220}.Grounding Conductor.zip", "2.png" to "2.png.{B9A9FF03-F898-813E-2B13-9DA770161220}.Grounding Conductor.zip", etc.

   
S4b Ransomware

What kind of malware is S4b?

Our researchers found the S4b ransomware-type program while investigating new malware submissions to the VirusTotal website. This program is part of the Phobos ransomware family. S4b is designed to encrypt data and demand payment for its decryption.

On our test machine, this ransomware encrypted files and renamed them. Original titles were appended with a unique ID, the cyber criminals' email address, and a ".s4b" extension. For example, a file named "1.jpg" appeared as "1.jpg.id[9ECFA84E-3449].[submarine@cyberfear.com].s4b".

Once the encryption process was completed, ransom notes were created/displayed in a pop-up window ("info.hta") and text file ("info.txt").

   
MyWallPaper Browser Hijacker

What kind of application is MyWallPaper?

While assessing MyWallPaper, we found that its primary goal is to operate as a browser hijacker that promotes mywallpaper.co, a fraudulent search engine. This extension modifies web browser settings to establish control over the browser. To avoid potential damage, users with browsers hijacked by MyWallPaper should remove the app as soon as possible.

   
LavandulaAngustifolia Malicious Extension

What is LavandulaAngustifolia?

During our assessment of the LavandulaAngustifolia browser extension, we identified concerning actions, such as enabling the "Managed by your organization" feature in Chrome browsers, controlling specific browser components, and gathering data. Our interaction with LavandulaAngustifolia took place while probing a harmful installer obtained from an untrustworthy source.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
