Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is Ztax?

While browsing submissions to the VirusTotal site, our researchers discovered Ztax ransomware. This malicious program is part of the Dharma ransomware family.

On our test machine, Ztax encrypted files and altered their filenames. Original titles were appended with a unique ID assigned to the victim, the attackers' email address, and a ".Ztax" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.id-9ECFA84E.[taxz@cock.li].Ztax".

After the encryption process was finished, Ztax created ransom notes – in a pop-up window, and text files titled "manual.txt" dropped onto the desktop and into every encrypted directory.

What kind of page is karakorampeak[.]top?

Our researchers discovered the karakorampeak[.]top rogue page while investigating dubious websites. Upon inspection, we learned that this webpage promotes spam browser notifications and causes redirects to other (likely unreliable/hazardous) websites.

The majority of visitors to karakorampeak[.]top and similar pages access them via redirects generated by sites utilizing rogue advertising networks.

What kind of malware is NK?

Our researchers discovered NK – a ransomware-type program based on Chaos – while reviewing file submissions to the VirusTotal platform. Ransomware is designed to encrypt files and demand ransoms for the decryption.

After we launched a sample of NK on our testing machine, it encrypted files and appended their names with an extension composed of four random characters. For example, an original filename such as "1.jpg" looked like "1.jpg.we2b" following encryption.

After this process was concluded, this ransomware changed the desktop wallpaper and created a ransom-demanding message titled "read_it.txt".

What kind of software is SwiftSeek?

SwiftSeek is a browser hijacker. Our researchers found this extension in an installer promoted by a deceptive page, which was discovered during a routine investigation of suspicious websites.

Browser hijackers operate by making changes to browser settings to endorse (via redirects) fake search engines. Additionally, software within this classification often possesses data-tracking functionalities.

What kind of page is opalarmes2[.]space?

Opalarmes2[.]space is a rogue webpage that promotes dubious content and browser notification spam. It can also generate redirects landing on different (likely unreliable/dangerous) sites.

Most visitors to pages of this kind access them through redirects caused by sites using rogue advertising networks. In fact, our researchers discovered opalarmes2[.]space while investigating webpages that employ such networks.

What kind of page is diteringion[.]com?

Our researchers discovered diteringion[.]com while browsing dubious websites. This rogue page is designed to promote browser notification spam and redirect users to different (likely untrustworthy/dangerous) sites.

The majority of visitors to diteringion[.]com and similar webpages access them via redirects produced by websites utilizing rogue advertising networks.

What kind of email is "Join Zoom Meeting"?

Upon examining the "Join Zoom Meeting" email, we determined that it is spam. Presented as an invite to a Zoom videotelephony meeting, this fake message seeks to lure recipients into visiting a phishing website that targets account log-in credentials.

It must be stressed that this email is fraudulent, and this mail is not associated with the actual Zoom Video Communications, Inc.

What kind of page is bellpepa.co[.]in?

Bellpepa.co[.]in is a rogue page discovered by our researchers during a routine inspection of suspect websites. Upon investigation, we determined that this webpage promotes browser notification spam and generates redirects to different (likely untrustworthy/hazardous) sites.

Most visitors enter bellpepa.co[.]in and similar pages via redirects caused by websites utilizing rogue advertising networks.

What kind of email is "Your Transaction Has Been Released"?

After reading this "Your Transaction Has Been Released" email, we determined that it is spam. This fake message states that the recipient's funds have finally been released, and they are urged to contact the sender with their details for further information on how to claim the exorbitant sum. Once contacted, the scammers may request additional personal data or to send them money.

What kind of malware is HaroldSquarepants?

While browsing files submitted to the VirusTotal website, our researchers found the HaroldSquarepants ransomware. It is part of the GlobeImposter ransomware family. Like most programs within this classification, HaroldSquarepants encrypts data and demands ransoms for its decryption.

On our testing system, this ransomware encrypted files and added a ".247_haroldsquarepants" extension to their filenames. To elaborate, a file originally named "1.jpg" appeared as "1.jpg.247_haroldsquarepants", "2.png" as "2.png.247_haroldsquarepants", etc.

After this process was completed, HaroldSquarepants created a ransom-demanding message in an HTML file titled "how_to_back_files.html".