Virus and Spyware Removal Guides, uninstall instructions

Elder Ransomware

What kind of malware is Elder?

Elder is malicious software belonging to the Phobos ransomware family. It is designed to encrypt data and keep it inaccessible until a ransom is paid (i.e., decryption software/tool is purchased). When Elder encrypts data, it renames files with the victim's unique ID number, developer's email address, and the ".elder" (or ".Elder") extension.

For example, "1.jpg" becomes "1.jpg.id[1E857D00-2397].[stocklock@airmail.cc].elder" and so on for all affected files. Once this process is complete, Elder stores two files on the desktop ("info.hta" and "info.txt"), which contain the ransom messages.

   
Mylot.com Ads

What is mylot[.]com ?

Typically, users arrive at mylot[.]com and similar sites after clicking deceptive advertisements, visiting bogus web pages, or when potentially unwanted applications (PUAs) are installed on browsers and/or operating systems. In any case, users do not often visit these sites intentionally.

Some examples of other pages similar to mylot[.]com are ahacdn[.]me, rex-news[.]org and samizdat-philosophy[.]com.

   
Robbinhood Ransomware

What is RobbinHood?

Ransomware-type programs are computer infections that cyber criminals use to prevent people from accessing their files and to blackmail them by making ransom demands. RobbinHood was discovered by Michael Gillespie and is an example of one of these programs. 

It encrypts data stored on the system, rendering files unusable. To regain access to their files, people are encouraged to purchase a specific decryption tool. RobbinHood renames each encrypted file with the following format: "Encrypted_random.enc_robbinhood" (the word "random" is replaced with a string of random numbers and characters).

For example, "1.jpg" might be renamed to a filename such as "Encrypted_1y5u5msd65321fd2.enc_robbinhood", and so on. This program creates an HTML file ("_Decryption_ReadMe.html") containing a ransom message, which provides instructions about how to make payment and receive a decryption tool.

   
Mmk-news3.club Ads

What is mmk-news3[.]club?

Sharing many similarities with undertain[.]work, liveplayingnow[.]com, swindoors[.]work, jrg-news1[.]club and thousands of other sites on the web, mmk-news3[.]club is a rogue website. Visitors to this page are presented with dubious content and/or are redirected to other untrusted or possibly malicious sites.

Few users access mmk-news3[.]club intentionally - most are redirected to it by intrusive ads or by Potentially Unwanted Applications (PUAs) already installed on their devices. This software does not need explicit user permission to infiltrate systems. PUAs cause redirects, run intrusive advertisement campaigns and collect browsing-related information.

   
Aieou Ransomware

What is Aieou ransomware?

Discovered by malware researcher S!Ri, Aieou is a malicious program categorized as ransomware. Systems infected with this ransomware have their data encrypted, and ransom demands are made for decryption. During the encryption process, files are appended with the ".aieou" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.aieou", and so on for all affected files. Once this process is complete, ransom-demand messages in "README.txt" files are dropped into compromised folders.

   
Update_3239 Adware (Mac)

What is Update_3239?

Update_3239 is adware that is designed to serve advertisements, change certain browser settings (to promote a fake search engine), and collect sensitive information. In this way, Update_3239 functions as adware and a browser hijacker.

Users do not generally download or install these apps intentionally and, for this reason, Update_3239 is categorized as a potentially unwanted application (PUA). Developers distribute this app with another PUA called OriginalEngineSearch, which is distributed via a fake installer for Adobe Flash Player.

   
Lalaland Ransomware

What is Lalaland ransomware?

Discovered by xiaopao, Lalaland is a new variant of VoidCrypt ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools/software.

During the encryption process, all affected files are renamed following this pattern: original filename, cyber criminals' email address, unique ID assigned to the victims and the ".lalaland" extension. For example, a file like "1.jpg" would appear as something similar to "1.jpg.[recover10@tutanota.com][JT1GILC9F526M43].lalaland" following encryption.

After this process is complete, ransom messages within "!INFO.HTA" files are dropped into compromised folders.

   
Exploit (VoidCrypt) Ransomware

What is Exploit?

Discovered by xiaopao, Exploit is a ransomware-type program belonging to the VoidCrypt ransomware family. Exploit encrypts files, changes the filename of each encrypted file and creates the "!INFO.HTA" file, which is designed to create and display a ransom message.

It creates this file in all folders that contain encrypted files. Exploit renames files by adding the alix1011@mailfence.com email address and victim's ID, and appending the ".exploit" extension.

For example, "1.jpg" is renamed to "1.jpg.[alix1011@mailfence.com][V039OS21D4NYFXU].exploit", "2.jpg" to "2.jpg.[alix1011@mailfence.com][V039OS21D4NYFXU].exploit", and so on.

   
BNFD Ransomware

What is BNFD?

BNFD belongs to the Matrix ransomware family. It prevents victims from accessing/using their files by encrypting them and creates a ransom message (within the "BNFD_README.rtf" file) with instructions about how to contact the developers regarding decryption of files.

BNFD also renames files by replacing their filenames with the Benford333@criptext.com email address and a string of random characters, and appending ".BNFD" as the extension.

For example, "1.jpg" is renamed to "[Benford333@criptext.com].SbWbBnkT-4QQddgbX.BNFD", "2.jpg" to "[Benford333@criptext.com].DnQnVmjL-5HHkkloZ.BNFD", and so on.

   
Osx Uninstaller Unwanted Application (Mac)

What is Osx Uninstaller?

Osx Uninstaller is untrusted software, endorsed as a tool to optimize and carry out effective application uninstall processes. However, due to the dubious techniques used to proliferate Osx Uninstaller, it is classified as a Potentially Unwanted Application (PUA).

Software within this classification is typically nonoperational (i.e. the advertised features do not work) and can also have undisclosed dangerous capabilities.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
