Virus and Spyware Removal Guides, uninstall instructions

What is the "Nico International" scam email?

"Nico International Email Virus" refers to a spam email campaign designed to proliferate the Agent Tesla RAT (Remote Access Trojan). The term "spam campaign" is used to define a large-scale operation, during which thousands of deceptive emails are sent.

The messages distributed through this spam campaign are disguised as mail from Nico International - a legitimate company operating in the marine and industrial engineering spheres (shipbuilding and repair), which is based in Dubai, United Arab Emirates.

These scam emails ask recipients to verify a purchase order, however, upon opening the file attached to the messages, the infection process of Agent Tesla is triggered. These fake "Nico International" emails are not associated in any way with the genuine Nico International company.

What is Mundinter email virus?

In most cases, cyber criminals behind malspam campaigns disguise their messages as official and important, and sent from legitimate companies and organizations. Their main goal is to trick recipients into opening a malicious file attached to the email (or that can be downloaded through a link in the email) - the file installs malicious software.

This malspam campaign is disguised as a message from a Portuguese health and beauty shop called Mundinter and is sent to proliferate Agent Tesla, a Remote Access Trojan (RAT).

What is connection-protect[.]com?

connection-protect[.]com is a deceptive website, which promotes various scams. It has been observed promoting schemes that target Apple product users, primarily mobile device users. At the time of research, the scam run on connection-protect[.]com claimed that visitors' devices may have been compromised due to recently visited, harmful web pages.

It makes these false claims to trick users into downloading/installing and/or purchasing untrusted software. Typically, sites such as connection-protect[.]com are accessed via redirects caused by intrusive ads or Potentially Unwanted Applications (PUAs) already infiltrated into the system.

What kind of malware is Anubis?

Anubis is malware classified as an information stealer. It can be purchased on a hacker forum (starting from US$100). Cyber criminals can use it to steal cryptocurrency wallets, and information such as browsing cookies and passwords saved on browsers, and credit card details.

Therefore, if there is any reason to suspect that this (or other) malware is installed on your computer, remove it immediately.

What is StreamBrosSearch?

StreamBrosSearch is rogue software classified as a browser hijacker. Following successful infiltration, it makes changes to browser settings to promote streambrossearch.com (a fake search engine). Additionally, StreamBrosSearch monitors users' browsing habits.

Due to the dubious tactics employed to proliferate StreamBrosSearch, it is also classified as a Potentially Unwanted Application (PUA).

What is ViluciWare?

Discovered by JAMESWT, ViluciWare is designed to encrypt files, modify their filenames and prevent victims from using the computer (operating system) by locking the screen. In this way, ViluciWare functions as ransomware and a screenlocker. Research shows that it renames encrypted files by appending the ".locked" extension.

For example, it would rename "1.jpg" to "1.jpg.locked", "2.jpg" to "2.jpg.locked", etc.

What is FDFK22?

FDFK22 belongs to the Matrix ransomware family. Like other malicious programs of this type, FDFK22 is designed to prevent victims from accessing their files by encryption. It renames all encrypted files by replacing filenames with the FridaFarko@yahoo.com email address, a string of random characters, and appending the ".FDFK22" extension.

For example, "1.jpg" would be changed to "[FridaFarko@yahoo.com].49Vr2dSC-jD3GB53P.FDFK22", "2.jpg" to "[FridaFarko@yahoo.com].67Gr3sAV-kF4HN64L.FDFK22", and so on. It also creates a ransom message within the "FDFK22_INFO.rtf" file, placing this in all folders that contain encrypted files.

What is OperativeDevice?

OperativeDevice is dubious software categorized as adware. It also has browser hijacker traits. It operates by delivering intrusive advertisement campaigns and making alterations to browser settings to promote fake search engines. OperativeDevice promotes 0yrvtrh.com and the search.adjustablesample.com bogus web searchers.

Additionally, most adware and browser hijackers monitor users' browsing activity. Due to the questionable methods used to distribute OperativeDevice, it is classified as a Potentially Unwanted Application (PUA).

What is SkilledOrigin?

SkilledOrigin is a potentially unwanted application (PUA), which serves advertisements and collects sensitive information. SkilledOrigin is categorized as a PUA, since users often download and install this type of adware inadvertently. Note that this app might also be designed to promote a fake search engine address by changing certain browser settings.

What is WinkiSearch?

The WinkiSearch browser hijacker promotes winki-search.com (a fake search engine) by changing certain browser settings. It also gathers browsing-related information. Note that users often download and install browser hijackers inadvertently and, for this reason, they are classified as potentially unwanted applications (PUAs).