Virus and Spyware Removal Guides, uninstall instructions

Cooing.top POP-UP Scam (Mac)

What is the cooing[.]top site?

cooing[.]top is a deceptive website promoting a version of the "Latest version of Adobe Flash Player" scam. The scheme claims that the Adobe Flash Player installed on the system is outdated and requires updates. In fact, the updaters offered by cooing[.]top are fake.

At the time of research, this rogue updater installed a Potentially Unwanted Application (PUA) called Easy Mac Care. Yet the updater might install other PUAs such as adware and browser hijackers. Note that bogus update installers are used to distribute not only PUAs but also Trojans, ransomware and other malware.

Typically, sites like cooing[.]top are accessed via redirects caused by intrusive advertisements or PUAs.

   
Polícia de Segurança Pública Email Virus

What is "Polícia de Segurança Pública"?

There are various spam campaigns that are used to trick people into installing malicious programs on their computers. Generally, cyber criminals send emails that are disguised as important, official messages from legitimate companies/organizations and contain malicious attachments and/or website links.

Their main goal is to trick recipients into downloading the malicious file and executing it. In this case, cyber criminals send emails disguised as messages from the Public Security Police that contain a malicious archive (ZIP) file. This archive contains a malicious file designed to install a remote administration Trojan (RAT) called NanoCore.

   
Your Mac Needs To Be Updated To Improve Compatibility POP-UP Scam (Mac)

What is "Your Mac needs to be updated to improve compatibility"?

"Your Mac needs to be updated to improve compatibility" is a message in a deceptive pop-up window, which appears after launching a fake Adobe Flash Player installer. It is designed to trick users into thinking that by entering the password and clicking the "OK" button they will update the operating system.

In fact, it installs one, or multiple, potentially unwanted applications (PUAs) instead. Research shows that this fake installer is used to distribute PUAs such as MediaDownloader, MyCouponsmart and Easy Mac Care, and to promote the searchmine.net address (a fake search engine). It might also be designed to install or promote other PUAs and fake search engines.

Regardless, deceptive installers should never be used, since they often distribute and install malware.

   
EpicSplit RAT

What is the EpicSplit RAT?

Discovered by Blueteam 4 Life, EpicSplit is a malicious program classified as a Remote Access Trojan (RAT). Malware of this type allows remote access and control over an infected device. RATs can enable user-level control (or close to user-level control) of a machine.

These programs have a wide variety of functionalities, which can lead to likewise varied misuse. Remote Access Trojan infections are highly dangerous and, therefore, must be eliminated immediately.

   
Valak Malware

What is Valak?

Valak is malicious software that downloads JScript files and executes them. What happens next depends on the actions performed by the executed JScript files. It is very likely that cyber criminals behind Valak attempt to use this malware to cause chain infections (i.e., using Valak to distribute other malware).

Research shows that Valak is distributed through spam campaigns; however, in some cases, it infiltrates systems that are already infected with a malicious program such as Ursnif (also known as Gozi).

   
ProgressExpert Adware (Mac)

What is ProgressExpert?

ProgressExpert is an adware-type app that has browser hijacker characteristics. It operates by running intrusive advertisement campaigns, making modifications to browser settings and promoting a fake search engine. ProgressExpert promotes Safe Finder through akamaihd.net.

Additionally, most adware programs and browser hijackers have data tracking capabilities employed to monitor users' browsing activity. Due to the questionable tactics used to distribute ProgressExpert, it is also classified as a Potentially Unwanted Application (PUA).

   
Cov19 Ransomware

What is Cov19?

Cov19 is a malicious program belonging to the Scarab ransomware family. Systems infected with this malware experience data encryption and users receive ransom demands for decryption. During the encryption process, all affected files are renamed according to this pattern: random character string and the ".cov19" extension.

For example, a file like "1.jpg" could appear as something similar to "7QucYQjs1w48jA.cov19" following encryption. After this process is complete, a ransom message ("TO RECOVER.TXT") is dropped into all compromised folders.

   
Apex Enquiry Email Virus

What is the "Apex Enquiry" email?

"Apex Enquiry" is the name of deceptive emails, which are part of a spam campaign designed to proliferate the Agent Tesla RAT (Remote Access Trojan). These messages target users, companies, businesses and similar entities that deal with large orders.

The "Apex Enquiry" emails ask recipients to review an attached file, which supposedly contains shipment details and provides the necessary information to proceed with the order. In fact, opening the attached file starts installation of Agent Tesla malware.

   
Nomadnews.club Ads

What is nomadnews[.]club?

nomadnews[.]club is a rogue website, which cannot be trusted and should be avoided. Browsers usually open websites such as nomadnews[.]club due to installed potentially unwanted applications (PUAs). People do not often visit these web pages intentionally.

When opened, however, sites such as nomadnews[.]club display dubious content or open other untrusted websites. Some examples of other websites similar to nomadnews[.]club are thediseasetracker[.]com, zpredir1[.]com and biz-4u[.]com. As well as promoting dubious websites, PUAs gather browsing data and display unwanted, intrusive advertisements.

   
HermesLookup Adware (Mac)

What is HermesLookup?

HermesLookup is a rogue application categorized as adware, which also possesses browser hijacker traits. Following successful infiltration, this app runs intrusive advertisement campaigns (i.e., delivers unwanted and harmful ads), modifies browsers and promotes fake search engines.

Additionally, HermesLookup is likely to have data tracking capabilities, which are employed to monitor users' browsing activity. Due to the dubious methods used to proliferate HermesLookup, it is also classified as a Potentially Unwanted Application (PUA). One of the dubious techniques used to proliferate this application is via fake Adobe Flash Player updates.

Note that bogus updaters/installers commonly distribute Trojans, ransomware and other malware.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
