Virus and Spyware Removal Guides, uninstall instructions

OBSIDIAN ORB Ransomware

What kind of malware is OBSIDIAN ORB?

While reviewing new submissions to VirusTotal, our researchers discovered yet another malicious program based on the Chaos ransomware – called OBSIDIAN ORB. Malware within this classification is designed to encrypt data and demand ransoms for its decryption.

On our testing system, OBSIDIAN ORB ransomware encrypted files and appended an extension consisting of four random characters to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.q3uk". Afterwards, OBSIDIAN ORB changed the desktop wallpaper and created a ransom note named "read_It.txt".

   
Guerilla Malware (Android)

What kind of malware is Guerilla?

Guerilla is malware that targets Android devices. Previous iterations of this malicious software operated predominantly as adware. Specifically, the program functioned by stealthily clicking advertisements – thus generating revenue for its developers via affiliate programs and similar mechanisms.

However, in the latest activity, Guerilla expanded to encompass stealer and backdoor/loader capabilities. The most alarming facet of this new activity is that this malware arrives pre-installed on Android devices.

At the time of writing, the exact distribution chain of the infected devices is uncertain. The number of compromised machines could exceed nine million and range from Android smartphones to smartwatches. The activity is global, with the most affected countries including the USA, Mexico, Indonesia, Thailand, and Russia.

Evidence links Guerilla malware with a threat actor dubbed Lemon Group (currently rebranded as "Durian Cloud SMS"). This group is connected to a variety of businesses relating to advertising and marketing.

   
Newsfeedhome.com Ads

What kind of page is newsfeedhome[.]com?

After analyzing newsfeedhome[.]com, our team discovered that the website employs a deceptive tactic by displaying a misleading message to manipulate visitors into granting permission for notifications. Additionally, newsfeedhome[.]com redirects users to other websites that employ clickbait techniques in order to obtain consent for displaying notifications.

   
Sembilme.com Ads

What kind of page is sembilme[.]com?

In our examination of websites employing deceitful advertising networks, we encountered sembilme[.]com, a deceptive website. Users who visit this site are confronted with misleading information (a fake CAPTCHA), aiming to deceive them into accepting notifications. Moreover, accessing sembilme[.]com may lead to other dubious websites.

   
Itlock (MedusaLocker) Ransomware

What kind of malware is Itlock?

Itlock is one of the ransomware variants belonging to the MedusaLocker family. Our malware researchers discovered it while checking the VirusTotal page for recently submitted samples. Itlock encrypts files, appends the ".itlock20" extension to filenames (the number in the extension can vary), and provides its ransom note ("How_to_back_files.html").

An example of how Itlock modifies filenames: it changes "1.jpg" to "1.jpg.itlock20", "2.png" to "2.png.itlock20", and so forth.

   
Post And Search Browser Hijacker

What kind of software is Post and Search?

Our research team discovered the Post and Search browser extension during a routine investigation of dubious websites. After we analyzed this extension, we determined that it is a browser hijacker. Post and Search makes modifications to browser settings in order to cause redirects to the find.tnav-now.com fake search engine.

   
Galaxy Search Browser Hijacker

What kind of software is Galaxy Search?

While investigating suspicious sites, our research team discovered the Galaxy Search browser extension. It is endorsed as an extension that displays galaxy/space themed browser wallpapers. However, Galaxy Search operates as a browser hijacker, i.e., it alters browser settings to promote (via redirects) the find.nseeknow.com fake search engine.

   
Mailbox Failed To Receive New Messages Email Scam

What kind of email is "Mailbox Failed To Receive New Messages"?

Our inspection of the "Mailbox Failed To Receive New Messages" email revealed that it is spam. This letter falsely claims that incoming messages are failing to reach the recipient's inbox. Hence, by attempting to rectify this nonexistent issue, users are tricked into providing their email account log-in credentials to a phishing website.

   
Offx Stealer

What kind of malware is Offx?

Offx is an information-stealing malware that is coded using the Python programming language. It is commonly distributed through deceptive websites that pretend to be legitimate download sites for video editing software. This malware is designed to capture sensitive data, including passwords, cookies, and information from messaging and cryptocurrency wallet applications.

   
Butteraalsofour.xyz Ads

What kind of page is butteraalsofour[.]xyz?

Our research team discovered the butteraalsofour[.]xyz rogue webpage while investigating suspicious sites. It is designed to endorse browser notification spam and redirect visitors to other (likely unreliable/hazardous) sites.

Users typically enter pages like butteraalsofour[.]xyz via redirects caused by websites that employ rogue advertising networks.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.
