Virus and Spyware Removal Guides, uninstall instructions

What is nowtosearch.com?

Nowtosearch.com is the address (URL) of a fake search engine. While most sites of this kind cannot generate search results, this website is an exception. However, the results provided by nowtosearch.com can be irrelevant and include deceptive/harmful content.

In most cases, illegitimate search engines are promoted (through redirects) by browser hijackers. Additionally, these sites and the software endorsing them usually collect vulnerable information.

What kind of page is maincaptchanow[.]top?

During our investigation of pages that use shady advertising networks, we came across maincaptchanow[.]top. We found that this site employs clickbait tactics to deceive visitors into consenting to receive notifications and redirects them to scam websites. Thus, it is advisable to avoid visiting maincaptchanow[.]top.

What is Acessd ransomware?

Our research team found the Acessd ransomware-type program during a routine inspection of new submissions to VirusTotal. This program is part of the MedusaLocker ransomware family, and it is designed to encrypt data and demands ransoms for the decryption.

Once we executed a sample of Acessd on our test system, it began encrypting files and altered their names. Original filenames were appended with a ".acessd" extension, e.g., a file titled "1.jpg" appeared as "1.jpg.acessd", "2.png" as "2.png.acessd", etc. Afterwards, the ransomware created a ransom note named "How_to_back_files.html".

What is Soul?

Soul is the name of the malware framework. Cybercriminals behind it use a downloader that executes a loader dubbed SoulSearcher. This loader is accountable for the decryption, downloading, and loading of other modules of the Soul modular backdoor into memory. The usage of the Soul framework has been traced back to a minimum of 2017.

What is control-search.xyz?

Our tests of control-search.xyz revealed it to be a fake search engine that does not produce its own search results. It is important to note that these types of search engines are often promoted through browser-hijacking applications, and users often unintentionally add them to their browsers.

What kind of search engine is searchitonlinehome.com?

While testing searchitonlinehome.com, we found that it shows ads and may display questionable results. Thus, it is not a completely reliable search engine. It is common for dubious search engines to be promoted via browser hijackers. Apps of this type change web browser settings to force users to use shady search engines or other addresses.

What kind of page is usprotection[.]click?

Usprotection[.]click is a dubious website that presents deceitful content and prompts users to subscribe to notifications. Our team found usprotection[.]click during an investigation of websites that employ rogue advertising networks. It is not a website that users typically visit deliberately.

What is Mamai ransomware?

Mamai is the name of a ransomware-type program. It is part of the MedusaLocker ransomware family. Once we executed a sample of Mamai on our test machine, it began encrypting files and appended their filenames with a ".mamai10" extension.

Original filename like "1.jpg" appeared as "1.jpg.mamai10", "2.png" as "2.png.mamai10", etc. It is pertinent to mention that the number in the extension may vary depending on the ransomware's variant.

After the encryption process was finished, this ransomware created a ransom-demanding message – "How_to_back_files.html" – and dropped it onto the desktop. Based on the note therein, it is evident that Mamai targets companies rather than home users.

What is Zxc ransomware?

While investigating new malware submissions to VirusTotal, our researchers discovered the Zxc ransomware-type program. This malicious program belongs to the VoidCrypt ransomware family.

After we executed a sample of Zxc on our test machine, it encrypted files and modified their filenames. Original titles were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".zxc" extension. For example, a file named "1.jpg" appeared as "1.jpg.(MJ-KO1579824036)(hionly@tutanota.com).zxc".

Once the encryption process was finished, this ransomware created identical ransom notes in a pop-up window ("Decryption-Guide.HTA") and text file ("Decryption-Guide.txt").

What kind of email is "Webmail Security Changes"?

"Webmail Security Changes" was revealed to be a spam email by our inspection. This letter is presented as a notification from the recipient's mail service provider regarding unauthorized changes to the email account. This phishing letter targets recipients' log-in credentials in order to steal their email accounts.