Virus and Spyware Removal Guides, uninstall instructions

What is Stolen (Makop) ransomware?

While inspecting new submissions to VirusTotal, our researchers discovered the Stolen ransomware-type program. Malware within this category is designed to encrypt data and demand payment for decryption. This program belongs to the Makop ransomware family.

Once we executed a sample of Stolen (Makop) ransomware on our test machine, it began encrypting files and modified their filenames. Original titles were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".stolen" extension. For example, a file named "1.jpg" appeared as "1.jpg.[2AF20FA3].[decrypt2023@outlook.com].stolen", etc.

Afterwards, Stolen (Makop) ransomware created a ransom note titled "+README-WARNING+.txt" and dropped it onto the desktop.

What kind of malware is S1deload?

S1deload is the name of an information-stealing malware that targets Facebook and YouTube accounts. Also, it uses infected computers to mine cryptocurrency. This stealer is dubbed S1deload because it heavily utilizes DLL sideloading to evade detection. Cybercriminals use social engineering and comments on FaceBook pages to trick users into infecting computers.

What kind of email is is "TNT AWB"?

Upon examination, it has been determined that this is a phishing attempt aimed at tricking recipients into revealing personal information. The email contains an attachment that opens a phishing page designed to steal sensitive information. It is strongly recommended to ignore this and similar emails.

What is search.anytime-anywhere-tab.com?

Upon testing search.anytime-anywhere-tab.com, we discovered that it is a fake search engine. It is not uncommon for such search engines to be promoted through browser hijackers. Typically, these types of applications hijack web browsers by altering their settings. Search engines that are promoted through browser-hijacking applications should not be trusted.

What kind of scam is "Care For The Poor And Less Privileged"?

We have examined this email and found that it is a scam email promising a large sum of money. Typically, scammers behind such emails claim that the recipient has been identified as the beneficiary of a large sum of money from an inheritance, lottery, or some other source. These scams should be ignored.

What is AdvancedBrowser?

While reviewing new submissions to VirusTotal, our research team discovered the AdvancedBrowser app. After analyzing this piece of software, we determined that it is adware belonging to the AdLoad malware group. This application runs intrusive ad campaigns and may have other undesirable/harmful abilities.

What is Capital Buff?

While investigating suspicious software-promoting websites, we discovered the Capital Buff browser extension. The page endorsing it described this software as an efficiency-increasing tool that has a to-do list widget and is capable of organizing browser bookmarks.

After analyzing Capital Buff, we learned that it is a browser hijacker. In other words, this extension modifies browsers to promote the capital-buff.com fake search engine and spies on users' browsing activity.

What kind of email is "Retirement Funds"?

After inspecting the "Retirement Funds" email, we determined that it is spam operating as a phishing scam. This letter is disguised as a notification from Principal regarding recipients' retirement funds.

It must be emphasized that this email is fake, and it is in no way associated with Principal Financial Group – a global financial investment management and insurance company. This spam mail aims to steal recipients' Principal account log-in credentials through a phishing website.

What kind of email is "Mailbox Quota Exceeded"?

"Mailbox Quota Exceeded" is a phishing spam campaign. We inspected two email variants belonging to this campaign. Both versions inform recipients that their email account storage quota has been exceeded and needs to be increased.

When attempts are made to update the account, users get redirected to a phishing website disguised as an email sign-in page.

What kind of page is mypcdefenderplus[.]site?

We have examined mypcdefenderplus[.]site and found that this is a deceptive page running the "McAfee - Your PC is infected with 5 viruses!" scam. We also noticed that mypcdefenderplus[.]site wants to send notifications. Our team discovered this site while inspecting pages that use rogue advertising networks.