Virus and Spyware Removal Guides, uninstall instructions
What is Fast Downloader?
Our research team discovered the Fast Downloader browser extension during a routine investigation of suspicious websites. This extension is promoted as a tool that helps download content from the Web. However, our analysis revealed that Fast Downloader is advertising-supported software (adware).
What is Ads Buster?
While investigating deceptive websites, we discovered the Ads Buster browser extension. This piece of software is promoted as an adblocker – a tool capable of blocking online advertisements. However, our inspection of Ads Buster revealed that it operates as adware instead. In other words, this extension displays ads rather than removing them.
What kind of email is "Automatically Generated Invoice"?
After analyzing the "Automatically Generated Invoice" email, we determined that it is spam. This fake letter claims to have an invoice attached. After inspecting the attachment, we learned that it operates as a phishing file targeting email account log-in credentials.
What is Blind Eye Locker ransomware?
Our research team discovered the Blind Eye Locker ransomware-type program while reviewing new malware submissions to VirusTotal.
Once we executed a sample of Blind Eye Locker ransomware on our test system, it began encrypting files and altered their filenames. During the encryption process, it displayed a fake Windows system update.
The affected files were renamed with a random character string, e.g., a file initially titled "1.jpg" appeared as "Mi5wbmc=", "2.png" as "NS5wcHR4", and so on. Afterwards, Blind Eye Locker created a message named "README_[random_digit].txt" and dropped it onto the desktop.
What is BlackLine?
BlackLine is the name of a stealer-type malware. Malicious software within this classification is designed to obtain sensitive data from infected systems. Stealers are considered to pose severe privacy issues, which can evolve into significant financial losses and even identity theft.
What kind of malware is WhiteSnake?
WhiteSnake (also known as Gurcu) is an information-stealing malware that extracts a range of sensitive information from infected computers. The threat actors who developed WhiteSnake sell their malware on a hacker forum. This malware can be purchased for varying durations of access, with prices ranging from $120 for one month to $1500 for lifetime access.
What is RadianceChecked?
While investigating new submissions to VirusTotal, our research team discovered the RadianceChecked app. After analyzing this application, we determined that it is adware belonging to the AdLoad malware family.
What kind of application is Ocean Saver?
Upon conducting tests on the Ocean Saver browser extension, we determined that it is a browser hijacker developed to promote oceansaver.net, a fake search engine. This extension achieves this objective by modifying a web browser's settings. Typically, users download and install/add browser hijackers unintentionally.
What kind of malware is Lilmoon?
Lilmoon is ransomware belonging to the VoidCrypt family. We discovered Lilmoon while analyzing malware samples submitted to VirusTotal. In addition to encrypting data, Lilmoon appends the victim's ID, the encrypt.ns@gmail.com email address, and the ".lilmoon" extension to filenames, and creates a ransom note (the "Dectryption-guide.txt" file).
An example of how Lilmoon modifies filenames: it renames "1.jpg" to "1.jpg.[MJ-KN1806473259](encrypt.ns@gmail.com).lilmoon", "2.png" to "2.png.[MJ-KN1806473259](encrypt.ns@gmail.com).lilmoon", and so forth.
What is Ssaw ransomware?
Our researchers discovered the Ssaw ransomware during a routine inspection of new submissions to VirusTotal. Ransomware is designed to encrypt data and demand payment for its decryption.
After we launched a sample of Ssaw on our test machine, it encrypted files and appended a ".ssaw" extension to their filenames. For example, a file originally named "1.jpg" appeared as "1.jpg.ssaw", "2.png" as "2.png.ssaw", etc. Once this process was finished, the ransomware changed the desktop wallpaper and created a file titled "как расшифровать файлы.txt". Both the wallpaper and text file contained identical ransom notes in Russian.
It is pertinent to mention that the wallpaper depicted the doll used by the Jigsaw Killer in the Saw movie franchise, and the ransom notes contained a play on a famous quote from this franchise – "I want to play a game". It must be stressed that the Ssaw ransomware is not associated with these films or any other related individuals or entities.