Virus and Spyware Removal Guides, uninstall instructions

What kind of page is foylosd[.]xyz?

Our team has examined securityguardplus[.]site and found that this page uses deceptive marketing to promote legitimate antivirus software. It shows deceptive messages to trick visitors into believing that their computers might be infected. We determined that securityguardplus[.]site runs the "You've visited illegal infected website" scam.

What is Stealc?

Stealc is the name of an information-stealing malware. It targets a wide variety of data associated with browsers, messaging software, cryptocurrency wallets, and other apps/extensions.

According to Stealc's developers, it was created by relying on Vidar, Raccoon, Mars, and RedLine stealers. Naturally, this malicious program shares similarities with the aforementioned malware. At the time of writing, Stealc is in active development – with the developers releasing new variants on a nearly weekly basis.

What kind of malware is MEDUSA?

MEDUSA is ransomware that encrypts data, appends the ".MEDUSA" extension to filenames, and drops the "!!!READ_ME_MEDUSA!!!.txt" file, which contains a ransom note. Our team discovered MEDUSA while examining samples submitted to VirusTotal.

An example of how MEDUSA modifies filenames: it renames "1.jpg" to "1.jpg.MEDUSA", "2.png" to "2.png.MEDUSA", and so forth.

What is search-good.com?

While investigating rogue installation setups, we found one promoting the search-good.com illegitimate search engine. Websites of this kind are typically endorsed (through redirects) by browser-hijacking software. During our analysis, we discovered search-good.com being promoted by a browser hijacker called Apps. However, other malicious extensions can cause redirects to this fake search engine as well.

What kind of malware is Jron?

During our analysis of malware samples submitted to the VirusTotal page, we came across a ransomware strain dubbed Jron. Upon further investigation, we determined that Jron belongs to the Dharma ransomware family. Jron encrypts data, alters file names, presents a pop-up window, and generates a text file ("info.txt") containing ransom demands.

Jron appends the victim's ID, jerd@420blaze.it email address, and the ".jron" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.id-9ECFA84E.[jerd@420blaze.it].jron", "2.png" to "2.png.id-9ECFA84E.[jerd@420blaze.it].jron", and so forth.

What kind of page is topcaptchatoday[.]top?

While reviewing untrustworthy sites, our researchers encountered the topcaptchatoday[.]top rogue webpage. Our team discovered two appearance variants of this page; both employed a hoax CAPTCHA test to lure visitors into consenting to this spam browser notification delivery. It is worth mentioning that topcaptchatoday[.]top can also redirect visitors to different (likely unreliable/dangerous) websites.

Users primarily enter sites like topcaptchatoday[.]top via redirects caused by webpages that use rogue advertising networks.

What kind of malware is Insekt?

Insekt is the name of a remote access trojan (RAT). Malware of this type is designed to give an attacker remote access and control over a victim's computer system. Insekt RAT is developed using GoLang programming language and is compiled to run on both Windows and Linux systems.

What is Tils ransomware?

Tils is a ransomware-type program discovered by our researchers during a routine inspection of new submissions to VirusTotal. Malware within this category is designed to encrypt data and demand ransoms for its decryption.

After we executed a sample of Tils on our testing system, it encrypted files and added the ".tils" extension to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.tils", "2.png" as "2.png.tils", and so on for all of the affected files.

Once the encryption process was completed, a message titled "RECOVERY INFORMATION.txt" was dropped onto the desktop.

What kind of page is adsforcomputertech[.]com?

While investigating adsforcomputertech[.]com, we discovered that the website aims to deceive its visitors into consenting to receive notifications. Moreover, the site redirects users to similar web pages. Our team stumbled upon adsforcomputertech[.]com while examining pages that employ dubious advertising networks.

What kind of malware is SHTORM?

SHTORM is a ransomware variant that is part of the Phobos ransomware family. Our malware researchers discovered SHTORM while analyzing malware samples submitted to the VirusTotal page. They have found that SHTORM encrypts data, modifies filenames, and creates info.hta and info.txt files (ransom notes).

SHTORM appends the victim's ID, mjk20@tutanota.com email address, and the ".SHTORM" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.id[9ECFA84E-3351].[mjk20@tutanota.com].SHTORM", "2.png" to "2.png.id[9ECFA84E-3351].[mjk20@tutanota.com].SHTORM", and so forth.