Virus and Spyware Removal Guides, uninstall instructions

What is Files Downloader Assist?

Our researchers discovered the Files Downloader Assist browser extension while checking out suspicious websites. According to the extension's "official" promotional webpage, this piece of software is a download management tool. However, our inspection of Files Downloader Assist revealed that is adware. This browser extension runs intrusive advertisement campaigns and collects browsing-related data.

What kind of page is advfandom[.]com?

Our researchers discovered the advfandom[.]com rogue page during a routine inspection of untrustworthy websites. This webpage is designed to push browser notification spam; at the time of research, it did so by using fake CAPTCHA verification. Additionally, this site can redirect visitors to other (likely dubious/malicious) webpages.

Users typically enter sites like advfandom[.]com via redirects caused by pages that use rogue advertising networks.

What kind of page is advatravel[.]com?

While investigating suspicious websites, our research team discovered the advatravel[.]com rogue page. It operates by pushing browser notification spam and redirecting users to other (likely unreliable/dangerous) sites.

Most visitors to advatravel[.]com and similar webpages enter them through redirects caused by sites that use rogue advertising networks.

What is ArchiveOperation?

ArchiveOperation is an application that we discovered while reviewing new submissions to VirusTotal. After analyzing this app, we learned that it is adware belonging to the AdLoad malware family.

What kind of page is advdomlab[.]com?

We have examined advdomlab[.]com and learned that the purpose of this page is to trick visitors into allowing it to show notifications. Also, advdomlab[.]com redirects visitors to other untrustworthy websites. Our team discovered advdomlab[.]com while inspecting pages that use shady advertising networks.

What kind of page is mediumhiquality[.]com?

Wave analyzed mediumhiquality[.]com and found that this page displays a deceptive message to trick visitors into allowing it to show notifications. Also, mediumhiquality[.]com redirects to other websites that use clickbait techniques to receive permission to display notifications.

What kind of application is Search-News Default Search?

While testing the Search-News Default Search application, we found that it functions as a browser hijacker. It promotes a fake search engine (search-news.xyz) by changing some of the settings of a web browser. We discovered Search-News Default Search on a shady web page.

What is "Access To This MAC Has Been Blocked"?

It is a fake virus message displayed by a deceptive website (a technical support scam site). The purpose of this page is to trick unsuspecting visitors into calling the provided number. None of the messages on this page are real. Thus, this website should be ignored.

What kind of page is venadvstar[.]com?

Venadvstar[.]com is one of the many websites that display deceptive messages to trick visitors into allowing them to show notifications. Additionally, venadvstar[.]com redirects visitors to other shady websites. We discovered venadvstar[.]com while inspecting sites that use shady advertising networks.

What is Nlb ransomware?

Our researchers discovered the Nlb ransomware while investigating new submissions to VirusTotal. This malicious program is part of the Dharma ransomware family.

Once we launched a sample of Nlb on our testing system, it encrypted files and altered their titles. Original filenames were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".nlb" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.id-9ECFA84E.[Rileyb0707@aol.com].nlb".

Afterward, this ransomware created ransom-demanding messages in the form of a pop-up window and a text file titled "FILES ENCRYPTED.txt".