Virus and Spyware Removal Guides, uninstall instructions

Mekwyk Ransomware

What kind of malware is Mekwyk?

Mekwyk is ransomware that makes files inaccessible by encrypting them. It also appends the victim's ID and the ".mekwyk" extension to filenames and creates the "RESTORE_FILES_INFO.txt" file that contains a ransom note. We discovered Mekwyk while inspecting samples submitted to the VirusTotal website.

An example of how Mekwyk renames files: it changes "1.jpg" to "1.jpg.[ID-9ECFA84E].mekwyk", "2.doc" to "2.doc.[ID-9ECFA84E].mekwyk", and so forth.

   
Honkai (Paradise) Ransomware

What is Honkai (Paradise) ransomware?

Our researchers discovered the Honkai ransomware while inspecting new submissions to VirusTotal. This malicious program is part of the Paradise ransomware family.

When we executed a sample of Honkai (Paradise) ransomware on our test system, it began encrypting files and modifying their titles.

Original filenames were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".honkai" extension. For example, a file named "1.jpg" appeared as "1.jpg[id-f48tSVGB].[main@paradisenewgenshinimpact.top].honkai".

Afterwards, the ransomware dropped a ransom-demanding message titled "#DECRYPT MY FILES#.html" onto the desktop.

   
GonaCry Ransomware

What kind of malware is GonaCry?

GonaCry is ransomware that encrypts files, modifies filenames of the encrypted files, changes the desktop wallpaper, and provides a ransom note (creates the "read_it.txt" file). GonaCry is based on Chaos ransomware. Our team discovered it while examining samples submitted to the VirusTotal page.

GonaCry appends a random extension to filenames. For instance, it renames "1.jpg" to "1.jpg.h954", "2.doc" to "2.doc.i6as", and so forth.

   
Link2captcha.top Ads

What kind of page is link2captcha[.]top?

While checking out suspicious websites, our researchers discovered the link2captcha[.]top rogue webpage. It promotes browser notification spam by using fake CAPTCHA verification. Additionally, this page can redirect users to different (likely untrustworthy/harmful) websites.

Most users access webpages like link2captcha[.]top via redirects caused by sites using rogue advertising networks.

   
BTC (Azadi) Ransomware

What is BTC (Azadi) ransomware?

While investigating new submissions to VirusTotal, our researchers discovered the BTC (Azadi) ransomware. Malware within this classification operates by encrypting data and demanding payment for decryption.

Once we executed a sample of BTC (Azadi) on our test machine, it began encrypting files. The filenames of the affected files were modified, i.e., appended with the cyber criminals' email, a unique ID assigned to the victim, and the ".BTC" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.EMAIL=[azadi33@smime.ninja]ID=[4FC6718E700859F4].BTC". Afterward, this ransomware created a ransom note – "How To Restore Files.txt".

   
Helllomedias.com Ads

What kind of website is helllomedias[.]com?

While inspecting helllomedias[.]com, we found that it is a deceptive page that displays a fake message to lure visitors into agreeing to receive notifications. Also, helllomedias[.]com may redirect visitors to other shady sites. Thus, it is advisable not to trust helllomedias[.]com.

   
Big Sale Of Bitcoin And Ethereum Email Scam

What kind of scam is "Big Sale Of Bitcoin And Ethereum"?

We have examined this email (and the website within this letter) and determined that it is a phishing email disguised as a letter regarding a Bitcoin and Ethereum cryptocurrency sale. Scammers behind it attempt to trick recipients into providing sensitive information. Thus, recipients should ignore this letter.

   
Erop Ransomware

What kind of malware is Erop?

Erop is ransomware that encrypts files, appends the ".erop" extension to filenames of all encrypted files, and creates the "_readme.txt" file that contains a ransom note. Erop belongs to the Djvu ransomware family. It may be distributed alongside RedLine, Vidar, or another information stealer.

Our malware researchers discovered Erop while examining samples submitted to the VirusTotal page. An example of how Erop renames files: it changes "1.jpg" to "1.jpg.erop", "2.png" to "2.png.erop", and so forth.

   
Hot-investing-news.com Ads

What kind of page is hot-investing-news[.]com?

Hot-investing-news[.]com is a rogue page that we discovered during a routine inspection of suspicious websites. This page is designed to promote deceptive content, push browser notification spam, and redirect visitors to other (likely untrustworthy/dangerous) websites.

Most users access webpages like hot-investing-news[.]com through redirects caused by sites that use rogue advertising networks.

   
AdjustableBox Adware (Mac)

What is AdjustableBox?

AdjustableBox is a rogue app that we discovered while inspecting new submissions to VirusTotal. Our analysis of this application revealed that it is advertising-supported software (adware). We also determined that AdjustableBox is part of the AdLoad malware family.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
