Virus and Spyware Removal Guides, uninstall instructions

$ucyLocker Ransomware

What is $ucyLocker ransomware?

$ucyLocker is the name of a malicious program classed as ransomware. It is designed to encrypt data and make ransom demands for decryption.

On our test machine, $ucyLocker encrypted files and appended a ".WINDOWS" extension to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.WINDOWS", "2.png" as "2.png.WINDOWS", and so on. Once this process was completed, the ransomware created a text file named "READ_IT.txt" and displayed a pop-up window; both contained ransom notes.

   
ENCODED Ransomware

What kind of malware is ENCODED?

ENCODED is the name of ransomware that our team discovered while inspecting malware samples submitted to VirusTotal. We found that ENCODED encrypts data, appends the ".ENCODED" extension to filenames, drops the "HOW TO DECRYPT FILES.txt" file, and changes the desktop wallpaper.

ENCODED's desktop wallpaper and text file contain ransom notes. An example of how ENCODED renames files: it changes "1.jpg" to "1.jpg.ENCODED", "2.png" to "2.png.ENCODED", and so forth.

   
TapScroll Adware (Mac)

What is TapScroll?

TapScroll is a rogue application that our research team discovered while inspecting new submissions to VirusTotal. Our analysis of this app revealed that it operates as adware. Additionally, we learned that TapScroll belongs to the AdLoad malware family.

   
ProcessorPremiere Adware (Mac)

What kind of application is ProcessorPremiere?

While testing the ProcessorPremiere application, our team noticed that it shows annoying advertisements. Thus, we classified ProcessorPremiere as adware. We also found that ProcessorPremiere can read sensitive information. It is worth mentioning that users rarely download and install adware on purpose.

   
Eredhadbeen.xyz Ads

What kind of page is eredhadbeen[.]xyz?

Our team has examined eredhadbeen[.]xyz and found that it displays a deceptive message to lure visitors into allowing it to show shady notifications. Also, eredhadbeen[.]xyz redirects visitors to other untrustworthy web pages. Typically, users open websites like eredhadbeen[.]xyz unintentionally.

   
STEEL (Phobos) Ransomware

What kind of malware is STEEL?

While examining malware samples submitted to the VirusTotal website, our team discovered ransomware belonging to the Phobos family called STEEL. This ransomware encrypts files and appends the victim's ID, codeofhonor@tuta.io email address, and the ".STEEL" extension to filenames.

Also, STEEL provides two ransom notes: "info.hta" and "info.txt". An example of how STEEL modifies filenames: it renames "1.jpg" to "1.jpg.id[9ECFA84E-3351].[codeofhonor@tuta.io].STEEL", "2.png" to "2.png.id[9ECFA84E-3351].[codeofhonor@tuta.io].STEEL", and so forth.

   
Globaladvdomservices.com Ads

What kind of page is globaladvdomservices[.]com?

Our researchers discovered the globaladvdomservices[.]com rogue page while investigating dubious websites. At the time of research, it promoted spam browser notifications through a fake CAPTCHA verification. Additionally, this webpage can redirect visitors to other (likely unreliable/malicious) sites.

Most users access pages like globaladvdomservices[.]com via redirects caused by websites that use rogue advertising networks.

   
InstantFresh Adware (Mac)

What is InstantFresh?

Our research team discovered the InstantFresh app while investigating new submissions to VirusTotal. Our inspection of this application revealed that it is advertising-supported software (adware) belonging to the AdLoad malware family. InstantFresh runs intrusive advertisement campaigns and may have additional harmful abilities.

   
GOGO Ransomware

What is GOGO ransomware?

GOGO is a ransomware-type program we discovered while checking out new submissions to VirusTotal. It belongs to the VoidCrypt ransomware family.

We executed a sample of GOGO ransomware on our testing system and learned that it encrypts files and appends to their filenames a unique ID assigned to the victim, the cyber criminals' email address, and a ".GOGO" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.(CW-IB5967382104)(gotocompute@tutanota.com).GOGO" following encryption.

Afterward, a ransom-demanding message titled "unlock-info.txt" was dropped onto the desktop.

   
Wholenicefeed.com Ads

What kind of page is wholenicefeed[.]com?

Our researchers discovered the wholenicefeed[.]com rogue page while inspecting suspicious websites. It operates by promoting spam browser notifications and redirecting visitors to other (likely dubious/malicious) sites. Users typically access webpages like wholenicefeed[.]com via redirects caused by websites using rogue advertising networks.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
