Virus and Spyware Removal Guides, uninstall instructions

Pdf Ransomware

What is Pdf ransomware?

While checking out new submissions to VirusTotal, our researchers discovered yet another malicious program belonging to the Dharma ransomware family – called Pdf.

After we launched a sample of Pdf ransomware on our test machine, it encrypted files and altered their filenames. Original titles were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".pdf" extension (not to be confused with the PDF document format). For example, a file named "1.jpg" appeared as "1.jpg.id-9ECFA84E.[3442516480@qq.com].pdf".

Once the encryption process was finished, this ransomware created/displayed ransom notes in a pop-up window and a text file titled "RETURN FILES.txt".

   
Unsuccessful Cash Box Delivery Email Scam

What kind of scam is "Unsuccessful Cash Box Delivery"?

We have inspected this email and determined that it is sent by scammers who aim to trick recipients into believing that they are supposed to receive ten million dollars. Typically, scam emails of this kind are used to extract sensitive information and (or) money from people. They should be marked as spam and deleted.

   
Pro-shield2023.shop Ads

What kind of page is pro-shield2023[.]shop?

While examining pro-shield2023[.]shop, we learned that it runs the "McAfee - Your PC is infected with 5 viruses!" scam. Pro-shield2023[.]shop uses a scare tactic to trick visitors into purchasing antivirus software. Also, this deceptive page asks for permission to show notifications.

   
Pouu Ransomware

What kind of malware is Pouu?

Pouu is ransomware that belongs to a family called Djvu. Pouu encrypts data, appends the ".pouu" extension to filenames, and provides a ransom note (creates the "_readme.txt" file). Our malware researchers discovered Pouu while examining malware samples submitted to VirusTotal.

An example of how Pouu renames files: it changes "1.jpg" to "1.jpg.pouu", "2.png" to "2.png.pouu", and so forth. Cybercriminals may be distributing Pouu alongside RedLine, Vidar, or other information stealers.

   
Poqw Ransomware

What kind of malware is Poqw?

Poqw is malware belonging to a ransomware family called Djvu. We discovered Poqw while analyzing malware samples submitted to VirusTotal. Poqw encrypts files, appends its extension (".poqw") to filenames, and drops a ransom note (the "_readme.txt" file).

An example of how Poqw modifies filenames: it renames "1.jpg" to "1.jpg.poqw", "2.png" to "2.png.poqw", and so forth. Poqw may be distributed alongside information stealers like Vidar and RedLine.

   
Aavpolse.xyz Ads

What kind of page is aavpolse[.]xyz?

Our researchers discovered the aavpolse[.]xyz rogue page while investigating questionable websites. This webpage is designed to promote scams, push browser notification spam, and cause redirects to other (likely untrustworthy or malicious) sites.

Users typically enter aavpolse[.]xyz and similar pages through redirects caused by websites using rogue advertising networks.

   
Website Screen Protection Adware

What is Website Screen Protection?

While investigating suspicious sites, our research team discovered the Website Screen Protection browser extension. Its promotional material describes this piece of software as a parental control tool for manually blocking websites. However, our inspection revealed that this extension operates as advertising-supported software (adware) instead.

   
Totalrecaptcha.top Ads

What kind of page is totalrecaptcha[.]top?

While investigating untrustworthy websites, our researchers discovered the totalrecaptcha[.]top rogue webpage. We found that it has two appearance variants (possibly more), which use deceptive content to trick visitors into allowing the page to deliver browser notification spam. Additionally, this site can redirect users to different (likely dubious/malicious) webpages.

Visitors to sites like totalrecaptcha[.]top usually access them through redirects caused by pages that use rogue advertising networks.

   
Kodex Ransomware

What is Kodex ransomware?

Kodex is a ransomware-type program. Typically, malware within this classification encrypts files and demands payment for their decryption. Kodex's ransom note claims that this is how it operates, but that is untrue.

After launching a sample of this ransomware on our test system, we learned that it does not encrypt data but compresses it into a password-locked .7z format archive.

Once this process was completed, Kodex created a ransom-demanding message titled "Read_me.html", which made false claims regarding encryption. There are multiple variants of this ransomware, and several of the passwords are known (more information below).

   
Dybdended.com Ads

What kind of page is dybdended[.]com?

Dybdended[.]com is the address of a rogue page discovered by our research team during a routine inspection of suspicious websites. This webpage promotes scams and pushes browser notification spam. Furthermore, it can redirect visitors to other (likely untrustworthy/harmful) sites.

Most users access pages like dybdended[.]com via redirects caused by websites that use rogue advertising networks.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
