Virus and Spyware Removal Guides, uninstall instructions

What is Files Download Enhancer?

While checking out suspicious sites that endorse software, our research team discovered the Files Download Enhancer browser extension. It is presented as a download management tool. However, our analysis of this browser extension revealed that it operates as advertising-supported software (adware) instead.

What kind of page is menispirfly[.]com?

Our research team found the menispirfly[.]com rogue site during a routine inspection of untrustworthy webpages. It is designed to promote browser notification spam, and at the time of research – menispirfly[.]com did so by employing fake CAPTCHA verification. Additionally, this page can redirect visitors to other (likely dubious/malicious) websites.

Most users access webpages like menispirfly[.]com through redirects caused by sites that use rogue advertising networks.

What is goodsearchez.com?

We have tested goodsearchez.com and found that it is a fake search engine that does not generate unique results. Typically, fake and other untrustworthy search engines are promoted mainly via browser hijackers. Our team also found that goodsearchez.com is promoted via a fake Google Docs extension.

What is CIA ransomware?

CIA ransomware is a type of malware designed to encrypt data and make ransom demands for the decryption tools. There are two variants of this ransomware. Typically, programs of this kind alter the filenames of encrypted files; however, that is not the case with either of the CIA ransomware versions.

Once this malware finishes the encryption process, it changes the desktop wallpaper and creates a ransom note. The names of these messages are the same – "README.txt" – for both variants. Despite being titled "CIA", this ransomware does not further the deceit past using the agency's logo.

What is Teng Snake ransomware?

Our research team discovered yet another malicious program based on the Chaos ransomware titled Teng Snake. Malware within this classification operates by encrypting data and demanding payment for the decryption tools.

On our test machine, Teng Snake encrypted files and changed their filenames. Original titles were appended with an extension consisting of four random characters. For example, a file named "1.jpg" appeared as "1.jpg.nk3u", "2.png" as "2.png.cirb", and so on.

Afterwards, a ransom-demanding message "Red_Tel.txt" was created. Additionally, this ransomware changed the desktop wallpaper.

What kind of malware is Xllm?

Xllm is ransomware based on the Chaos ransomware. We discovered Xllm while inspecting malware samples submitted to VirusTotal. This ransomware encrypts files, appends the ".xllm" extension to filenames of all encrypted files, and creates a ransom note (the "read_it.txt" file).

An example of how files encrypted by Xllm ransomware are renamed: "1.jpg" to "1.jpg.xllm", "2.png" to "2.png.xllm", and so forth.

What kind of malware is Hebem?

Hebem is one of the Dharma ransomware variants. Our team discovered Hebem while inspecting malware samples submitted to the VirusTotal website. Hebem encrypts data and appends the victim's ID, hebem@msgsafe.io email address, and ".hebem" extension to the filenames of encrypted files. Also, it displays a pop-up window and creates the "info.txt" file.

The text file and pop-up window contain a ransom note. An example of how Hebem modifies filenames: it renames "1.jpg" to "1.jpg.id-9ECFA84E.[hebem@msgsafe.io].hebem", "2.png" to "2.png.id-9ECFA84E.[hebem@msgsafe.io].hebem", and so forth.

What kind of malware is Matu?

Matu is the name of a ransomware variant belonging to the Djvu family. We discovered it while checking the VirusTotal for recently submitted malware samples. Matu encrypts files, appends the ".matu" extension to filenames, and drops the "_readme.txt" file that contains a ransom note.

An example of how Matu modifies filenames: it renames "1.jpg" to "1.jpg.matu", "2.png" to "2.png.matu", and so forth. Cybercriminals may be distributing Matu alongside information stealers like RedLine and Vidar. It is known that threat actors often try to steal sensitive data before encrypting files with Djvu ransomware.

What kind of page is reportyourdefenderdata[.]site?

Reportyourdefenderdata[.]site is the address of a rogue website. Our researchers discovered this page while inspecting suspicious sites. The webpage promotes scams and spam browser notifications. Additionally, reportyourdefenderdata[.]site can redirect visitors to different (likely unreliable/dangerous) websites.

Most users access pages of this kind via redirects caused by sites that use rogue advertising networks.

What kind of extension is "Video Finder"?

While investigating untrustworthy sites, our research team discovered the Video Finder browser extension. This piece of software claims to allow users to download the videos and images presented on any website. However, our inspection of this extension revealed that it is adware. In other words, Video Finder runs intrusive advertisement campaigns and collects private data.