Virus and Spyware Removal Guides, uninstall instructions

InitialConnection Adware (Mac)

What is InitialConnection?

While inspecting new submissions to VirusTotal, our researchers found the InitialConnection rogue application. Our analysis of this app revealed that it operates as adware and belongs to the AdLoad malware family. InitialConnection is designed to run intrusive advertisement campaigns, and it may have additional harmful abilities.

   
FocusAhead Adware (Mac)

What kind of application is FocusAhead?

FocusAhead is an untrustworthy application that displays intrusive advertisements and can read sensitive information. Apps that show ads are called adware (advertising-supported software). Typically, users install adware on their computers unintentionally. We discovered FocusAhead while inspecting deceptive pages.

   
Email Security Update Scam

What kind of email is "Email Security Update Scam"?

"Email Security Update Scam" refers to an email spam campaign that we have analyzed. We determined that it is a phishing scam targeting email account log-in credentials (passwords). These fake emails attempt to extract this information from recipients by claiming that security issues have occurred on their mail accounts.

   
Protect2023.xyz Ads

What kind of page is protect2023[.]xyz?

Protect2023[.]xyz is an untrustworthy website that runs the "McAfee - Your PC is infected with 5 viruses!" scam and asks to show notifications. All messages displayed on this page are fake. We discovered protect2023[.]xyz while examining dubious pages that use rogue advertising networks.

   
Zatp Ransomware

What kind of malware is Zatp?

Zatp is ransomware that belongs to the Djvu family. Our malware researchers discovered Zatp while checking the VirusTotal page for recently submitted samples. We found that Zatp encrypts files and appends its extension (".zatp") to filenames. Also, it drops the "_readme.txt" file that contains a ransom note.

It is important to mention that Djvu ransomware is often distributed with information stealers like Vidar and RedLine. An example of how files encrypted by Zatp ransomware are renamed: "1.jpg" is renamed to "1.jpg.zatp", "2.png" to "2.png.zatp", "3.doc" to "3.doc.zatp", and so forth.

   
bDAT Ransomware

What is bDAT ransomware?

bDAT is a piece of malicious software categorized as ransomware. We discovered this program while inspecting new submissions to VirusTotal. It is noteworthy that bDAT is part of the Dharma ransomware family.

After we executed a sample of bDAT on our test machine, it began encrypting files and appended a unique ID, the cyber criminals' email address, and a ".bDAT" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.id-9ECFA84E.[bkpdata@msgsafe.io].bDAT".

Once the encryption process was completed, this ransomware displayed ransom-demanding messages in a pop-up window and created a text file named "info.txt".

   
Zate Ransomware

What kind of malware is Zate?

Zate is one of the Djvu ransomware variants. It makes files inaccessible by encrypting them and renames files by appending its extension (".zate") to their filenames. Also, Zate drops its ransom note, a text file named "_readme.txt". Threat actors have been observed distributing Djvu ransomware alongside various information stealers (e.g., RedLine or Vidar).

Our team discovered this Djvu variant while inspecting malware samples submitted to VirusTotal. An example of how Zate renames files: it changes "1.jpg" to "1.jpg.zate", "2.png" to "2.png.zate", and so forth.

   
Alltimesecuritysystem.live Ads

What kind of page is alltimesecuritysystem[.]live?

Alltimesecuritysystem[.]live is the address of a rogue webpage that our researchers discovered while looking through untrustworthy sites. It is designed to promote scams, push spam browser notifications, and redirect visitors to different (likely dubious/malicious) websites. Most users enter such pages via redirects caused by sites that use rogue advertising networks.

   
Dom Ransomware

What is Dom ransomware?

Dom is a ransomware-type program that our research team discovered while checking out new submissions to VirusTotal. Programs of this kind operate by encrypting data and demanding payment for the decryption tools.

Once we executed a sample of Dom on our test machine, it began encrypting files and changed their titles. A unique ID assigned to the victim, the cyber criminals' email address, and a ".dom" extension were appended to the original filenames. For example, a file titled "1.jpg" appeared as "1.jpg.[c44fb759f0].[dekrypt666@onionmail.org].dom".

Afterwards, Dom ransomware dropped a ransom-demanding message titled "ENCRYPTED.txt" onto the desktop.

   
Newspoldays.site Ads

What kind of page is newspoldays[.]site?

While inspecting untrustworthy sites, our researchers discovered the newspoldays[.]site rogue webpage. It pushes browser notification spam using a fake CAPTCHA, and it can redirect users elsewhere (likely to unreliable/malicious websites).

Most visitors to notification-spam-promoting sites access them via redirects caused by pages that use rogue advertising networks.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
