Virus and Spyware Removal Guides, uninstall instructions

RPC Ransomware

What kind of malware is RPC?

RPC is ransomware that blocks access to files by encrypting them. It also renames files by appending the victim's ID, the pcrec@tuta.io email address, and the ".RPC" extension to filenames. RPC ransomware provides two ransom notes: it displays a pop-up window and creates the "recinfo.txt" file.

RPC is one of the Dharma ransomware variants. We discovered it while inspecting malware samples submitted to the VirusTotal website. An example of how RPC renames files: it changes "1.jpg" to "1.jpg.id-9ECFA84E.[pcrec@tuta.io].RPC", "2.png" to "2.png.id-9ECFA84E.[pcrec@tuta.io].RPC", and so forth.

   
Multicheck Checkbox Checker Adware

What is Multicheck Checkbox Checker?

While inspecting suspicious sites, our researchers discovered one offering fake Chrome browser updates that installed the Multicheck Checkbox Checker browser extension. This piece of software is presented as a tool that simplifies the action of checking/unchecking boxes on the Web. Instead, Multicheck Checkbox Checker operates as adware - i.e., runs intrusive ad campaigns and spies on users' browsing activity.

   
Lock (Babuk) Ransomware

What is Lock (Babuk) ransomware?

Lock is the name of a ransomware-type program discovered by our research team during a routine inspection of new submissions to VirusTotal. This malicious program is part of the Babuk ransomware family.

On our test machine, Lock (Babuk) ransomware encrypted files and appended a ".lock" extension to their filenames, e.g., a file titled "1.jpg" appeared as "1.jpg.lock", "2.png" as "2.png.lock", and so forth. After the encryption was completed, a ransom note named "How To Restore Your Files.txt" was dropped onto the desktop.

   
Stromag Email Virus

What is "Stromag" email virus?

After inspecting this "Stromag" email, we determined that it is fake. This spam letter is presented as a message from the Stromag power transmission component manufacturing company. It must be emphasized that this spam mail is not associated with said company.

The scam email attempts to trick recipients into opening a malicious attachment, which is designed to infect computers with the Agent Tesla RAT (Remote Access Trojan).

   
INT Ransomware

What kind of malware is INT?

INT is ransomware designed to encrypt files, change their filenames, and create a ransom note (the "+README-WARNING+.txt" file). We found that INT is part of the Makop ransomware family. It appends the victim's ID, an email address, and the ".INT" extension to filenames.

Our team discovered INT ransomware while inspecting malware samples submitted to VirusTotal. An example of how files are renamed by this ransomware: "1.jpg" is renamed to "1.jpg.[2AF20FA3].[integra2022@tutanota.com].INT", "2.png" to "2.png.[2AF20FA3].[integra2022@tutanota.com].INT", and so forth.

   
Wilycaptcha.live Ads

What kind of page is wilycaptcha[.]live?

Our researchers discovered the wilycaptcha[.]live rogue page while looking through suspicious websites. It is designed to promote spam browser notifications and redirect users to other (likely untrustworthy/hazardous) sites. Most visitors to pages like wilycaptcha[.]live access them through redirects caused by websites using rogue advertising networks.

   
ThinDev Adware (Mac)

What is ThinDev?

ThinDev is a rogue application, which our analysis revealed to be advertising-supported software (adware). It operates by running intrusive advertisement campaigns. Additionally, ThinDev belongs to the AdLoad malware family.

   
Myhypenews.com Ads

What kind of page is myhypenews[.]com?

Our team investigated myhypenews[.]com and found that it displays a deceptive message to lure visitors into agreeing to receive its notifications. We discovered myhypenews[.]com while examining sites that use rogue advertising networks, which display shady ads and redirect to pages like myhypenews[.]com.

   
TemplateFrame Adware (Mac)

What kind of application is TemplateFrame?

While analyzing various deceptive websites, our team discovered an application named TemplateFrame. After installing and testing this app, we found that it generates advertisements. Therefore, we classified TemplateFrame as adware.

   
LODEINFO Malware

What is LODEINFO?

LODEINFO is a backdoor-type malware capable of causing chain infections and stealing sensitive information from infected devices. As of September 2022, six versions of this program have been detected. The latest variants improve upon the malware's anti-detection/anti-analysis capabilities and have streamlined functionalities.

LODEINFO is linked to the Chinese Cicada (APT10) threat actor and has been used in cyber-espionage attacks on Japanese governmental bodies, the public sector, media groups, and similar entities.

   
