Virus and Spyware Removal Guides, uninstall instructions

What kind of scam is "Update Windows Defender"?

While examining suspicious pages, we found another page of this kind running a pop-up scam. This site uses a scare tactic to distribute malware. Its purpose is to lure unsuspecting visitors into believing that their computers are infected and executing a downloaded malicious file.

What kind of page is protectyour-device[.]com?

Our research team found the protectyour-device[.]com rogue webpage while checking out untrustworthy sites. This page promotes deceptive material, pushes spam browser notifications, and redirects visitors to other (likely dubious/malicious) websites.

Most users enter pages like protectyour-device[.]com through redirects caused by sites that employ rogue advertising networks.

What is IndexerPortal?

IndexerPortal is a piece of rogue software that our research team discovered while investigating new submissions to VirusTotal. After inspecting this app, we determined that it is adware belonging to the AdLoad malware family. IndexerPortal is designed to run intrusive ad campaigns, and it may have other harmful abilities.

What kind of page is defenderfocus[.]xyz?

While inspecting defenderfocus[.]xyz, we found that it runs the "McAfee - Your PC is infected with 5 viruses!" scam and wants to deliver untrustworthy notifications. This page should be ignored and never allowed to show notifications. Our team discovered defenderfocus[.]xyz while analyzing pages that use rogue advertising networks.

What kind of page is vipcaptcha[.]live?

While inspecting dubious webpages, our researchers discovered the vipcaptcha[.]live rogue site. It promotes browser notification spam and can cause redirects to different (likely deceptive/hazardous) websites. Users are most commonly redirected to pages like vipcaptcha[.]live by sites that use rogue advertising networks.

What is Bulwark ransomware?

Our research team discovered the Bulwark ransomware during a routine inspection of new submissions to VirusTotal. This malicious program belongs to the MedusaLocker ransomware family.

We launched a sample of Bulwark on our test machine, it encrypted files and appended their filenames with a ".bulwark7" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.bulwark7", "2.png" as "2.png.bulwark7", etc. However, the number in the extension varies depending on the ransomware's variant.

After the encryption process was concluded, Bulwark dropped a ransom-demanding message named "!-Recovery_Instructions-!.html" onto the desktop. The claims made by this note make it clear that this ransomware targets companies rather than home users.

What is multi-searches.com?

While testing multi-searches.com, our team discovered that it is a search engine that does not generate its own results (it shows results generated by another search engine). Therefore, we classified multi-searches.com as a fake search engine. Typically, search engines of this type are promoted via browser hijackers.

What kind of application is ViewOrigin?

While examining the ViewOrigin application, we learned that it shows annoying advertisements can read sensitive information. Apps whose purpose is to display advertisements are called advertising-supported apps (or adware). We discovered the ViewOrigin application on a deceptive web page claiming that it is required to update installed software.

What kind of malware is Cyberpunk?

We discovered a new Dharma ransomware variant called Cyberpunk. It encrypts files, appends the victim's ID, cyberpunk@onionmail.org email address, and ".CYBER" extension to filenames, and provides two ransom notes. Cyberpunk provides one ransom note in a pop-up window and another in the "CYBER.txt" file.

Our team found Cyberpunk while inspecting malware samples submitted to VirusTotal. An example of how this ransomware modifies filenames: it renames "1.jpg" to "1.jpg.id-9ECFA84E.[cyberpunk@onionmail.org].CYBER", "2.png" to "2.png.id-9ECFA84E.[cyberpunk@onionmail.org].CYBER", and so forth.

What kind of malware is ArrowRAT?

ArrowRAT is the name of a Remote Access Trojan (RAT) that allows threat actors to perform various malicious activities on infected/accessed computers. ArrowRAT is offered as Malware-as-a-Service (MaaS). Its creators offer three subscription plans: monthly ($100), three months ($300), and lifetime ($400).