Virus and Spyware Removal Guides, uninstall instructions

Quick Do Browser Hijacker

What kind of application is quick do?

After testing the quick do app, we found that it is a browser extension that changes the settings of a web browser to promote a fake search engine (quicknewtab.com). Moreover, this app does not allow users to undo its changes while it is added to a browser. Apps designed to promote fake search engines this way are called browser hijackers.

   
Getf**ked Ransomware

What is Getf**ked ransomware?

Getf**ked is the name of a ransomware-type program; throughout this article, the censoring asterisks will stand for the letters "u" and "c" respectively. We discovered this malware while inspecting new submissions to VirusTotal.

When we launched a sample of this ransomware on our test system, it began encrypting data. The filenames of affected files were appended with a ".getf**ed" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.getf**ed", "2.png" as "2.png.getf**ed", etc.

Once this process was completed, a ransom-demanding message ("Message_Important.txt") was dropped onto the desktop.

   
Ash Ransomware

What kind of malware is Ash?

Ash is the name of ransomware that encrypts files, modifies filenames of all encrypted files, and drops two files ("Decryptor.hta" and "ReadMe_Decryptor.txt") that contain ransom notes. Ash is part of the Dcrtr ransomware family. Our team discovered this ransomware variant while examining malware samples submitted to VirusTotal.

Ash renames files by appending the ashtray@outlookpro.net email address and ".ash" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.[ashtray@outlookpro.net].ash", "2.png" to "2.png.[ashtray@outlookpro.net].ash", and so forth.

   
Flash Ransomware

What is Flash ransomware?

Our researchers discovered the Flash ransomware-type program while checking out new submissions to VirusTotal. This piece of software belongs to the Dcrtr ransomware family.

After we executed a sample of Flash on our test machine, it began encrypting files and changed their filenames. Original titles were appended with the cyber criminals' email address and a ".flash" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.[ashtray@outlookpro.net].flash".

Once the encryption process was finished, Flash ransomware created/displayed ransom notes in a pop-up window ("Decryptor.hta") and a text file ("ReadMe_Decryptor.txt").

   
Omerta (Scarab) Ransomware

What kind of malware is Omerta?

Omerta is ransomware belonging to the Scarab family. The purpose of ransomware is to encrypt files. We discovered Omerta while inspecting malware samples submitted to VirusTotal. In addition to encrypting data, Omerta replaces filenames with a string of random characters followed by the ".omerta" file extension and drops the "Инструкция.TXT" file (a ransom note).

An example of how Omerta ransomware renames files: it replaces "1.jpg" with "vFwOmmDtGtkWkKp8.omerta", "2.png" with "jRmFfC1eTS+RQtoH.omerta", and so forth.

   
Medusa Stealer

What is Medusa Stealer?

Medusa Stealer is the name of a malicious program. Although its promotional website describes it as a data recovery/extraction and network testing tool, it is quite evident that Medusa Stealer's intended application is far less savory. This malware is capable of stealing data, launching DDoS attacks, and mining cryptocurrency.

   
Defender-pro-2022.xyz Ads

What kind of website is defender-pro-2022[.]xyz?

While investigating defender-pro-2022[.]xyz, our team learned that it shows deceptive content to trick visitors into believing that their computers are infected and purchasing antivirus software. This page runs the "McAfee - Your PC is infected with 5 viruses!" scam. It also seeks to show deceptive notifications.

   
Ducktail PHP Stealer

What kind of malware is Ducktail PHP stealer?

Ducktail is the name of an information-stealing malware. Earlier, Ducktail (.NetCore version) was used to steal Facebook Business accounts (threat actors targeted people with Facebook Business Accounts).

Now, this malware (the PHP version of Ducktail) is being used to steal all types of accounts (including those of regular users) and various sensitive information. The new version of Ducktail is called a PHP version because its main code is a PHP script.

   
Vital-scanner.com Ads

What kind of page is vital-scanner[.]com?

We discovered the vital-scanner[.]com rogue webpage while inspecting dubious sites. This page is designed to promote scams, push spam browser notifications, and redirect users to different (likely unreliable/harmful) websites.

Most visitors to vital-scanner[.]com and similar webpages enter them via redirects caused by sites that use rogue advertising networks.

   
Internal-scanning.com Ads

What kind of page is internal-scanning[.]com?

Internal-scanning[.]com is a rogue page that runs scams, promotes browser notification spam, and redirects visitors to other (likely unreliable/dangerous) sites.

Our researchers discovered this untrustworthy webpage while inspecting websites that use rogue advertising networks. Typically, pages like internal-scanning[.]com are accessed via redirects caused by sites that are monetized through said networks.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
