Virus and Spyware Removal Guides, uninstall instructions
What kind of page is defenderfocus[.]xyz?
While inspecting defenderfocus[.]xyz, we found that it runs the "McAfee - Your PC is infected with 5 viruses!" scam and wants to deliver untrustworthy notifications. This page should be ignored and never allowed to show notifications. Our team discovered defenderfocus[.]xyz while analyzing pages that use rogue advertising networks.
What kind of page is vipcaptcha[.]live?
While inspecting dubious webpages, our researchers discovered the vipcaptcha[.]live rogue site. It promotes browser notification spam and can cause redirects to different (likely deceptive/hazardous) websites. Users are most commonly redirected to pages like vipcaptcha[.]live by sites that use rogue advertising networks.
What is Bulwark ransomware?
Our research team discovered the Bulwark ransomware during a routine inspection of new submissions to VirusTotal. This malicious program belongs to the MedusaLocker ransomware family.
When we launched a sample of Bulwark on our test machine, it encrypted files and appended a ".bulwark7" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.bulwark7", "2.png" as "2.png.bulwark7", etc. However, the number in the extension varies depending on the ransomware's variant.
After the encryption process was concluded, Bulwark dropped a ransom-demanding message named "!-Recovery_Instructions-!.html" onto the desktop. The claims made by this note make it clear that this ransomware targets companies rather than home users.
What is multi-searches.com?
While testing multi-searches.com, our team discovered that it is a search engine that does not generate its own results (it shows results generated by another search engine). Therefore, we classified multi-searches.com as a fake search engine. Typically, search engines of this type are promoted via browser hijackers.
What kind of application is ViewOrigin?
While examining the ViewOrigin application, we learned that it shows annoying advertisements and can read sensitive information. Apps whose purpose is to display advertisements are called advertising-supported apps (or adware). We discovered the ViewOrigin application on a deceptive web page claiming that it is required to update installed software.
What kind of malware is Cyberpunk?
We discovered a new Dharma ransomware variant called Cyberpunk. It encrypts files, appends the victim's ID, cyberpunk@onionmail.org email address, and ".CYBER" extension to filenames, and provides two ransom notes. Cyberpunk provides one ransom note in a pop-up window and another in the "CYBER.txt" file.
Our team found Cyberpunk while inspecting malware samples submitted to VirusTotal. An example of how this ransomware modifies filenames: it renames "1.jpg" to "1.jpg.id-9ECFA84E.[cyberpunk@onionmail.org].CYBER", "2.png" to "2.png.id-9ECFA84E.[cyberpunk@onionmail.org].CYBER", and so forth.
What kind of malware is ArrowRAT?
ArrowRAT is the name of a Remote Access Trojan (RAT) that allows threat actors to perform various malicious activities on infected/accessed computers. ArrowRAT is offered as Malware-as-a-Service (MaaS). Its creators offer three subscription plans: monthly ($100), three months ($300), and lifetime ($400).
What kind of page is suldo[.]click?
While inspecting suspicious websites, our research team discovered the suldo[.]click rogue page. Sites of this kind are designed to promote deceptive material, push browser notification spam, and redirect visitors to other (likely unreliable/malicious) pages.
When we investigated suldo[.]click, it ran the "You've visited illegal infected website" scam. Most users access sites of this kind via redirects caused by webpages that employ rogue advertising networks.
What is NFT Tab?
NFT Tab is a rogue browser extension that our researchers discovered while inspecting untrustworthy sites. This extension is presented as a tool that provides easy access to trending NFTs (Non-Fungible Tokens) and other related news. Our analysis revealed that NFT Tab operates as a browser hijacker and promotes the srchingveno.com illegitimate search engine.
What is HARDBIT ransomware?
HARDBIT is a piece of malicious software categorized as ransomware. It is designed to encrypt data and demand payment for the decryption.
Once we executed a sample of HARDBIT on our test system, it began encrypting files and modified their titles. Original filenames were appended with a unique ID, the cyber criminals' email address, and a ".hardbit" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.[id-GSD557NO60].[boos@keemail.me].hardbit".
Afterward, HARDBIT changed the desktop wallpaper and created two files, "Help_me_for_Decrypt.hta" (pop-up) and "How To Restore Your Files.txt", all of which contain ransom notes.