Virus and Spyware Removal Guides, uninstall instructions

What is Scam ransomware?

While inspecting new submissions to VirusTotal, our research team discovered a ransomware-type program called Scam. It is yet another one based on the Chaos ransomware.

On our test machine, the Scam ransomware encrypted files and appended their filenames with a ".scam" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.scam", "2.png" as "2.png.scam", and so on for all of the affected files.

After the encryption process was finished, this ransomware changed the desktop wallpaper and created a text file named "read_it.txt". The wallpaper and file contained ransom notes.

What is QueueBuffer?

QueueBuffer is a piece of rogue software that our researchers discovered while inspecting new submissions to VirusTotal. Analyzing this app revealed that it operates as adware. Additionally, QueueBuffer belongs to the AdLoad malware family.

What kind of malware is FirstKill?

While examining malware samples submitted to the VirusTotal, our team discovered FirstKill - ransomware that encrypts files. It is used to blackmail victims by demanding to pay for a decryption tool. FirstKill not only encrypts but also renames files (appends the ".FirstKill" extension), changes the desktop wallpaper, and creates the "CO_SIĘ_STAŁO.html" file.

"CO_SIĘ_STAŁO.html" file contains a ransom note. An example of how FirstKill renames files: it changes "1.jpg" to "1.jpg.FirstKill", "2.png" to "2.png.FirstKill", "3.exe" to "3.exe.FirstKill", and so forth.

What kind of email is "DHL e-Shipping Invoice"?

After inspecting the "DHL e-Shipping Invoice" email, we determined that it is spam. This email spam campaign operates as a phishing scam. These letters claim to contain an invoice regarding a shipment, which recipients can view and inquire about by logging in with their email accounts. However, by attempting to do so - they will inadvertently disclose this data to scammers.

It must be stressed that this scam mail is in no way associated with the actual DHL logistics company, nor is it connected to the USPS (United States Postal Service), which the emails also mention.

What is "I Paid For Products From Your Store" email virus?

After inspecting this letter, our team concluded that its purpose is to trick recipients into infecting their computers with malware. We found that this email is disguised as a letter regarding a money refund and contains an attachment designed to download a file containing another (malicious) file.

What kind of malware is Demon?

Demon is a type of malware (ransomware) that encrypts files. We discovered it while examining malware samples submitted to the VirusTotal site. Threat actors behind it demand payment in return for decryption tools. Additionally, Demon ransomware appends ".demon" extension to filenames and creates the "How To Recover Your Files.txt" file that contains a ransom note.

An example of how Demon ransomware modifies filenames: it renames "1.jpg" to "1.jpg.demon", "2.png" to "2.png.demon", "3.exe" to "3.exe.demon", and so forth.

What is ProgressBoost?

While inspecting new submissions to VirusTotal, our researchers found the ProgressBoost application. The analysis of this software revealed that it operates as adware and belongs to the AdLoad malware family.

What is ProgramOpen?

ProgramOpen is a rogue application that our research team discovered while investigating new submissions to VirusTotal. After analyzing this piece of software, we learned that ProgramOpen is adware. Additionally, this app is part of the AdLoad malware family.

What is ModernLoader?

ModernLoader, also known as Avatar Bot and AvatarLoader, is a malicious program that has minimalistic loader and RAT (Remote Access Trojan) functionalities.

Loader-type malware is designed to infect devices with additional malicious programs, while RATs enable remote access/control over infected machines. ModernLoader is capable of executing basic commands and injecting malicious modules into systems.

What kind of application is refresh color?

refresh color is the name of a browser extension we discovered on a deceptive website. After downloading and adding it, we learned that it shows annoying advertisements. Apps of this type are classified as advertising-supported apps (adware).