Virus and Spyware Removal Guides, uninstall instructions

What kind of page is ylcufr[.]com?

During a routine investigation of untrustworthy sites, our researchers discovered the ylcufr[.]com rogue webpage. This page promotes browser notification spam with the use of deception. Furthermore, it can redirect visitors to other sites, which are likely dubious or malicious.

Most users enter ylcufr[.]com and websites akin to it via redirects caused by pages that use rogue advertising networks.

What kind of page is news-xebipi[.]com?

News-xebipi[.]com is the address of a rogue webpage that our researcher team discovered while inspecting suspicious websites. It is designed to push spam browser notifications and redirect visitors to other (likely untrustworthy or malicious) sites.

Users typically access pages like news-xebipi[.]com through redirects caused by websites using rogue advertising networks.

What is Escanor (Esca)?

Escanor, also known as Esca, is a Remote Access Trojan (RAT). Malware of this kind operates by enabling remote access and control over infected devices. RATs tend to be highly multifunctional and pose a wide range of threats. Escanor (Esca) is a cross-platform malware that targets both Windows and Android Operating Systems (OSes).

Significant Escanor (Esca) RAT activity has been noted in the Middle East, North America, Central America, and South-East Asia.

What is RecordBreaker?

RecordBreaker is a piece of malicious software classified as a stealer. Malware of this kind is designed to extract and exfiltrate vulnerable data and content. RecordBreaker has been actively spread through various websites offering "cracked" software.

What is Internet Download Manager?

Not to be confused with any legitimate software under the name of "Internet Download Manager", this extension is a browser hijacker.

While this fake extension is presented as a tool for advanced download management, it modifies browser settings to promote the smartwebfinder.com illegitimate search engine instead. Additionally, Internet Download Manager can display spam browser notifications and collects private data.

What is OpenSubtitles Uploader?

OpenSubtitles Uploader is a rogue application. After analyzing this app, we determined that it operates as advertising-supported software (adware). In other words, it enables the placement of third-party graphical content on various interfaces. OpenSubtitles Uploader may have additional undesirable/harmful abilities, such as data collecting.

What is Extension Settings?

While inspecting scam sites, our research team discovered a rogue installer containing the Extension Settings browser extension. After analyzing this piece of software, we determined that it is a browser hijacker that promotes the ardslediana.com fake search engine.

What is ZZZZZ (Scarab) ransomware?

Our research team found yet another program belonging to the Scarab ransomware family named ZZZZZ. Malware within the ransomware classification is designed to encrypt files and demand ransoms for the decryption.

After we launched a sample of ZZZZZ (Scarab) ransomware on our test system, it encrypted files and appended their filenames with a ".ZZZZZ" extension. For example, a file titled "1.jpg" appeared as "1.jpg.ZZZZZ", "2.png" as "2.png.ZZZZZ", and so forth.

Once this process was finished, a ransom-demanding message named "Инструкция.txt" was created on the desktop. The note within this text file was in Russian.

What kind of malware is DONKEYHOT?

DONKEYHOT is ransomware used to blackmail victims. It encrypts files and keeps them inaccessible until a ransom is paid. We discovered DONKEYHOT while checking VirusTotal for recently submitted malware samples. In addition to encrypting files, this ransomware modifies filenames and generates the "#HOW_TO_DECRYPT#.txt" file containing a ransom note.

DONKEYHOT appends a string of random characters, ICQ username, and the ".DONKEYHOT" extension to filenames. For example, it renames "1.jpg" to "1.jpg.[5deecd3145].[ICQ_DONKEYHOT].DONKEYHOT", "2.png" to "2.png.[5deecd3145].[ICQ_DONKEYHOT].DONKEYHOT", and so forth.

What kind of page is emyresumef[.]hair?

While examining emyresumef[.]hair, we found that it can show deceptive notifications (if allowed) and redirect visitors to other shady pages. It uses a clickbait technique to trick visitors into agreeing to receive notifications. Our team discovered emyresumef[.]hair while inspecting sites that use rogue advertising networks.