Virus and Spyware Removal Guides, uninstall instructions

RShell Backdoor (Mac)

What is RShell?

RShell refers to a backdoor-type malware targeting Mac Operating Systems (macOS). Malicious software within this classification can execute commands and is typically used to collect data and infect systems with additional malware.

RShell infiltrates macOS through a trojanized version of the Chinese-language MìMì (MiMi, Mi) Electron messenger app. Research done by SEKOIA strongly suggests that RShell infections are linked to the APT27 (aka Iron Tiger, Luckymouse, Emissary Panda, Bronze Union, and TG-3390) cyber-espionage group, which primarily focuses its activities in Southeast Asia.

   
MultiPlug Adware

What is MultiPlug?

"MultiPlug" and variants of it are detection names used by some security vendors to identify content that operates as advertising-supported software (adware). It is designed to run intrusive advertisement campaigns. In other words, adware displays advertisements on various interfaces. Furthermore, this software usually collects private data.

   
Smartanswersonline.com Redirect

What is smartanswersonline[.]com?

Smartanswersonline.com is one of the untrustworthy search engines generating misleading results. We discovered smartanswersonline.com after adding a browser hijacker to a web browser. That browser hijacker promotes smartanswersonline.com by making changes in the settings of a web browser.

   
Dark (VoidCrypt) Ransomware

What is Dark (VoidCrypt) ransomware?

While inspecting new submissions to VirusTotal, our researchers found another ransomware called Dark. It belongs to the VoidCrypt ransomware family. Once we executed a sample of this ransomware on our test system, it encrypted files and altered their filenames.

The file titles were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".dark" extension. For example, a file named "1.jpg" appeared as "1.jpg.(CW-CM9742068531)(Darksight@tutanota.com).dark". Afterwards, a ransom-demanding message - "unlock-info.txt" - was dropped onto the desktop.

   
Discoverthebest.co Redirect

What is discoverthebest.co?

While analyzing the discoverthebest.co site, we found that it is an untrustworthy search engine. We discovered discoverthebest.co after adding a shady extension to a web browser. That application promotes discoverthebest.co by hijacking a web browser (by changing its settings).

   
Driversgalaxy.co Redirect

What is driversgalaxy.co?

While inspecting dubious installation setups, we found a piece of software promoting the driversgalaxy.co fake search engine. Websites of this kind are promoted by browser hijackers, which achieve this by making alterations to browser settings.

While driversgalaxy.co can provide search results, they are inaccurate and may contain dubious/malicious content. Additionally, this search engine likely collects information about its visitors.

   
PlatformFormat Adware (Mac)

What kind of application is PlatformFormat?

While inspecting deceptive websites offering to download "useful" applications, fake installers, etc., we discovered an application called PlatformFormat. While testing this app, we found that it functions as adware - it displays annoying/unwanted and untrustworthy advertisements. Thus, PlatformFormat should be uninstalled from computers as soon as possible.

   
Qqlo Ransomware

What kind of malware is Qqlo?

Qqlo is ransomware that encrypts files and appends the ".qqlo" extension to filenames. It also drops a text file ("_readme.txt") that contains a ransom note. We discovered Qqlo while analyzing malware samples submitted to the VirusTotal web page. Qqlo belongs to a ransomware family called Djvu.

An example of how Qqlo ransomware renames files: it changes "1.jpg" to "1.jpg.qqlo", "2.png" to "2.png.qqlo", "3.exe" to "3.exe.qqlo", and so forth.

   
Qqlc Ransomware

What is Qqlc ransomware?

Our research team discovered the Qqlc ransomware-type program during a routine investigation of new submissions to VirusTotal. It is yet another program belonging to the Djvu ransomware family.

After we executed a sample of this malware on our test machine, it encrypted files and appended their filenames with a ".qqlc" extension. For example, a file named "1.jpg" appeared as "1.jpg.qqlc", "2.png" as "2.png.qqlc", etc. Once this process was finished, a ransom note titled "_readme.txt" was created.

   
Qqmt Ransomware

What kind of malware is Qqmt?

While checking the VirusTotal page for recently submitted malware samples, we discovered a new Djvu ransomware called Qqmt. Malware of this type encrypts files to force victims to pay for a decryption tool. Usually, ransomware also provides a ransom note and modifies filenames. Qqmt drops the "_readme.txt" file and appends the ".qqmt" extension to filenames.

An example of how files encrypted by Qqmt are renamed: "1.jpg" is renamed to "1.jpg.qqmt", "2.png" is renamed to "2.png.qqmt", and so forth.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
