Virus and Spyware Removal Guides, uninstall instructions

What kind of email is "SIDDHIVINAYAK"?

Our analysis of this "SIDDHIVINAYAK" email revealed that it is malspam - malicious spam designed to infect recipients' systems with malware. These fake finance/purchase-themed letters proliferate the Agent Tesla RAT (Remote Access Trojan).

It must be emphasized that, as with all spam emails, these "SIDDHIVINAYAK" letters are in no way associated with any legitimate entities that they are presented as messages from or make mention of.

What is Police_Decrypt0r ransomware?

Discovered by Petrovic, Police_Decrypt0r is a piece of malicious software categorized as ransomware. We ran a sample of this malware on our testing machine, and it encrypted files as well as changed their filenames.

The names of the affected files were appended with a ".CRYPT" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.CRYPT", "2.png" as "2.png.CRYPT", etc.

Once the encryption process was finished, Police_Decrypt0r displayed a pop-up window, and another afterwards, lastly a text file named "Police_Decrypt0r.txt" was dropped onto the desktop.

What kind of page is updatepcmc[.]xyz?

While inspecting websites that use rogue advertising networks, we came across updatepcmc[.]xyz - a deceptive page that runs the "McAfee - Your PC is infected with 5 viruses!" scam. We also found that this site wants to show notifications. All messages displayed by updatepcmc[.]xyz are fraudulent. Thus, this page must be ignored.

What kind of page is device-undershield[.]com?

While inspecting unreliable webpages, our researchers found the device-undershield[.]com site. It operates by running scams, pushing browser notification spam, and redirecting visitors to different (likely dubious/malicious) websites. Users typically enter pages like device-undershield[.]com through sites that use rogue advertising networks.

What kind of malware is ELITEBOT?

While checking the VirusTotal page for recently submitted malware samples, we discovered ransomware called ELITEBOT. This ransomware is part of the Makop family. It encrypts files, appends a string of random characters, elitebot@msgden.net email address, and the ".bot" extension to filenames, changes the desktop wallpaper and drops the "+README-WARNING+.txt" file.

The created text file contains a ransom note. An example of how files encrypted by ELITEBOT are renamed: "1.jpg" is renamed to "1.jpg.[2AF20FA3].[elitebot@msgden.net].bot", "2.png" is renamed to "2.png.[2AF20FA3].[elitebot@msgden.net].bot", "3.exe" is renamed to "3.exe.[2AF20FA3].[elitebot@msgden.net].bot", and so forth.

What is Royroy ransomware?

During a routine inspection of new malware submissions to VirusTotal, our researchers discovered the Royroy ransomware. Additionally, it has to be mentioned that this malicious program is part of the ZEPPELIN ransomware family.

On our test system, Royroy encrypted files and appended their filenames with the ".royroy.[victim's_ID]" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.royroy.1C1-98A-33A". Once this process was completed, a ransom note - "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" - was created on the desktop.

What is "Unusual Sign-in Activity" email scam?

After examining this email, we learned that the scammers behind it attempt to trick recipients into providing their login credentials. They claim that the email account has been suspended due to unusual sign-in activity. They aim to trick recipients into opening the provided page and entering their passwords.

What is RoundEmporium?

While performing a routine inspection of new submissions to VirusTotal, our research team discovered the RoundEmporium rogue application. Our analysis of this app revealed that it operates as advertising-supported software (adware). Additionally, we learned that RoundEmporium belongs to the AdLoad malware family.

What kind of malware is FIXED?

FIXED ransomware is part of the Babuk ransomware family. We have discovered this ransomware while examining the samples submitted to the VirusTotal page. FIXED prevents victims from accessing/using files by encrypting them, appends the ".FIXED" extension to filenames, and drops the "How To Restore Your Files.txt" file (a ransom note) on the desktop.

An example of how FIXED ransomware modifies filenames: it renames "1.jpg" to "1.jpg.FIXED", "2.png" to "2.png.FIXED", "3.exe" to "3.exe.FIXED", and so forth.

What kind of software is ActivateOptimization?

ActivateOptimization is the name of an application discovered by our team during an examination of shady websites distributing fake Adobe Flash Player installers. We found that ActivateOptimization is designed to display annoying ads. Therefore, we classified this app as adware.