Virus and Spyware Removal Guides, uninstall instructions
What kind of application is Extra Search?
We have discovered the Extra Search application while examining shady websites. After analyzing the app, we found that it is a browser hijacker. Extra Search modifies some of the settings of a web browser by changing them to search.extra-searches.com (a fake search engine).
What kind of page is subscribe-notifications[.]com?
While inspecting dubious websites, our researchers discovered the subscribe-notifications[.]com site. It promotes spam browser notifications and redirects visitors to other (likely unreliable and malicious) webpages.
Most users enter subscribe-notifications[.]com and sites akin to it through redirects caused by pages using rogue advertising networks.
What kind of application is ExplorerTrusted?
Our team discovered ExplorerTrusted during an analysis of deceptive websites that claim an Adobe Flash Player update is required (encouraging visitors to download a fake installer). It was found that the purpose of ExplorerTrusted is to generate advertisements. Therefore, we categorized it as adware.
What kind of malware is Lux?
Lux is ransomware belonging to the Chaos ransomware family. Our team has discovered this ransomware while checking the VirusTotal page for recently submitted malware samples. We found that Lux renames files and appends the ".lux" extension to filenames. Also, it changes the desktop wallpaper and drops the "read_it.txt" file (a ransom note).
An example of how Lux modifies filenames: it renames "1.jpg" to "1.jpg.lux", "2.png" to "2.png.lux", "3.exe" to "3.exe.lux", and so forth.
What is ExploreTransaction?
During a routine inspection of new submissions to VirusTotal, our research team discovered the ExploreTransaction application. After analyzing this app, we determined that it operates as advertising-supported software (adware) and belongs to the AdLoad malware family.
What kind of malware is Yanluowang?
Yanluowang is ransomware that encrypts (and renames) files, ends all running processes, stops services, and creates the "README.txt" file containing a ransom note. It appends the ".yanluowang" extension to filenames. Cybercriminals behind Yanluowang are targeting enterprise entities and organizations in the financial sector.
Files encrypted by Yanluowang can be decrypted with this tool. It is possible to decrypt all files if the original file is larger than 3GB; if the original file is smaller than 3GB, then only smaller files can be decrypted.
An example of how Yanluowang renames files: it changes "1.jpg" to "1.jpg.yanluowang", "2.png" to "2.png.yanluowang", and so forth. Yanluowang used the RSA-1024 asymmetric algorithm for encryption.
What kind of malware is Dkrf?
We found a new ransomware called Dkrf while examining malware samples submitted to VirusTotal. It was found that Dkrf is part of the Djvu ransomware family. The purpose of Dkrf is to encrypt files. Additionally, it renames files by appending the ".dkrf" extension to filenames and creates the "_readme.txt" file (a ransom note).
An example of how files encrypted by Dkrf are renamed: "1.jpg" is renamed to "1.jpg.dkrf", "2.png" to "2.png.dkrf", and so forth.
What kind of malware is Eiur?
Eiur is the name of ransomware belonging to a ransomware family called Djvu. We have discovered Eiur during our analysis of malicious installers distributed using deceptive pages. It was found that this ransomware encrypts files, appends the ".eiur" extension to filenames, and provides a ransom note (creates the "_readme.txt" file).
An example of how Eiur modifies filenames: it renames "1.jpg" to "1.jpg.eiur", "2.png" to "2.png.eiur", "3.exe" to "3.exe.eiur", and so forth.
What kind of page is resourceslatest[.]com?
We discovered the resourceslatest[.]com rogue webpage while inspecting unreliable sites. It operates by promoting scams, pushing browser notification spam, and redirecting visitors to different (likely dubious/malicious) sites.
Users typically enter resourceslatest[.]com and similar pages via redirects caused by websites using rogue advertising networks.
What is REVENLOCK ransomware?
REVENLOCK is a ransomware-type program we discovered while inspecting new submissions to VirusTotal. We determined that this program is part of the MedusaLocker ransomware family.
REVENLOCK encrypts files and appends an extension to their filenames. The variant we executed on our test system appended the ".REVENLOCK7" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.REVENLOCK7", "2.png" as "2.png.REVENLOCK7", etc. It is noteworthy that the number in the extension may vary depending on REVENLOCK's version.
Once the encryption was completed, a ransom note - "HOW_TO_RECOVER_DATA.html" - was dropped onto the desktop. Based on the message within, we can surmise that REVENLOCK targets companies rather than home users.