Virus and Spyware Removal Guides, uninstall instructions

Browser-under-protection.com Ads

What kind of page is browser-under-protection[.]com?

Our researchers discovered the browser-under-protection[.]com rogue website during a routine inspection of untrustworthy pages. It is designed to promote scams, push browser notification spam, and redirect to other (likely dubious/malicious) sites.

These webpages are typically accessed via redirects caused by sites using rogue advertising networks.

   
Rapid Files Download Adware

What kind of application is Rapid Files Download?

Rapid Files Download is an application described as a tool for tracking downloads, quickly accessing and managing them, and creating new ones. Our team discovered this app on a deceptive page suggesting that adding it to the browser may be required. After downloading and adding it, we found that it functions as adware.

   
Z61yt Ransomware

What kind of malware is Z61yt?

Z61yt is ransomware that belongs to the Hive ransomware family. Our team discovered Z61yt while examining malware samples submitted to VirusTotal. This ransomware encrypts files and appends a string of random characters and the ".z61yt" extension to filenames. Z61yt also creates the "1uZ5_HOW_TO_DECRYPT.txt" file, which contains a ransom note.

An example of how Z61yt renames files: it renames "1.jpg" to "1.jpg.uciIWUOQ8gVSwncWRdG-4HvIGemehd3wf6t7Z_tY8oj_NAAAADQAAAA0.z61yt", "2.png" to "2.png.uciIWUOQ8gVSwncWRdG-4HvIGemehd3wf6t7Z_tY8oj_NAAAADQAAAA0.z61yt", and so forth.

   
KEEP CALM AND RECOVER YOUR FILES Ransomware

What is KEEP CALM AND RECOVER YOUR FILES ransomware?

Discovered by the MalwareHunterTeam, KEEP CALM AND RECOVER YOUR FILES is a ransomware-type program. It is also a variant of the Chaos ransomware.

After launching a sample of KEEP CALM AND RECOVER YOUR FILES on our test system, we learned that it encrypts files and appends an extension consisting of four random characters to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.masz", "2.png" as "2.png.waeq", etc.

Once this process was completed, the ransomware changed the desktop wallpaper and created a ransom-demanding message named "read_it to decrypt.txt".

   
MemoryFunction Adware (Mac)

What is MemoryFunction?

MemoryFunction is a rogue app that we found while inspecting new submissions to VirusTotal. Our analysis of the application revealed that it operates as advertising-supported software (adware) and belongs to the AdLoad malware family.

   
BianLian Malware (Android)

What kind of malware is BianLian?

BianLian is the name of a banking Trojan targeting Android users. We discovered this piece of malware while examining malware droppers (fake apps) uploaded to the Google Play store. BianLian performs overlay attacks to steal login credentials for banking applications and has additional capabilities.

   
EMPg296LCK Ransomware

What is EMPg296LCK ransomware?

While looking through new malware submissions to VirusTotal, our researchers found the EMPg296LCK malicious program that is classified as ransomware. We determined that this program is part of the MedusaLocker ransomware family, and we acquired a sample of it for testing.

On our test machine, EMPg296LCK encrypted files and appended a ".EMPg296LCK" extension to their filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.EMPg296LCK", "2.png" as "2.png.EMPg296LCK", and so forth.

Once the encryption process was finished, a ransom note - "!_HOW_RECOVERY_FILES_!.HTML" - was dropped onto the desktop.

   
IndexerSource Adware (Mac)

What is IndexerSource?

IndexerSource is an application that our researchers discovered while inspecting new submissions to VirusTotal. After analyzing this piece of software, we learned that it operates as adware and is part of the AdLoad malware family.

   
Hehighursoo.com Ads

What kind of page is hehighursoo[.]com?

Our researchers discovered the hehighursoo[.]com rogue webpage while inspecting untrustworthy websites. This page is designed to promote spam browser notifications and redirect visitors to different (likely questionable or malicious) sites.

Most users enter hehighursoo[.]com and pages akin to it via redirects caused by websites that use rogue advertising networks.

   
SVCReady Malware

What kind of malware is SVCReady?

SVCReady is the name of a malware loader that can collect information about the infected system and communicate with a command and control (C2) server. We discovered this loader while examining an email containing a malicious MS Word document.

One of the known payloads delivered using the SVCReady loader is an information stealer called RedLine Stealer.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
