Virus and Spyware Removal Guides, uninstall instructions

What kind of page is freeadvcity[.]com?

We discovered the freeadvcity[.]com rogue webpage during a routine inspection of shady sites. It promotes browser notification spam and redirects visitors to other (likely dubious/malicious) websites.

Freeadvcity[.]com and similar pages are seldom accessed intentionally; most users enter them via redirects caused by sites using rogue advertising networks.

What kind of application is Baro Ds?

Baro Ds is a browser hijacker used to promote the barosearch.com address, a fake search engine. It hijacks a web browser by changing its settings. Our team has discovered Baro Ds on a deceptive website that recommended installing this app to improve the browsing experience.

What is Phmqdw ransomware?

Our researchers found the Phmqdw malicious program while inspecting new submissions to VirusTotal. We learned that it belongs to the Makop ransomware family.

Once launched onto our test machine, this ransomware began encrypting files and appending their filenames with a unique ID assigned to the victim and the ".phmqdw" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.[ID-9ECFA84E].phmqdw". Afterwards, a ransom-demanding message - "_readme.txt" - was created.

What kind of malware is ColdStealer?

ASEC Analysis Team has discovered a new information stealer called ColdStealer. It was found that this malware steals various user information and sends it to Command and Control (C2) server. Cybercriminals distribute ColdStealer using a dropper and downloader malware that downloads ColdStealer from the C2 server. The dropper for this stealer is distributed via fake software cracking tools.

What kind of page is thispcprotected[.]com?

During a routine inspection of dubious websites, our researchers discovered thispcprotected[.]com. This rogue webpage is designed to host deceptive content (scams), push browser notification spam, and redirect visitors to other (likely untrustworthy/malicious) sites. Most users enter such pages via redirects caused by websites using rogue advertising networks.

What kind of malware is Fakecalls?

Fakecalls is the name of a Trojan targeting Android users. This malware imitates calls with bank employees (customer support). Fakecalls is disguised as a banking application (at least two banking apps called Kookbik Bank and KakaoBank). Cybercriminals can use Fakecalls Trojan to extract sensitive information.

What is Democracy Whisperers ransomware?

Democracy Whisperers is the name of a malicious program classified as ransomware. Our research team discovered it while inspecting new malware submissions on VirusTotal. We determined that it belongs to the Babuk ransomware family.

After being launched onto our test machine, Democracy Whisperers encrypted files and changed their filenames by appending them with a ".democ" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.democ", "2.png" as "2.png.democ", etc. Once the encryption process was completed, a ransom note - "Restore Files.txt" - was dropped onto the desktop.

What kind of malware is Session?

Session is the name of ransomware belonging to a ransomware family called Makop. We discovered it while analyzing malware samples submitted to VirusTotal. Session ransomware encrypts and renames files and creates a ransom note (the "+README-WARNING+.txt" file). It appends a string of random characters and the ".session" extension to filenames.

An example of how Session modifies filenames: it renames "1.jpg" to "1.jpg.[87C29B86].[].session", "2.png" to "2.png.[87C29B86].[].session", and so forth. Unlike most variants belonging to the Makop family, Session does not append an email address (after the string of random characters) to filenames.

What kind of page is notcomp[.]com?

Our research team discovered the notcomp[.]com rogue webpage while inspecting shady sites. It is designed to push browser notification spam and redirect visitors to other (likely unreliable/malicious) websites.

Notcomp[.]com and sites akin to it are rarely accessed intentionally. Most users enter them through redirects caused by pages using rogue advertising networks, spam notifications, intrusive advertisements, mistyped URLs, or installed adware.

What kind of page is yourdesktopdefence[.]com?

During a routine inspection of untrustworthy websites, our researchers discovered the yourdesktopdefence[.]com webpage. It promotes scam content, pushes spam browser notifications, and redirects visitors to other (likely unreliable/malicious) sites.

Most users enter yourdesktopdefence[.]com and similar webpages via redirects caused by sites using rogue advertising networks.