Virus and Spyware Removal Guides, uninstall instructions

Flow Dark Browser Hijacker

What is flow dark?

While researching dubious download pages, we discovered the flow dark browser extension, which promises to enable dark mode for simple-design websites. After analyzing this extension, we determined that it operates as a browser hijacker that promotes the fake search engine getsins.com.

   
3N7gh7mg4hyxnwGTFUpjHfpZh154Eu7rYD Malware

What is 3N7gh7mg4hyxnwGTFUpjHfpZh154Eu7rYD malware?

While inspecting "cracked" software download websites, our research team discovered the "3N7gh7mg4hyxnwGTFUpjHfpZh154Eu7rYD" malware. Malicious programs within this classification are also known as clipboard hijackers, as they are designed to change the data copied into the infected system's clipboard.

Typically, the purpose of clippers is to replace copied cryptocurrency wallet addresses with those belonging to the attackers during outgoing transactions.

It is pertinent to mention that the installation setup proliferating this malware also installed adware and other harmful software onto our test machine.

   
Dating-point.top Ads

What kind of page is dating-point[.]top?

Dating-point[.]top is a deceptive website designed to trick visitors into allowing it to show notifications. Our team discovered dating-point[.]top while examining other shady websites (e.g., illegal movie streaming, torrent sites) that use questionable advertising networks. It is very uncommon for pages of this type to be visited intentionally.

   
Exclusivedealsfinder.com Ads

What kind of website is exclusivedealsfinder[.]com?

We discovered the exclusivedealsfinder[.]com website while inspecting other pages that use rogue advertising networks. Exclusivedealsfinder[.]com runs a fake endorsement for a CBD company and asks for permission to show notifications. It is strongly advisable not to trust this site or agree to receive notifications from it.

   
DHL Express Import Shipment On Hold Email Virus

What is "DHL Express Import Shipment On Hold" email virus?

We have examined this email and found that the cybercriminals behind it attempt to trick recipients into executing a malicious file extracted from the attached file. It is disguised as a letter from DHL (a legitimate logistics company) regarding shipping documents that require review.

   
SMSSpy Malware (Android)

What is SMSSpy?

SMSSpy refers to a piece of malicious software masquerading as various applications of legitimate e-commerce platforms. This malware aims to obtain victims' online banking credentials and thus gain access to the funds stored in the accounts. At the time we researched SMSSpy, it targeted Malaysian users exclusively. The malicious program has the capability to extract the credentials of eight popular banks that offer their services in Malaysia.

According to a report on ESET's welivesecurity.com website, campaigns spreading SMSSpy were first identified in late 2021. The malware was presented as an app of Maid4u, a legitimate cleaning service, and was promoted via malvertising on Facebook.

   
Sapphire Miner Malware

What kind of malware is Sapphire?

Sapphire is the name of a cryptocurrency miner. This malware is sold in hacker forums for 75 euros. Sapphire can mine XMR (Monero), ERGO, ETC (Ethereum Classic), and ETH (Ethereum) cryptocurrencies.

Additionally, this miner can avoid being detected by Windows Defender, hide from Task Manager and ProcessHacker tools, and launch itself with administrator privileges.

   
Ghas Ransomware

What is Ghas ransomware?

During a routine inspection of VirusTotal submissions, our research team discovered yet another ransomware-type program belonging to the Djvu family. The program in question is named Ghas.

Once launched onto our test machine, this ransomware began encrypting files and appending the ".ghas" extension to their filenames. To elaborate, a file originally titled "1.jpg" appeared as "1.jpg.ghas", "2.png" as "2.png.ghas", and so on for all of the affected files. Afterwards, Ghas created a text file, "_readme.txt", containing the ransom note.

   
MATILAN Ransomware

What kind of malware is MATILAN?

We discovered MATILAN while inspecting malware samples submitted to VirusTotal. It was found that MATILAN is ransomware designed to encrypt files, append the ".MATILAN" extension to filenames, and generate three ransom notes.

Before logging into Windows, a ransom note appears on a black screen. The second ransom note appears in a browser notification after logging in. MATILAN provides a third ransom note in the "RESTORE_FILES_INFO.txt" file. As an example of how MATILAN renames files, it renames "1.jpg" to "1.jpg.MATILAN", "2.png" to "2.png.MATILAN", and so on.

   
Qall Ransomware

What is Qall ransomware?

Qall is a ransomware-type program that our researchers found while inspecting new malware submissions to VirusTotal. We determined that this malicious program belongs to the Djvu ransomware family.

After being executed on our test system, this ransomware encrypted files and appended the ".qall" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.qall", "2.png" as "2.png.qall", etc. Once this process was completed, a ransom note, "_readme.txt", was created.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
