Virus and Spyware Removal Guides, uninstall instructions

What is Dark Browse?

Dark Browse is an adware-type browser extension promoted as a tool that enables dark mode for websites. While the functionalities promised by advertising-supported software are usually fake, after analyzing Dark Browse we learned that its promised function is operational. However, this browser extension still works as adware - displays various advertisements and collects private data.

What is Mxf1bd ransomware?

Mxf1bd is the name of a ransomware-type program, which our researchers discovered while looking through new submissions on VirusTotal.

On our test system, this ransomware encrypted files and appended their filenames with a ".mxf1bd" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.mxf1bd", "2.png" as "2.png.mxf1bd", and so on.

After the encryption was completed, Mxf1bd restarted the machine. This ransomware displayed a message in a dark screen, preceding the log-in window - and it did so every time the system was (re)started. Additionally, a ransom note - "Инструкция.txt" - was dropped onto the desktop. Both of the messages were in Russian.

What kind of page is anedukera[.]xyz?

Anedukera[.]xyz is a deceptive website that asks for permission to show notifications and redirects visitors to other pages of this type. We have discovered anedukera[.]xyz while analyzing websites that use rogue advertising networks (display shady ads and open dubious pages).

What is Ginzo?

Ginzo (also known as ZingoStealer) is the name of an information-stealing malware that steals passwords, cookies, and other information from infected computers. We have found that cybercriminals use Telegram to distribute Ginzo. They offer to download it free of charge.

What kind of malware is Soviet Locker?

Soviet Locker ransomware is malware that was discovered by MalwareHunterTeam. It encrypts files and displays a pop-up window with a timer and an input field for entering a decryption password. Cybercriminals behind Soviet Locker do not demand payment. Files encrypted by this malware can be decrypted using the password provided below.

What kind of malware is Wdlo?

Wdlo is one of the ransomware variants belonging to a ransomware family called Djvu. We have discovered this variant while examining the samples submitted to VirusTotal. After analyzing Wdlo, we have found that it encrypts files, appends its extension (".wdlo") to filenames, and generates a text file ("_readme.txt") as its ransom note.

An example of how Wdlo ransomware modifies filenames: it renames a file named "image.jpg" to "image.jpg.wdlo", "document.txt" to "document.txt.wdlo", and so on.

What kind of page is inancukan[.]xyz?

Our researchers found inancukan[.]xyz while inspecting untrustworthy sites. This webpage is designed to promote browser notification spam and redirect visitors to other (likely dubious/malicious) websites. Most users enter pages like inancukan[.]xyz via redirects caused by sites using rogue advertising networks.

What is Explus ransomware?

Explus is a piece of malicious software classified as ransomware. Our researchers found it while inspecting new submissions on VirusTotal.

After being launched on our test machine, this ransomware encrypted files and appended their filenames with a ".explus" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.explus", "2.png" as "2.png.explus", etc. Once the encryption was completed, a ransom note - "RECOVERY INFORMATION.txt" - was created.

What is SoftwareHelper?

SoftwareHelper is an adware-type application that our research team discovered while inspecting new submissions to VirusTotal. This piece of software operates by running intrusive advertisement campaigns (displaying ads), and it can have other harmful functionalities. We also learned that it belongs to the AdLoad malware family.

What kind of page is separashpar[.]xyz?

Separashpar[.]xyz is an untrustworthy web page that uses a clickbait technique to trick visitors into allowing it to show notifications. Also, it redirects visitors to other questionable sites. Our team has discovered separashpar[.]xyz while examining pages that use shady advertising networks.