Virus and Spyware Removal Guides, uninstall instructions

What is the "Validate Now" email?

After analyzing the "Validate Now" email, we determined that it is a phishing email. This letter attempts to lure recipients into providing their email log-in credentials by claiming that their email accounts will be closed.

What kind of application is SearchTab Default Search?

Our malware researchers have discovered the SearchTab Default Search browser extension while examining questionable websites that use advertising networks. They found that this app promotes searchtab.xyz (a fake search engine) by changing the settings of a browser. Thus, it was concluded that SearchTab Default Search is a browser hijacker.

What kind of malware is ZEON?

ZEON was discovered by dnwls0719. After doing our research, we learned that ZEON is ransomware written in the Python programming language. It encrypts files, changes the desktop wallpaper, and appends the ".zeon" extension to filenames.

For instance, it renames "1.jpg" to "1.jpg.zeon", "2.png" to "2.png.zeon". A ransom note is provided in the "re_ad_me.txt" file.

What is Pro Dark?

Our researchers discovered the Pro Dark browser extension while inspecting content promoted by deceptive download webpages. This piece of software promises to enable dark mode for websites. However, after analyzing Pro Dark, we determined that it operates as adware.

What is NOKOYAWA ransomware?

NOKOYAWA is a piece of malicious software classified as ransomware, which our research team found and sampled from VirusTotal. It is designed to encrypt data and demand payment for the decryption.

On our test machine, this ransomware encrypted files and appended their filenames with a ".NOKOYAWA" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.NOKOYAWA", and so on for all of the affected files. Once this process was completed, a ransom note - "NOKOYAWA_readme.txt" - was created on the desktop.

Research done by Trend Micro suggests that NOKOYAWA may be related to the Hive ransomware family.

What kind of scam is "Email policy & privacy violation"?

Our team has examined this email and learned that scammers use it to steal sensitive information. It is disguised as a letter from Microsoft. It also contains a hyperlink designed to open a phishing website requesting an email address and password.

What is HorizonLiving?

HorizonLiving is an adware-type application our researchers discovered while inspecting new submissions to VirusTotal. It is designed to run intrusive advertisement campaigns, and this app has data tracking abilities. Additionally, we have determined that HorizonLiving belongs to the AdLoad malware family.

What kind of scam is "McAfee Total Protection - Your PC might be infected with viruses!"?

Our team has discovered this scam while visiting pages that use shady advertising networks. After examining the page, we learned that it is a pop-up scam that uses a scare tactic to promote antivirus software (to trick users into purchasing its subscription). It claims that a computer is infected with viruses.

What is ShareAdvantage?

ShareAdvantage is a rogue app that our researchers found when a user reported it on a support forum. After analyzing this application, we determined that it operates as advertising-supported software (adware). Furthermore, ShareAdvantage is part of the AdLoad malware family.

What is RURansom ransomware?

RURansom is a piece of malicious software classified as ransomware. Typically, malware within this classification operates by encrypting files (rendering them inaccessible) to make ransom demands for the decryption (access recovery). However, we learned from the message created by RURansom that this program's goal is to irreversibly encrypt the data of Russian users - as a response to the war in Ukraine.

When we launched a sample on our test system, it encrypted files - but unlike most ransomware-type programs - it did not alter their filenames. Once the encryption process was completed, RURansom dropped a text file titled "Полномасштабное_кибервторжение.txt" onto the desktop and into various folders.