Virus and Spyware Removal Guides, uninstall instructions
What is Bloom adware?
Bloom is a piece of advertising-supported software (adware), which our research team discovered while inspecting shady download pages. We have also noted that this application is practically identical to Tone adware.
What kind of malware is XRED?
XRED is ransomware that encrypts files (makes them unusable), creates the "read_it.txt" file, changes the desktop wallpaper, and appends four random characters to filenames. Our malware researchers discovered this ransomware while examining samples submitted to VirusTotal.
An example of how XRED modifies filenames: it renames "1.jpg" to "1.jpg.3f2a", "2.png" to "2.png.pu9o", and so forth. The text file created by XRED contains a ransom note.
What is Plus Darker?
Plus Darker is a browser extension advertised as a tool capable of enabling dark mode for simple websites. We have determined that this piece of software operates as a browser hijacker. Plus Darker changes browser settings to promote the getsins.com fake search engine, and it spies on users' browsing activity.
What kind of malware is DIKE?
DIKE is ransomware that cybercriminals use to blackmail victims. It encrypts files and generates "info.hta" and "info.txt" files that contain ransom notes. We discovered DIKE while checking VirusTotal for submitted malware samples. We found that DIKE is part of the Phobos ransomware family.
Additionally, DIKE renames encrypted files by appending the victim's ID, the taoshan@privatemail.com email address, and the ".DIKE" extension to filenames. For example, it renames "1.jpg" to "1.jpg.id[9ECFA84E-3316].[taoshan@privatemail.com].DIKE" and "2.jpg" to "2.jpg.id[9ECFA84E-3316].[taoshan@privatemail.com].DIKE".
What kind of page is allowww[.]com?
Discovered by our researchers while inspecting untrustworthy websites, allowww[.]com is a rogue webpage. It operates by promoting browser notification spam and redirecting visitors to unreliable/malicious sites.
Most users enter allowww[.]com and similar websites inadvertently. Users can access them via mistyped URLs or redirects caused by pages that use rogue advertising networks, spam notifications, intrusive advertisements, or installed advertising-supported software (adware).
What kind of page is next-message[.]com?
Next-message[.]com is an untrustworthy website designed to trick visitors into allowing it to show notifications. It uses a clickbait technique, displaying deceptive content, to get that permission. Our team discovered next-message[.]com while inspecting pages that use rogue advertising networks.
What kind of scam is "Request to close your email"?
Our team has analyzed this email and found that it is disguised as a letter from the email service provider. It contains a hyperlink that opens a phishing website asking visitors to provide login credentials. The purpose of this phishing email is to trick recipients into providing their email account passwords.
What kind of page is yoursecuresoft[.]com?
Yoursecuresoft[.]com is a rogue website that promotes deceptive material, pushes browser notification spam, and redirects visitors to other unreliable/malicious sites.
Our research team found this page while inspecting shady websites. Most users access yoursecuresoft[.]com and similar webpages via redirects caused by sites using rogue advertising networks.
What is 1k3pl ransomware?
Discovered by our research team while inspecting new malware submissions on VirusTotal, 1k3pl is a piece of malicious software categorized as ransomware.
After being executed on our test system, 1k3pl began encrypting files and renaming them by appending a random character string and the ".1k3pl" extension to the filenames. For example, a file originally named "1.jpg" appeared as "1.jpg.EurKwTJRH6qkQ16EevMwYO4Yny-zeqG_06JmClxjZQ3_KgAAACoAAAA0.1k3pl".
Once this process was completed, a ransom note "HXUo_HOW_TO_DECRYPT.txt" was created. We can surmise that 1k3pl targets companies rather than home users, since the information provided by its text file and website implies this. It is noteworthy that enterprise-targeting ransomware infections can be highly customized and vary from victim to victim.
What is S-400 malware?
S-400 is the name of a Remote Access Trojan (RAT) that our research team found while inspecting new malware submissions to VirusTotal. Trojans of this type enable stealthy remote access and control over infected devices. RATs typically have a broad range of functionalities that allow them to perform various malicious actions.