Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is reL?

We detected the reL ransomware variant (which belongs to the Dharma ransomware family) while checking the samples submitted to VirusTotal. We found that reL encrypts files and appends the victim's ID, release@techmail.info email address, and the ".reL" extension to filenames. Also, it displays a pop-up window and creates the "info.txt" file (ransom notes).

An example of how reL renames files: it changes "1.jpg" to "1.jpg.id-9ECFA84E.[release@techmail.info].reL", "2.png" to "2.png.id-9ECFA84E.[release@techmail.info].reL", and so forth.

5What kind of website is protecthub[.]xyz?

Protecthub[.]xyz displays deceptive content to fraudulently promote legitimate software and asks for permission to show notifications. Additionally, it might be designed to redirect visitors to other shady websites. Our team has discovered protecthub[.]xyz while examining sites that use rogue advertising networks.

What kind of application is Data Shield for Chrome?

Data Shield for Chrome is a browser hijacker designed to promote search.wiseghostapp.com - a fake search engine. It hijacks a web browser by changing its settings. Our malware researchers have found Data Shield for Chrome on a deceptive website promoted via other sites that use questionable advertising networks.

What kind of page is read-new-post[.]com?

Read-new-post[.]com displays deceptive content to get permission to feed visitors with shady advertisements. It also redirects to untrustworthy pages. We have discovered it while inspecting pages that use rogue advertising networks (illegal movie streaming pages, torrent sites, etc.).

What kind of page is detectvid[.]com?

Detectvid[.]com is a rogue webpage that we discovered during a routine inspection of shady sites. It is designed to trick visitors into enabling its spam browser notifications and cause redirects to other untrustworthy/malicious websites. Users typically enter such pages via redirects caused by sites using rogue advertising networks.

What kind of page is masterofkeeps[.]xyz?

We discovered the masterofkeeps[.]xyz webpage while researching untrustworthy sites. This rogue page loads deceptive content, pushes browser notification spam, and redirects visitors to other unreliable/hazardous websites. Most users enter sites like masterofkeeps[.]xyz through others that use rogue advertising networks.

What is LKS ransomware?

LKS is a piece of malicious software classified as ransomware that our research team discovered during a routine inspection of new submissions to VirusTotal. After analyzing this program, we determined that it belongs to the Phobos ransomware family.

Once a sample was executed on our test system, LKS encrypted files and changed their filenames. The renaming pattern consisted of the file's original name, a unique ID, the cyber criminals' email address, and the ".LKS" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.id[9ECFA84E-3314].[cvqwlkpmbc@aol.com].LKS". Afterwards, this ransomware displayed/created ransom notes in a pop-up window ("info.hta") and text file ("info.txt").

What is the "Your Windows 10 is infected with viruses" pop-up?

During a routine inspection of rogue websites, our researchers discovered the masterofkeeps[.]xyz website, which in turn resulted in us learning of the "Your Windows 10 is infected with viruses" scam. This scheme makes false claims about visitors' devices being infected in order to gain and subsequently abuse users' trust. Typically, such scams are used to endorse untrustworthy/harmful software and/or obtain funds through fraud.

It must be emphasized that while "Your Windows 10 is infected with viruses" employs the names of genuine products/companies, it is in no way associated with either the Microsoft Corporation or McAfee Corp.

What kind of malware is Escobar?

Our malware researchers have found Escobar while inspecting hacker forums. It is a banking Trojan targeting Android users. We learned that at the moment, its developer is offering to purchase a monthly subscription of the Beta version for $3000.

What is Koobn ransomware?

Koobn is a ransomware-type program that our research team sampled from VirusTotal. Malware of this type is designed to render data inaccessible and demand ransoms for the recovery.

Once launched on our test machine, this ransomware encrypted files and appended their filenames with a random character string and the ".koobn" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.eiIZ7Mio4ZN1Jp55iKjeRGir8QNGGVc8oEdwJplOOHf_mwWz_OGsrdM0.koobn".

After the encryption process was completed, Koobn dropped a ransom note - "7CYT_HOW_TO_DECRYPT.txt" - onto the desktop. Based on the message in this file, we can surmise that this ransomware targets companies rather than home users.