Virus and Spyware Removal Guides, uninstall instructions

Safewinodws.com Ads

What kind of page is safewinodws[.]com?

During a routine inspection of rogue sites, our researchers discovered safewinodws[.]com. This webpage is designed to load deceptive content, promote browser notification spam, and redirect visitors to other unreliable/harmful pages.

Most visitors to safewinodws[.]com and websites akin to it enter them via redirects caused by pages that use rogue advertising networks. Other ways of entering include mistyped URLs or redirects caused by intrusive ads, spam notifications, or installed adware.

   
SearchAim Adware (Mac)

What kind of application is SearchAim?

We discovered the SearchAim application after executing a fake Adobe Flash Player installer downloaded from a deceptive page. While installed, SearchAim displayed various untrustworthy advertisements. Thus, we have concluded that SearchAim is an advertising-supported application.

   
OpenSea Email Scam

What is the "OpenSea" scam email?

The "OpenSea email scam" refers to a phishing spam campaign targeting accounts on OpenSea, an NFT (Non-Fungible Token) marketplace. These fake letters lure recipients into disclosing their account log-in credentials by claiming that they need to move their listings to avoid their expiration and additional fees. According to the news available online, this phishing scam has already resulted in million-dollar losses for OpenSea users.

   
Ourcoolposts.com Ads

What kind of website is ourcoolposts[.]com?

Ourcoolposts[.]com is a website that uses a clickbait technique to trick visitors into allowing it to show notifications. We discovered ourcoolposts[.]com while clicking on shady ads and visiting pages that use questionable advertising networks. In most cases, sites like ourcoolposts[.]com get visited inadvertently.

   
Gcyi Ransomware

What is Gcyi ransomware?

Gcyi is a ransomware-type program designed to encrypt data and demand ransoms for the decryption. Our researchers found and obtained a sample of this malware from VirusTotal.

We have determined that Gcyi belongs to the Djvu ransomware family. During analysis, this ransomware appended a ".gcyi" extension to the filenames of encrypted files. For example, a file originally titled "1.jpg" appeared as "1.jpg.gcyi", "2.jpg" as "2.jpg.gcyi", and so on. Afterwards, a ransom note, "_readme.txt", was created.

   
MURK Ransomware

What kind of malware is MURK?

MURK is ransomware that was discovered by our team while examining the malware samples submitted to VirusTotal. It was found that MURK encrypts files (and modifies their filenames) and generates two files containing ransom notes - "info.txt" and "info.hta". It is part of the Phobos ransomware family.

It appends the victim's ID, the 24recovery@onionmail.org email address, and the ".MURK" extension to filenames. For instance, MURK renames "1.jpg" to "1.jpg.id[9ECFA84E-3308].[24recovery@onionmail.org].MURK", "2.jpg" to "2.jpg.id[9ECFA84E-3308].[24recovery@onionmail.org].MURK", and so on.

   
TradeValor Adware (Mac)

What kind of application is TradeValor?

We discovered the TradeValor application after clicking on a pop-up, displayed by a deceptive page, implying that Adobe Flash Player was out of date. After installation, TradeValor started showing annoying advertisements. Thus, we concluded that TradeValor is an advertising-supported application.

   
Worthyrid.com Ads

What kind of page is worthyrid[.]com?

During a routine inspection of rogue websites, our research team found the worthyrid[.]com site. It pushes browser notification spam and redirects visitors to other untrustworthy/harmful pages. Users typically access webpages like worthyrid[.]com via redirects caused by sites using deceptive advertising networks.

   
SpeedTestMe Adware

What is SpeedTestMe?

Discovered by our researchers while inspecting sites that use rogue advertising networks, SpeedTestMe is a browser extension endorsed as an Internet speed testing tool. It is supposedly capable of measuring webpage loading times, download speeds, etc. Having analyzed this extension, we can conclude that it operates as adware.

   
Qmam4 Ransomware

What is Qmam4 ransomware?

Qmam4 is a piece of malicious software categorized as ransomware. Our research team found this malware during a routine inspection of new submissions on VirusTotal.

While analyzing a sample of Qmam4, we learned that it renames the encrypted files by appending a random character string and the ".qmam4" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.r8vPZRn3AswCHnMkuNqTujoCI0uaPEqooovazZCT1zD_FgAAABYAAAA0.qmam4" after encryption.

Once this process was completed, the ransomware created a ransom note - "C3QW_HOW_TO_DECRYPT.txt" - on our test machine's desktop.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
