Virus and Spyware Removal Guides, uninstall instructions

What is crDypted ransomware?

crDypted is a ransomware-type program designed to encrypt data (render files inaccessible) and demand ransoms for the decryption.

After launching a sample obtained from VirusTotal on our test machine, it encrypted files and appended them with a ".crDypted000007" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.crDypted000007", and so forth.

Once the encryption process was finished, crDypted created a ransom note - "README1.txt", changed the desktop wallpaper, and made a new user account named "Hack".

What kind of application is Search-Power?

While testing the Search-Power application, our team has learned that it is a browser hijacker used to promote the searchpower.xyz address (a fake search engine). It hijacks a web browser by modifying its settings. We have discovered Search-Power while visiting pages that use rogue advertising networks.

What kind of software is DecipherPerformance?

Our team has tested the DecipherPerformance application and learned that it functions as a browser hijacker and an advertising-supported software: it changes the web browser's settings to promote a fake search engine and displays advertisements. We discovered DecipherPerformance while examining shady, deceptive pages.

What is ActiveProgram?

ActiveProgram is another app from the AdLoad malware family, which our research team found when looking through new submissions on VirusTotal.

After a sample was launched on our test system, we determined that this application operates as adware. While it did not show any browser hijacker behavior, our experience with AdLoad software suggests that it might have such functionalities.

What is Nuhtab?

Nuhtab is a rogue browser extension that promises to allow desktop customization. When our researchers tested this software, it operated as a browser hijacker. In other words, Nuhtab altered browser settings to promote the nuhtab.com fake search engine and spied on users' browsing activity.

What kind of page is securestuff[.]xyz?

Detected by our research team when inspecting untrustworthy websites, securestuff[.]xyz is a rogue page. It is designed to load dubious content (e.g., "McAfee - Your PC is infected with 5 viruses!" scam), promote browser notification spam, and/or redirect visitors to other unreliable and malicious sites.

Webpages like securestuff[.]xyz are primarily accessed via redirects caused by sites that use rogue advertising networks.

What is the "OpenSea" scam?

The "OpenSea" scam refers to phishing sites disguised as the OpenSea online NFT (Non-Fungible Token) marketplace. The goal of this scheme is to extract users' cryptowallet log-in credentials and subsequently gain access/control over the wallets.

The address of the scam website our researchers have studied is close to OpenSea's; hence, we cannot exclude the possibility of users accessing it by mistyping the URL.

What is the "Coinbase" scam?

The "Coinbase" scam is classified as phishing. It is presented as the sign-in page of Coinbase - the cryptocurrency exchange platform offering various crypto-related services. Attempts to log in through these phishing sites can result in Coinbase account theft and other serious issues.

What is Bl ransomware?

When looking into new submissions on VirusTotal, our researchers found another malicious program belonging to the Dharma ransomware family - called Bl.

Once executed on our test system, this ransomware encrypted files and changed their names. Affected files were retitled according to this pattern - original filename, unique ID, cyber criminals' email address, and the ".Bl" extension. For example, a file like "1.jpg" appeared as "1.jpg.id-9ECFA84E.[mr.black@disroot.org].Bl".

Following the completion of this process, Bl displayed/created ransom notes in a pop-up window and text file named "info.txt".

What is Shortcuts adware?

Shortcuts is a rogue app, promoted as an easy-access (shortcut) tool to various applications like Netflix, Amazon, CNN, Facebook, calculator, etc. After downloading and launching a sample on our testing machine, we observed this piece of software operating as adware.