Virus and Spyware Removal Guides, uninstall instructions

DefaultExplorer Adware (Mac)

What is DefaultExplorer?

DefaultExplorer is rogue software designed to deliver intrusive advertisements and promote fake search engines by making modifications to browser settings. Therefore, this application is classified as adware and is considered to have browser hijacker traits.

In addition, most apps of this type collect browsing-related information. Due to the dubious tactics employed to distribute DefaultExplorer (e.g., via fake Adobe Flash Player updates), it is categorized as a Potentially Unwanted Application (PUA).

   
STEEL Ransomware

What is STEEL?

Ransomware is a type of malware that prevents victims from accessing their computers or files stored on them. The program encrypts data and displays (or creates) a ransom message demanding payment to release files.

STEEL encrypts and renames files by appending a string of random characters as the file extension. For example, "1.jpg" is renamed to "1.jpg.TQ9t7", "2.jpg" to "2.jpg.TQ9t7", and so on. It also creates the "HOW_TO_RESTORE_FILES.txt" file (ransom message), which can be found in all folders that contain affected data.

   
CORONA LOCKER Ransomware

What is CORONA LOCKER?

CORONA LOCKER is a ransomware-type program, an updated variant of Aurora. It operates by encrypting the data stored on infected systems to demand ransoms for decryption.

When CORONA LOCKER encrypts, files are appended with the ".systems32x" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.systems32x", "2.jpg" as "2.jpg.systems32x", and so on.

After this process is complete, identical ransom messages are created as "@_FILES_WERE_ENCRYPTED_@.TXT", "@_HOW_TO_PAY_THE_RANSOM_@.TXT", and "@_HOW_TO_DECRYPT_FILES_@.TXT" text files, which are dropped into affected folders.

   
SubVideoTube Adware (Mac)

What is SubVideoTube?

Developers of apps such as SubVideoTube use deceptive tactics to distribute their apps. Users often download and install them inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs).

It is likely that the installer for SubVideoTube comes bundled with adware, a browser hijacker, or other PUAs. Therefore, SubVideoTube and other PUAs installed on browsers or operating systems should be removed immediately.

   
Artepigr.com Ads

What is artepigr[.]com?

artepigr[.]com is similar to maincaptchasource[.]com, vossulekuk[.]com, continue-site[.]site, and other rogue pages that show/load dubious content or open other bogus web pages.

Users do not often open sites like artepigr[.]com intentionally - they are opened through deceptive ads, other dubious pages, or by installed potentially unwanted applications (PUAs).

PUAs can promote untrusted web pages, gather information about users, and generate advertisements.

   
PDFSearchWeb Browser Hijacker

What is PDFSearchWeb?

Typically, users download and install browser hijackers inadvertently. Therefore, PDFSearchWeb and other applications of this kind are classified as potentially unwanted applications (PUAs).

The main purpose of browser hijackers is to modify browser settings to promote specific addresses (fake search engines). They also gather browsing-related (and other) data. Therefore, you should remove PDFSearchWeb from browsers/computers.

   
BleachGap Ransomware

What is BleachGap ransomware?

BleachGap is a ransomware-type program. It operates by encrypting data and demanding payment for decryption. In other words, the files affected by BleachGap are rendered inaccessible and victims are asked to pay a ransom to regain access.

During the encryption process, files are appended with the ".lck" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.lck" following encryption.

At the time of research, BleachGap seemingly had an unintentional flaw: it left the original file and created two encrypted copies (e.g., "1.jpg.lck" and "1.jpg.lck.lck"). The original was likely intended for deletion, with only the compromised copy remaining.

After the encryption process is complete, ransom messages are dropped onto the desktop. This ransomware creates 100 copies of the message, named as follows: "Pay2Decrypt1.txt", "Pay2Decrypt2.txt", "Pay2Decrypt3.txt", and so on up to "Pay2Decrypt100.txt".

   
Ades Stealer

What is Ades?

Information stealers are malware programs that can be designed to record keystrokes, take screenshots, and gather other data in order to send it to the attackers. Malware of this type can run stealthily in the background so that victims do not suspect infection.

Ades is a stealer written in the C# multi-paradigm programming language and uses Telegram as its command & control (C2) platform.

Ades is sold on hacker forums for 4000 RUB, or can be purchased through a subscription for 400 RUB per month.

   
DefaultTool Adware (Mac)

What is DefaultTool?

DefaultTool is a piece of dubious software, which operates as adware and a browser hijacker. It delivers intrusive advertisements and promotes fake search engines by making changes to browser settings. Due to the dubious techniques used to proliferate DefaultTool, it is also categorized as a Potentially Unwanted Application (PUA).

Most PUAs collect browsing-related information, and DefaultTool likely has these data tracking capabilities as well. This app has been observed being proliferated via fake Adobe Flash Player updates. Note that bogus software updaters/installers are employed to spread PUAs, trojans, ransomware, and other malware as well.

   
Urs Ransomware

What is Urs ransomware?

Usually, ransomware prevents victims from accessing their files or the entire system. It encrypts files and demands payment (typically, in Bitcoins) in exchange for a decryption tool (software, key).

Urs encrypts files and renames them by appending the victim's ID, the necurs@aol.com email address, and the ".urs" extension. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[necurs@aol.com].urs", "2.jpg" to "2.jpg.id-C279F237.[necurs@aol.com].urs", and so on.

Urs also displays a pop-up window and creates the "FILES ENCRYPTED.txt" file (ransom message).

Note that Urs is part of the Dharma ransomware family.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
