Virus and Spyware Removal Guides, uninstall instructions

IRS Crypto Scam

What is the fake "IRS Crypto" website?

After inspecting "IRS Crypto", we determined that it is a scam. It imitates the IRS (Internal Revenue Service); specifically, it is presented as a portal for handling taxes on cryptocurrency.

When users connect their digital wallets to this fake website, it begins operating as a crypto drainer. Essentially, this scheme is designed to steal digital assets from victims.

   
World Wide Web Unwanted Application

What kind of application is World Wide Web?

This app named "World Wide Web" is a PUA (Potentially Unwanted Application). Software within this classification typically possesses undesirable and even harmful functionalities.

The installer we discovered promoting the World Wide Web application included other suspicious software. It is noteworthy that this app may infiltrate systems alongside the Artificius rogue browser.

   
Laxsearch.com Redirect

What kind of website is laxsearch.com?

Laxsearch.com is the address of a fake search engine endorsed by the Lax Search browser hijacker. It makes modifications to browser settings in order to generate redirects to the laxsearch.com site. It is likely that Lax Search also spies on users' browsing activity.

   
Universal Browser Unwanted Application

What is Universal Browser?

After examining the Universal Browser app, its actual purpose remained unclear, although the app's name suggests that it is a web browser. It is important to note that multiple security vendors flagged both the installer distributing Universal Browser and the app itself as malicious. Thus, users should avoid installing Universal Browser on their computers.

   
Jirin.app Adware (Mac)

What kind of application is Jirin.app?

Our examination of Jirin.app has revealed that it is one of the many adware-type apps belonging to the Pirrit family. The purpose of this program is to deliver intrusive and potentially misleading advertisements to users. Thus, Jirin.app should be uninstalled from devices.

   
Alladvertisingdomclub.club Ads

What kind of page is alladvertisingdomclub[.]club?

Upon examining alladvertisingdomclub[.]club, we concluded that the purpose of this page is to deceive unsuspecting visitors into allowing it to show notifications. Also, alladvertisingdomclub[.]club can redirect users to other web pages. Overall, alladvertisingdomclub[.]club is an unreliable website that users should avoid visiting.

   
Scrypt Ransomware

What kind of malware is Scrypt?

While investigating new file submissions to the VirusTotal platform, our research team discovered Scrypt ransomware. Its purpose is to encrypt files and demand payment for their decryption.

On our testing system, this ransomware encrypted files and appended a ".scrypt" extension to their filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.scrypt", "2.png" as "2.png.scrypt", etc.

After the encryption process was completed, a ransom-demanding message titled "readme.txt" was dropped. This note lacked critical information, which suggests that this iteration of Scrypt is still in development.

   
Hedgies Giveaway Scam

What is the fake "Hedgies Giveaway"?

During our examination of nft-hedgies[.]com, we discovered that it is a scam website pretending to be a cryptocurrency airdrop (giveaway) launched by Hedgies (hedgies[.]wtf). Scammers behind nft-hedgies[.]com aim to lure potential participants into performing actions allowing scammers to steal cryptocurrency from victims. Overall, nft-hedgies[.]com is not a trustworthy page.

   
Vehu Ransomware

What kind of malware is Vehu?

Vehu is ransomware that we discovered while examining malware samples uploaded to VirusTotal. Our findings are that Vehu belongs to the Djvu family, encrypts files, appends the ".vehu" extension to filenames, and provides a ransom note ("_README.txt"). It is worth noting that ransomware from the Djvu family tends to be distributed together with RedLine, Vidar, or similar malware.

An example of how Vehu changes filenames: it renames "1.jpg" to "1.jpg.vehu", "2.png" to "2.png.vehu", and so forth.

   
Paaa Ransomware

What kind of malware is Paaa?

Paaa is a ransomware variant from the Djvu family. We discovered Paaa during our analysis of samples submitted to the VirusTotal site. This ransomware uses encryption to prevent victims from accessing their files. Additionally, it appends the ".paaa" extension to filenames and drops the "!!!README!!!.txt" file (a ransom note).

An example of how Paaa modifies filenames: it renames "1.jpg" to "1.jpg.paaa", "2.png" to "2.png.paaa", and so on. It is important to mention that Paaa might be distributed alongside information stealers (e.g., RedLine or Vidar).

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
