Virus and Spyware Removal Guides, uninstall instructions
What is ObliqueRAT?
A Remote Access (Administration) Trojan or RAT is a type of malware that allows cyber criminals to remotely access and control infected machines. Typically, RATs are used to distribute other malware (infect computers with other malicious software), monitor victims and collect sensitive information, and perform DDoS (distributed denial-of-service) attacks.
ObliqueRAT has already been updated several times (there are at least five variants). The campaign distributing ObliqueRAT started in April 2020, targets organizations in South Asia, and is still in progress.
What is the "Consignment was booked via DHL Express" scam email?
"Consignment was booked via DHL Express email virus" refers to a malware-spreading spam campaign. This term defines a mass-scale operation during which thousands of deceptive/scam emails are sent. These messages are presented as arranged shipment notifications from DHL International, a legitimate courier, package delivery, and express mail service.
Note that the "Consignment was booked via DHL Express" scam emails are in no way associated with the genuine DHL International GmbH. The goal of this spam campaign is to infect recipients' devices with the GuLoader malware.
Examples of this spam email have also been seen spreading FormBook malware.
What is Maxi ransomware?
Maxi is a type of malware that encrypts files and keeps them inaccessible unless they are decrypted with tools held only by the attackers.
Maxi also renames encrypted files by adding the maxicrypt@cock.li email address and appending the ".maxi" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.[maxicrypt@cock.li].maxi", "2.jpg" to "2.jpg.[maxicrypt@cock.li].maxi", and so on.
Usually, ransomware creates or displays ransom messages. Maxi creates the "HOW TO RECOVER ENCRYPTED FILES.TXT" file, which it places in all folders that contain affected data/encrypted files.
Note that Maxi belongs to the Amnesia ransomware family.
What is LauncherSetup?
Related to VideoBoxApp, LauncherSetup is an adware-type application with browser hijacker traits. Following successful installation, it runs intrusive advertisement campaigns and modifies browsers to promote fake search engines. Additionally, adware and browser hijackers typically monitor users' browsing activity.
Due to the dubious techniques employed to proliferate LauncherSetup, it is classified as a Potentially Unwanted Application (PUA). This app has been observed being spread via fake Adobe Flash Player updates. Bogus software updaters/installers proliferate PUAs, trojans, ransomware, and other malware.
What is Big Linker?
Browser hijackers are potentially unwanted applications (PUAs) used to promote fake search engines by changing the settings of web browsers. The Big Linker browser hijacker promotes keysearchs.com in this way and collects browsing histories. It might also access other data.
Apps such as Big Linker fall into the category of PUAs because most users download and install them unintentionally.
What is DefaultExplorer?
DefaultExplorer is rogue software designed to deliver intrusive advertisements and promote fake search engines by making modifications to browser settings. Therefore, this application is classified as adware and is considered to have browser hijacker traits.
In addition, most apps of this type collect browsing-related information. Due to the dubious tactics employed to distribute DefaultExplorer (e.g., via fake Adobe Flash Player updates), it is categorized as a Potentially Unwanted Application (PUA).
What is STEEL?
Ransomware is a type of malware that prevents victims from accessing their computers or files stored on them. The program encrypts data and displays (or creates) a ransom message demanding payment to release files.
STEEL encrypts and renames files by appending a string of random characters as the file extension. For example, "1.jpg" is renamed to "1.jpg.TQ9t7", "2.jpg" to "2.jpg.TQ9t7", and so on. It also creates the "HOW_TO_RESTORE_FILES.txt" file (ransom message), which can be found in all folders that contain affected data.
What is CORONA LOCKER?
CORONA LOCKER is a ransomware-type program, an updated variant of Aurora. It operates by encrypting the data stored on infected systems to demand ransoms for decryption.
When CORONA LOCKER encrypts files, it appends the ".systems32x" extension to their filenames. For example, a file originally named "1.jpg" would appear as "1.jpg.systems32x", "2.jpg" as "2.jpg.systems32x", and so on.
After this process is complete, identical ransom messages are created as "@_FILES_WERE_ENCRYPTED_@.TXT", "@_HOW_TO_PAY_THE_RANSOM_@.TXT", and "@_HOW_TO_DECRYPT_FILES_@.TXT" text files, which are dropped into affected folders.
What is SubVideoTube?
Developers of apps such as SubVideoTube use deceptive tactics to distribute their apps. Users often download and install them inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs).
It is likely that the installer for SubVideoTube comes bundled with adware, a browser hijacker, or other PUAs. Therefore, SubVideoTube and other PUAs installed on browsers or operating systems should be removed immediately.
What is artepigr[.]com?
artepigr[.]com is similar to maincaptchasource[.]com, vossulekuk[.]com, continue-site[.]site, and other rogue pages that show/load dubious content or open other bogus web pages.
Users rarely open sites like artepigr[.]com intentionally. They are opened through deceptive ads, other dubious pages, or by installed potentially unwanted applications (PUAs).
PUAs can promote untrusted web pages, gather information about users, and generate advertisements.