Virus and Spyware Removal Guides, uninstall instructions

What is Yulnedxmo?

A ransomware attack is a type of malware attack in which the attacker (the ransomware) encrypts the victim's data and then demands payment to decrypt data.

Usually, files are encrypted and renamed. Yulnedxmo renames files by appending the ".yulnedxmo" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.yulnedxmo", "2.jpg" to "2.jpg.yulnedxmo", and so on.

Ransomware often displays and/or creates ransom messages. Yulnedxmo creates the "HOW TO RESTORE YOUR FILES.TXT" file, which can be found in all folders that contain encrypted files.

Note that this ransomware belongs to the Snatch ransomware family.

What is Paras1te?

Ransomware is a type of malware that prevents victims from accessing their computers or the files that are stored on them. This is an updated version of Parasite ransomware.

Paras1te blocks access to files by encryption. It also renames every encrypted file by appending the ".paras1te" to its filename. For example, "1.jpg" is renamed to "1.jpg.paras1te", "2.jpg" to "2.jpg.paras1te", and so on.

Paras1te instructs victims to follow the instructions in a pop-up window ("info.hta"), which it displays once the computer is infected.

What kind of malware is Micro ransomware?

Micro is a malicious program, which is part of the CryptoWall ransomware family. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption (the stored files are rendered inaccessible and renamed).

When this ransomware encrypts, affected files are appended with the ".micro" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.micro", "2.jpg" as "2.jpg.micro", "3.jpg" as "3.jpg.micro", and so on.

Once this process is complete, identical ransom messages within "help_recover_instructions.txt", "help_recover_instructions.HTM", and "help_recover_instructions.png" files are dropped into compromised folders.

What kind of page is update-for-today[.]com?

Update-for-today[.]com is a deceptive website promoting various pop-up scams. At the time of research, this site ran a scheme targeting Android device users. The scam implies that the device's cleaning/protection software (essentially, the anti-virus tool) is outdated.

Schemes of this type are commonly used to promote a variety of untrusted software, including fake anti-viruses, adware, browser hijackers, and other Potentially Unwanted Applications (PUAs). In some cases, these scams even proliferate Trojans, ransomware, and other malware.

What is greenmode[.]biz?

Pages such as greenmode[.]biz are rogue: the content of these pages is deceptive and is used to promote other dubious web pages. Users are forced to visit pages such as greenmode[.]biz against their will. These pages are usually promoted through dubious advertisements, bogus websites or potentially unwanted applications (PUAs). Note also that users do not often download or install PUAs intentionally.

More examples of pages like greenmode[.]biz are zvideo-live[.]com, fastcaptchasolver[.]com, and fypretailo[.]top.

What is PDFSearchly?

Browser hijackers are potentially unwanted applications (PUAs) that modify browser settings to force users to visit certain websites (typically, to use fake search engines). PDFSearchly assigns browser settings to pdfsearchly.com.

Apps of this type are classified as PUAs because most users download and install them inadvertently. As well as changing browser settings, browser hijackers collect browsing (and other) data.

What is TRU8?

The main purpose of TRU8 is to encrypt files (prevent victims from accessing their data) and keep them encrypted until a ransom is paid. This ransomware also modifies the filenames of all encrypted files and creates "!README_TRU8!.rtf" text files in folders that contain encrypted files.

TRU8 renames files by replacing their filenames with the tru888@qq.com email address, a string of random characters, and the ".TRU8" extension. For example, "1.jpg" is renamed to "[TRU888@QQ.COM].ChQ3nDlk-Hth6l9hM.TRU8", "2.jpg" to "[TRU888@QQ.COM].MbO5gFpb-frj4p3lO.TRU8", and so on.

Note that TRU8 belongs to the family of ransomware called Matrix.

What is system-protection-required[.]com?

Typically, pages such as system-protection-required[.]com display fake notifications suggesting that a device may be not safe, or is already infected with viruses or other threats, and encourage visitors to download and install an application to supposedly remove the viruses, protect the device, etc.

Frequently, users arrive at this site after visiting other dubious web pages, clicking deceptive ads, or when they have potentially unwanted applications (PUAs) installed on the device (or browser). I.e., system-protection-required[.]com and similar sites are not often visited by users intentionally.

What is Dong page browser hijacker?

Dong page is a browser hijacker, promoting the keysearchs.com bogus search engine. Typically, software within this classification promotes various fake search engines by making modifications to browser settings, however, Dong page does not actually modify browsers in this way (see below).

Additionally, this browser hijacker has data tracking capabilities, which are used to collect browsing-related information. Due to the dubious methods employed in browser hijacker distribution, these programs are also classified as Potentially Unwanted Applications (PUAs).

What is zvideo-live[.]com?

Sharing many common traits with fastcaptchasolver.com, fypretailo.top, uploadhub.co, financeflick.com and countless others, zvideo-live[.]com is a rogue website. Visitors to these web pages are presented with dubious material and redirected to other bogus and malicious websites.

Typically, users encounter zvideo-live[.]com and similar websites unintentionally. Most users are redirected to them by intrusive ads or by Potentially Unwanted Applications (PUAs) already installed on their systems. This software does not require explicit user consent to infiltrate devices.