Virus and Spyware Removal Guides, uninstall instructions
What is the "Burofax Online" scam email?
"Burofax Online" refers to a spam email campaign spreading the Mekotio Trojan. The term "spam campaign" describes a large-scale operation, during which thousands of deceptive/scam emails are sent.
The messages sent in this particular campaign are disguised as notifications concerning an unspecified shipment. However, instead of containing any information about the fake shipment, the link in the emails initiates the infection process of Mekotio malware. This Trojan is designed to target banking information and is highly dangerous.
What is Fcorp?
Discovered by GrujaRS, Fcorp is based on open-source ransomware called Hidden Tear.
Fcorp encrypts files and appends the ".fcorp" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.fcorp", "2.jpg" to "2.jpg.fcorp", etc. This ransomware also replaces the desktop wallpaper with its ransom message and creates the "READ_IT.txt" text file (a second ransom message).
ByteLocker ransomware removal instructions
What is ByteLocker?
Discovered by GrujaRS, ByteLocker is a ransomware-type program based on the Hidden Tear (HiddenTear) open-source project. Systems infected with this malware experience data encryption and users receive ransom demands for decryption.
Typically, ransomware encrypts files and changes the associated filenames. However, this is not the case with ByteLocker: files are encrypted but maintain their original names.
Once the encryption process is complete, a ransom message is created in a pop-up window.
What is ProductChannel?
ProductChannel displays advertisements, changes browser settings, and collects sensitive information. ProductChannel is a type of app that functions as adware, a browser hijacker, and data collector.
These apps are often downloaded and installed by users unintentionally and, for this reason, they are categorized as potentially unwanted applications (PUAs).
What kind of malware is BLADABINDI?
BLADABINDI is a backdoor threat designed to inject systems with malicious payloads. That is, following successful infiltration, it stealthily downloads/installs malware onto affected systems. At the time of research, BLADABINDI has been observed being spread through, and bundled with, Windscribe VPN installers.
"Bundling" is the term used to describe a deceptive marketing technique of packing ordinary software with unwanted or malicious additions. Note that Windscribe is a legitimate cyber-security and privacy company offering tools geared towards device and online security/privacy.
The BLADABINDI backdoor bundled with the aforementioned VPN application was not distributed through official channels (e.g. Windscribe's website, Google or Apple stores). Cyber criminals promoted the modified installers through unofficial and third-party download sources.
What is the Junkie web browser hijacker?
Junkie web is a browser hijacker, which promotes the keysearchs.com fake search engine. Software within this classification usually operates by making modifications to browser settings in order to promote bogus search engines. Despite this, Junkie web does not always modify browsers when promoting keysearchs.com (see below).
Additionally, this browser hijacker monitors users' browser activity. Due to the dubious methods employed to proliferate Junkie web, it is also classified as a Potentially Unwanted Application (PUA).
What is systemnotices[.]com?
There are many deceptive websites that display fake virus notifications stating that the device (typically an iPhone) is infected and/or that there are other problems that must be resolved immediately, otherwise more damage will be done. systemnotices[.]com is one of these websites.
The main purpose of these bogus web pages is to scare visitors into downloading potentially unwanted applications (PUAs).
What is InitialProgram?
InitialProgram is untrusted software classified as adware, which also has browser hijacker traits. Following successful infiltration, this application delivers intrusive advertisement campaigns (resulting in various unwanted ads) and makes changes to browser settings to promote bogus search engines.
Due to the dubious tactics employed in InitialProgram's distribution, it is also categorized as an unwanted application. Furthermore, most apps of this kind have data tracking capabilities, which are used to monitor users' browsing habits.
InitialProgram has been observed being proliferated via fake Adobe Flash Player updates. These bogus software updaters spread shady apps and also Trojans, ransomware and other malware.
What is Dexx ransomware?
Dexx is malicious software and part of the Dharma ransomware group. It operates by encrypting data and demanding payment for decryption. When Dexx ransomware encrypts files, it renames them following this pattern: original filename, unique ID assigned to the victim, cyber criminals' email address, and the ".dexx" extension.
For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[decryptex@airmail.cc].dexx" after encryption. Once this process is complete, ransom-demand messages are created in a pop-up window and in the "FILES ENCRYPTED.txt" text file.
What is freshnewmessage[.]com?
Typically, users do not visit addresses such as freshnewmessage[.]com intentionally. They are opened after deceptive ads are clicked or other bogus websites are visited. These sites are also opened when potentially unwanted applications (PUAs) are installed on browsers and/or operating systems.
More examples of web pages similar to freshnewmessage[.]com include pointcaptchaspot[.]com, check-me[.]online, and holanews[.]biz.