Virus and Spyware Removal Guides, uninstall instructions

What is XcodeSpy?

XcodeSpy malware targets Apple developers and spreads through malicious (trojanized) Xcode projects (Run Script feature in Xcode IDE). Research shows that one of these malicious Xcode projects (called TabBarInteraction) supposedly includes features for animating the iOS Tab Bar.

It is likely that there is more than one trojanized Xcode project. Malicious code used by XcodeSpy can easily be hidden and launched in any third-party Xcode project.

XcodeSpy (or rather the backdoor it injects) can record audio using the microphone, video using camera, and keyboard input. It can also download and upload files.

What is the DiStUrBeD ransomware?

DiStUrBeD is a malicious program belonging to the Xorist ransomware family. It operates by encrypting data (thereby making the files inaccessible) and demanding payment for decryption.

During the encryption process, files are appended with the ".DiStUrBeD" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.DiStUrBeD" following encryption.

After this process is complete, identical ransom messages are created in a pop-up window and "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" text file.

Note that if the compromised system does not have the Cyrillic alphabet, the text presented in the pop-up will appear as nonsensical gibberish.

What kind of malware is CopperStealer?

CopperStealer, also known as Mingloa, is a malicious program designed to steal sensitive/personal information. It also has the capability to cause chain infections (i.e., download/install additional malware).

Significant activity of CopperStealer has been observed in Brazil, India, Indonesia, Pakistan, and the Philippines. At the time of research, this malware had been noted being spread via websites offering illegal activation tools ("cracks") for licensed software products.

What is "Error Code: #0x564897"?

"Error Code: #0x564897" is a technical support scam run on various deceptive websites. This scheme has been observed being promoted via the Amazon AWS service.

Scams of this type operate by informing users of (nonexistent) viruses detected on their devices to trick them into contacting fake tech support. No web page can detect threats/issues present on systems, and any that make such claims are scams.

Users rarely access these deceptive sites intentionally - most enter them via mistyped URLs, redirects caused by intrusive ads, and installed unwanted applications.

What is Error Code: #2c522hq8wwj791?

Typically, scammers behind technical support scam websites like this one try to trick visitors into believing that their devices are infected and calling the provided number to resolve the problem (remove viruses, errors).

Scammers use these websites to trick users into paying for unnecessary fake software, services, and allowing remote access to their computers.

Note that users do not often visit tech support scam pages intentionally they are opened through dubious advertisements, other bogus web pages, or installed potentially unwanted applications (PUAs).

What is news-hot[.]xyz?

Most users do not open pages such as news-hot[.]xyz intentionally - they are opened by browsers that have potentially unwanted applications (PUAs) installed on them, through deceptive ads and other dubious pages.

These apps are classified as PUAs, since they are commonly downloaded and installed by users inadvertently.

There are many pages similar to news-hot[.]xyz on the internet. Some examples are ro01[.]biz, appzery[.]com, finddealsdaily[.]com.

What is the PROM ransomware?

PROM is a malicious program classified as ransomware. Systems infected with this malware have their data encrypted and users receive ransom demands for decryption tools. I.e., the files are rendered inaccessible and victims are asked to pay to recover access to their data.

During the encryption process, affected files are appended with the ".PROM[prometheushelp@mail.ch]" extension, which contains the cyber criminals' email address. For example, a file initially named something like "1.jpg" would appear as "1.jpg.PROM[prometheushelp@mail.ch]", "2.jpg" as "2.jpg.PROM[prometheushelp@mail.ch]", and so on.

After this process is complete, "RESTORE_FILES_INFO.hta" (pop-up window) and "RESTORE_FILES_INFO.txt" files are created, which contain identical ransom messages.

What is Hard?

Ransomware is a type of malware that cyber criminals use to block victims from accessing their files. It encrypts files and keeps them unusable/inaccessible until they are decrypted with a software key that the attackers encourage to purchase from them.

Hard ransomware encrypts and renames files by appending the ".hard" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.hard", "2.jpg" to "2.jpg.hard", and so on.

Hard also creates the "RESTORE_FILES_INFO.txt" text file (ransom message) in each folder that contains encrypted data.

What is Tag Search?

Tag Search (or TagSearch) is a browser hijacker promoting the search-land.com fake search engine. Typically, software within this category promotes bogus search engines by making alterations to browser settings, however, Tag Search does not always modify browsers when promoting search-land.com (see below).

This dubious browser extension also collects browsing-related information. Since most users download/install browser hijackers inadvertently, they are also classified as Potentially Unwanted Applications (PUAs).

What is Direct Search Online?

Direct Search Online is an application that hijacks browsers by changing certain settings to search.directsearchonline.com, the address of a fake search engine.

In addition to changing browser settings, many browser hijackers gather browsing-related information.

Most users download and install apps such as Direct Search Online (browser hijackers) inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs).