Virus and Spyware Removal Guides, uninstall instructions

What is LANDSLIDE?

LANDSLIDE encrypts and renames files, and creates "#ReadThis.HTA" and "#ReadThis.TXT" files, which contain instructions about how to contact the developers. LANDSLIDE renames files by prepending the nataliaburduniuc96@gmail.com email address, victim's ID, and appending the ".LANDSLIDE" extension to filenames.

For example, "1.jpg" is renamed to "[nataliaburduniuc96@gmail.com][id=C279F237]1.jpg.LANDSLIDE", "2.jpg" to "[nataliaburduniuc96@gmail.com][id=C279F237]2.jpg.LANDSLIDE", and so on.

What is Cat (Xorist) ransomware?

Cat is a malicious program, which is part of the Xorist ransomware family. Systems infected with this program suffer data encryption and users receive ransom demands for decryption. During the encryption process, all affected files are appended with the ".cat" extension.

For example, a file originally named something like "1.jpg" would appear as "1.jpg.cat", "2.jpg" as "2.jpg.cat", and so on. After this process is complete, ransom messages are created in a pop-up window and "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" text files, which are dropped into compromised folders.

The messages in both are identical, however, whether the text presented in the pop-up is displayed properly depends if the Russian alphabet is installed on the system. It is highly likely that Cat (Xorist) ransomware is still in development, as its messages do not contain crucial information.

What is SysKey?

Typically, browser hijacking apps promote fake search engines by modifying certain browser settings. SysKey promotes fxsmash.xyz in this way. It can also read browsing history, and possibly other data.

Commonly, users download and install browser hijackers inadvertently and, for this reason, they are categorized as potentially unwanted applications (PUAs).

What is Movie Tab?

Movie Tab is a browser hijacker designed to promote tailsearch.com (a bogus search engine). Browser hijackers usually operate by making modifications to browser settings to promote fake search engines (including tailsearch.com). In fact, Movie Tab does not always modify browsers in this way (see below).

Additionally, this browser hijacker monitors users' browsing habits. Due to the dubious techniques used to proliferate Movie Tab, it is also categorized as a Potentially Unwanted Application (PUA).

What is SkillFormat?

SkillFormat generates advertisements and promotes a fake search engine address, and thus functions as adware and a browser hijacker. Additionally, it is possible that SkillFormat gathers information relating to users' browsing habits and other data. This app is distributed via a deceptive installer that is disguised as the installer for Adobe Flash Player.

Typically, users download and install apps such as SkillFormat inadvertently and, for this reason, they are classified as potentially unwanted applications (PUAs).

What is GLB ransomware?

GLB is malicious software belonging to the Dharma ransomware family. It operates by encrypting data in order to demand payment for decryption. When this ransomware encrypts, all compromised files are renamed following this pattern: original filename, unique ID assigned to the victims, cyber criminals' email address, and the ".GLB" extension.

For example, a file originally named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[gonald58@cock.li].GLB" following encryption. Once this process is complete, ransom messages are created in a pop-up window and "FILES ENCRYPTED.txt" text file.

What is Tsar ransomware?

Tsar belongs to the VoidCrypt ransomware family. It prevents victims from accessing their files by encryption, renames every encrypted file, and generates a ransom message. Tsar renames files by adding the decodetsar@gmail.com email address, victim's ID, and appending ".Tsar" as the file extension.

For example, "1.jpg" is renamed to "1.jpg.[decodetsar@gmail.com][TRB82LEU41OKPVW].Tsar", "2.jpg" to "2.jpg.[decodetsar@gmail.com][TRB82LEU41OKPVW].Tsar", and so on. It creates a ransom message within the "!INFO.HTA" file, storing it in all folders that contain encrypted files

What is SkilledObject?

Typically, apps that are classified as adware serve advertisements, however, this particular app promotes a fake search engine by making certain changes to browser settings. It might also collect data. In this way, SkilledObject functions both as adware and as a browser hijacker.

SkilledObject is distributed via a fake installer designed to appear like an installer for Adobe Flash Player. Typically, users do not download or install these apps intentionally and, for this reason, they are classified as potentially unwanted applications (PUAs).

What is the TakeMyFile PUA?

TakeMyFile is an untrusted application, which is endorsed as a tool that allows users to share files (e.g. apps, audio, documents, photographs, presentations, videos, etc.). Due to the dubious methods used to proliferate this app, it is classified as a Potentially Unwanted Application (PUA).

Despite its often legitimate appearance, software within this classification tends to be nonoperational and may have undisclosed, dangerous capabilities. Furthermore, though bundling - a deceptive technique used to spread unwanted apps - they can infiltrate systems in multitudes.

This has been observed in TakeMyFile's proliferation. At the time of research, this application was installed alongside the WebDiscover, Valerie, and Ober PUAs.

What is LoveSportsSearch?

LoveSportsSearch changes certain browser settings to lovesportssearch.com, the address of a fake search engine.

It is also likely to collect browsing data and other information. Note that browser hijackers are categorized as potentially unwanted applications (PUAs), since, in most cases, users download and install them unintentionally.