Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is MesaCorp?
During a routine investigation of new file submissions to the VirusTotal platform, our research team found the MesaCorp ransomware. This malicious program is based on the Chaos ransomware. MesaCorp is designed to encrypt files and demand ransoms for their decryption.
On our test machine, this malware encrypted files and appended a ".MesaCorp" extension to their filenames. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.MesaCorp", "2.png" as "2.png.MesaCorp", and so on. Afterward, MesaCorp changed the desktop wallpaper and dropped a ransom note titled "read_it.txt".

What kind of page is news-gavewe[.]com?
While checking out suspicious sites, our research team discovered the news-gavewe[.]com rogue webpage. It is designed to promote spam browser notifications and redirect users to different (likely dubious/malicious) websites.
Visitors to news-gavewe[.]com and similar pages access them primarily through redirects generated by sites that utilize rogue advertising networks.

What kind of malware is Crypto?
Crypto is ransomware belonging to the MedusaLocker family. It was discovered during the analysis of samples on the VirusTotal website. Once on the system, Crypto encrypts files, changes the filenames of all encrypted files, and leaves a ransom note ("How_to_back_files.html").
Crypto alters filenames by adding an extension like ".crypto1317" or a variation thereof (with potential variations in the extension's numeric values). For instance, it renames "1.jpg" to "1.jpg.crypto1317", "2.png" to "2.png.crypto1317", and so forth.

What kind of software is Horoscope Harmony?
Our researchers discovered the Horoscope Harmony browser extension while inspecting deceptive sites. It promises to provide easy access to horoscopes.
After examining this extension, we determined that it is a browser hijacker. Horoscope Harmony makes changes to browser settings in order to promote the rsrcunow.com fake search engine. Additionally, this piece of software collects sensitive user information.

What is "American Express - Account Validation Required"?
Upon examination, it has been determined that the purpose of this email is to lure recipients into opening the attached file and entering personal information. This email is disguised as a letter from American Express - a legitimate bank holding company. Emails of this type are known as phishing emails.

What kind of malware is Ptqw?
While analyzing malware samples on VirusTotal, we have found a ransomware variant called Ptqw. This ransomware encrypts files and changes filenames by adding the ".ptqw" extension. Additionally, Ptqw creates a ransom note that can be found in a file named "_readme.txt".
Ptqw modifies filenames as follows: it changes a file like "1.jpg" into "1.jpg.ptqw" and "2.png" into "2.png.ptqw". It is worth noting that Ptqw is part of the Djvu ransomware family, and cybercriminals might distribute it alongside information-stealing malware such as RedLine or Vidar.

What kind of malware is Pthh?
In a thorough analysis of the samples submitted to VirusTotal, we identified the presence of the Pthh ransomware, a member of the Djvu family. This malicious program is responsible for encrypting data and appending the ".pthh" extension to the files it affects. Once the encryption process is finalized, Pthh leaves behind a ransom note (a file named "_readme.txt").
Pthh adheres to a specific naming convention when altering the filenames of the files it encrypts. For instance, it converts "1.jpg" to "1.jpg.pthh" and "2.png" to "2.png.pthh". Being part of the Djvu family, Pthh has the potential to be disseminated alongside information stealers such as RedLine and Vidar.

What kind of page is news-nosate[.]com?
Our research team discovered the news-nosate[.]com rogue webpage while investigating dubious sites. This page promotes browser notification spam and redirects visitors to other (likely unreliable/malicious) websites.
Users primarily access news-nosate[.]com and webpages akin to it via redirects caused by sites that employ rogue advertising networks.

What kind of software is Sebux?
While investigating deceptive sites, our researchers discovered the Sebux rogue browser extension. After analyzing this piece of software, we determined that it is adware. Sebux runs intrusive advertisement campaigns and spies on users' browsing activity.

What kind of page is stoneheartseeker[.]top?
Our researchers discovered the stoneheartseeker[.]top rogue page during a routine inspection of questionable websites. It is designed to push browser notification spam and redirect visitors to other (likely untrustworthy/harmful) sites. Most users enter webpages like stoneheartseeker[.]top via redirects caused by sites utilizing rogue advertising networks.