Virus and Spyware Removal Guides, uninstall instructions

Agniane Stealer

What kind of malware is Agniane?

Agniane is a stealer – a type of malware designed to extract and exfiltrate sensitive information from infected machines. This stealer is heavily focused on stealing cryptocurrency-related data.

   
NightClub Malware

What kind of malware is NightClub?

NightClub is the name of a malware that has spyware and data-stealing capabilities. This program has at least four versions, with the earliest variant dating back to 2014.

NightClub malware is used by a threat actor dubbed MoustachedBouncer. This group has been around for nearly a decade and almost exclusively targets foreign embassies in Belarus. Known attacks include the embassies of four countries: two located in Europe and one each in Africa and South Asia. Aside from NightClub, this threat actor uses another toolset referred to as Disco.

   
MotionOptimizer Adware (Mac)

What kind of application is MotionOptimizer?

We discovered the MotionOptimizer application during a routine investigation of new submissions to the VirusTotal site. Our analysis revealed that this app is advertising-supported software (adware) and that it belongs to the AdLoad malware family.

   
XI New Tab Browser Hijacker

What kind of software is XI New Tab?

XI New Tab is a rogue extension promising to display browser wallpapers. Our research team discovered it while investigating untrustworthy websites.

After analyzing XI New Tab, we learned that it makes modifications to browser settings in order to promote (through redirects) the xitabs.com fake search engine. Due to this behavior, this extension is classed as browser-hijacking software.

   
Knight Ransomware

What kind of malware is Knight?

Knight ransomware is the rebrand of Cyclops. Malware within this classification is designed to encrypt files and demand ransoms for their decryption.

When we executed a sample of Knight on our test system, it began encrypting files and appended their filenames with a ".knight_l" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.knight_l", "2.png" as "2.png.knight_l", etc. Afterward, a ransom note – "How To Restore Your Files.txt" – was dropped into every encrypted folder on the system.

It is pertinent to mention that the group behind Knight operates it as Ransomware-as-a-Service, and these threat actors also offer information-stealing malware. Hence, there is a possibility that these ransomware infections could have a double-extortion element to them. The variant we investigated mentioned the use of such tactics.

   
Tasa Ransomware

What kind of malware is Tasa?

While inspecting new submissions to the VirusTotal website, our researchers discovered the Tasa malicious program. It is part of the Djvu ransomware family. Programs within this classification operate by encrypting data and making ransom demands for its decryption.

After we launched a sample of Tasa ransomware on our test machine, it encrypted files and added the ".tasa" extension to their filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.tasa", "2.png" as "2.png.tasa", etc. Once this process was finished, a ransom note titled "_readme.txt" was created.

It is worth mentioning that Djvu ransomware commonly infiltrates systems alongside data stealers such as RedLine, Vidar, and others.

   
Taoy Ransomware

What kind of malware is Taoy?

Our research team discovered another ransomware from the Djvu family called Taoy during a routine inspection of new submissions to the VirusTotal website. Ransomware is designed to encrypt data and demand payment for its decryption.

On our test machine, Taoy encrypted files and appended their titles with a ".taoy" extension. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.taoy", "2.png" as "2.png.taoy", and so on for all of the affected files. Once the encryption process was completed, Taoy ransomware created a ransom-demanding message titled "_readme.txt".

It is pertinent to mention that Djvu ransomware is commonly distributed alongside information-stealing malware such as RedLine, Vidar, or others. Therefore, in addition to data loss, these infections may seriously threaten victims' privacy.

   
MediaScape - New Tab Browser Hijacker

What kind of software is MediaScape - New Tab?

Our research team found the MediaScape - New Tab browser extension while investigating dubious websites. This extension promises to display browser wallpapers.

After analyzing this piece of software, we determined that it is a browser hijacker. MediaScape - New Tab makes changes to browser settings in order to promote (through redirects) the tubeextension1.com fake search engine.

   
S.H.O Ransomware

What kind of malware is S.H.O?

Our researchers discovered S.H.O ransomware during a routine review of new submissions to the VirusTotal website. Malicious programs within the ransomware classification are designed to encrypt data and demand payment for its decryption.

Once we executed a sample of S.H.O on our test system, it began encrypting files and altered their filenames. Original titles were appended with an extension comprising a random character string, e.g., a file initially named "1.jpg" appeared as "1.jpg.5zsMS", "2.png" as "2.png.s6NmE", etc. Afterwards, the ransomware changed the desktop wallpaper and created a ransom note titled "Readme.txt".

   
Capital One SECURITY MESSAGE Email Scam

What kind of email is "Capital One SECURITY MESSAGE"?

"Capital One SECURITY MESSAGE" is a phishing email. It is disguised as a notification from Capital One regarding an incoming payment to the recipient's account. Supposedly, the payment verification process requires them to sign in through an attached HTML document, which is a phishing file that records entered information.

It must be stressed that this fake email is in no way associated with the real Capital One bank holding company.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
