Virus and Spyware Removal Guides, uninstall instructions

What kind of page is gehoochosurvey[.]top?
Through our investigation, we have determined that gehoochosurvey[.]top is an untrustworthy website engaged in fraudulent survey activities. Additionally, this site employs tactics to entice users to enable notifications and may redirect them to other unreliable pages. It is important to note that users do not intentionally visit sites like gehoochosurvey[.]top.

What kind of page is fadszone[.]com?
While investigating web pages associated with suspicious advertising networks, our team encountered fadszone[.]com. Upon analysis, we have determined that fadszone[.]com engages in a deceptive practice by utilizing a clickbait technique to deceive visitors into subscribing to its notifications. It is worth noting that most users stumble upon such pages inadvertently, without any intention of visiting them.

What kind of malware is NURRI?
NURRI is ransomware our malware researchers discovered while inspecting samples on the VirusTotal page. We found that NURRI is part of the Phobos family. It encrypts files, appends the ".NURRI" extension to filenames (along with the victim's ID and nury_espitia@tuta.io email address), and provides two ransom notes ("info.hta" and "info.txt").
An example of how NURRI renames encrypted files: it changes "1.jpg" to "1.jpg.id[9ECFA84E-3352].[nury_espitia@tuta.io].NURRI", "2.png" to "2.png.id[9ECFA84E-3352].[nury_espitia@tuta.io].NURRI", and so forth.

What kind of page is not-robot[.]top?
Not-robot[.]top is a rogue webpage that is designed to promote spam browser notifications and redirect users to other (likely unreliable/harmful) sites.
Most visitors to this and similar pages access them via redirects caused by websites using rogue advertising networks. Our research team discovered not-robot[.]top while investigating sites that utilize said networks.

What kind of email is "MailBox Warning"?
Our inspection of the "MailBox Warning" email revealed that it is fake. This spam letter falsely claims that irregular activity was detected on the recipient's email account. The goal of this phishing mail is to trick recipients into disclosing their account credentials.

What kind of email is "Account Status At Risk"?
After reviewing the "Account Status At Risk" email, we determined that it is spam. By making false claims that the recipient's email account will be suspended, it aims to trick them into providing their log-in credentials to a phishing website.

What kind of email is "Microsoft Outlook Account Will Be Disconnected"?
After investigating the "Microsoft Outlook Account Will Be Disconnected" letter, we determined that it is a phishing email targeting log-in credentials. The recipient is warned that due to unresolved issues, their Microsoft Outlook account will be deactivated. However, this is a ploy to trick them into disclosing their email passwords.

What kind of malware is CustomerLoader?
CustomerLoader is a malicious program designed to cause chain infections. In other words, it loads additional malicious components and programs onto compromised devices. All known CustomerLoader infections relied on the DotRunpeX injector trojan to infiltrate the final payload. Over forty malware families were proliferated in this manner.
The cybersecurity community first became aware of CustomerLoader's existence in June of 2023; however, there is some evidence suggesting that this malware has been active since at least May of the same year.
Due to the variety of distribution methods implemented for CustomerLoader, it is likely that the program's developers are offering it as a service – thus, the malware is used by multiple threat actors.

What kind of scam is "Zelis Payment" campaign?
While examining this email, our team determined that it is a fraudulent phishing attempt. The email is crafted by scammers who falsely claim to represent Zelis, a genuine company operating in the healthcare technology sector. The intention of these scammers is to deceive recipients into divulging sensitive information via the attached file.

What kind of malware is Available_for_trial?
While examining malware samples on the VirusTotal site, our team discovered a ransomware variant named Available_for_trial. The purpose of Available_for_trial is to encrypt data. In addition to encrypting files, Available_for_trial renames files and creates a ransom note ("how_to_decrypt.hta").
Available_for_trial renames files using the "available_for_trial.[random_string]._locked" pattern. For instance, it replaces "1.jpg" with "available_for_trial.835qq2k5633278334k67s214c.rhtaoe._locked", "2.png" with "available_for_trial.c42233k2675836534s214876q.gcb3a._locked", and so forth.