Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is Thx?

Thx is ransomware that falls under the Dharma family. Its main objective is to encrypt data. As part of the encryption process, Thx adds the victim's ID, cluster1@outlook.sa email address, and the ".thx" extension to the original filenames.

For example, a file named "1.jpg" would be renamed to "1.jpg.id-1E857D00.[cluster1@outlook.sa].thx", and "2.png" would become "2.png.id-1E857D00.[cluster1@outlook.sa].thx", and so on. The Thx ransomware also exhibits a pop-up window and generates a file named "info.txt" containing a ransom note.

What kind of malware is Neon?

Neon, a variant of the Djvu ransomware family, is ransomware that encrypts files on the victim's computer and demands a ransom payment in exchange for the decryption tools. Our team came across Neon during our examination of recently submitted malware samples on VirusTotal. It is important to be aware that Neon may be distributed alongside other malware, such as RedLine or Vidar.

Once Neon infects a computer, it alters the filenames of encrypted files by appending the ".neon" extension. For instance, a file originally named "1.jpg" gets renamed to "1.jpg.neon", "2.png" to "2.png.neon", etc. Additionally, Neon generates a ransom note called "_readme.txt".

What kind of malware is Nerz?

During our examination of samples on VirusTotal, our team recently discovered a variant of the Djvu ransomware family named Nerz. Nerz encrypts data and appends the ".nerz" extension to the files it affects. Once the encryption process is complete, the ransomware leaves a ransom note titled "_readme.txt".

Nerz follows a file renaming pattern where it modifies names such as "1.jpg" to "1.jpg.nerz", "2.png" to "2.png.nerz", and so forth. Given its association with the Djvu family, Nerz might be distributed alongside other malicious software like RedLine, Vidar, and other information stealers.

What kind of page is juble[.]click?

During our examination of juble[.]click, we discovered that it employs a deceptive strategy to persuade visitors into granting it permission to send notifications. Moreover, juble[.]click has the potential to redirect visitors to dubious websites. We encountered juble[.]click while investigating pages associated with untrustworthy advertising networks.

What kind of page is dev-defense[.]com?

Dev-defense[.]com is a rogue webpage designed to promote dubious content and browser notification spam. It is also capable of redirecting visitors to different (likely unreliable/hazardous) sites.

Users primarily access pages like dev-defense[.]com through redirects generated by websites that employ rogue advertising networks. Our researchers discovered dev-defense[.]com while investigating sites that use said networks.

What kind of malware is NBR?

NBR is ransomware belonging to the Dharma family. The purpose of NBR is to encrypt data. Additionally, this ransomware appends the victim's ID, harry023m@aol.com email address, and the ".NBR" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.id-1E857D00.[Harry023m@aol.com].NBR", "2.png" to "2.png.id-1E857D00.[Harry023m@aol.com].NBR", etc.

Also, NBR ransomware displays a pop-up window and creates a file named "README!!!.txt" containing a ransom note.

What kind of page is eukeuktyouex[.]xyz?

Eukeuktyouex[.]xyz is a rogue page that we discovered while inspecting suspect websites. This webpage promotes browser notification spam and redirects users to different (likely unreliable/dangerous) sites.

Visitors to eukeuktyouex[.]xyz and similar pages access them primarily through redirects generated by websites that employ rogue advertising networks.

What kind of page is fumuluckt[.]com?

While inspecting suspect sites, our researchers discovered the fumuluckt[.]com rogue webpage. It is designed to push spam browser notifications and redirect visitors to other (likely unreliable/malicious) websites. Most users access pages like fumuluckt[.]com via redirects generated by sites that use rogue advertising networks.

What kind of page is besteasyclick[.]com?

Our researchers found the besteasyclick[.]com rogue page while checking out untrustworthy websites. This webpage operates by promoting browser notification spam and redirecting visitors to different (likely unreliable/hazardous) websites.

Users primarily access pages like besteasyclick[.]com through redirects caused by sites employing rogue advertising networks.

What kind of malware is Horabot?

Horabot is part of the campaign where threat actors infect machines with a banking Trojan and spam tool. This campaign primarily focuses on Spanish-speaking users in the Americas. Horabot enables attackers to manipulate Outlook mailboxes, extract email addresses, distribute phishing emails with harmful attachments, and acquire login credentials and security codes.