Virus and Spyware Removal Guides, uninstall instructions
![Kifr Ransomware](/images/thumbnails/th-26440-kifr-ransomware.jpg)
What kind of malware is Kifr?
Kifr belongs to the Djvu family of ransomware and follows the pattern of encrypting files and appending the ".kifr" extension to their names. The ransomware also creates a "_readme.txt" file with instructions on how to pay the ransom. Our researchers discovered Kifr while analyzing malware samples submitted to VirusTotal.
An example of how Kifr renames files: it changes "1.jpg" to "1.jpg.kifr", "2.png" to "2.png.kifr", and so forth. It is possible that Kifr ransomware is being distributed in conjunction with other malware, such as RedLine or Vidar, which are known to steal information.
![SkipAds for Youtube Adware](/images/thumbnails/th-26439-skipads-for-youtube-adware.jpg)
What kind of application is SkipAds for Youtube?
During our investigation of SkipAds for Youtube, we discovered that it presents intrusive advertisements, which led us to classify this browser extension as adware. Ironically, its name suggests that it blocks ads. It is important to note that users often unintentionally download and install adware.
![Proton Ransomware](/images/thumbnails/th-26438-proton-ransomware.jpg)
What kind of malware is Proton?
Proton is ransomware that our team discovered on VirusTotal while checking the page for recently submitted malware samples. We found that Proton encrypts files, appends the kigatsu@tutanota.com email address, the victim's ID, and, depending on the variant, the ".Proton" or ".kigatsu" extension to filenames, and creates a ransom note ("README.txt").
An example of how Proton ransomware modifies filenames: it renames "1.jpg" to "1.jpg.[DoraRec@onionmail.org].Proton" or "1.jpg.[Kigatsu@tutanota.com][719149DF].kigatsu", "2.png" to "2.png.[DoraRec@onionmail.org].Proton" or "2.png.[Kigatsu@tutanota.com][719149DF].kigatsu", and so forth.
![Rorschach Ransomware](/images/thumbnails/th-26437-rorschach-ransomware.jpg)
What kind of malware is Rorschach?
Rorschach (also known as BabLock) is ransomware that encrypts files. The attackers aim at small and medium-sized businesses as well as industrial companies. Along with encrypting data, Rorschach also adds a random string of characters and a two-digit number (ranging from 00 to 98) to the end of filenames.
Also, it drops a ransom note ("_r_e_a_d_m_e.txt") and changes the desktop wallpaper. An example of how Rorschach modifies filenames: it changes "1.jpg" to "1.jpg.slpqne.37", "2.png" to "2.png.slpqne.39", and so forth. The appended string of random characters may vary depending on the ransomware variant.
![Sports Engine Browser Hijacker](/images/thumbnails/th-26436-sports-engine-browser-hijacker.jpg)
What kind of application is Sports Engine?
While examining the Sports Engine browser extension, we found that it hijacks a web browser by changing its settings. The purpose of this browser-hijacking app is to promote a fake search engine (sportengine.info). Additionally, Sports Engine can read certain data.
![Security Breach - Stolen Data Email Scam](/images/thumbnails/th-26435-security-breach-stolen-data-email-scam.jpg)
What is "Security Breach - Stolen Data"?
Upon scrutinizing this email, we have ascertained that it is a fraudulent extortion letter. This phishing campaign comprises at least two versions of the letter, with the perpetrators employing the names of well-known cybercriminals to intimidate and lend credibility to their threats.
![Messages Are Restrained Due To Low Bandwidth Email Scam](/images/thumbnails/th-26434-messages-are-restrained-due-to-low-bandwidth-email-scam.jpg)
What is "Messages Are Restrained Due To Low Bandwidth"?
After reviewing this email, we determined that it is a phishing letter masquerading as a notification from an email service regarding mail delivery status. There are at least two variants of this letter in the phishing campaign. Scammers use both of them to lure unsuspecting recipients into providing personal information.
![Self-Extracting Archive (SFX) Malware](/images/thumbnails/th-26433-self-extracting-archive-sfx-malware.jpg)
What is a malicious self-extracting archive (SFX) file?
Self-extracting (SFX) archive files have traditionally been used to share compressed data with individuals who do not have the software to unpack and view the contents of a standard archive file. Nevertheless, these files can harbor covert malicious functionality that is not readily apparent to users and may evade detection by technology-based security measures.
![Predator Spyware (Android)](/images/thumbnails/th-26432-predator-spyware-android.jpg)
What kind of malware is Predator?
Predator is the name of spyware (malicious software) targeting Android users. Between August and October 2021, the attackers utilized zero-day exploits that targeted Chrome and the Android OS to install Predator spyware implants on Android devices, even those that were fully up-to-date.
![Lepigthree.xyz Ads](/images/thumbnails/th-26431-lepigthree-xyz-ads.jpg)
What kind of page is lepigthree[.]xyz?
While examining lepigthree[.]xyz, we noticed that it wants to show untrustworthy notifications. Lepigthree[.]xyz displays a deceptive message to lure visitors into agreeing to receive its notifications. We discovered lepigthree[.]xyz while inspecting other dubious websites.