Virus and Spyware Removal Guides, uninstall instructions
![Documents Inquiry Email Scam](/images/thumbnails/th-26172-documents-inquiry-email-scam.jpg)
What kind of scam email is "Documents Inquiry"?
After inspecting the email, we have confirmed that it is a phishing scam disguised as a letter regarding some important inquiry. The scammers aim to deceive the recipients into giving away their personal information. Therefore, we recommend marking the email as spam and deleting it.
![Searchessuggestions.com Redirect](/images/thumbnails/th-26171-searchessuggestions-com-redirect.jpg)
What is searchessuggestions.com?
Our team has inspected searchessuggestions.com and found that it is a shady search engine that may lead to untrustworthy pages. It is important to note that search engines of this kind are usually promoted through apps that modify the settings of web browsers, known as browser hijackers.
![Clipbox Tab Browser Hijacker](/images/thumbnails/th-26170-clipbox-tab-browser-hijacker.jpg)
What kind of application is Clipbox Tab?
While testing the Clipbox Tab application, we learned that this browser extension functions as a browser hijacker. The purpose of this browser-hijacking app is to promote two fake search engines: find.asrcgetit.com and clipboxtab.com. Clipbox Tab hijacks a browser by altering its settings.
![Reopen Ransomware](/images/thumbnails/th-26169-reopen-ransomware.jpg)
What is Reopen ransomware?
While inspecting new submissions to VirusTotal, our researchers discovered the Reopen ransomware-type program. We also determined that Reopen is part of the VoidCrypt ransomware family. Malware within this classification is designed to encrypt data and demand ransoms for its decryption.
After we executed a sample of Reopen ransomware on our testing system, it encrypted files and modified their filenames. Original titles were appended with the cyber criminals' email address, a unique ID assigned to the victims, and the ".reopen" extension. For example, a file named "1.jpg" appeared as "1.jpg.[Reopenthefile@gmail.com][MJ-BK9065718342].reopen".
Once the encryption process was finished, two identical ransom notes were created, titled "INFORMATION.HTA" and "INFORMATION.txt", respectively.
![ATLANTIS TRANS LOGISTIK Email Virus](/images/thumbnails/th-26168-atlantis-trans-logistik-email-virus.jpg)
What kind of email is "ATLANTIS TRANS LOGISTIK"?
We examined this email and uncovered that the sender disguised it as a letter from Atlantis Translogistik, a freight forwarding service company in North Jakarta. Additionally, the email includes two harmful attachments used to distribute malware. Therefore, recipients are advised to ignore the email and not open its contents.
![Goba Ransomware](/images/thumbnails/th-26167-goba-ransomware.jpg)
What kind of malware is Goba?
Goba is a ransomware variant that utilizes encryption to lock files, and as part of its process, it adds the ".goba" extension to the filenames of all encrypted files. This malware also creates a ransom note, which is saved as "_readme.txt". Goba is part of the Djvu ransomware family and may be disseminated in conjunction with other malware such as RedLine or Vidar.
Our team of malware analysts discovered Goba during their review of samples submitted to VirusTotal. An illustration of how Goba modifies filenames: it changes "1.jpg" to "1.jpg.goba", "2.png" to "2.png.goba", and so forth.
![Goaq Ransomware](/images/thumbnails/th-26166-goaq-ransomware.jpg)
What kind of malware is Goaq?
During our analysis of malware samples submitted to VirusTotal, we came across Goaq, a ransomware belonging to the Djvu family. Goaq encrypts files and adds the ".goaq" extension to the filenames of encrypted files. It also creates a text file called "_readme.txt" that contains a ransom note.
As an example, Goaq renames "1.jpg" to "1.jpg.goaq" and "2.png" to "2.png.goaq". It's worth noting that Goaq may be distributed alongside other information stealers such as Vidar and RedLine, since it belongs to the Djvu family.
![Gosw Ransomware](/images/thumbnails/th-26165-gosw-ransomware.jpg)
What kind of malware is Gosw?
Gosw is a type of ransomware that is part of the Djvu family. When Gosw infects a system, it encrypts files and appends the ".gosw" extension to the file names. It also creates a ransom note in the form of a "_readme.txt" file. Our researchers identified Gosw during an analysis of malware samples submitted to VirusTotal.
To give an example of how Gosw renames files, it changes "1.jpg" to "1.jpg.gosw", "2.png" to "2.png.gosw", and so on. It is possible that cybercriminals are distributing Gosw alongside other malware, such as RedLine or Vidar, which are information stealers.
![Bizzy Beaver Browser Hijacker](/images/thumbnails/th-26164-bizzy-beaver-browser-hijacker.jpg)
What is Bizzy Beaver?
Our research team discovered the Bizzy Beaver browser extension during a routine investigation of untrustworthy sites. It is endorsed as a productivity tool. However, our analysis uncovered that this extension modifies browsers to promote (through redirects) the search.bizzy-beaver.com fake search engine. Due to this behavior, Bizzy Beaver is categorized as a browser hijacker.
![MetAI Assistant Adware](/images/thumbnails/th-26163-metai-assistant-adware.jpg)
What is MetAI assistant?
While inspecting deceptive websites, our research team discovered a page promoting an installer containing the MetAI assistant browser extension. It is endorsed as a tool that allows users to employ "OpenAI" (likely the ChatGPT chatbot developed by OpenAI) on the Facebook social networking platform.
However, our analysis of this extension revealed that it operates as adware, i.e., it displays advertisements and collects sensitive information.