Virus and Spyware Removal Guides, uninstall instructions

Arashpar.xyz Ads

What kind of page is arashpar[.]xyz?

Arashpar[.]xyz is a rogue webpage that we discovered while inspecting questionable websites. It is designed to promote browser notification spam and redirect users to different (likely unreliable/harmful) sites. Most visitors to arashpar[.]xyz and similar pages access them via redirects caused by websites that use rogue advertising networks.

   
WhiskerSpy Backdoor

What kind of malware is WhiskerSpy?

WhiskerSpy is the name of backdoor malware. Malware of this type is used to gain remote access to computers. It is known that WhiskerSpy is capable of executing shell commands, injecting code into another process, exfiltrating specific files, taking screenshots, and more. It should be removed from compromised systems as soon as possible.

   
Saw Ransomware

What is Saw ransomware?

While investigating new submissions to VirusTotal, we found a malicious program called Saw. It is part of the Xorist ransomware family and, like all programs within this group, is designed to encrypt data and demand payment for its decryption.

After we executed a sample of Saw ransomware on our test machine, it encrypted files and appended a ".saw" extension to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.saw", "2.png" as "2.png.saw", and so forth.

Once this process was finished, Saw created two identical ransom notes in Russian – a pop-up window and a text file named "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt". If the operating system does not use the Cyrillic alphabet, the message in the pop-up will appear as nonsensical gibberish.

Additionally, this ransomware changed the desktop wallpaper to one depicting the doll used by the Jigsaw Killer in the Saw movie franchise. The notes also contained a play on a famous quote from this franchise – "I want to play a game". It must be emphasized that this malware is in no way associated with these movies or any other related individuals or entities.

   
Getnomadtblog.com Ads

What kind of page is getnomadtblog[.]com?

Getnomadtblog[.]com is a deceptive website that attempts to trick visitors into subscribing to its notifications. This site may also redirect visitors to other pages of similar nature. Our team uncovered getnomadtblog[.]com while investigating illegal movie streaming websites, torrent sites, and similar pages that employ fraudulent advertising networks.

   
BRUH (Chaos) Ransomware

What kind of malware is BRUH?

BRUH is ransomware based on Chaos ransomware. We discovered this ransomware strain while inspecting malware samples submitted to the VirusTotal page. BRUH encrypts data, appends a random extension (four random characters) to filenames, changes the desktop wallpaper, and drops the "read_it.txt" file (a ransom note).

An example of how BRUH modifies filenames: it changes "1.jpg" to "1.jpg.88a4", "2.png" to "2.png.aoxg", and so forth.

   
Iotr Ransomware

What kind of malware is Iotr?

Iotr is ransomware that belongs to the Djvu ransomware family. Our team discovered this ransomware on VirusTotal while analyzing malware samples submitted to the page. Iotr encrypts files and adds the ".iotr" extension to their filenames. Additionally, it drops the "_readme.txt" file, which contains a ransom note.

To illustrate how Iotr renames files, here is an example: it changes "1.jpg" to "1.jpg.iotr", "2.png" to "2.png.iotr", "3.exe" to "3.exe.iotr", and so on. This ransomware may be distributed alongside Vidar, RedLine, or other information-stealing malware.

   
Iowd Ransomware

What kind of malware is Iowd?

Our analysis of malware samples submitted to VirusTotal has revealed the existence of a new variant of the Djvu ransomware family, dubbed Iowd. Its main objective is to encrypt files on an infected system. Also, Iowd appends the ".iowd" extension to filenames and creates the "_readme.txt" file with instructions on how to pay the ransom to obtain the decryption key.

It should be noted that Iowd could potentially be distributed in conjunction with other information stealers such as RedLine or Vidar. An example of how Iowd renames files: it changes "1.jpg" to "1.jpg.iowd", "2.png" to "2.png.iowd", and so forth.

   
Ioqa Ransomware

What kind of malware is Ioqa?

After analyzing malware samples submitted to VirusTotal, we have identified a new ransomware variant known as Ioqa, which is a member of the Djvu ransomware family. The primary objective of Ioqa is to encrypt files on the infected system. As part of the encryption process, Ioqa renames the affected files by appending the ".ioqa" extension to their original names.

For example, it renames "1.jpg" to "1.jpg.ioqa", "2.png" to "2.png.ioqa", and so forth. Ioqa also generates a ransom note ("_readme.txt" file), which provides instructions on how to pay the ransom to obtain the decryption key. Since this ransomware is part of the Djvu family, it may be distributed alongside RedLine, Vidar, or other information stealers.

   
Itspeedg.com Ads

What kind of page is itspeedg[.]com?

Itspeedg[.]com is a rogue webpage discovered by our researchers during a routine investigation of untrustworthy websites. This page is designed to promote dubious/hazardous software and browser notification spam. Furthermore, it can redirect visitors to other (likely unreliable/malicious) sites.

Users typically enter websites like itspeedg[.]com through redirects caused by pages that use rogue advertising networks.

   
Ibuhaughuss.com Ads

What kind of page is ibuhaughuss[.]com?

While checking out questionable websites, our research team found the ibuhaughuss[.]com rogue page. It is designed to endorse browser notification spam and redirect visitors to other (likely untrustworthy/harmful) sites. Most users enter webpages like ibuhaughuss[.]com through redirects caused by websites that use rogue advertising networks.

   
