Virus and Spyware Removal Guides, uninstall instructions
![Hhoo Ransomware](/images/thumbnails/th-26022-hhoo-ransomware.jpg)
What kind of malware is Hhoo?
During the inspection of malware samples submitted to VirusTotal, our team discovered a ransomware variant belonging to the Djvu family dubbed Hhoo. Hhoo encrypts files and adds its own extension (".hhoo") to the original filenames.
For instance, "1.jpg" becomes "1.jpg.hhoo", "2.png" becomes "2.png.hhoo", and so on. Additionally, Hhoo creates a ransom note named "_readme.txt". It is important to note that ransomware strains belonging to the Djvu family are often distributed alongside RedLine, Vidar, or other stealers.
![Topreqdusa.com Ads](/images/thumbnails/th-26021-topreqdusa-com-ads.jpg)
What kind of page is topreqdusa[.]com?
Topreqdusa[.]com is a rogue site that we discovered while investigating untrustworthy websites. This page is designed to promote browser notification spam and – at the time of research – did so by employing fake CAPTCHA verification. The webpage in question can also redirect users to different (likely unreliable/dangerous) sites.
Visitors to topreqdusa[.]com and pages akin to it primarily access them via redirects caused by websites that use rogue advertising networks.
![Topadvastudio.com Ads](/images/thumbnails/th-26020-topadvastudio-com-ads.jpg)
What kind of page is topadvastudio[.]com?
While inspecting questionable sites, our researchers discovered the topadvastudio[.]com rogue page. This webpage is designed to push spam browser notifications. Furthermore, it can redirect visitors to different (likely untrustworthy/hazardous) websites.
Most users enter sites like topadvastudio[.]com via redirects caused by pages that use rogue advertising networks.
![Mikel Ransomware](/images/thumbnails/th-26019-mikel-ransomware.jpg)
What is Mikel ransomware?
Mikel is a variant of the Proxima ransomware. Malware within this classification is designed to encrypt data and demand payment.
When we executed a sample of Mikel ransomware on our test machine, it encrypted files and appended a ".mikel" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.mikel", "2.png" as "2.png.mikel", etc. Afterwards, a ransom note – "Mikel_Help.txt" – was created.
![Odestech.com Ads](/images/thumbnails/th-26018-odestech-com-ads.jpg)
What kind of page is odestech[.]com?
Odestech[.]com is a website that presents misleading messages to entice visitors into consenting to receive notifications. Typically, users arrive at these pages inadvertently. Our team found odestech[.]com while inspecting pages that use questionable advertising networks.
![Proxima Ransomware](/images/thumbnails/th-26017-proxima-ransomware.jpg)
What is Proxima ransomware?
Proxima is the name of a ransomware-type program. It is designed to encrypt data for the purpose of making ransom demands for decryption.
After we executed a sample of Proxima on our test machine, it encrypted files and appended a ".proxima" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.proxima", "2.png" as "2.png.proxima", and so forth.
Once this process was finished, the ransomware dropped a ransom-demanding message – "Proxima_Readme.txt" – onto the desktop.
![Intesa Sanpaolo Email Scam](/images/thumbnails/th-26016-intesa-sanpaolo-email-scam.jpg)
What kind of scam is the "Intesa Sanpaolo" email scam?
We have inspected this letter and determined that it is a phishing email. Scammers behind it pose as a legitimate banking company (Intesa Sanpaolo). Their goal is to lure recipients into providing login information on a fake web page. Recipients should ignore this letter.
![DarkBit Ransomware](/images/thumbnails/th-26015-darkbit-ransomware.jpg)
What is DarkBit ransomware?
DarkBit is ransomware that we discovered while investigating new malware submissions to VirusTotal. It operates by encrypting data and demanding ransoms for decryption.
Once we launched a sample of DarkBit on our testing system, it began encrypting files and altering their filenames. Affected files were renamed with a random character string and the ".Darkbit" extension. To elaborate, a file initially titled "1.jpg" appeared as "3oDWq7Fp1676362581.Darkbit", "2.png" appeared as "QV3xwMP11676362581.Darkbit", and so on.
After the encryption process was finished, this ransomware created a ransom note named "RECOVERY_DARKBIT.txt" and dropped it onto the desktop.
![Pdb Ransomware](/images/thumbnails/th-26014-pdb-ransomware.jpg)
What kind of malware is Pdb?
While checking the VirusTotal site for recently submitted malware samples, our team discovered a ransomware strain dubbed Pdb. This ransomware encrypts data, appends the ".pdb" extension to filenames, and drops the "pdb.txt" file that contains a ransom note.
An example of how Pdb ransomware renames files: it changes "1.jpg" to "1.jpg.pdb", "2.doc" to "2.doc.pdb", and so forth.
![Blockedvideos.xyz Ads](/images/thumbnails/th-26013-blockedvideos-xyz-ads.jpg)
What kind of page is blockedvideos[.]xyz?
Blockedvideos[.]xyz is a rogue page we discovered while inspecting dubious websites. It operates by promoting browser notification spam and redirecting visitors to different (likely untrustworthy/harmful) sites.
Most users access pages like blockedvideos[.]xyz through redirects caused by webpages that use rogue advertising networks. However, they may also be entered via misspelled URLs, spam notifications, intrusive ads, or installed adware.