Virus and Spyware Removal Guides, uninstall instructions
What kind of malware is Pay?
While analyzing malware samples submitted to VirusTotal, our team discovered a ransomware strain dubbed Pay. We found that Pay is part of the VoidCrypt ransomware family. It encrypts files, appends the paydecryption@gmail.com email address, the victim's ID, and the ".pay" extension to filenames, and drops a ransom note (a file named "큸").
An example of how Pay modifies filenames: it renames "1.jpg" to "1.jpg.[PayDecryption@gmail.com][MJ-HR8357129406].pay", "2.png" to "2.png.[PayDecryption@gmail.com][MJ-HR8357129406].pay", and so forth.
What kind of page is ninoglostoay[.]com?
While analyzing ninoglostoay[.]com, we found that it shows a deceptive message and asks for permission to show shady notifications. Our team discovered ninoglostoay[.]com while examining sites that use rogue advertising networks. It is uncommon for pages like ninoglostoay[.]com to be accessed intentionally.
What kind of malware is Hhee?
The Hhee ransomware is a variant of the Djvu family that our team discovered during an analysis of samples on VirusTotal. Hhee operates by encrypting data and adding the ".hhee" extension to the affected files. Upon completion of the encryption process, the ransomware drops a ransom note in the form of the "_readme.txt" file.
Hhee changes the names of files in the following manner: "1.jpg" becomes "1.jpg.hhee", "2.png" becomes "2.png.hhee", and so on. Given its association with the Djvu family, Hhee may be distributed alongside other malicious software such as RedLine, Vidar, and other information stealers.
What kind of malware is Hhmm?
Our cybersecurity team recently uncovered a new strain of ransomware called Hhmm while analyzing malware samples submitted to VirusTotal. Further investigation revealed that Hhmm is a member of the notorious Djvu ransomware family. The malware operates by encrypting files, appending the ".hhmm" extension to each file name, and leaving a ransom note in a "_readme.txt" file.
We observed that Hhmm follows a distinctive pattern in renaming the files. For example, it changes the file name "1.jpg" to "1.jpg.hhmm", "document.txt" to "document.txt.hhmm", and so on. Since Hhmm is part of the Djvu family, it may be distributed along with other malicious software such as RedLine, Vidar, and other information-stealing malware.
What kind of page is transitnotice[.]com?
Transitnotice[.]com is a rogue page that we discovered while checking out suspicious websites. It is designed to push browser notification spam and redirect users to other (likely unreliable/hazardous) sites. Most visitors to transitnotice[.]com and similar webpages enter them via redirects caused by sites using rogue advertising networks.
What kind of page is onenomadtstore[.]com?
While investigating suspicious websites, our researchers discovered the onenomadtstore[.]com rogue page. It endorses browser notification spam and redirects visitors to other (likely unreliable/harmful) sites. Users typically access such webpages via redirects caused by websites that use rogue advertising networks.
What kind of page is datingsecret[.]top?
While investigating suspicious sites, our researchers found the datingsecret[.]top rogue webpage. It operates by pushing browser notification spam and redirecting visitors to other (likely unreliable/harmful) pages. Most users access sites like datingsecret[.]top via redirects caused by websites that use rogue advertising networks.
What kind of email is "Payment For Apple Gift Card"?
We have examined this email and determined that it is a scam. Typically, scammers behind such emails attempt to trick recipients into giving away their personal information or money. These emails often appear to come from reputable sources and contain a sense of urgency to convince recipients to act quickly.
What kind of page is buygadsgroup[.]com?
Our researchers discovered the buygadsgroup[.]com rogue webpage while inspecting dubious websites. At the time of research, this page promoted browser notification spam using fake CAPTCHA verification. Additionally, this website can redirect visitors to different (likely unreliable/harmful) pages.
Buygadsgroup[.]com and webpages akin to it are most commonly entered via redirects caused by sites that use rogue advertising networks.
What is ScareCrow ransomware?
ScareCrow is a ransomware-type program that our research team discovered while investigating new submissions to VirusTotal.
After we executed a sample of this ransomware on our test system, it encrypted files and appended a ".CROW" extension to their filenames. For example, an original filename like "1.jpg" appeared as "1.jpg.CROW", "2.png" as "2.png.CROW", etc. Once the encryption was finished, a ransom note named "readme.txt" was created.