Virus and Spyware Removal Guides, uninstall instructions
![ArchiveOperation Adware (Mac)](/images/thumbnails/th-25816-archiveoperation-adware-mac.jpg)
What is ArchiveOperation?
ArchiveOperation is an application that we discovered while reviewing new submissions to VirusTotal. After analyzing this app, we learned that it is adware belonging to the AdLoad malware family.
![Advdomlab.com Ads](/images/thumbnails/th-25815-advdomlab-com-ads.jpg)
What kind of page is advdomlab[.]com?
We have examined advdomlab[.]com and learned that the purpose of this page is to trick visitors into allowing it to show notifications. Also, advdomlab[.]com redirects visitors to other untrustworthy websites. Our team discovered advdomlab[.]com while inspecting pages that use shady advertising networks.
![Mediumhiquality.com Ads](/images/thumbnails/th-25813-mediumhiquality-com-ads.jpg)
What kind of page is mediumhiquality[.]com?
We have analyzed mediumhiquality[.]com and found that this page displays a deceptive message to trick visitors into allowing it to show notifications. Also, mediumhiquality[.]com redirects to other websites that use clickbait techniques to receive permission to display notifications.
![Search-News Default Search Browser Hijacker](/images/thumbnails/th-25812-search-news-default-search-browser-hijacker.jpg)
What kind of application is Search-News Default Search?
While testing the Search-News Default Search application, we found that it functions as a browser hijacker. It promotes a fake search engine (search-news.xyz) by changing some of the settings of a web browser. We discovered Search-News Default Search on a shady web page.
![Access To This MAC Has Been Blocked POP-UP Scam (Mac)](/images/thumbnails/th-25811-access-to-this-mac-has-been-blocked-pop-up-scam-mac.jpg)
What is "Access To This MAC Has Been Blocked"?
It is a fake virus message displayed by a deceptive website (a technical support scam site). The purpose of this page is to trick unsuspecting visitors into calling the provided number. None of the messages on this page are real. Thus, this website should be ignored.
![Venadvstar.com Ads](/images/thumbnails/th-25808-venadvstar-com-ads.jpg)
What kind of page is venadvstar[.]com?
Venadvstar[.]com is one of the many websites that display deceptive messages to trick visitors into allowing them to show notifications. Additionally, venadvstar[.]com redirects visitors to other shady websites. We discovered venadvstar[.]com while inspecting sites that use shady advertising networks.
![Nlb Ransomware](/images/thumbnails/th-25810-nlb-ransomware.jpg)
What is Nlb ransomware?
Our researchers discovered the Nlb ransomware while investigating new submissions to VirusTotal. This malicious program is part of the Dharma ransomware family.
Once we launched a sample of Nlb on our testing system, it encrypted files and altered their titles. Original filenames were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".nlb" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.id-9ECFA84E.[Rileyb0707@aol.com].nlb".
Afterward, this ransomware created ransom-demanding messages in the form of a pop-up window and a text file titled "FILES ENCRYPTED.txt".
![R0n Ransomware](/images/thumbnails/th-25807-r0n-ransomware.jpg)
What kind of malware is R0n?
R0n is ransomware that encrypts files and appends the victim's ID, the ronvest@tutanota.de email address, and the ".r0n" extension to filenames. Also, R0n provides two ransom notes: it displays a pop-up window and creates the "info.txt" file. Our team discovered R0n while inspecting malware samples submitted to VirusTotal.
We also found that R0n is part of the Dharma ransomware family. An example of how R0n renames files: it changes "1.jpg" to "1.jpg.id-9ECFA84E.[ronvest@tutanota.de].r0n", "2.png" to "2.png.id-9ECFA84E.[ronvest@tutanota.de].r0n", and so forth.
![Mztu Ransomware](/images/thumbnails/th-25806-mztu-ransomware.jpg)
What kind of malware is Mztu?
Mztu is one of the ransomware variants belonging to the Djvu family. Our team discovered it while inspecting malware samples submitted to VirusTotal. The purpose of Mztu is to encrypt files. Also, this ransomware appends the ".mztu" extension to filenames and creates the "_readme.txt" file (a ransom note).
An example of how Mztu modifies filenames: it renames "1.jpg" to "1.jpg.mztu", "2.doc" to "2.doc.mztu", and so forth. In some cases, threat actors steal sensitive data using malware like RedLine and Vidar before encrypting files with Djvu ransomware.