Virus and Spyware Removal Guides, uninstall instructions

What kind of website is bikemolktwo[.]xyz?

After examining bikemolktwo[.]xyz, we learned that it runs the "McAfee - Your PC is infected with 5 viruses" scam. It uses deceptive marketing to promote legitimate antivirus software. Also, bikemolktwo[.]xyz wants to show notifications. Our team discovered bikemolktwo[.]xyz while analyzing pages that use shady advertising networks.

What is Weekly Stock Loader?

While checking out deceptive sites, we discovered the Weekly Stock Loader browser extension. It is promoted as a tool that provides weekly information about users' favorite stocks. However, our analysis of Weekly Stock Loader revealed that it operates as advertising-supported software (adware).

What is Encrypto ransomware?

Encrypto is a ransomware-type program that our researchers discovered during a routine inspection of new submissions to VirusTotal.

When we executed a sample of Encrypto on our testing system, it encrypted files and appended their filenames with a ".Encrypto" extension. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.Encrypto", "2.png" as "2.png.Encrypto", and so on for all of the affected files.

Afterwards, this ransomware displayed a full-screen pop-up window and created a text file titled "Encrypto.txt", the latter contained the ransom note.

What kind of email is "Pending Payment"?

Our inspection of the "Pending Payment" email revealed that it is spam. The fake letter is presented as a final warning regarding a pending payment. This mail aims to lure recipients into following the provided link that leads to the download of a likely malicious file.

What is Loading Timer?

While examining the Loading Timer browser extension, our team found that it shows unwanted intrusive advertisements. Apps that display ads are categorized as advertising-supported applications. Users rarely download and install (or add) adware knowingly. We discovered multiple deceptive websites promoting Loading Timer.

What kind of page is alltimetopdefender[.]site?

While inspecting questionable websites, our researchers discovered the alltimetopdefender[.]site rogue webpage. It operates by running scams, promoting browser notification spam, and redirecting visitors to other (likely unreliable/dangerous) websites.

Most users access sites like alltimetopdefender[.]site through redirects caused by pages that use rogue advertising networks.

What kind of malware is G-Stars?

While checking the VirusTotal page for recently submitted samples, our team discovered ransomware dubbed G-Stars. This malware encrypts files to prevent victims from accessing/opening them. Also, G-Stars appends a string of random characters and the ".G-Stars" extension to filenames and drops its ransom note (the "WE CAN RECOVER YOUR DATA.txt" file).

An example of how G-Stars renames files: it changes "1.jpg" to "1.jpg.[1F587D66].G-Stars", "2.png" to "2.png.[1F587D66].G-Stars", and so forth.

What is Crypto Currency Converter?

While inspecting dubious websites, our research team discovered a page endorsing the Crypto Currency Converter browser extension. It is presented as a tool that converts cryptocurrencies, thus allowing users to compare conversion rates easily.

Our inspection of this piece of software revealed that it is a browser hijacker. Typically, software within this classification promotes fake search engines (that due to their inability to produce search results) redirect to genuine ones. However, Crypto Currency Converter causes redirects to the legitimate Bing search engine.

What kind of application is UniversalSource?

While testing the UniversalSource application, our team noticed that it displays intrusive advertisements. Therefore, we categorized UniversalSource as adware (advertising-supported software). In most cases, users install adware unintentionally. We discovered UniversalSource while inspecting deceptive web pages.

What is Crustom ransomware?

Crustom is a ransomware-type program. It operates by encrypting victims' files to demand ransoms for the data decryption.

After we executed a sample of Crustom on our test machine, it encrypted files and changed their filenames. The affected files were renamed with a random character string, e.g., a file originally titled "1.jpg" appeared as "5wrtdyBfvDK64SQz", "2.png" as "NCmG6oZZeV4pV8xt", etc.

Once the encryption process was concluded, a ransom note named "INSTRUCTIONS.txt" was created, and the desktop wallpaper was changed.