Virus and Spyware Removal Guides, uninstall instructions

What kind of malware is Theva?

Theva is ransomware that encrypts data and appends the sql772@aol.com email address and its extension (".theva") to filenames. Also, Theva changes the desktop wallpaper and drops a ransom note (the "#_README_#.inf" file). Our team discovered Theva while analyzing malware samples submitted to VirusTotal.

An example of how Theva modifies filenames: it renames "1.jpg" to "1.jpg.[sql772@aol.com].theva", "2.png" to "2.png.[sql772@aol.com].theva", and so forth.

What kind of malware is Znsm?

Znsm is ransomware that employs encryption to prevent victims from accessing their files. It belongs to a ransomware family known as Djvu. Our team discovered Znsm while analyzing malware samples submitted to VirusTotal. Djvu ransomware is often distributed along with information stealers like Vidar and RedLine.

Znsm encrypts files, appends the ".znsm" extension to filenames (e.g., renames "1.jpg" to "1.jpg.znsm", "2.png" to "2.png.znsm"), and drops the "_readme.txt" file containing a ransom note.

What kind of scam is "DHL - Your Parcel Delivery Arrived Today"?

We have examined this email and concluded that it is written by scammers who pretend to be DHL - a legitimate logistics company. The purpose of this scam email is to trick recipients into providing sensitive information. Emails of this type are called phishing emails. This fake DHL letter should be marked as spam and ignored.

What kind of malware is Rans_recovery?

Rans_recovery is ransomware that encrypts files to prevent victims from accessing them. Also, Rans_recovery appends the ".rans_recovery" extension to filenames, drops the "Recovery.txt" file containing a ransom note, and changes the desktop wallpaper. We discovered Rans_recovery while inspecting samples submitted to VirusTotal.

An example of how Rans_recovery modifies filenames: it renames "1.jpg" to "1.jpg.rans_recovery", "2.png" to "2.png.rans_recovery", and so forth.

What kind of page is DefaultFormat?

While testing the DefaultFormat application, we noticed that various unwanted advertisements were coming from it. Apps that show ads are called advertising-supported applications. Typically, users download and install apps such as DefaultFormat inadvertently. We discovered DefaultFormat while inspecting deceptive websites.

What kind of page is dokookamida[.]com?

We have analyzed dokookamida[.]com and found that it uses a clickbait technique (shows a deceptive message) to trick visitors into allowing it to show notifications. Our team has discovered dokookamida[.]com while inspecting pages that use shady advertising networks. Typically, users open pages like dokookamida[.]com unintentionally.

What kind of application is LinkDownloader?

While inspecting the LinkDownloader application, we discovered that it is a browser extension that functions as adware. While added to a web browser, LinkDownloader shows annoying advertisements. Most users install/add adware unintentionally. We discovered multiple deceptive pages promoting LinkDownloader.

What kind of page is proprotect2023[.]xyz?

Proprotect2023[.]xyz is one of the many deceptive pages running the "McAfee - Your PC is infected with 5 viruses!" scam. This page shows fake virus alerts to trick visitors into purchasing legitimate software. Also, proprotect2023[.]xyz asks for permission to show shady notifications. Thus, it cannot be trusted.

What kind of malware is Worry?

Worry is one of the ransomware variants belonging to the Phobos family. It encrypts data, modifies filenames of all encrypted files, and creates two ransom notes ("info.hta" and "info.txt"). Our malware researchers discovered Worry while checking the VirusTotal for recently submitted samples.

Worry ransomware appends the victim's ID, d0ntw0rry@cyberfear.com email address, and the ".worry" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.id[1e857d00-2994].[d0ntw0rry@cyberfear.com].worry", "2.png" to "2.png.id[1e857d00-2994].[d0ntw0rry@cyberfear.com].worry", and so forth.

What is kind of email is "Contract Document"?

We have examined this email and concluded that it is sent by scammers who aim to trick recipients into providing sensitive information on a phishing website. It is disguised as a letter regarding some contract document shared with recipients. This email should be marked as spam and deleted.