Virus and Spyware Removal Guides, uninstall instructions

What kind of email is "Storage Capacity"?

We inspected this email and learned that it is a scam email created to trick recipients into entering sensitive information on the provided phishing website. It is disguised as a letter from an email service provider regarding low email storage capacity. Scam emails should be marked as spam and deleted.

What is DATAF LOCKER ransomware?

While investigating new submissions to VirusTotal, our researchers discovered the DATAF LOCKER ransomware-type program. It is part of the Babuk ransomware family. DATAF LOCKER is designed to render data inaccessible by encrypting it and demand ransoms for access recovery - decryption.

On our test system, this ransomware encrypted files and altered their filenames. Initial titles were appended with a ".dataf" extension, e.g., a file named "1.jpg" appeared as "1.jpg.dataf", "2.png" as "2.png.dataf", and so on.

After the encryption process was completed, DATAF LOCKER created a text file - "How To Restore Your Files.txt" - containing the ransom note.

What kind of application is WebSurf Guard?

WebSurf Guard is advertised as an ad blocker - the most advanced ad blocker for Youtube. However, we tested this browser extension and found that it shows advertisements. Thus, we classified WebSurf Guard as adware. Our team discovered WebSurf Guard on a deceptive web page.

What kind of email is "Missed Call"?

After inspecting the "Missed Call" email, we determined that it is spam operating as a phishing scam. This mail promotes a phishing website that requests visitors to sign in with their email accounts. Hence, by trusting this fake letter - users can lose their email accounts and the content connected to them.

What kind of application is Video Player Pro?

Our team tested the Video Player Pro browser extension and learned that it shows annoying advertisements. Also, it can manage downloads and read and change data on all websites. Apps that generate ads are called adware (advertising-supported software). Users rarely install adware on purpose.

What kind of malware is Gqlmcwnhh?

Gqlmcwnhh is ransomware (a ransomware variant from the Snatch family). It encrypts data, appends ".gqlmcwnhh" extension to filenames, and drops the "HOW TO RESTORE YOUR FILES.TXT" file (a ransom note). Our malware researchers discovered Gqlmcwnhh while examining samples submitted to VirusTotal.

An example of how Gqlmcwnhh modifies filenames: it renames "1.jpg" to "1.jpg.gqlmcwnhh", "2.png" to "2.png.gqlmcwnhh", and so forth.

What kind of malware is Titan?

While investigating malware samples submitted to VirusTotal, our team discovered an information stealer called Titan. Malware of this type gathers sensitive data from the infected system and sends it to the attacker. Typically, cybercriminals behind information stealers are financially motivated.

What is Tab Session?

While checking out deceptive websites, our researchers discovered the Tab Session browser extension. It is presented as a productivity improvement tool that promises easy access and navigation on browsers. However, Tab Session operates as adware. This browser extension runs intrusive ad campaigns and spies on users' browsing activity.

What is XStealer?

XStealer is a piece of malicious software designed to steal data. This stealer malware can exfiltrate browsing and user information. Therefore, XStealer infections endanger victims' privacy and safety.

What is Cipher ransomware?

While reviewing new submissions to VirusTotal, our research team found the Cipher ransomware. This malicious program is part of the MedusaLocker ransomware family.

After a sample of Cipher was executed on our testing system, it began encrypting files and appended their names with a ".cipher" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.cipher", "2.png" as "2.png.cipher", and so on for all of the affected files. Other variants of Cipher ransomware append the same extension that also contains a digit (e.g., ".cipher4", (".cipher7", ".cipher9", etc.).

Once the encryption process was completed, an HTML file named "!-Recovery_Instructions-!.html" was dropped onto the desktop. It contained the ransom note, which makes it evident that this ransomware targets companies rather than home users.