Virus and Spyware Removal Guides, uninstall instructions

What kind of email is "Incoming Failed Messages"?

After investigating this email, we found that it is a fake letter from an email service provider. It is created by scammers who aim to trick recipients into providing sensitive information on a phishing website. This email must be ignored.

What kind of email is "Annual Salary Adjustment"?

After inspecting the "Annual Salary Adjustment" email, we determined that it is spam. This mail operates as a phishing scam. It aims to deceive recipients into disclosing their email log-in credentials by promoting a fake file-sharing website that requests this information for identity confirmation.

What kind of malware is CrySpheRe?

CrySpheRe is one of the Xorist ransomware variants designed to encrypt files. We discovered CrySpheRe ransomware while checking the VirusTotal page for recently submitted malware samples. While investigating CrySpheRe, we learned that it appends the ".CrySpheRe" extension to filenames, displays a pop-up window, and creates the "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" file.

CrySpheRe's pop-up window and text file contain the same ransom note. An example of how CrySpheRe renames files: it changes "1.jpg" to "1.jpg.CrySpheRe", "2.png" to "2.png.CrySpheRe", and so forth.

What is the Ouroboros browser?

Ouroboros is a rogue browser that our research team discovered while inspecting suspicious software-promoting websites.

This browser likely has advertising-supported software (adware) functionalities. Ouroboros also shares traits with browser hijackers in that it can cause redirects to fake search engines, specifically the ouroborosbrowser.com website. It is pertinent to mention that this browser likely spies on users' browsing activity as well.

Due to the dubious methods used to distribute Ouroboros, it is classified as a PUA (Potentially Unwanted Application).

What kind of page is erbi90s[.]click?

We examined erbi90s[.]click and found that it displays deceptive messages to trick visitors into believing that their computers are infected and purchasing antivirus software. It runs the "McAfee - Your PC is infected with 5 viruses!" scam. Also, erbi90s[.]click can show untrustworthy notifications (if allowed).

What kind of malware is RPC?

RPC is ransomware that blocks access to files by encrypting them. Also, it renames files by appending the victim's ID, pcrec@tuta.io email address, and ".RPC" extension to filenames. RPC ransomware provides two ransom notes: it displays a pop-up window and creates the "recinfo.txt" file.

RPC is one of the Dharma ransomware variants. We discovered it while inspecting malware samples submitted to the VirusTotal website. An example of how RPC renames files: it changes "1.jpg" to "1.jpg.id-9ECFA84E.[pcrec@tuta.io].RPC", "2.png" to "2.png.id-9ECFA84E.[pcrec@tuta.io].RPC", and so forth.

What is Multicheck Checkbox Checker?

While inspecting suspicious sites, our researchers discovered one offering fake Chrome browser updates that installed the Multicheck Checkbox Checker browser extension. This piece of software is presented as a tool that simplifies the action of checking/unchecking boxes on the Web. Instead, Multicheck Checkbox Checker operates as adware - i.e., runs intrusive ad campaigns and spies on users' browsing activity.

What is Lock (Babuk) ransomware?

Lock is the name of a ransomware-type program discovered by our research team during a routine inspection of new submissions to VirusTotal. This malicious program is part of the Babuk ransomware family.

On our test machine, Lock (Babuk) ransomware encrypted files and appended their filenames with a ".lock" extension, e.g., a file titled "1.jpg" appeared as "1.jpg.lock", "2.png" as "2.png.lock", and so forth. After the encryption was completed, a ransom note named "How To Restore Your Files.txt" was dropped onto the desktop.

What is "Stromag" email virus?

After inspecting this "Stromag" email, we determined that it is fake. This spam letter is presented as a message from the Stromag power transmission component manufacturing company. It must be emphasized that this spam mail is not associated with said company.

The scam email attempts to trick recipients into opening a malicious attachment, which is designed to infect computers with the Agent Tesla RAT (Remote Access Trojan).

What kind of malware is INT?

INT is ransomware designed to encrypt files, change their filenames, and create a ransom note (the "+README-WARNING+.txt" file). We found that INT is part of the Makop ransomware family. It appends the victim's ID, an email address, and the ".INT" extension to filenames.

Our team discovered INT ransomware while inspecting malware samples submitted to VirusTotal. An example of how files are renamed by this ransomware: "1.jpg" is renamed to "1.jpg.[2AF20FA3].[integra2022@tutanota.com].INT", "2.png" to "2.png.[2AF20FA3].[integra2022@tutanota.com].INT", and so forth.