Virus and Spyware Removal Guides, uninstall instructions

What kind of application is IronBrowse?

While testing IronBrowse, we found that this application displays intrusive advertisements. Apps that show unwanted apps are called advertising-supported apps (or adware). A big part of adware is promoted and distributed using questionable (often deceptive) methods. We discovered IronBrowse on a deceptive page instructing us to update the Adobe Flash Player.

What is poshukach[.]com?

Similar to ubersear[.]ch, poshukach[.]com is the URL of an illegitimate search engine. Websites of this kind are typically promoted by browser hijackers.

However, we discovered poshukach[.]com while inspecting a malicious Android application that does not modify browsers. Instead, this app created a fake search engine bar on the device's home screen, using which resulted in redirects to the poshukach[.]com site.

What kind of email is "Apple Invoice"?

After inspecting the "Apple Invoice" email, we determined that it is spam mail. These scam emails are presented as invoices for Apple products that the recipients have supposedly purchased. Additionally, it is worth mentioning that we discovered spam text messages (SMSes) used to promote this "Apple Invoice" scam.

It must be emphasized that these emails and text messages are fake, and they are in no way associated with the actual Apple Inc.

What kind of website is ourhotposts[.]com?

After examining ourhotposts[.]com, our team learned that this page uses a clickbait technique to lure visitors into agreeing to receive notifications and redirects to other websites. This page was discovered by us while inspecting other pages that use rogue advertising networks. Usually, sites like ourhotposts[.]com are visited unintentionally.

What kind of malware is Royal?

Royal is the name of ransomware that encrypts files and appends the ".royal" extension to filenames (an updated variant of Royal ransomware appends ".royal_w" extension). It also creates a text file (named "README.TXT") containing a ransom note. Cybercriminals behind Royal ransomware attacks aim to extort money from victims. Before Royal, they used BlackCat and ZEON ransomware (ZEON generates ransom notes similar to CONTI ransomware) in their attacks.

An example of how Royal ransomware renames files: it changes "1.jpg" to "1.jpg.royal", "2.png" to "2.png.royal", "3.exe" to "3.exe.royal".

What is RealInfo?

RealInfo is a rogue app that our researchers discovered during a routine inspection of new submissions to VirusTotal. After analyzing this application, we determined that it is adware belonging to the AdLoad malware family.

What kind of page is champse[.]click?

While inspecting champse[.]click, our team discovered that this page runs the "McAfee - Your PC is infected with 5 viruses!" scam and wants to show notifications. It is designed to trick visitors into believing that their computers are infected. We found champse[.]click while examining pages that use rogue advertising networks.

What kind of page is desktopdefence[.]online?

Our researchers found the desktopdefence[.]online rogue page while inspecting suspect websites. It is designed to promote scams, push browser notification spam, and redirect users to other webpages (likely unreliable or harmful) sites.

Most visitors to pages like desktopdefence[.]online access them via redirects caused by websites using rogue advertising networks.

What kind of malware is T_TEN?

T_TEN is the name of a new DCRTR ransomware variant. It encrypts files and appends the ".T_TEN" extension to filenames. Also, it drops the "Readme.txt" file on the desktop and displays a pop-up window (both containing ransom notes). Our malware researchers discovered T_TEN while examining malware samples submitted to VirusTotal.

An example of how T_TEN changes filenames: it renames "1.jpg" to "1.jpg.T_TEN", "2.png" to "2.png.T_TEN", "3.exe" to "3.exe.T_TEN", and so forth.

What kind of page is defenderpage[.]xyz?

Defenderpage[.]xyz is a rogue webpage that our researchers discovered during a routine investigation of suspicious websites. It is designed to run online scams, promote spam browser notifications, and redirect visitors to other (likely unreliable/dangerous) sites.

Users typically enter defenderpage[.]xyz and pages akin to it - via redirects caused by websites that use rogue advertising networks.